UEFI - Forbid access to /usr/share/OVMF/OVMF_CODE.fd

Bug #1574195 reported by Chung Chih, Hung
Affects: OpenStack Compute (nova) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Libvirt uses AppArmor for security in some distributions, such as Ubuntu.
The AppArmor profile is manipulated by virt-aa-helper.
If users want to boot in UEFI, they need to specify the UEFI loader path.
But currently nova will only access /usr/share/OVMF/OVMF_CODE.fd.
However, libvirt forbade access to /usr/share before the following patch:
https://github.com/libvirt/libvirt/commit/2f01cfdf05448513d150ff1914d3444161c531b9
The patch has been merged since libvirt 1.2.19.
Default packages for older OS releases such as Ubuntu trusty haven't merged the patch yet.

Therefore those VMs will fail to be created with the following logs.
These logs occurred in the compute log:
libvirtError: internal error: cannot load AppArmor profile 'libvirt-58090233-7964-4457-9981-62ba4c488b12'

These logs occurred in the libvirtd log:
2016-04-25 06:49:42.902+0000: 26078: error : virCommandWait:2532 : internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-58090233-7964-4457-9981-62ba4c488b12) unexpected exit status 1: virt-aa-helper: error: /usr/share/OVMF/OVMF_CODE.fd
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

Maybe we should add a UEFI option for the UEFI loader path instead of the static code at the following link.
https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L328

Changed in nova:
assignee: nobody → Chung Chih, Hung (lyanchih)
description: updated
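As an added example (not code from this report, nova or libvirt), the following Python pre-flight check parses the domain XML nova would generate, extracts the UEFI loader path, and predicts whether virt-aa-helper on a given libvirt version will reject it with "skipped restricted file". It assumes that /usr/share is restricted by default and that the linked libvirt commit (shipped in 1.2.19) whitelists /usr/share/OVMF/ and /usr/share/ovmf/; the sample domain XML is constructed.

```python
import xml.etree.ElementTree as ET

# virt-aa-helper treats paths under /usr/share as restricted unless an
# override applies (assumption derived from the bug report).
RESTRICTED_PREFIXES = ("/usr/share/",)
# Assumption: the libvirt commit linked in the report (shipped in 1.2.19)
# adds the OVMF firmware directories to the helper's override list.
OVMF_OVERRIDES = ("/usr/share/OVMF/", "/usr/share/ovmf/")
FIXED_VERSION = (1, 2, 19)


def parse_version(version):
    """Turn '1.2.12' into (1, 2, 12) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def loader_path(domain_xml):
    """Return the <os><loader> path from a libvirt domain XML, or None."""
    loader = ET.fromstring(domain_xml).find("./os/loader")
    if loader is None or not loader.text:
        return None
    return loader.text.strip()


def check_loader(domain_xml, libvirt_version):
    """Predict whether virt-aa-helper will accept the UEFI loader path.

    Returns (verdict, detail); verdict is "ok" or "restricted".
    """
    path = loader_path(domain_xml)
    if path is None:
        return ("ok", "no UEFI loader configured")
    if not path.startswith(RESTRICTED_PREFIXES):
        return ("ok", path)
    if (parse_version(libvirt_version) >= FIXED_VERSION
            and path.startswith(OVMF_OVERRIDES)):
        return ("ok", path)
    return ("restricted",
            "virt-aa-helper would report 'skipped restricted file' for " + path)


# Constructed sample: the loader path nova hard-codes, as in the report.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>instance-00000001</name>
  <os>
    <type arch='x86_64' machine='pc'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
  </os>
</domain>"""

if __name__ == "__main__":
    for version in ("1.2.12", "1.2.19"):
        print(version, check_loader(SAMPLE_DOMAIN, version))
```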
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/309930

Changed in nova:
status: New → In Progress
Daniel Berrange (berrange) wrote :

IMHO this should just be reassigned to libvirt in Ubuntu so they can backport the AppArmor fix rather than hacking around it in nova by having the admin move the OVMF files to a non-standard location.

Chung Chih, Hung (lyanchih) wrote :

There are two reasons that made me feel the OVMF files could be set in an option; besides, my environment is Ubuntu 14.04 trusty.

First, the ovmf package in the trusty version was saved in the /usr/share/ovmf folder instead of /usr/share/OVMF. But the ovmf package has been saved in the correct folder since the wily version. In fact, I don't know why the files were saved there in the trusty version.
You can check the following two links; the first is the ovmf package file list for the trusty version, and the second is the ovmf package file list for the wily version.
http://packages.ubuntu.com/trusty/all/ovmf/filelist
http://packages.ubuntu.com/xenial/all/ovmf/filelist

Second, libvirt has had the backported fix since version 1.2.19. Therefore the trusty and wily versions still don't have the fix. I have verified the package files at the following link.
http://packages.ubuntu.com/xenial/libvirt-bin

I know I can just copy the files to fix the first reason.
And reassigning to libvirt Ubuntu so they can backport the fix would be a great solution.
But I don't know how to send a backport fix request to Ubuntu, or whether the fix patch would be merged, therefore I just committed this workaround patch.
Yes, not a really important workaround patch.....
At last, I'm just curious about why /usr/share/OVMF is the standard location.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by lyanchih (<email address hidden>) on branch: master
Review: https://review.openstack.org/309930
Reason: This issue should be reassigned to libvirt in ubuntu so they can backport apparmor

Maciej Szankin (mszankin) wrote :

This bug report has an assignee for a while now but there is no patch
for that. It looks like that the chance of getting a patch is low.
I'm going to remove the assignee to signal to others that they can take
over if they like.
If you want to work on this, please:
* add yourself as assignee AND
* set the status to "In Progress" AND
* provide a (WIP) patch within the next 2 weeks after that.
If you need assistance, reach out on the IRC channel #openstack-nova or
use the mailing list.

Also tagging as New. It is old and needs to be verified.

Changed in nova:
status: In Progress → New
assignee: Chung Chih, Hung (lyanchih) → nobody
Sean Dague (sdague) wrote :

The current min libvirt is 1.2.9, so I think this isn't something we're going to fix in master

Changed in nova:
status: New → Won't Fix