Hyper-V UEFI SecureBoot

Registered by Alessandro Pilotti

Hyper-V has supported UEFI Secure Boot for Windows guests since the 2012 R2 version, and this has been extended to Linux guests as well with the upcoming release [1].

An image property can be set to specify that Secure Boot must be enabled when instances are booted from the image, and to identify the CA certificate to be used:

hyper-v-secureboot-certificate: string
Possible values: MicrosoftUEFICertificateAuthority, MicrosoftWindows

The implementation is straightforward and consists of enabling the related VM properties when spawning the instance.

It requires a Gen2 VM.
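The checks a driver would make when honouring this property, as an added example (not nova's or the Hyper-V driver's own code): the property name and its two values come from the blueprint, while the function name, the image-property dict and the `vm_generation` argument are assumptions.

```python
# Added example, hypothetical names: resolve the blueprint's image property into
# the Secure Boot settings to apply at spawn time, failing closed on bad input.

# The two certificate authorities the blueprint allows for the image property.
ALLOWED_CERTIFICATES = frozenset({
    "MicrosoftWindows",                  # Windows guests
    "MicrosoftUEFICertificateAuthority", # third-party UEFI CA, used for Linux guests
})

PROPERTY_NAME = "hyper-v-secureboot-certificate"


class SecureBootConfigError(ValueError):
    """Raised when an image asks for Secure Boot but the request cannot be honoured."""


def resolve_secure_boot(image_props, vm_generation):
    """Return (enable_secure_boot, certificate) for a spawn request.

    image_props:   image metadata as a dict (hypothetical shape).
    vm_generation: 1 or 2; Secure Boot needs a Generation 2 VM.
    """
    cert = image_props.get(PROPERTY_NAME)
    if cert is None:
        # Property absent: the image does not ask for Secure Boot.
        return (False, None)
    if cert not in ALLOWED_CERTIFICATES:
        # Unknown CA name: refuse rather than pick one on the image owner's behalf.
        raise SecureBootConfigError(f"unsupported Secure Boot certificate: {cert!r}")
    if vm_generation != 2:
        # Fail closed: booting a Gen1 VM without Secure Boot would silently
        # downgrade what the image owner asked for.
        raise SecureBootConfigError("Secure Boot requires a Generation 2 VM")
    return (True, cert)


if __name__ == "__main__":
    # Constructed sample image metadata.
    linux_image = {PROPERTY_NAME: "MicrosoftUEFICertificateAuthority"}
    print(resolve_secure_boot(linux_image, 2))  # (True, 'MicrosoftUEFICertificateAuthority')
```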

[1] http://technet.microsoft.com/en-us/library/dn765471.aspx#BKMK_linux

Blueprint information

Status:
Complete
Approver:
John Garbutt
Priority:
Low
Drafter:
Alessandro Pilotti
Direction:
Approved
Assignee:
Simona Iuliana Toader
Definition:
Approved
Series goal:
Accepted for ocata
Implementation:
Implemented
Milestone target:
ocata-1
Started by
John Garbutt
Completed by
Matt Riedemann

Whiteboard

Feels like this needs a spec, so we agree something that works for all hypervisors. If there are clear patterns to follow, then state that, but we certainly need more details about how to use this. --johnthetubaguy 10th October 2014

Gerrit topic: https://review.openstack.org/#q,topic:bp/s,n,z

Addressed by: https://review.openstack.org/190997
    Adds Hyper-V UEFI Secure Boot spec

Pending Patches
==============

Gerrit topic: https://review.openstack.org/#q,topic:bp/implements,n,z

Addressed by: https://review.openstack.org/209581
    Hyper-V: Adds Hyper-V UEFI Secure Boot

Gerrit topic: https://review.openstack.org/#q,topic:bp/hyper-v-uefi-secureboot,n,z

Addressed by: https://review.openstack.org/237593
    objects: added 'os_secure_boot' property to ImageMetaProps object

Sorry, we have now hit the Non-Priority Feature Freeze for Mitaka. For more details please see: http://docs.openstack.org/releases/schedules/mitaka.html#m-nova-npff and http://docs.openstack.org/developer/nova/process.html#non-priority-feature-freeze
--johnthetubaguy 2016.01.30

Addressed by: https://review.openstack.org/279041
    Moves Hyper-V Fibre Channel support spec to Newton

Addressed by: https://review.openstack.org/279042
    Moves Hyper-V Storage QOS spec to Newton

Addressed by: https://review.openstack.org/279043
    Moves the Hyper-V Cluster spec to Newton

Addressed by: https://review.openstack.org/279044
    Moves the Hyper-V NUMA instance spec to Newton

Addressed by: https://review.openstack.org/279045
    Moves the Hyper-V UEFI Secure Boot spec to Newton

Pending Patches
==============

Addressed by: https://review.openstack.org/237593
    objects: added 'os_secure_boot' property to ImageMetaProps object

Addressed by: https://review.openstack.org/209581
    Hyper-V: Adds Hyper-V UEFI Secure Boot

We're now past the non-priority feature freeze for this and I've found issues in the code, basically the nova patch is a rehash of a fork from the nova-hyperv repo from 10 months ago, and wouldn't even work with the os-win library that nova depends on, so I'm not interested in granting this a FFE anymore. Revisit this for Ocata. -- mriedem 20160706

Addressed by: https://review.openstack.org/339232
    hyperv: Autospec all the used os-win utils

This was nearly ready in Newton, just got hung up on some test issues at the feature freeze deadline, so let's queue this up for getting in early in Ocata. -- mriedem 20160830

Addressed by: https://review.openstack.org/373484
    Reproposes the Hyper-V UEFI Secure Boot spec to Ocata
