| Posted | Nick | Remark | |
|---|---|---|---|
| #openstack-nova - 2019-06-04 | |||
| 09:09:19 | johnthetubaguy | yeah, that is the bit | |
| 09:09:35 | kashyap | I have a TODO to trim that second point to reflect that. | |
| 09:19:06 | johnthetubaguy | kashyap: so this sounds harsh... but I think you need to turn your spec upside down, given the new libvirt version, and I guess that is what you are thinking too | |
| 09:19:35 | kashyap | johnthetubaguy: Sorry, what do you mean upside down? | |
| 09:19:49 | kashyap | johnthetubaguy: You mean, push the content from Work Items a bit above? | |
| 09:20:12 | kashyap | Noting clearly that the new libvirt (and QEMU, OVMF / EDK2) version handles most of the work for us? | |
| 09:20:46 | kashyap | (All harsh feedback is welcome :-) After spending so much time on my text, I need other eyes to help edit it.) | |
| 09:20:56 | kashyap | s/other/others'/ | |
| 09:21:32 | johnthetubaguy | kashyap: trying to work out how to describe what I am thinking :) | |
| 09:22:09 | kashyap | johnthetubaguy: Sure. Whatever brings clarity. | |
| 09:22:12 | johnthetubaguy | so overall I think we are largely there, libvirt does all the work, it clearly is something useful | |
| 09:22:43 | kashyap | "No mind is ever willingly deprived of the truth" — Plato | |
| 09:22:51 | kashyap | johnthetubaguy: Yeah, indeed. | |
| 09:23:18 | johnthetubaguy | so I think this spec was needed before libvirt did all the hard work | |
| 09:23:37 | johnthetubaguy | and we still need a bunch of the detail for sure | |
| 09:23:46 | johnthetubaguy | just wondering first about what is missing | |
| 09:23:51 | johnthetubaguy | ... so the last two work items | |
| 09:24:37 | johnthetubaguy | actually, that is back to front, maybe I just say what I think I was expecting... which doesn't make it the right or only way, its just a data point | |
| 09:25:01 | kashyap | Yeah, noted. | |
| 09:25:10 | kashyap | Also, it's not just the last two points, surely? | |
| 09:25:48 | kashyap | Also the point on making Nova use the firmware auto-selection feature? | |
| 09:25:49 | kashyap | </os> | |
| 09:25:49 | kashyap | <loader secure='yes'/> | |
| 09:25:49 | kashyap | <os firmware='efi'> | |
| 09:25:56 | johnthetubaguy | yeah, totally | |
| 09:26:14 | johnthetubaguy | lets go through each bit of the spec quickly, I think its close | |
| 09:26:22 | kashyap | Certainly. | |
| 09:26:54 | johnthetubaguy | so problem and use cases, I think you could simplify it a little bit, line 51-52 and line 42-44 are good | |
| 09:27:47 | kashyap | Right, I'll reword the "or other kernel code ..." thing, if you prefer. | |
| 09:28:05 | johnthetubaguy | well, I mean those lines are vital... i.e. you need this for guests to protect against certain kinds of maleware, and by the way we already added this for hyper-v | |
| 09:28:08 | kashyap | (It's just saying: either guest side malware or malware from kernel modules) | |
| 09:28:25 | johnthetubaguy | the hypervisor kernel modules? | |
| 09:28:28 | kashyap | johnthetubaguy: Added what? (The SecureBoot feature? Sure) | |
| 09:28:31 | kashyap | Yes | |
| 09:28:58 | johnthetubaguy | hmm, OK, I guess it does... :/ not sure | |
| 09:29:21 | johnthetubaguy | anyways, the guest malware seems the key thing for the user | |
| 09:29:29 | johnthetubaguy | sweet | |
| 09:30:38 | johnthetubaguy | the proposed change thing: (1) copy hyper-v interface, (2) libvirt does all the work when we add the above XML, (3) scheduling to make sure we get on a capable host | |
| 09:30:56 | johnthetubaguy | is there anything else from the "changes to nova" sense? | |
| 09:31:23 | kashyap | johnthetubaguy: For the (2) part, we need to expand that: introduce libvirt config classes, etc? | |
| 09:32:20 | kashyap | johnthetubaguy: No, from the list of three, I don't think there's any further, from "changes to Nova" sense. | |
| 09:32:29 | johnthetubaguy | I would do the reverse, this is the magic we put in the XML... PS this is what that really means | |
| 09:33:18 | johnthetubaguy | from the scheduling, I think in the comments it noted that the libvirt driver would add a secure_boot capability style trait if its capable | |
| 09:33:19 | kashyap | Right, noted. | |
| 09:33:32 | johnthetubaguy | I guess we need to ask libvirt if we can do that, once libvirt is the correct version? | |
| 09:34:31 | kashyap | Yes, we need to query via `capabilities` | |
| 09:34:41 | kashyap | To look if it supports the "secure" flag for 'efi' | |
| 09:34:46 | johnthetubaguy | cool | |
| 09:34:54 | johnthetubaguy | so its "a little bit" like this: https://github.com/openstack/nova/blob/2ea6e6f8db9fc6cecf389cacdd0d82d8226b99fb/nova/virt/libvirt/driver.py#L334 | |
| 09:35:07 | kashyap | s/capabilities/getDomainCapabilities/ | |
| 09:35:09 | johnthetubaguy | in that its a conditional capability | |
| 09:36:00 | kashyap | johnthetubaguy: (Aside: While implementing, I could use some help on the scheduling bits, it's my weak area.) | |
| 09:36:22 | johnthetubaguy | so I fear the spec needs to cover the rough details of what is going to happen there | |
| 09:36:24 | johnthetubaguy | https://github.com/openstack/nova/blob/2ea6e6f8db9fc6cecf389cacdd0d82d8226b99fb/nova/virt/libvirt/driver.py#L4959 | |
| 09:36:33 | johnthetubaguy | I guess its an extension of that | |
| 09:37:07 | kashyap | johnthetubaguy: Yeah, indeed: Need to write: _has_uefi_secure_boot_support() | |
| 09:37:34 | johnthetubaguy | how to we schedule for uefi today... I don't rightly remember | |
| 09:37:55 | kashyap | We don't do any scheduling decisions for UEFI, IIRC | |
| 09:40:05 | kashyap | johnthetubaguy: Do you see anything contrary to what I say in the code? | |
| 09:41:18 | johnthetubaguy | kashyap: not so far... just re-reading the hyper-v spec | |
| 09:42:10 | johnthetubaguy | do we not need os_secure_boot_signature? | |
| 09:42:17 | johnthetubaguy | ref: https://specs.openstack.org/openstack/nova-specs/specs/ocata/implemented/hyper-v-uefi-secureboot.html | |
| 09:42:37 | openstackgerrit | Ghanshyam Mann proposed openstack/nova-specs master: Policy Default Refresh spec https://review.opendev.org/547850 | |
| 09:44:50 | kashyap | johnthetubaguy: I _think_ for the first iteration, it should be optional. | |
| 09:45:03 | kashyap | `os_secure_boot_signature` allows specifying bootloader's signature | |
| 09:45:17 | kashyap | I need to play a bit more to see how strongly we need it | |
| 09:45:47 | kashyap | johnthetubaguy: Because, the OVMF maintainer says: if you don't trust the default UEFI keys, then it is almost the same as you're not trusting the filesystem where your Compute node is running | |
| 09:46:08 | johnthetubaguy | so you know... I think this was before the distros shipped trusted default keys | |
| 09:46:27 | kashyap | Yeah, very true. | |
| 09:46:29 | johnthetubaguy | lets just add in the spec that we only support using the default keys in the first implementation? | |
| 09:46:44 | kashyap | johnthetubaguy: Yes, very much worth it to spell it out | |
| 09:54:06 | johnthetubaguy | kashyap: so I just added an extra note to give a summary of what I was thinking for the proposed changes section | |
| 09:54:22 | johnthetubaguy | I am tempted to say this first version follows UEFI and simple errors out if not supported? | |
| 09:55:00 | johnthetubaguy | then in the alternatives but that in the future a request spec filter can be added similar to the existing image type filter | |
| 09:56:06 | johnthetubaguy | kashyap, the release note for hyper-v is quite nice: https://github.com/openstack/nova/blob/c6218428e9b29a2c52808ec7d27b4b21aadc0299/releasenotes/notes/hyperv-uefi-secure-boot-a2a617ac2c313afd.yaml | |
| 09:56:57 | kashyap | johnthetubaguy: Looking... | |
| 09:57:04 | kashyap | johnthetubaguy: Meanwhile, just typed this up: http://kashyapc.fedorapeople.org/Feedback-to-address-SecureBoot-spec.txt | |
| 09:57:38 | kashyap | johnthetubaguy: Yes, we should error-out simply if there's no support | |
| 09:57:50 | kashyap | johnthetubaguy: Can you explain a bit more on the request spec filter alternative? | |
| 09:58:03 | johnthetubaguy | yeah | |
| 09:58:32 | kashyap | johnthetubaguy: Yes, we'll write an equally good release note :-) | |
| 09:58:58 | johnthetubaguy | so the code for the image one is here: https://github.com/openstack/nova/blob/0c9c422c878719bae5b97fd07cafe7cd933bf103/nova/scheduler/request_filter.py#L124 | |
| 10:00:13 | johnthetubaguy | for secure boot, I think we look at the flavor and image to work out if secure_boot is required, and if it is we would request the trait the driver capabilties could advertise like SECURE_BOOT_CAPABLE or something like that | |
| 10:01:10 | kashyap | Ah-ha, noted. | |
| 10:01:15 | kashyap | johnthetubaguy: Thanks for the explanation. | |
| 10:01:19 | johnthetubaguy | no worries | |
| 10:01:40 | johnthetubaguy | so I attempted a summary comment here: https://review.opendev.org/#/c/506720/11/specs/train/approved/allow-secure-boot-for-qemu-kvm-guests.rst@82 | |
| 10:02:01 | kashyap | johnthetubaguy: Excellent, reading it already | |
| 10:03:06 | kashyap | johnthetubaguy: Can you also compare my notes here, the 2nd point: http://kashyapc.fedorapeople.org/Feedback-to-address-SecureBoot-spec.txt | |
| 10:03:31 | kashyap | This week, I'm going to address that, plus other items you noted in the review. | |
| 10:03:48 | kashyap | Will make it ready by end of this week, to keep the momentum, and not let it languish | |
| 10:04:50 | kashyap | Not least because ... "One who delays his work is always wrestling with ruin." | |
| 10:05:17 | johnthetubaguy | I may have changed my mind on some of the things in your notes... | |
| 10:05:35 | johnthetubaguy | problem description is good | |
| 10:05:43 | johnthetubaguy | use cases, I would just focus on the first one | |
| 10:05:52 | johnthetubaguy | ... I am tempted to focus only on the guest level protection | |
| 10:05:52 | kashyap | Okay, will adjust | |
| 10:06:03 | johnthetubaguy | then reference the other white paper for more details | |
| 10:06:14 | johnthetubaguy | that way its not our job to review it / keep it correct :) | |
| 10:06:25 | kashyap | Yes, indeed | |