Bug 2120377

Summary: [17.0 ga known issue] Deploying guest with UEFI Secure Boot fails due to SMM boot not enabled
Product: Red Hat OpenStack
Reporter: Artom Lifshitz <alifshit>
Component: openstack-nova
Assignee: OSP DFG:Compute <osp-dfg-compute>
Status: CLOSED CURRENTRELEASE
QA Contact: OSP DFG:Compute <osp-dfg-compute>
Severity: medium
Priority: medium
Version: 17.0 (Wallaby)
CC: dasmith, eglynn, igallagh, jhakimra, jschluet, kchamart, sbauza, sgordon, smooney, vromanso
Target Milestone: ga
Keywords: Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Doc Text:
You cannot use the UEFI Secure Boot feature because there is currently a known issue with UEFI boot for instances. This is due to an underlying RHEL issue.
Last Closed: 2022-12-12 17:20:34 UTC

Description Artom Lifshitz 2022-08-22 17:35:06 UTC
This bug was initially created as a copy of Bug #2106763

I am copying this bug because: 

Need to add a known issue in release notes for UEFI in 17 GA.

Description of problem:
Booting a guest with UEFI Secure boot fails due to SMM boot not enabled:

(overcloud) [stack@undercloud-0 ~]$ openstack resource provider list
+--------------------------------------+------------------------+------------+
| uuid                                 | name                   | generation |
+--------------------------------------+------------------------+------------+
| 257fd332-0049-46d6-9c88-29692fd3d6f4 | compute-1.redhat.local |         84 |
| b8aab45e-4a05-49f8-9811-58fa0c3bc7e5 | compute-0.redhat.local |         64 |
+--------------------------------------+------------------------+------------+
(overcloud) [stack@undercloud-0 ~]$ openstack --os-placement-api-version 1.17 resource provider trait list 257fd332-0049-46d6-9c88-29692fd3d6f4 | grep -i secure
| COMPUTE_SECURITY_UEFI_SECURE_BOOT     |
(overcloud) [stack@undercloud-0 ~]$ openstack image create uefi-secure-boot --disk-format qcow2 --container-format bare --file $IMGNAME
+------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field            | Value                                                                                                                                                |
+------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| container_format | bare                                                                                                                                                 |
| created_at       | 2022-07-11T19:08:08Z                                                                                                                                 |
| disk_format      | qcow2                                                                                                                                                |
| file             | /v2/images/bcbb1f68-5353-45aa-8cf7-f051057996e8/file                                                                                                 |
| id               | bcbb1f68-5353-45aa-8cf7-f051057996e8                                                                                                                 |
| min_disk         | 0                                                                                                                                                    |
| min_ram          | 0                                                                                                                                                    |
| name             | uefi-secure-boot                                                                                                                                     |
| owner            | 5573ce87f00f422abf5150b3cee83eda                                                                                                                     |
| properties       | os_hidden='False', owner_specified.openstack.md5='', owner_specified.openstack.object='images/uefi-secure-boot', owner_specified.openstack.sha256='' |
| protected        | False                                                                                                                                                |
| schema           | /v2/schemas/image                                                                                                                                    |
| status           | queued                                                                                                                                               |
| tags             |                                                                                                                                                      |
| updated_at       | 2022-07-11T19:08:08Z                                                                                                                                 |
| visibility       | shared                                                                                                                                               |
+------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ openstack image set --property hw_firmware_type=uefi --property os_secure_boot=required uefi-secure-boot
(overcloud) [stack@undercloud-0 ~]$ openstack server create --flavor m1.micro --image uefi-secure-boot test-vm --wait
Error creating server: test-vm
Error creating server
(overcloud) [stack@undercloud-0 ~]$ openstack server event list test-vm
+------------------------------------------+--------------------------------------+--------+----------------------------+
| Request ID                               | Server ID                            | Action | Start Time                 |
+------------------------------------------+--------------------------------------+--------+----------------------------+
| req-8f191cb0-6522-42da-8018-5290d0a764f7 | 553d41ec-d373-4f6a-abab-be6667435570 | create | 2022-07-11T19:09:33.000000 |
+------------------------------------------+--------------------------------------+--------+----------------------------+
(overcloud) [stack@undercloud-0 ~]$ openstack server event show 553d41ec-d373-4f6a-abab-be6667435570 req-8f191cb0-6522-42da-8018-5290d0a764f7 -f json -c events | jq
{
  "events": [
    {
      "event": "compute__do_build_and_run_instance",
      "start_time": "2022-07-11T19:09:39.000000",
      "finish_time": null,
      "result": null,
      "traceback": null,
      "host": "compute-0.redhat.local",
      "hostId": "5c4bafef71b408571cf73c280d380c9cc42887bcee68a0ba7892c2c8",
      "details": null
    },
    {
      "event": "compute__do_build_and_run_instance",
      "start_time": "2022-07-11T19:09:34.000000",
      "finish_time": "2022-07-11T19:09:43.000000",
      "result": "Success",
      "traceback": null,
      "host": "compute-1.redhat.local",
      "hostId": "79425b40b02272f7feb2d0e37d6f9b7180bb7b9d9c3eae3ea7d47673",
      "details": null
    }
  ]
}

# From compute log
2022-07-11 19:09:42.753 2 ERROR nova.virt.libvirt.guest [req-8f191cb0-6522-42da-8018-5290d0a764f7 c81a390aed56446287c74aa24f64dd8e 5573ce87f00f422abf5150b3cee83eda - default default] Error defining a guest with XML: <domain type="kvm">
  <uuid>553d41ec-d373-4f6a-abab-be6667435570</uuid>
  <name>instance-0000002d</name>
  <memory>196608</memory>
  <vcpu cpuset="0-1">1</vcpu>
  <metadata>
    <nova:instance xmlns:nova="http://openstack.org/xmlns/libvirt/nova/1.1">
      <nova:package version="23.2.1-0.20220622150406.7d5b289.el9ost"/>
      <nova:name>test-vm</nova:name>
      <nova:creationTime>2022-07-11 19:09:42</nova:creationTime>
      <nova:flavor name="m1.micro">
        <nova:memory>192</nova:memory>
        <nova:disk>1</nova:disk>
        <nova:swap>0</nova:swap>
        <nova:ephemeral>0</nova:ephemeral>
        <nova:vcpus>1</nova:vcpus>
      </nova:flavor>
      <nova:owner>
        <nova:user uuid="c81a390aed56446287c74aa24f64dd8e">admin</nova:user>
        <nova:project uuid="5573ce87f00f422abf5150b3cee83eda">admin</nova:project>
      </nova:owner>
      <nova:root type="image" uuid="bcbb1f68-5353-45aa-8cf7-f051057996e8"/>
      <nova:ports>
        <nova:port uuid="ae8d4518-fef1-43a4-a9e5-28343e568d84">
          <nova:ip type="fixed" address="2620:52:0:13b8::1000:8c" ipVersion="6"/>
          <nova:ip type="fixed" address="10.0.0.167" ipVersion="4"/>
        </nova:port>
      </nova:ports>
    </nova:instance>
  </metadata>
  <sysinfo type="smbios">
    <system>
      <entry name="manufacturer">Red Hat</entry>
      <entry name="product">OpenStack Compute</entry>
      <entry name="version">23.2.1-0.20220622150406.7d5b289.el9ost</entry>
      <entry name="serial">553d41ec-d373-4f6a-abab-be6667435570</entry>
      <entry name="uuid">553d41ec-d373-4f6a-abab-be6667435570</entry>
      <entry name="family">Virtual Machine</entry>
    </system>
  </sysinfo>
  <os>
    <type machine="q35">hvm</type>
    <loader type="pflash" readonly="yes" secure="yes">/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram template="/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd"/>
    <boot dev="hd"/>
    <smbios mode="sysinfo"/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <clock offset="utc">
    <timer name="pit" tickpolicy="delay"/>
    <timer name="rtc" tickpolicy="catchup"/>
    <timer name="hpet" present="no"/>
  </clock>
  <cpu mode="custom" match="exact">
    <model>Haswell-noTSX</model>
    <topology sockets="1" cores="1" threads="1"/>
    <feature name="mmx" policy="disable"/>
    <feature name="ssse3" policy="require"/>
    <feature name="vme" policy="require"/>
  </cpu>
  <devices>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2" cache="none"/>
      <source file="/var/lib/nova/instances/553d41ec-d373-4f6a-abab-be6667435570/disk"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <interface type="bridge">
      <mac address="fa:16:3e:af:2b:c5"/>
      <model type="virtio"/>
      <driver name="vhost" rx_queue_size="1024"/>
      <source bridge="br-int"/>
      <mtu size="1500"/>
      <target dev="tapae8d4518-fe"/>
      <virtualport type="openvswitch">
        <parameters interfaceid="ae8d4518-fef1-43a4-a9e5-28343e568d84"/>
      </virtualport>
    </interface>
    <serial type="pty">
      <log file="/var/lib/nova/instances/553d41ec-d373-4f6a-abab-be6667435570/console.log" append="off"/>
    </serial>
    <graphics type="vnc" autoport="yes" listen="172.17.1.28"/>
    <video>
      <model type="virtio"/>
    </video>
    <input type="tablet" bus="usb"/>
    <rng model="virtio">
      <backend model="random">/dev/urandom</backend>
    </rng>
    <controller type="pci" model="pcie-root"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="usb" index="0"/>
    <memballoon model="virtio">
      <stats period="10"/>
    </memballoon>
  </devices>
</domain>
: libvirt.libvirtError: unsupported configuration: Secure boot requires SMM feature enabled
2022-07-11 19:09:42.753 2 ERROR nova.virt.libvirt.driver [req-8f191cb0-6522-42da-8018-5290d0a764f7 c81a390aed56446287c74aa24f64dd8e 5573ce87f00f422abf5150b3cee83eda - default default] [instance: 553d41ec-d373-4f6a-abab-be6667435570] Failed to start libvirt guest: libvirt.libvirtError: unsupported configuration: Secure boot requires SMM feature enabled

Version-Release number of selected component (if applicable):
17

How reproducible:
100%

Steps to Reproduce:
1. Configure an image with --property hw_firmware_type=uefi --property os_secure_boot=required on a 17 environment
2. Launch a guest with the image

Actual results:
Guest fails to schedule

Expected results:
Guest schedules and comes up without any issues

Additional info:
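
The domain XML in the compute log above asks for a secure loader (`<loader ... secure="yes">`) on a q35 machine, but its `<features>` block carries only `<acpi/>` and `<apic/>`; libvirt's validation rejects exactly that combination with "Secure boot requires SMM feature enabled", because Secure Boot on OVMF depends on SMM emulation, which libvirt enables with `<smm state="on"/>` under `<features>` and which is only available on q35 machine types. The following script is an added example, not nova or libvirt code: it runs libvirt's two static Secure Boot preconditions (q35 machine type, SMM enabled) against a trimmed copy of the XML from the log, so the failure can be caught before `virsh define` or a nova boot is attempted, and it shows what a definition libvirt would accept looks like. The sample XML is a constructed, shortened copy of the one in the log (devices and metadata dropped); the function names are the example's own.

```python
"""Static preflight check for UEFI Secure Boot in a libvirt domain XML.

Added example for this bug (not nova or libvirt code). It models the two
static requirements libvirt enforces for <loader secure="yes">:
  * the machine type must be q35, and
  * <features> must contain <smm state="on"/>.
Other libvirt checks (firmware paths, NVRAM template, host support) are
not modelled here.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the domain XML nova generated in the
# compute log above, keeping only the <os> and <features> parts that matter.
NOVA_DOMAIN_XML = """<domain type="kvm">
  <name>instance-0000002d</name>
  <memory>196608</memory>
  <vcpu>1</vcpu>
  <os>
    <type machine="q35">hvm</type>
    <loader type="pflash" readonly="yes" secure="yes">/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram template="/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd"/>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
</domain>
"""


def secure_boot_problems(domain_xml: str) -> list[str]:
    """Return the reasons libvirt would reject this definition for Secure Boot.

    An empty list means the static checks pass (or Secure Boot was not
    requested at all, in which case there is nothing to check).
    """
    root = ET.fromstring(domain_xml)
    loader = root.find("./os/loader")
    if loader is None or loader.get("secure") != "yes":
        return []  # no Secure Boot requested, nothing to validate

    problems = []
    os_type = root.find("./os/type")
    machine = os_type.get("machine", "") if os_type is not None else ""
    # SMM emulation only exists on q35 ("q35" or a versioned "pc-q35-*").
    if not (machine == "q35" or machine.startswith("pc-q35")):
        problems.append(f"machine type {machine!r} is not q35")

    # This is the check that failed in the log above. libvirt treats a bare
    # <smm/> as state="on", so only an absent element or state="off" fails.
    smm = root.find("./features/smm")
    if smm is None or smm.get("state", "on") != "on":
        problems.append('<features> lacks <smm state="on"/>')
    return problems


def enable_smm(domain_xml: str) -> str:
    """Return the XML with <smm state="on"/> added under <features>."""
    root = ET.fromstring(domain_xml)
    features = root.find("features")
    if features is None:
        features = ET.SubElement(root, "features")
    smm = features.find("smm")
    if smm is None:
        smm = ET.SubElement(features, "smm")
    smm.set("state", "on")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # As generated by nova: fails the SMM check. With SMM enabled: passes.
    for label, xml in (("as generated by nova", NOVA_DOMAIN_XML),
                       ("with SMM enabled", enable_smm(NOVA_DOMAIN_XML))):
        print(f"{label}: {secure_boot_problems(xml) or 'OK'}")
```

Running this against the XML from the log reports only the missing `<smm state="on"/>`, which matches the libvirt error; after `enable_smm` the same checks pass. Note that adding the element by hand only works for guests defined directly with libvirt: nova regenerates the domain XML on every boot, so on an OSP 17.0 compute the known issue stands until the underlying RHEL/nova behaviour is fixed.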

Comment 3 Irina 2022-11-24 12:27:16 UTC
*** Bug 2147610 has been marked as a duplicate of this bug. ***

Comment 8 Artom Lifshitz 2022-12-12 17:20:34 UTC
Let's close this out, the known issue release note has been done.

Comment 9 Red Hat Bugzilla 2023-09-18 04:45:16 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days