On 11/25/24 3:18 PM, taketani.ryo@fujitsu.com wrote:
To Whom It May Concern,
We are considering proposing and developing a new feature in OpenStack Nova for building Arm Confidential Computing Architecture (Arm CCA)-encrypted instances. I have some questions about doing so.

* While the specification of Arm CCA is already open (https://developer.arm.com/documentation/den0125/0300/Overview), no Arm CCA-enabled hardware is currently available to our knowledge. Therefore, we plan to conduct testing in an internal environment.
* Would a proposal for a feature utilizing publicly unavailable hardware be acceptable to OpenStack? Alternatively, in this case, what steps or preparations are required for approval?

I'd like to ask for some opinions from the nova team (especially nova cores), but I think having an internal and local testing environment is enough for the beginning. Ideally we may want 3rd party CI which runs tests for every single change to detect regressions, but that may not block such features which have really specific hardware requirements.

In the spec there are some sections to describe the testing plan, so once you propose the spec we can discuss details based on the plan described in that section.

# For example, for the SEV-ES support work we agreed on no full functional test coverage in CI,
# but only functional tests with a fake driver + testing in a local environment
https://specs.openstack.org/openstack/nova-specs/specs/2025.1/approved/amd-s...

* Should the blueprint and specification be submitted simultaneously?
* The specification is currently incomplete. Building Arm CCA instances requires libvirt APIs, similar to AMD SEV instances (https://blueprints.launchpad.net/nova/+spec/amd-sev-libvirt-support), but the specification of these is not yet determined publicly. We are considering submitting the blueprint first to inform the community of our ongoing development efforts.

Technically we can start discussions in OpenStack with reference to the draft libvirt API, if we have details such as the XML format. However, approval may be on hold until support for Arm CCA is completed in libvirt. This is because we should avoid problems caused by changes made in libvirt AFTER the design is made in nova. Also, nova implements a mechanism to check the minimum libvirt/qemu version to use requested features, and we may need to know the exact libvirt/qemu version that supports CCA to complete the implementation in nova.

Regards