Add a trait for UEFI Secure Boot support

Introduce a trait, COMPUTE_SECURITY_UEFI_SECURE_BOOT, as discussed in
the Secure Boot spec[1].  (Yeah, it reads a little awkward, not sure if
we can avoid it, as I've included it as part of compute/security.py
file.)

This lets an admin set the trait either via the flavor extra-specs or
image metadata properties:

    trait:COMPUTE_SECURITY_UEFI_SECURE_BOOT=required

to request to boot an instance in Secure Boot mode.  Nova's libvirt
driver is responsible for making sure the compute node has the necessary
capabilities (e.g. relevant libvirt, QEMU, OVMF, EDK2 et al versions).
If the host hypervisor is incapable, the instance creation will fail.

[1] https://opendev.org/openstack/nova-specs/src/branch/master/specs/wallaby/approved/allow-secure-boot-for-qemu-kvm-guests.rst#fnref8

blueprint: allow-secure-boot-for-qemu-kvm-guests

Change-Id: I333147dcd47c6d0b926338a5a0c545f5adc63961
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Kashyap Chamarthy 2021-01-12 16:17:14 +01:00
parent 454292dbd2
commit 89cec2696b
1 changed files with 5 additions and 1 deletions

@ -18,5 +18,9 @@ TRAITS = [
# support for TPM 1.2
'TPM_1_2',
# support for TPM 2.0
'TPM_2_0'
'TPM_2_0',
# support for UEFI Secure Boot
# ref:
# https://opendev.org/openstack/nova-specs/src/branch/master/specs/wallaby/approved/allow-secure-boot-for-qemu-kvm-guests.rst#fnref8
'UEFI_SECURE_BOOT'
]
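
Review bot: the new last entry 'UEFI_SECURE_BOOT' is left without a trailing comma, so the next trait appended to TRAITS will have to touch this line again, the same way this change had to rewrite 'TPM_2_0' as 'TPM_2_0', to stay valid. In a Python list, two adjacent string literals with a forgotten comma between them are concatenated silently rather than rejected, which would produce one bogus trait name instead of two real ones; ending the entry as 'UEFI_SECURE_BOOT', avoids both problems. Separately, the "ref:" comment points at a #fnref8 anchor on the master branch of nova-specs, which can move as the spec is edited; a one-line statement of what the trait means (the compute host can boot guests with UEFI Secure Boot enabled) next to the link would keep the comment useful if the anchor drifts.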