5dc78fd9a1
Previously-approved: Mitaka Change-Id: Ic7d5641b37fbcc8739d45e9470f8af0b16dc353e Implements: blueprint hyper-v-uefi-secureboot
7.6 KiB
Hyper-V UEFI SecureBoot
https://blueprints.launchpad.net/nova/+spec/hyper-v-uefi-secureboot
Secure Boot is a mechanism that starts the bootloader only if the bootloader's signature has maintained integrity, assuring that only approved components are allowed to run. Secure Boot is dependent on UEFI.
Problem description
Secure Boot is currently disabled in the Nova Hyper-V Driver, as it did not support Linux guests [2], only Windows guests [3]. The new Windows / Hyper-V Server Technical Preview introduces Secure Boot support for Linux guests. [3]
Use Cases
This feature will increase the security of the spawned instances, assuring their integrity before they boot.
Proposed change
In order enable Secure Boot on an instance, the field SecureBootEnabled must be set to True, when creating the instance's Msvm_VirtualSystemSettingData WMI object.
As Secure Boot is not supported by all guests, enabling it for
instances that do not support it will result in a hanging VM. Thus,
Secure Boot feature will be enabled by setting the
os_secure_boot image property or the
os:secure_boot flavor extra spec to required.
Other possible values are: disabled and
optional. The flavor extra spec value overrides the image
property value.
The image property values are:
disabled, optional, required. If the property is not
defined, the default value disabled will be used. The
flavor extra spec acceptable value is: required. Any other
value will be ignored.
Linux guests are supported in Windows / Hyper-V Server Technical
Preview and they also require the bootloader's digital signature. This
will also be provided as an image property
os_secure_boot_signature (string).
If the given instance requires Secure Boot but it does not contain
the hw_machine_type=hyperv-gen2 image property, the
instance creation should fail, as Secure Boot requires Generation 2 VMs.
Generation 2 VMs were introduced in Windows / Hyper-V Server 2012 R2 and
support for them was introduced in the Kilo release (see Dependencies
section).
Scheduling is assured by the ImagePropertiesFilter [5], which checks
if the image property hypervisor_version_requires is
satisfied by the given hosts. This is the initial approach to solving
the scheduling problem. Ideally, this problem will be solved by exposing
this feature as a host capability and having the
os_secure_boot and os_type image properties
match the host capability.
Alternatives
None
Data model impact
os_secure_boot field must be added to the ImageMetaProps
object, as there is no field for the image property with the same
name.
REST API impact
None
Security impact
This feature will assure that the spawned instances are safe.
Notifications impact
None
Other end user impact
None
Performance Impact
None
Other deployer impact
The images must be prepared for Secure Boot. For example, the VM on which the image is prepared, it must be Generation 2 VM with Secure Boot enabled. Instances using such images will be able to spawned with Secure Boot on or off, while instances using images that are not prepared for Secure Boot can only spawn with Secure Boot off.
Images should be for Generation 2 VMs images. The image property
hw_machine_type=hyperv-gen2 is mandatory.
Linux images requiring Secure Boot must be spawned on Windows /
Hyper-V Server Technical Preview. In order for the instances to be
properly scheduled, the images must contain the property
hypervisor_version_requires='>=10.0'. In this case, the
image property os_secure_boot_signature containing the
bootloader's digital signature is required.
Nova scheduler should use the ImagePropertiesFilter [5], which checks
that the hosts satisfy the hypervisor_version_requires
image property. In order to use this filter, it should be added to the
scheduler's nova.conf file, scheduler_default_filters
field. By default, this filter is included in the list.
In order to properly use Secure Boot, images should be created as follows:
Windows images (Windows 8 or Windows / Hyper-V Server 2012 R2 or newer):
glance image-create --property hypervisor_type=hyperv --property hw_machine_type=hyperv-gen2 --property hypervisor_version_requires='>=6.3' --property os_secure_boot=required --name win-secure --disk-format vhd --container-format bare --file path/to/windows.vhdx
or
glance image-update --property hw_machine_type=hyperv-gen2 win-secure
glance image-update --property os_secure_boot=required win-secure
glance image-update --property hypervisor_version_requires='>=6.3' win-secure
Linux images:
glance image-create --property hypervisor_type=hyperv --property hw_machine_type=hyperv-gen2 --property hypervisor_version_requires='>=10.0' --property os_secure_boot=required --property os_secure_boot_signature=$SIGNATURE --name im-secure --disk-format vhd --container-format bare --file path/to/linux.vhdx
or
glance image-update --property hw_machine_type=hyperv-gen2 im-secure
glance image-update --property os_secure_boot=required im-secure
glance image-update --property os_secure_boot_signature=$SIGNATURE im-secure
glance image-update --property hypervisor_version_requires='>=10.0' im-secure
The os_secure_boot image property acceptable values are:
disabled, optional, required. If the property is not
defined, disabled will be used as default value. The
optional value means that the image is capable of Secure
Boot, but it will require the flavor extra spec in order to use this
feature.
Secure Boot VMs can also be requested as a flavor extra spec called
os:secure_boot, having the value required.
Example:
nova flavor-key m1.your.flavor set "os:secure_boot=required"
Developer impact
None
Implementation
Assignee(s)
- Primary assignee:
-
Claudiu Belu <cbelu@cloudbasesolutions.com>
Work Items
As described in the Proposed Change.
Dependencies
- Hyper-V VM Generation 2 nova spec. Feature merged in Kilo.
Testing
- Unit tests.
- Will be tested by Hyper-V CI.
Documentation Impact
The new image properties and will have to be documented.
References
- [1] Hyper-V Generation 2 VMs
- [2] Secure Boot not supported on:
- [3] Secure Boot supported on:
-
- Ubuntu, SUSE on Hyper-V Technical Preview:
-
https://technet.microsoft.com/en-us/library/dn765471.aspx#BKMK_linux
- [4] Msvm_VirtualSystemSettingData:
-
https://msdn.microsoft.com/en-us/library/hh850257%28v=vs.85%29.aspx
- [5] Nova scheduler ImagePropertiesFilter:
-
https://github.com/openstack/nova/blob/master/nova/scheduler/filters/image_props_filter.py#L75