Hi Corey,
While verifying (bionic) ussuri-proposed, I noticed bionic doesn't necessarily need the fix, since its ovmf package does not ship OVMF_CODE.secboot.fd (introduced later, present in focal).
Keeping the fix is safe, though, as it is a no-op by default (no functional change),
and may be desired to get nova in bionic-ussuri back in sync with focal, after the regression handling for CVE-2023-2088.patch, but I'm not sure of all the details involved.
I'll not mark this as verification-done-ussuri yet, in order to wait for your confirmation.
Thanks,
Mauricio
...
Verification on bionic:
With ussuri-updates, an uefi server _does_ boot (differently than focal):
$ juju ssh nova-compute/0 'dpkg -s nova-compute | grep ^Version:' 2>/dev/null
Version: 2:21.2.4-0ubuntu2.2~cloud0
$ openstack image set jammy --property hw_firmware_type=uefi
$ openstack server create --image jammy --flavor m1.small --network private test
$ juju ssh nova-compute/0 sudo virsh dumpxml instance-00000001 2>&1 | sed -n '/<os>/,/<\/os>/p'
...
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
...
$ openstack console log show test | grep -o 'test login:'
test login:
This works because the problematic loader (OVMF_CODE.secboot.fd) is not yet available on bionic, only in focal:
$ ls -1 /usr/share/OVMF/
OVMF_CODE.fd
OVMF_VARS.fd
$ dpkg -S /usr/share/OVMF/OVMF_CODE.fd
ovmf: /usr/share/OVMF/OVMF_CODE.fd
$ dpkg -L ovmf | grep -F .fd
/usr/share/OVMF/OVMF_CODE.fd
/usr/share/OVMF/OVMF_VARS.fd
/usr/share/ovmf/OVMF.fd
/usr/share/qemu/OVMF.fd
$ lsb_release -cs
bionic
$ pull-lp-debs ovmf focal
$ dpkg-deb -c ovmf_*.deb
...
-rw-r--r-- root/root 1966080 2022-11-08 05:40 ./usr/share/OVMF/OVMF_CODE.secboot.fd
...
With ussuri-proposed and new option disabled (default), an uefi server still boots (no regression by default):
$ juju ssh nova-compute/0 'sudo add-apt-repository --yes "deb http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/ussuri main"'
$ juju ssh nova-compute/0 'sudo apt install --yes --option=Dpkg::Options::=--force-confnew --option=Dpkg::Options::=--force-confdef nova-compute'
$ juju ssh nova-compute/0 'sudo systemctl restart nova-compute.service' 2>/dev/null
$ juju ssh nova-compute/0 'dpkg -s nova-compute | grep ^Version:' 2>/dev/null
Version: 2:21.2.4-0ubuntu2.6~cloud0
$ openstack server stop test
$ openstack server start test
$ juju ssh nova-compute/0 sudo virsh dumpxml instance-00000001 2>&1 | sed -n '/<os>/,/<\/os>/p'
...
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
...
$ openstack console log show test | grep -o 'test login:'
test login:
With ussuri-proposed and the new option enabled (changed), an uefi server still boots (no regression)
$ juju config nova-compute config-flags='ubuntu_libvirt_uefi_loader_path=True'
$ juju ssh nova-compute/0 sudo grep ubuntu_libvirt_uefi_loader_path /etc/nova/nova.conf 2>/dev/null
ubuntu_libvirt_uefi_loader_path = True
$ openstack server stop test
$ openstack server start test
$ juju ssh nova-compute/0 sudo virsh dumpxml instance-00000001 2>&1 | sed -n '/<os>/,/<\/os>/p'
...
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
...
$ openstack console log show test | grep -o 'test login:'
test login: