Add Secure Boot support for QEMU- and KVM-based guests

Registered by Kashyap Chamarthy

This feature will let Nova guests take advantage of an OVMF firmware build that has both the Secure Boot (SB) and System Management Mode (SMM) features built into it. This will allow trustworthy code in Nova instances to: (a) enable the Secure Boot operational mode (to protect itself); and (b) *also* prevent malicious code in the guests from _circumventing_ the actual security of the Secure Boot operational mode.

An additional advantage with OVMF + UEFI: A PCI Express graphics card with a UEFI driver has no legacy baggage (e.g. no central IO ports) that would result in conflicts if you had multiple such devices in your system. This means several emulated and assigned UEFI graphics cards can peacefully co-exist.

Blueprint information

Status: Complete
Approver: Balazs Gibizer
Priority: Undefined
Drafter: Kashyap Chamarthy
Direction: Needs approval
Assignee: Kashyap Chamarthy
Definition: Approved
Series goal: Accepted for wallaby
Implementation: Implemented
Milestone target: wallaby-3
Started by: Matt Riedemann
Completed by: Balazs Gibizer

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/allow-secure-boot-for-qemu-kvm-guests,n,z

Addressed by: https://review.openstack.org/506720
    Add "Secure Boot support for KVM & QEMU guests" spec

Gerrit topic: https://review.openstack.org/#/q/topic:bp/allow-secure-boot-for-qemu-kvm-guests

Gerrit topic: https://review.opendev.org/#/q/topic:bp/allow-secure-boot-for-qemu-kvm-guests

Addressed by: https://review.opendev.org/506720
    Add "Secure Boot support for KVM & QEMU guests" spec

Addressed by: https://review.opendev.org/669284
    Fix indentation in the "Secure Boot for KVM ... guests" spec

Gerrit topic: https://review.opendev.org/#/q/topic:bp/amd-sev-libvirt-support

Addressed by: https://review.opendev.org/673151
    Track libvirt host/domain capabilities for multiple machine types

Addressed by: https://review.opendev.org/673790
    libvirt: Parse the 'os' element from domainCapabilities

Addressed by: https://review.opendev.org/348394
    libvirt: Handle alternative UEFI firmware binary paths

Addressed by: https://review.opendev.org/674657
    libvirt: Scaffolding for Secure Boot for KVM/QEMU guests

Gerrit topic: https://review.opendev.org/#/q/topic:track-machine-types

Train feature freeze is tomorrow and there are still WIP patches for this blueprint so I'm deferring to Ussuri. If there is a spec it will need to be re-proposed for Ussuri. -- mriedem 20190911

Addressed by: https://review.opendev.org/682627
    libvirt: Add methods to detect firmware auto-selection and SB

Addressed by: https://review.opendev.org/682628
    libvirt: Methods to handle request for Secure Boot & non-Q35 machine types

Addressed by: https://review.opendev.org/693844
    Re-propose "Secure Boot support for KVM & QEMU guests" spec

[efried 20200210] spec approved

[efried 20200220] Agreed in the Nova meeting to Direction:Approve all Definition:Approved blueprints http://eavesdrop.openstack.org/meetings/nova/2020/nova.2020-02-20-14.00.log.html#l-131

[gibi 20200414] we hit feature freeze in Ussuri, so it is deferred to Victoria

Addressed by: https://review.opendev.org/759731
    Re-propose "Secure Boot support for KVM & QEMU guests" for Wallaby

[gibi 20210304]: hm I missed this bp. The spec was approved in December for Wallaby. So the bp should have been approved as well for Wallaby.

[2021.03.16 gibi]: the last patch merged so I mark this implemented in Wallaby. The firmware autodetection piece is deferred as it is blocked by a libvirt bug https://review.opendev.org/c/openstack/nova/+/682627
