vTPM Live Migration

Registered by Artom Lifshitz

When Nova first added vTPM support, all non-spawn operations were
rejected [1] at the API level. Extra work was necessary to manage the
vTPM state file when moving an instance. This work was eventually
completed for resize and cold migration, and those operations were
unblocked [2]. The live migration block has remained in place to this
day.

A TPM device is required for certain features [3] of Windows Server
2022 and 2025, most notably BitLocker Drive Encryption. The inability
to live migrate instances with vTPM is a major roadblock for anyone
operating Windows guests in an OpenStack cloud.

Libvirt support for vTPM live migration now exists, but Nova changes
are necessary before being able to remove the API block. This spec
describes those changes.

[1] https://review.opendev.org/c/openstack/nova/+/741500
[2] https://review.opendev.org/c/openstack/nova/+/639934
[3] https://learn.microsoft.com/en-us/windows-server/get-started/hardware-requirements

Blueprint information

Status:
Not started
Approver:
sean mooney
Priority:
Undefined
Drafter:
Artom Lifshitz
Direction:
Approved
Assignee:
melanie witt
Definition:
Approved
Series goal:
Accepted for 2025.2
Implementation:
Deferred
Milestone target:
None

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.opendev.org/#/q/topic:bp/vtpm-live-migration

Addressed by: https://review.opendev.org/c/openstack/nova-specs/+/936775
    WIP: vTPM live migration

[20250114 bauzas] Spec was approved for the Epoxy cycle

Addressed by: https://review.opendev.org/c/openstack/nova/+/925771
    WIP: Allow vTPM live migrations for admins

Addressed by: https://review.opendev.org/c/openstack/nova/+/940194
    WIP: Add [libvirt]default_tpm_secret_security

Addressed by: https://review.opendev.org/c/openstack/nova/+/940195
    WIP: Add [libvirt]supported_tpm_secret_security

Addressed by: https://review.opendev.org/c/openstack/nova/+/940196
    WIP: Add hw_tpm_secret_security image property

Addressed by: https://review.opendev.org/c/openstack/nova/+/940197
    WIP: Add hw:tpm_secret_security extra spec validation

Addressed by: https://review.opendev.org/c/openstack/nova/+/941062
    WIP: Set default TPM secret security upon svc upgrade

Addressed by: https://review.opendev.org/c/openstack/nova/+/941483
    WIP: Modify vTPM LM block to block legacy instances

Addressed by: https://review.opendev.org/c/openstack/nova/+/941795
    WIP: TPM: support instances with `host` secret security

Addressed by: https://review.opendev.org/c/openstack/nova/+/942021
    WIP: TPM: support instances with `deployment` secret security

Addressed by: https://review.opendev.org/c/openstack/nova/+/942501
    TPM: migrate legacy instances to new security policy

Addressed by: https://review.opendev.org/c/openstack/nova/+/942502
    TPM: support booting instances with `user` secret security

Addressed by: https://review.opendev.org/c/openstack/nova-specs/+/947542
    Re-propose vTPM live migration

Addressed by: https://review.opendev.org/c/openstack/nova/+/952628
    Add vtpm_secret_(uuid|value) to LiveMigrateData

Addressed by: https://review.opendev.org/c/openstack/nova/+/952629
    TPM: test live migration between hosts with different security

Addressed by: https://review.opendev.org/c/openstack/nova/+/952630
    TPM: update instance request_spec with secret security

Addressed by: https://review.opendev.org/c/openstack/nova/+/955847
    TPM: confirm secret security via hard reboot

Addressed by: https://review.opendev.org/c/openstack/nova/+/956975
    TPM: add late check for supported TPM secret security

Addressed by: https://review.opendev.org/c/openstack/nova/+/957477
    DNM vtpm tempest

[2025MMDD bauzas] spec got approved for Flamingo

[20250829 uggla] Spec is deferred, mainly due to concerns that require reworking the series seen just before the FF.

Addressed by: https://review.opendev.org/c/openstack/nova-specs/+/961564
    Re-propose vTPM live migration

Addressed by: https://review.opendev.org/c/openstack/nova/+/962051
    TPM: bump service version and require it for live migration

Addressed by: https://review.opendev.org/c/openstack/nova/+/962052
    WIP Opt-in to new TPM secret security via resize

Addressed by: https://review.opendev.org/c/openstack/nova/+/962309
    FUP for vTPM live migration

Addressed by: https://review.opendev.org/c/openstack/nova/+/962007
    Move cleanup of vTPM secret from driver to compute

Addressed by: https://review.opendev.org/c/openstack/nova/+/962889
    TPM: add documentation and reno for live migration

Addressed by: https://review.opendev.org/c/openstack/nova/+/963648
    Add handling for vTPM secret permission error

Addressed by: https://review.opendev.org/c/openstack/nova/+/966499
    TPM: add RequestContext checks to functional tests


Work Items
