New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows offline activation with ACPI SLIC table #10774
Windows offline activation with ACPI SLIC table #10774
Conversation
400cbf2
to
1b0be18
Compare
1b0be18
to
1979262
Compare
This is a 36 bytes file... it should be fine for test purposes but I can move it to const array if binary files are no-no. |
/cc |
tests/vmi_configuration_test.go
Outdated
const volumeSlicSecretName = "volume-slic-secret" | ||
const secretWithSlicName = "secret-with-slic-data" | ||
const hexData = "534c49432400000001494352415348204d450000000000008804000071656d7500000000" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
super nit: you can use a single const block
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Alice, thanks for the quick review. I'll make it a const block in the next iteration. I'll probably move the binary data here as well and use that to compare (instead of hexData
).
@victortoso the code looks already great! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@victortoso, the code looks good overall. Just a thought from my side: as I see now there is a need to manually setup the volume with volume source pointing to the proper secret. Wouldn't it be more convenient for the end-user if we had just SlicNameRef
in the VMI spec referencing the secret (not to the volume name), and the volume could be rendered automatically if vmi.Spec.Domain.Firmware.ACPI.SlicNameRef
is set?
} | ||
|
||
type ACPI struct { | ||
// SliceNameRef should match the volume name of a secret object. The data in the secret should |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// SliceNameRef should match the volume name of a secret object. The data in the secret should | |
// SlicNameRef should match the volume name of a secret object. The data in the secret should |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @vasiliy-ul , thanks for the quick review.
I thought about referencing the Secret in the SlicNameRef
as well but I decided to do the easier path first.
I don't have a strong opinion in this so I can change it. Let's just double check if others agree. @alicefr, @xpivarc what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, pointing to the volume name is fine. If for any reasons we decide to support another type of volume for this, then this mechanism still remains true. Also, kubernetes references the secrets by volume name inside the pod spec. So, I don't think it is too unusual for the user to reference the volume name instead of the secret name.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to note: changing later the reference from volume to secret will be a breaking API change. I am not pushing with this, but IMHO it is better to come up with a long-term decision when the API is introduced. Altering it after the release may become problematic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that deciding now is better. For the moment, I'm keeping the current code behavior to reference the volume name.
The SLIC table is used for generic activation of Windows guests. https://learn.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653305(v=vs.85) Signed-off-by: Victor Toso <victortoso@redhat.com>
It is specific and big enough logic block. - Return early if firmware is not set - Use local 'firmware' variable Signed-off-by: Victor Toso <victortoso@redhat.com>
Signed-off-by: Victor Toso <victortoso@redhat.com>
Result of make generate Signed-off-by: Victor Toso <victortoso@redhat.com>
Verifies the steps: - Creating a Secret with binary SLIC table - Passing its name to new ACPI api - Creates Guest with ACPI SLIC table Signed-off-by: Victor Toso <victortoso@redhat.com>
1979262
to
6a04bfb
Compare
|
/retest |
/test-required |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alicefr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@vasiliy-ul what do you think about this PR? IMO, this is ready.
The PR looks good from my perspective. Regarding the issue I raised in #10774 (review), I do not see it as a blocker and do not insist on changing the implementation.
Still leaving it up to @victortoso to unhold :)
/lgtm |
BTW, I guess you could have used base64 to store the table in a text file (and silence the checker) and use embed. Then decode it in the test... Just a thought. |
Thanks @vasiliy-ul and @alicefr for the quick reviews. Let's unhold it then. I'm not sure I can do it, but does not hurt to try: /unhold
That's neat. I'll keep it in mind for the next time. |
/retest |
/test pull-kubevirt-check-tests-for-flakes |
/test pull-kubevirt-check-tests-for-flakes |
/retest-required |
@victortoso: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest |
// SlicNameRef should match the volume name of a secret object. The data in the secret should | ||
// be a binary blob that follows the ACPI SLIC standard, see: | ||
// https://learn.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653305(v=vs.85) | ||
SlicNameRef string `json:"slicNameRef,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to restrict this to x86? @alicefr @victortoso
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think so. I'm double checking and I'll let you know.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @xpivarc, there is no explicit restriction. It should work for Windows on arm, albeit this was not tested.
What this PR does / why we need it:
It allows setting the SLIC ACPI table which is useful for offline Windows activation.
The user needs to have the data following Microsoft specification. This PR does not provide a way for users to generate this binary data.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
This is a working PR with a proposal to provide this feature. We can test this without Windows VMs as the ACPI SLIC table can be verified in a Linux Guest.
Checklist
This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.
Release note: