Windows offline activation with ACPI SLIC table

[victortoso]

What this PR does / why we need it:
It allows setting the SLIC ACPI table which is useful for offline Windows activation.

The user needs to have the data following Microsoft specification. This PR does not provide a way for users to generate this binary data.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

This is a working PR with a proposal to provide this feature. We can test this without Windows VMs as the ACPI SLIC table can be verified in a Linux Guest.

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• Design: A design document was considered and is present (link) or not required
• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Testing: New code requires new unit tests. New features and bug fixes require at least on e2e test
• Documentation: A user-guide update was considered and is present (link) or not required. You want a user-guide update if it's a user facing feature / API change.
• Community: Announcement to kubevirt-dev was considered

Release note:

Windows offline activation with ACPI SLIC table

[victortoso]

• pull-kubevirt-generate — Job failed.                    

./hack/verify-generate.sh
./hack/check-for-binaries.sh
< tests/testdata/firmware-acpi-slic-table.bin:1
Binary files are present in git repostory.
make: *** [Makefile:56: generate-verify] Error 1 

This is a 36 bytes file... it should be fine for test purposes but I can move it to const array if binary files are no-no.

[alicefr]

/cc

[alicefr]

super nit: you can use a single const block

[victortoso]

Hi Alice, thanks for the quick review. I'll make it a const block in the next iteration. I'll probably move the binary data here as well and use that to compare (instead of hexData).

[alicefr]

@victortoso the code looks already great!
/lgtm

[vasiliy-ul]

@victortoso, the code looks good overall. Just a thought from my side: as I see now there is a need to manually setup the volume with volume source pointing to the proper secret. Wouldn't it be more convenient for the end-user if we had just SlicNameRef in the VMI spec referencing the secret (not to the volume name), and the volume could be rendered automatically if vmi.Spec.Domain.Firmware.ACPI.SlicNameRef is set?

[vasiliy-ul]

Suggested change

	// SliceNameRef should match the volume name of a secret object. The data in the secret should
	// SlicNameRef should match the volume name of a secret object. The data in the secret should

[victortoso]

Hi @vasiliy-ul , thanks for the quick review.

I thought about referencing the Secret in the SlicNameRef as well but I decided to do the easier path first.

I don't have a strong opinion in this so I can change it. Let's just double check if others agree. @alicefr, @xpivarc what do you think?

[alicefr]

IMO, pointing to the volume name is fine. If for any reasons we decide to support another type of volume for this, then this mechanism still remains true. Also, kubernetes references the secrets by volume name inside the pod spec. So, I don't think it is too unusual for the user to reference the volume name instead of the secret name.

[vasiliy-ul]

Just to note: changing later the reference from volume to secret will be a breaking API change. I am not pushing with this, but IMHO it is better to come up with a long-term decision when the API is introduced. Altering it after the release may become problematic.

[victortoso]

I agree that deciding now is better. For the moment, I'm keeping the current code behavior to reference the volume name.

[victortoso]

• Rebased
• Fixed the nits, thanks Alice and Vasiliy for the reviews.
• Removed the embed 36 bytes binary to workaround the check-for-binaries.sh. The slic table is now a []byte in the test.

[victortoso]

/retest

[alicefr]

/test-required
/approve
/hold
Putting on hold to let others reviewing it
@vasiliy-ul what do you think about this PR? IMO, this is ready.

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alicefr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [alicefr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vasiliy-ul]

@vasiliy-ul what do you think about this PR? IMO, this is ready.

The PR looks good from my perspective. Regarding the issue I raised in #10774 (review), I do not see it as a blocker and do not insist on changing the implementation.

Still leaving it up to @victortoso to unhold :)

[vasiliy-ul]

/lgtm

[vasiliy-ul]

Removed the embed 36 bytes binary to workaround the #10774 (comment).

BTW, I guess you could have used base64 to store the table in a text file (and silence the checker) and use embed. Then decode it in the test... Just a thought.

[victortoso]

Still leaving it up to @victortoso to unhold :)

Thanks @vasiliy-ul and @alicefr for the quick reviews. Let's unhold it then. I'm not sure I can do it, but does not hurt to try:

/unhold

BTW, I guess you could have used base64 to store the table in a text file (and silence the checker) and use embed. Then decode it in the test... Just a thought.

That's neat. I'll keep it in mind for the next time.

[victortoso]

/retest

[victortoso]

/test pull-kubevirt-check-tests-for-flakes

[victortoso]

19:49:20: 19:49:20: 2023/11/30 19:49:20 Image pull was unsuccessful: reading image "quay.io/kubevirt/alpine-ext-kernel-boot-demo@sha256:a2ddb2f568bf3814e594a14bc793d5a655a61d5983f3561d60d02afa7bbc56b4": GET https://quay.io/v2/: unsupported status code 502; body:

/test pull-kubevirt-check-tests-for-flakes

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-bot]

@victortoso: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-check-tests-for-flakes	6a04bfb	link	false	/test pull-kubevirt-check-tests-for-flakes
pull-kubevirt-e2e-k8s-1.26-sig-compute	6a04bfb	link	unknown	/test pull-kubevirt-e2e-k8s-1.26-sig-compute

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[victortoso]

/retest

[xpivarc]

Do we need to restrict this to x86? @alicefr @victortoso

[victortoso]

I don't think so. I'm double checking and I'll let you know.

[victortoso]

Hi @xpivarc, there is no explicit restriction. It should work for Windows on arm, albeit this was not tested.