Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2106763

Summary: [RHOS-17] Deploying guest with UEFI Secure Boot fails due to SMM boot not enabled
Product: Red Hat OpenStack
Component: openstack-nova
Version: 17.0 (Wallaby)
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: James Parker <jparker>
Assignee: Kashyap Chamarthy <kchamart>
QA Contact: OSP DFG:Compute <osp-dfg-compute>
CC: alifshit, dasmith, eglynn, igallagh, jhakimra, jschluet, kchamart, rheslop, sbauza, sgordon, smooney, vromanso
Target Milestone: z1
Target Release: 17.0
Keywords: Patch, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-nova-23.2.2-0.20221121200753.7074ac0.el9ost
Doc Type: Bug Fix
Doc Text: Before this update, an underlying RHEL issue caused a known issue with UEFI boot for instances. With this update, the underlying RHEL issue has now been fixed and the UEFI Secure Boot feature for instances is now available.
Last Closed: 2023-01-25 12:28:50 UTC
Type: Bug
Bug Blocks: 1369007, 2147610

Description James Parker 2022-07-13 13:49:31 UTC
Description of problem:
Booting a guest with UEFI Secure boot fails due to SMM boot not enabled:

(overcloud) [stack@undercloud-0 ~]$ openstack resource provider list
+--------------------------------------+------------------------+------------+
| uuid                                 | name                   | generation |
+--------------------------------------+------------------------+------------+
| 257fd332-0049-46d6-9c88-29692fd3d6f4 | compute-1.redhat.local |         84 |
| b8aab45e-4a05-49f8-9811-58fa0c3bc7e5 | compute-0.redhat.local |         64 |
+--------------------------------------+------------------------+------------+
(overcloud) [stack@undercloud-0 ~]$ openstack --os-placement-api-version 1.17 resource provider trait list 257fd332-0049-46d6-9c88-29692fd3d6f4 | grep -i secure
| COMPUTE_SECURITY_UEFI_SECURE_BOOT     |
(overcloud) [stack@undercloud-0 ~]$ openstack image create uefi-secure-boot --disk-format qcow2 --container-format bare --file $IMGNAME
+------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field            | Value                                                                                                                                                |
+------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| container_format | bare                                                                                                                                                 |
| created_at       | 2022-07-11T19:08:08Z                                                                                                                                 |
| disk_format      | qcow2                                                                                                                                                |
| file             | /v2/images/bcbb1f68-5353-45aa-8cf7-f051057996e8/file                                                                                                 |
| id               | bcbb1f68-5353-45aa-8cf7-f051057996e8                                                                                                                 |
| min_disk         | 0                                                                                                                                                    |
| min_ram          | 0                                                                                                                                                    |
| name             | uefi-secure-boot                                                                                                                                     |
| owner            | 5573ce87f00f422abf5150b3cee83eda                                                                                                                     |
| properties       | os_hidden='False', owner_specified.openstack.md5='', owner_specified.openstack.object='images/uefi-secure-boot', owner_specified.openstack.sha256='' |
| protected        | False                                                                                                                                                |
| schema           | /v2/schemas/image                                                                                                                                    |
| status           | queued                                                                                                                                               |
| tags             |                                                                                                                                                      |
| updated_at       | 2022-07-11T19:08:08Z                                                                                                                                 |
| visibility       | shared                                                                                                                                               |
+------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ openstack image set --property hw_firmware_type=uefi --property os_secure_boot=required uefi-secure-boot
(overcloud) [stack@undercloud-0 ~]$ openstack server create --flavor m1.micro --image uefi-secure-boot test-vm --wait
Error creating server: test-vm
Error creating server
(overcloud) [stack@undercloud-0 ~]$ openstack server event list test-vm
+------------------------------------------+--------------------------------------+--------+----------------------------+
| Request ID                               | Server ID                            | Action | Start Time                 |
+------------------------------------------+--------------------------------------+--------+----------------------------+
| req-8f191cb0-6522-42da-8018-5290d0a764f7 | 553d41ec-d373-4f6a-abab-be6667435570 | create | 2022-07-11T19:09:33.000000 |
+------------------------------------------+--------------------------------------+--------+----------------------------+
(overcloud) [stack@undercloud-0 ~]$ openstack server event show 553d41ec-d373-4f6a-abab-be6667435570 req-8f191cb0-6522-42da-8018-5290d0a764f7 -f json -c events | jq
{
  "events": [
    {
      "event": "compute__do_build_and_run_instance",
      "start_time": "2022-07-11T19:09:39.000000",
      "finish_time": null,
      "result": null,
      "traceback": null,
      "host": "compute-0.redhat.local",
      "hostId": "5c4bafef71b408571cf73c280d380c9cc42887bcee68a0ba7892c2c8",
      "details": null
    },
    {
      "event": "compute__do_build_and_run_instance",
      "start_time": "2022-07-11T19:09:34.000000",
      "finish_time": "2022-07-11T19:09:43.000000",
      "result": "Success",
      "traceback": null,
      "host": "compute-1.redhat.local",
      "hostId": "79425b40b02272f7feb2d0e37d6f9b7180bb7b9d9c3eae3ea7d47673",
      "details": null
    }
  ]
}

# From compute log
2022-07-11 19:09:42.753 2 ERROR nova.virt.libvirt.guest [req-8f191cb0-6522-42da-8018-5290d0a764f7 c81a390aed56446287c74aa24f64dd8e 5573ce87f00f422abf5150b3cee83eda - default default] Error defining a guest with XML: <domain type="kvm">
  <uuid>553d41ec-d373-4f6a-abab-be6667435570</uuid>
  <name>instance-0000002d</name>
  <memory>196608</memory>
  <vcpu cpuset="0-1">1</vcpu>
  <metadata>
    <nova:instance xmlns:nova="http://openstack.org/xmlns/libvirt/nova/1.1">
      <nova:package version="23.2.1-0.20220622150406.7d5b289.el9ost"/>
      <nova:name>test-vm</nova:name>
      <nova:creationTime>2022-07-11 19:09:42</nova:creationTime>
      <nova:flavor name="m1.micro">
        <nova:memory>192</nova:memory>
        <nova:disk>1</nova:disk>
        <nova:swap>0</nova:swap>
        <nova:ephemeral>0</nova:ephemeral>
        <nova:vcpus>1</nova:vcpus>
      </nova:flavor>
      <nova:owner>
        <nova:user uuid="c81a390aed56446287c74aa24f64dd8e">admin</nova:user>
        <nova:project uuid="5573ce87f00f422abf5150b3cee83eda">admin</nova:project>
      </nova:owner>
      <nova:root type="image" uuid="bcbb1f68-5353-45aa-8cf7-f051057996e8"/>
      <nova:ports>
        <nova:port uuid="ae8d4518-fef1-43a4-a9e5-28343e568d84">
          <nova:ip type="fixed" address="2620:52:0:13b8::1000:8c" ipVersion="6"/>
          <nova:ip type="fixed" address="10.0.0.167" ipVersion="4"/>
        </nova:port>
      </nova:ports>
    </nova:instance>
  </metadata>
  <sysinfo type="smbios">
    <system>
      <entry name="manufacturer">Red Hat</entry>
      <entry name="product">OpenStack Compute</entry>
      <entry name="version">23.2.1-0.20220622150406.7d5b289.el9ost</entry>
      <entry name="serial">553d41ec-d373-4f6a-abab-be6667435570</entry>
      <entry name="uuid">553d41ec-d373-4f6a-abab-be6667435570</entry>
      <entry name="family">Virtual Machine</entry>
    </system>
  </sysinfo>
  <os>
    <type machine="q35">hvm</type>
    <loader type="pflash" readonly="yes" secure="yes">/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram template="/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd"/>
    <boot dev="hd"/>
    <smbios mode="sysinfo"/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <clock offset="utc">
    <timer name="pit" tickpolicy="delay"/>
    <timer name="rtc" tickpolicy="catchup"/>
    <timer name="hpet" present="no"/>
  </clock>
  <cpu mode="custom" match="exact">
    <model>Haswell-noTSX</model>
    <topology sockets="1" cores="1" threads="1"/>
    <feature name="mmx" policy="disable"/>
    <feature name="ssse3" policy="require"/>
    <feature name="vme" policy="require"/>
  </cpu>
  <devices>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2" cache="none"/>
      <source file="/var/lib/nova/instances/553d41ec-d373-4f6a-abab-be6667435570/disk"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <interface type="bridge">
      <mac address="fa:16:3e:af:2b:c5"/>
      <model type="virtio"/>
      <driver name="vhost" rx_queue_size="1024"/>
      <source bridge="br-int"/>
      <mtu size="1500"/>
      <target dev="tapae8d4518-fe"/>
      <virtualport type="openvswitch">
        <parameters interfaceid="ae8d4518-fef1-43a4-a9e5-28343e568d84"/>
      </virtualport>
    </interface>
    <serial type="pty">
      <log file="/var/lib/nova/instances/553d41ec-d373-4f6a-abab-be6667435570/console.log" append="off"/>
    </serial>
    <graphics type="vnc" autoport="yes" listen="172.17.1.28"/>
    <video>
      <model type="virtio"/>
    </video>
    <input type="tablet" bus="usb"/>
    <rng model="virtio">
      <backend model="random">/dev/urandom</backend>
    </rng>
    <controller type="pci" model="pcie-root"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="usb" index="0"/>
    <memballoon model="virtio">
      <stats period="10"/>
    </memballoon>
  </devices>
</domain>
: libvirt.libvirtError: unsupported configuration: Secure boot requires SMM feature enabled
2022-07-11 19:09:42.753 2 ERROR nova.virt.libvirt.driver [req-8f191cb0-6522-42da-8018-5290d0a764f7 c81a390aed56446287c74aa24f64dd8e 5573ce87f00f422abf5150b3cee83eda - default default] [instance: 553d41ec-d373-4f6a-abab-be6667435570] Failed to start libvirt guest: libvirt.libvirtError: unsupported configuration: Secure boot requires SMM feature enabled

Version-Release number of selected component (if applicable):
17

How reproducible:
100%

Steps to Reproduce:
1. Configure an image with --property hw_firmware_type=uefi --property os_secure_boot=required on a 17 environment
2. Launch a guest with the image

Actual results:
Guest fails to schedule

Expected results:
Guest schedules and comes up without any issues

Additional info:

Comment 2 Artom Lifshitz 2022-08-22 17:35:27 UTC
Since this BZ is tracking the fix, changing doc_type to bug fix and removing previous known issue. https://bugzilla.redhat.com/show_bug.cgi?id=2120377 has been filed to track the Known Issue.

Comment 4 Artom Lifshitz 2022-09-07 16:40:57 UTC
Good point, forgot to clear the doctext draft earlier.

Comment 17 errata-xmlrpc 2023-01-25 12:28:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 17.0.1 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0271