[nova][ptg] Summary: Secure Boot support for QEMU- and KVM-based Nova instances

Kashyap Chamarthy kchamart at redhat.com
Sat May 4 18:45:17 UTC 2019

Spec: https://review.opendev.org/#/c/506720/ -- Add "Secure Boot support
      for KVM & QEMU guests" spec 


  - Major work in all the lower-level dependencies: OVMF, QEMU and
    libvirt is ready.  Nova can now start integrating this feature.
    (Refer to the spec for the details.)

  - [IN-PROGRESS] Ensure that the Linux distributions Nova cares about
    ship the OVMF firmware descriptor files.  (Requires QEMU 4.1, coming
    out in August.  Refer to this QEMU patch series, merged in Git master:
    bundle edk2 platform firmware with QEMU.)
     - NOTE: This is not a blocker for Nova.  We can hammer away in
       parallel at the work items outlined in the spec.

  - [IN-PROGRESS] Kashyap is working with Debian folks to ship a tool
    ('ovmf-vars-generator') to enroll default UEFI keys for Secure Boot.
     - Filed a Debian "RFP" for it
     - Fedora already ships it; Ubuntu is working on it
     - NOTE: This is not a blocker, but a nice-to-have, because
       distributions already ship an OVMF "VARS" (variable store file)
       with default UEFI keys enrolled.

  - ACTION: John Garbutt and Chris Friesen to review the Nova spec.
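Added example (not code from Nova, libvirt or this thread): a small selector
over firmware descriptor files in the layout of QEMU's docs/interop/firmware.json,
illustrating why the VARS template with enrolled keys matters.  The two sample
descriptors and their file paths are constructed for this example, and the
policy of requiring both "secure-boot" and "enrolled-keys" is this example's own
choice, not something the spec mandates.

```python
import fnmatch

# Constructed samples in the layout of QEMU's docs/interop/firmware.json.
# The file paths are made up for this example, not real distro paths.
SAMPLE_DESCRIPTORS = {
    "50-edk2-x86_64-secure.json": {
        "interface-types": ["uefi"],
        "mapping": {
            "device": "flash",
            "executable": {"filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", "format": "raw"},
            "nvram-template": {"filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd", "format": "raw"},
        },
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "enrolled-keys", "requires-smm", "secure-boot"],
    },
    "60-edk2-x86_64.json": {
        "interface-types": ["uefi"],
        "mapping": {
            "device": "flash",
            "executable": {"filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd", "format": "raw"},
            "nvram-template": {"filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", "format": "raw"},
        },
        "targets": [{"architecture": "x86_64", "machines": ["pc-i440fx-*", "pc-q35-*"]}],
        "features": ["acpi-s3"],
    },
}

# Example policy (an assumption): a descriptor that advertises "secure-boot" but
# not "enrolled-keys" ships an empty variable store, so the guest would boot
# with Secure Boot effectively unenforced; we refuse such descriptors.
REQUIRED = {"secure-boot", "enrolled-keys"}

def matches_target(desc, arch, machine):
    """True if the descriptor lists this architecture and a machine-type glob matching `machine`."""
    return any(t["architecture"] == arch and
               any(fnmatch.fnmatchcase(machine, pat) for pat in t["machines"])
               for t in desc["targets"])

def select_secure_boot_firmware(descriptors, arch, machine):
    """Return (code_path, vars_template_path, needs_smm) for the first usable
    descriptor in name order (QEMU's documented priority), or None if none fits."""
    for name in sorted(descriptors):
        desc = descriptors[name]
        feats = set(desc.get("features", []))
        if ("uefi" not in desc["interface-types"] or not matches_target(desc, arch, machine)
                or not REQUIRED <= feats):
            continue
        m = desc["mapping"]
        # "requires-smm" means the caller must enable SMM on the (q35) machine
        # so the variable store cannot be tampered with from the guest OS.
        return (m["executable"]["filename"], m["nvram-template"]["filename"], "requires-smm" in feats)
    return None
```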


