From 89cec2696b95f924e277dc1eda091a545e359fa6 Mon Sep 17 00:00:00 2001
From: Kashyap Chamarthy
Date: Tue, 12 Jan 2021 16:17:14 +0100
Subject: [PATCH] Add a trait for UEFI Secure Boot support
Introduce a trait, COMPUTE_SECURITY_UEFI_SECURE_BOOT, as discussed in the Secure Boot spec[1]. (Yeah, it reads a little awkward, not sure if we can avoid it, as I've included it as part of compute/security.py file.) This lets an admin set the trait either via the flavor extra-specs or image metadata properties: trait:COMPUTE_SECURITY_UEFI_SECURE_BOOT=required to request to boot an instance in Secure Boot mode. Nova's libvirt driver is responsible make sure the compute node has the necessary capabilities (e.g. relevant libvirt, QEMU, OVMF, EDK2 et al versions). If the host hypervisor is incapable, the instance creation will fail. [1] https://opendev.org/openstack/nova-specs/src/branch/master/specs/wallaby/approved/allow-secure-boot-for-qemu-kvm-guests.rst#fnref8
blueprint: allow-secure-boot-for-qemu-kvm-guests
Change-Id: I333147dcd47c6d0b926338a5a0c545f5adc63961
Signed-off-by: Kashyap Chamarthy
---
 os_traits/compute/security.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/os_traits/compute/security.py b/os_traits/compute/security.py
index eaf8f22..044fac9 100644
--- a/os_traits/compute/security.py
+++ b/os_traits/compute/security.py
@@ -18,5 +18,9 @@ TRAITS = [
 # support for TPM 1.2
 'TPM_1_2',
 # support for TPM 2.0
- 'TPM_2_0'
+ 'TPM_2_0',
+ # support for UEFI Secure Boot
+ # ref:
+ # https://opendev.org/openstack/nova-specs/src/branch/master/specs/wallaby/approved/allow-secure-boot-for-qemu-kvm-guests.rst#fnref8
+ 'UEFI_SECURE_BOOT'
 ]
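Review bot: The comment on the new `'UEFI_SECURE_BOOT'` entry does not say what the trait asserts; "support for UEFI Secure Boot" can be read either as the host itself having booted with Secure Boot or as the host being able to start guests with it. Going by the commit message it is the latter, so I would write `# host can boot guests with UEFI Secure Boot enabled` and keep the spec link below it. That link targets `branch/master` with a `#fnref8` footnote anchor, which is likely to drift when the spec is edited, so pointing at the spec document itself would be more durable. A trailing comma after `'UEFI_SECURE_BOOT'` would also save the next addition from having to touch this line, as this patch had to do for `'TPM_2_0'`. The `TRAITS` list opens above the hunk.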