Comment 36 for bug 1960758

Hi Corey,

While verifying (bionic) ussuri-proposed, I noticed bionic doesn't necessarily need the fix, since its ovmf package does not ship OVMF_CODE.secboot.fd (introduced later, present in focal).

Keeping the fix is safe, though, as it is a no-op by default (no functional change),
and may be desired to get nova in bionic-ussuri back in sync with focal, after the regression handling for CVE-2023-2088.patch, but I'm not sure of all the details involved.

I'll not mark this as verification-done-ussuri yet, in order to wait for your confirmation.

Thanks,
Mauricio

...

Verification on bionic:

With ussuri-updates, an uefi server _does_ boot (differently than focal):

 $ juju ssh nova-compute/0 'dpkg -s nova-compute | grep ^Version:' 2>/dev/null
 Version: 2:21.2.4-0ubuntu2.2~cloud0

 $ openstack image set jammy --property hw_firmware_type=uefi
 $ openstack server create --image jammy --flavor m1.small --network private test

 $ juju ssh nova-compute/0 sudo virsh dumpxml instance-00000001 2>&1 | sed -n '/<os>/,/<\/os>/p'
 ...
 <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
 ...

 $ openstack console log show test | grep -o 'test login:'
 test login:

This works because the problematic loader (OVMF_CODE.secboot.fd) is not yet available on bionic, only in focal:

 $ ls -1 /usr/share/OVMF/
 OVMF_CODE.fd
 OVMF_VARS.fd

 $ dpkg -S /usr/share/OVMF/OVMF_CODE.fd
 ovmf: /usr/share/OVMF/OVMF_CODE.fd

 $ dpkg -L ovmf | grep -F .fd
 /usr/share/OVMF/OVMF_CODE.fd
 /usr/share/OVMF/OVMF_VARS.fd
 /usr/share/ovmf/OVMF.fd
 /usr/share/qemu/OVMF.fd

 $ lsb_release -cs
 bionic

 $ pull-lp-debs ovmf focal
 $ dpkg-deb -c ovmf_*.deb
 ...
 -rw-r--r-- root/root 1966080 2022-11-08 05:40 ./usr/share/OVMF/OVMF_CODE.secboot.fd
 ...

With ussuri-proposed and new option disabled (default), an uefi server still boots (no regression by default):

 $ juju ssh nova-compute/0 'sudo add-apt-repository --yes "deb http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/ussuri main"'
 $ juju ssh nova-compute/0 'sudo apt install --yes --option=Dpkg::Options::=--force-confnew --option=Dpkg::Options::=--force-confdef nova-compute'
 $ juju ssh nova-compute/0 'sudo systemctl restart nova-compute.service' 2>/dev/null

 $ juju ssh nova-compute/0 'dpkg -s nova-compute | grep ^Version:' 2>/dev/null
 Version: 2:21.2.4-0ubuntu2.6~cloud0

 $ openstack server stop test
 $ openstack server start test

 $ juju ssh nova-compute/0 sudo virsh dumpxml instance-00000001 2>&1 | sed -n '/<os>/,/<\/os>/p'
 ...
     <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
 ...

 $ openstack console log show test | grep -o 'test login:'
 test login:

With ussuri-proposed and the new option enabled (changed), an uefi server still boots (no regression)

 $ juju config nova-compute config-flags='ubuntu_libvirt_uefi_loader_path=True'
 $ juju ssh nova-compute/0 sudo grep ubuntu_libvirt_uefi_loader_path /etc/nova/nova.conf 2>/dev/null
 ubuntu_libvirt_uefi_loader_path = True

 $ openstack server stop test
 $ openstack server start test
 $ juju ssh nova-compute/0 sudo virsh dumpxml instance-00000001 2>&1 | sed -n '/<os>/,/<\/os>/p'
 ...
     <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
 ...

 $ openstack console log show test | grep -o 'test login:'
 test login: