Add Secure Boot support for QEMU- and KVM-based guests
This feature will let Nova guests take advantage of an OVMF firmware build that has both Secure Boot (SB) + System Management Mode (SMM) features built into it. This will allow trustworthy code in Nova instances to: (a) enable the Secure Boot operational mode (for protecting itself); and (b) *also* prevent malicious code in the guests from _circumventing_ the actual security of the Secure Boot operational mode.
An additional advantage with OVMF + UEFI: A PCI Express graphics card with a UEFI driver has no legacy baggage (e.g. no central IO ports) that would result in conflicts if you had multiple such devices in your system. This means several emulated and assigned UEFI graphics cards can peacefully co-exist.
Blueprint information
- Status:
- Complete
- Approver:
- Balazs Gibizer
- Priority:
- Undefined
- Drafter:
- Kashyap Chamarthy
- Direction:
- Needs approval
- Assignee:
- Kashyap Chamarthy
- Definition:
- Approved
- Series goal:
- Accepted for wallaby
- Implementation:
- Implemented
- Milestone target:
- wallaby-3
- Started by
- Matt Riedemann
- Completed by
- Balazs Gibizer
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Add "Secure Boot support for KVM & QEMU guests" spec
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
Add "Secure Boot support for KVM & QEMU guests" spec
Addressed by: https:/
Fix indentation in the "Secure Boot for KVM ... guests" spec
Gerrit topic: https:/
Addressed by: https:/
Track libvirt host/domain capabilities for multiple machine types
Addressed by: https:/
libvirt: Parse the 'os' element from domainCapabilities
Addressed by: https:/
libvirt: Handle alternative UEFI firmware binary paths
Addressed by: https:/
libvirt: Scaffolding for Secure Boot for KVM/QEMU guests
Gerrit topic: https:/
Train feature freeze is tomorrow and there are still WIP patches for this blueprint so I'm deferring to Ussuri. If there is a spec it will need to be re-proposed for Ussuri. -- mriedem 20190911
Addressed by: https:/
libvirt: Add methods to detect firmware auto-selection and SB
Addressed by: https:/
libvirt: Methods to handle request for Secure Boot & non-Q35 machine types
Addressed by: https:/
Re-propose "Secure Boot support for KVM & QEMU guests" spec
[efried 20200210] spec approved
[efried 20200220] Agreed in the Nova meeting to Direction:Approve all Definition:Approved blueprints http://
[gibi 20200414] we hit feature freeze in Ussuri, so it is deferred to Victoria
Addressed by: https:/
Re-propose "Secure Boot support for KVM & QEMU guests" for Wallaby
[gibi 20210304]: hm I missed this bp. The spec was approved in December for Wallaby. So the bp should have been approved as well for Wallaby.
[2021.03.16 gibi]: the last patch merged so I mark this implemented in Wallaby. The firmware autodetection piece is deferred as it is blocked by a libvirt bug https:/