nova / libvirt Secure Boot VM support not fully functional

Bug #1958636 reported by Imran Hussain
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

Hi,

I've been trying to get Secure Boot VMs working on my OpenStack. But I'm running into issues with firmware requiring SMM to be enabled.

Versions:
libvirt version: 6.0.0, package: 0ubuntu8.15
QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.18)
Nova 23.1.1 (deployed via kolla, so kolla/ubuntu-source-nova-compute:wallaby is the image)
ovmf 0~20191122.bd85bf54-2ubuntu3.3

There's an issue with the way the Nova libvirt driver handles secure boot and the firmware bit.

It boils down to the Nova libvirt driver not producing the correct XML to start a VM. Nova needs to either:

1) Take advantage of libvirt's auto firmware selection feature
OR
2) Produce the correct XML

I have produced 2 series of patch sets for both approaches. Neither patch set is production/merge ready but works on my systems and provides a base.

1. https://review.opendev.org/c/openstack/nova/+/825729
2. https://review.opendev.org/c/openstack/nova/+/825496

Context:
http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026796.html
http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026826.html
https://specs.openstack.org/openstack/nova-specs/specs/wallaby/implemented/allow-secure-boot-for-qemu-kvm-guests.html
https://that.guru/blog/uefi-secure-boot-in-libvirt/
https://libvirt.org/formatdomain.html#bios-bootloader

Changed in nova:
status: New → In Progress
Stephen Finucane (stephenfinucane) wrote :

Confirmed on an Ubuntu 20.04 host with DevStack. This check has been in libvirt since the very beginning [1] so I'm not sure how I didn't hit this during development. Perhaps libvirt has changed something, Ubuntu is doing something different to Fedora, or I simply messed up...

[1] https://github.com/libvirt/libvirt/commit/9c1524a01#diff-909be9ec94676bb693c57b5a8692cc32bd2f9728c42dc9fe1c9cbcf569971b36R2345-R2349

Imran Hussain (imranh2) wrote :

Stephen,

Based on https://fedoraproject.org/wiki/Using_UEFI_with_QEMU#Installing_.27UEFI_for_QEMU.27_nightly_builds

If you pull open the RPM (edk2.git-ovmf-x64-0-20211216.94.gb451c69088.noarch.rpm) and look at usr/share/qemu/firmware/80-ovmf-x64-git-need-smm.json, only that one requires SMM. The other firmwares don't.

Now, the more I look at the libvirt driver code in Nova, the more I think it is seriously wrong in the way it finds and detects firmware. I don't have the time to confirm this, but I really think it's just missed the mark when it comes to discovering firmware and its features, and we should push for option 1 and let libvirt do all the hard work instead of reinventing the wheel.

I appreciate the wheel is new and Nova needed to do it in the past, but I don't think it's the right approach today.
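
To make the firmware-descriptor check discussed in this thread concrete, here is an added example (not Nova's own code) that reads a QEMU firmware descriptor of the kind found under usr/share/qemu/firmware/, and emits libvirt's `<smm state='on'/>` only when the descriptor's feature list contains `requires-smm`, alongside the `secure='yes'` pflash loader. The descriptor contents and the OVMF file paths are constructed samples.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the QEMU firmware descriptor JSON format (the files
# under usr/share/qemu/firmware/); the OVMF filenames are placeholders.
SAMPLE_DESCRIPTOR = json.dumps({
    "description": "OVMF Secure Boot build that needs SMM (constructed)",
    "interface-types": ["uefi"],
    "mapping": {
        "device": "flash",
        "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd",
                       "format": "raw"},
        "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.secboot.fd",
                           "format": "raw"},
    },
    "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
    "features": ["acpi-s3", "requires-smm", "secure-boot", "verbose-dynamic"],
})


def parse_descriptor(text):
    """Return (features, code image path, NVRAM template path)."""
    desc = json.loads(text)
    mapping = desc["mapping"]
    return (frozenset(desc.get("features", [])),
            mapping["executable"]["filename"],
            mapping["nvram-template"]["filename"])


def build_secure_boot_domain(features, loader, nvram, machine="q35"):
    """Emit <os>/<features> XML for a Secure Boot guest.

    libvirt rejects a secure='yes' loader unless SMM is on, so the
    descriptor's 'requires-smm' feature is mapped to <smm state='on'/>.
    """
    if "secure-boot" not in features:
        raise ValueError("firmware descriptor does not advertise secure-boot")
    domain = ET.Element("domain", type="kvm")
    os_el = ET.SubElement(domain, "os")
    ET.SubElement(os_el, "type", arch="x86_64", machine=machine).text = "hvm"
    ET.SubElement(os_el, "loader", readonly="yes", secure="yes",
                  type="pflash").text = loader
    ET.SubElement(os_el, "nvram", template=nvram)
    if "requires-smm" in features:
        ET.SubElement(ET.SubElement(domain, "features"), "smm", state="on")
    return ET.tostring(domain, encoding="unicode")


def smm_enabled(domain_xml):
    """True when the XML carries <features><smm state='on'/></features>."""
    smm = ET.fromstring(domain_xml).find("features/smm")
    return smm is not None and smm.get("state") == "on"
```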

Imran Hussain (imranh2) wrote :

Excuse my typos, I pressed the send button too fast!

sean mooney (sean-k-mooney) wrote :

Nit: this is not really a nova bug but a workaround for a libvirt bug, but I'm happy to see the workaround added to nova as a bug fix, so let's proceed with this.

Changed in nova:
importance: Undecided → Low
tags: added: libvirt
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/825496
Committed: https://opendev.org/openstack/nova/commit/6ad789010043dc4dcf8d1c0f497b6c728d230f45
Submitter: "Zuul (22348)"
Branch: master

commit 6ad789010043dc4dcf8d1c0f497b6c728d230f45
Author: Imran Hussain <email address hidden>
Date: Thu Jan 20 12:26:41 2022 +0000

    [nova/libvirt] Support for checking and enabling SMM when needed

    Check the features list we get from the firmware descriptor file
    to see if we need SMM (requires-smm), if so then enable it as
    we aren't using the libvirt built in mechanism to enable it
    when grabbing the right firmware.

    Closes-Bug: 1958636

    Change-Id: I890b3021a29fa546d9e36b21b1111e8537cd0020
    Signed-off-by: Imran Hussain <email address hidden>

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 25.0.0.0rc1

This issue was fixed in the openstack/nova 25.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/nova/+/849610

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/nova/+/849676

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/nova/+/849676
Committed: https://opendev.org/openstack/nova/commit/62e1a621d19e8833a18afdba86de7f8334171c63
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 62e1a621d19e8833a18afdba86de7f8334171c63
Author: Imran Hussain <email address hidden>
Date: Thu Jan 20 12:26:41 2022 +0000

    [nova/libvirt] Support for checking and enabling SMM when needed

    Check the features list we get from the firmware descriptor file
    to see if we need SMM (requires-smm), if so then enable it as
    we aren't using the libvirt built in mechanism to enable it
    when grabbing the right firmware.

    Closes-Bug: 1958636

    Change-Id: I890b3021a29fa546d9e36b21b1111e8537cd0020
    Signed-off-by: Imran Hussain <email address hidden>
    (cherry picked from commit 6ad789010043dc4dcf8d1c0f497b6c728d230f45)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/nova/+/849610
Committed: https://opendev.org/openstack/nova/commit/3fe70981f85c5f2bd5765e35b61b5dfae501b0a0
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 3fe70981f85c5f2bd5765e35b61b5dfae501b0a0
Author: Imran Hussain <email address hidden>
Date: Thu Jan 20 12:26:41 2022 +0000

    [nova/libvirt] Support for checking and enabling SMM when needed

    Check the features list we get from the firmware descriptor file
    to see if we need SMM (requires-smm), if so then enable it as
    we aren't using the libvirt built in mechanism to enable it
    when grabbing the right firmware.

    Closes-Bug: 1958636

    Change-Id: I890b3021a29fa546d9e36b21b1111e8537cd0020
    Signed-off-by: Imran Hussain <email address hidden>
    (cherry picked from commit 6ad789010043dc4dcf8d1c0f497b6c728d230f45)
    (cherry picked from commit 62e1a621d19e8833a18afdba86de7f8334171c63)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 23.2.2

This issue was fixed in the openstack/nova 23.2.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 24.2.0

This issue was fixed in the openstack/nova 24.2.0 release.
