libvirt: AMD stateless firmware support

NOTE: This will be submitted for reference and early discussions. This should be resubmitted to 2024.2 once spec proposal is open.

blueprint: libvirt-stateless-firmware
Change-Id: I3e3c2350e623a95e3b2831818012376df0508232
parent f0ffcb6ddf
commit 350de765f6
@ -0,0 +1,190 @@
..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.

http://creativecommons.org/licenses/by/3.0/legalcode

=========================================================
libvit driver launching instances with stateless firmware
=========================================================

Since v8.6.0, libvirt allows launching instance with stateless firmware, which
disables the potential attack serface from hypervisor. This work aims to
introduce the required feature to allow users to use this feature.


Problem description
===================

Libvirt v8.6.0 introduced the new feature to launch instance with stateless
firmware. When an instance is launched with this feature enabled along with
UEFI, the instance loads a single OVMF image which contains read-only CODE and
VARS (or CODES only). This feature is useful for confidential computing use
case, because it prevens injection into firmware vars from hypervisor. It also
allows more complete measurement of elements involved in the boot chain of
the instance which is the key requirement of remote attestation. This is
described in `the libvirt guide
<https://libvirt.org/kbase/launch_security_sev.html>`_ about SEV-encrypted
guests.

However this libvirt feature can't be enabled in instances launched by current
nova, because nova does not set the required options in libvirt. Also nova
always injects nvram file into libvirt domain XML.

Use Cases
---------

#. As a cloud administrator, in order that my users can have more confidence in
the security of their running instances, I want to allow my users to
enforce stateless firmware for their instances.

#. As a user, I want to prevent risk caused by firmware state injected by
hypevisor, for instances which load very confidential data.


Proposed change
===============

We propose adding a new image property to request stateless firmwre, so that
users can create their instance with stateless firmware.

- Add the new ``COMPUTE_SECURITY_STATELESS_FIRMWARE`` trait to os-traits.

- Make libvirt driver check the current version of libvirt and report
the ``supports_stateless_firmware`` capability when the version is equal or
newer than v8.6.0. This capability should be mapped to
the ``COMPUTE_SECURITY_STATELESS_FIRMWARE`` trait.

- Add the new ``hw_firmware_stateless`` image property, which accept boolean
values and is ``false`` by default. If the property is set to ``true`` then
nova translate it to requiring the ``COMPUTE_SECURITY_STATELESS_FIRMWARE``
trait.

- Change the libvirt driver to adds the ``stateless`` option to the ``loader``
element of libvirt domain XML, if instance metadata of the instance contains
``hw_firmware_stateless`` property set to ``true``.

Alternatives
------------

None

Data model impact
-----------------

A new trait and new image property will be used to present availability and
request of stateless firmware feature in libvirt.

REST API impact
---------------

None

Security impact
---------------

None

Notifications impact
--------------------

None

Other end user impact
---------------------

The end user will be able to use statless firmware for their instances through
the existing image property mechanism.

Performance Impact
------------------

None

Other deployer impact
---------------------

In order for users to be able to use this feature, the operator will need to
deploy libvirt v8.6.0 or later in the deployment.

Developer impact
----------------

None

Upgrade impact
--------------

None


Implementation
==============

Assignee(s)
-----------

Primary assignee:
kajinamit (irc: tkajinam)

Other contributors:
None

Work Items
----------

TBD

Dependencies
============

Libvirt v8.6.0 or later.


Testing
=======

The ``fakelibvirt`` test driver will need adaptation to emulate libvirt older
than v8.6.0 and libvirt v8.6.0 or later.

Corresponding unit/functional tests will need to be extended or added
to cover:

- detection of the statless firmware support by libvirt

- the use of a trait to include extra stateless loader option in domain XML
configuration.


Documentation Impact
====================

- Update `the Feature Support Matrix
<https://docs.openstack.org/nova/latest/user/support-matrix.html>`_, to
include stateless firmware support.

- Update the existing `AMD SEV
<https://docs.openstack.org/nova/latest/admin/sev.html>`_ guide to include
information about stateless firmware.


References
==========

- `libvirt's Domain XML format
<https://libvirt.org/formatdomain.html#bios-bootloader>`_


- `libvirt's SEV options <https://libvirt.org/formatdomain.html#sev>`_


History
=======

.. list-table:: Revisions
:header-rows: 1

* - Release Name
- Description
* - 2024.2 Dalmetian
- Introduced
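Review bot: the Proposed change list does not close the gap that the Problem description itself raises, namely that nova always injects an nvram file into the domain XML. Adding the ``stateless`` option to the ``loader`` element is only half of the change; the last bullet should also state that, when ``hw_firmware_stateless`` is ``true``, the driver omits the ``nvram`` element and does not create a per-instance NVRAM file, otherwise the firmware still has hypervisor-writable state. The same bullet should say what happens when the property is set on an image that is not booted with UEFI (the Problem description ties the feature to UEFI): rejected at scheduling, or ignored. "Security impact: None" does not fit a spec whose stated purpose is to stop the hypervisor injecting firmware variables; it should summarise the read-only CODE and VARS and the fuller boot-chain measurement for remote attestation from the Problem description, and the trade-off that follows from read-only VARS, that firmware variable changes made by the guest do not survive a reboot, which also belongs under "Other end user impact". Smaller points: "Alternatives: None" could mention a flavor extra spec as the usual counterpart to an image property; "Work Items: TBD" needs filling in before the 2024.2 review; and the spelling of "libvit", "serface", "prevens", "hypevisor", "firmwre", "statless" (twice) and "Dalmetian" (Dalmatian) should be fixed, along with "which accept" -> "which accepts", "nova translate" -> "nova translates" and "to adds" -> "to add".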