WIP: Add efi and secureboot support #12
Changes from 2 commits
e4e732b
0ed64e7
a90cf1b
97cddf4
3a2f2a8
808573e
0e9b51f
bade36f
1957070
e96b7aa
d960ec0
fdbdbe2
8da41b5
06d3332
ea6989f
547a03d
5bb890d
923bf75
93a9ed7
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
--- | ||
micronit: other task file names use dashes
This file could do with a comment to explain what's going on.
||
|
||
- name: Gather os specific variables | ||
include_vars: "{{ item }}" | ||
with_first_found: | ||
- files: | ||
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" | ||
- "{{ ansible_distribution }}.yml" | ||
- "{{ ansible_os_family }}.yml" | ||
skip: true | ||
tags: vars | ||
|
||
- name: Ensure ovmf generator checkout directory is owned by ansible_user | ||
file: | ||
path: "{{ libvirt_ovmf_vars_generator_checkout_path }}" | ||
owner: "{{ ansible_user }}" | ||
state: directory | ||
become: true | ||
|
||
- name: Clone ovfm-vars generator | ||
git: | ||
repo: 'https://github.com/puiterwijk/qemu-ovmf-secureboot' | ||
dest: "{{ libvirt_ovmf_vars_generator_checkout_path }}" | ||
update: yes | ||
|
||
- name: Get checksum of template OVMF vars | ||
# We need to keep the generated vars in sync with templated version. | ||
# if the OVMF package is updated - we should update a new version with | ||
# the signing keys enrolled. | ||
stat: | ||
path: "{{ libvirt_vm_ovmf_efi_variable_store_path }}" | ||
get_checksum: true | ||
checksum_algorithm: sha256 | ||
register: ovmf_template | ||
|
||
- name: Register path of generated variables | ||
set_fact: | ||
ovmf_enrolled_variables_path: "\ | ||
{{ libvirt_ovmf_vars_generator_output_path }}/\ | ||
{{ libvirt_ovmf_vars_generator_output_prefix }}\ | ||
{{ ovmf_template.stat.checksum }}" | ||
|
||
- name: Check to see if we have generated these vars before | ||
stat: | ||
path: "{{ ovmf_enrolled_variables_path }}" | ||
register: generated_ovmf | ||
|
||
- name: Run OVMF vars generator | ||
Might be good if this role was just provided with a path to this script, which could be installed/cloned by libvirt-host.
||
command: > | ||
python {{ libvirt_ovmf_vars_generator_checkout_path}}/ovmf-vars-generator | ||
--ovmf-binary {{ libvirt_vm_ovmf_efi_firmware_path }} | ||
--uefi-shell-iso {{ libvirt_vm_ovmf_uefi_shell_iso_path }} | ||
--ovmf-template-vars {{ libvirt_vm_ovmf_efi_variable_store_path }} | ||
--qemu-binary {{ libvirt_vm_emulator }} | ||
{% if libvirt_vm_engine == 'kvm' %}--enable-kvm{% endif %} | ||
--skip-testing | ||
--no-download | ||
{{ ovmf_enrolled_variables_path }} | ||
when: not generated_ovmf.stat.exists |
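Review bot: the `Clone ovfm-vars generator` task (`git:` with `repo: 'https://github.com/puiterwijk/qemu-ovmf-secureboot'` and `update: yes`) has no `version:`, so every run fetches whatever HEAD of that third-party repository currently is, and the next task executes it with `python` to produce the variable store that every secure-boot VM will trust. Pin `version:` to a known commit or tag (and consider `update: no` once pinned) so the enrolled signing keys come from reviewed code rather than from the current state of an external repo. Minor: the task name says `ovfm-vars` while the script is `ovmf-vars-generator`.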
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
--- | ||
This stuff probably belongs in libvirt-host.
||
|
||
- name: Gather os specific variables | ||
include_vars: "{{ item }}" | ||
with_first_found: | ||
- files: | ||
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" | ||
- "{{ ansible_distribution }}.yml" | ||
- "{{ ansible_os_family }}.yml" | ||
skip: true | ||
tags: vars | ||
Probably nicer to do this in main.yml.
I wasn't sure if we should make it so the playbooks can be run separately.
Fair point.
||
|
||
- name: Install custom yum repositories | ||
# Although argument splatting is marked as deprecated: | ||
# | ||
# [DEPRECATION WARNING]: Using variables for task params is unsafe, | ||
# especially if the variables come from an external source like facts. This | ||
# feature will be removed in a future release. | ||
# | ||
# The core team had a a change of heart and it is actually being preserved: | ||
# https://github.com/ansible/ansible/pull/43798 | ||
yum_repository: "{{ item }}" | ||
loop: "{{ libvirt_vm_custom_yum_repos | default({}) }}" | ||
nit: default should be a list
||
become: true | ||
|
||
- name: Install custom packages | ||
package: | ||
name: "{{ item }}" | ||
state: present | ||
loop: "{{ libvirt_vm_extra_packages }}" | ||
|
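Review bot: the `Install custom packages` task has no `become: true`, unlike `Install custom yum repositories` directly above it, so `package: name: "{{ item }}" state: present` will fail unless the play already runs as root; add `become: true` to match. Also, `default({})` in `loop: "{{ libvirt_vm_custom_yum_repos | default({}) }}"` should be `default([])`, since `loop` expects a list.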
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -26,6 +26,12 @@ | |
interface: "{{ item }}" | ||
with_items: "{{ interfaces }}" | ||
|
||
- name: Create secure boot template variables | ||
include_tasks: prepare_secure_boot.yml | ||
when: | ||
- boot_firmware == "efi" | ||
- libvirt_vm_ovmf_uefi_shell_iso_path is defined | ||
Not supported on Debian?
The Debian packages don't contain the UEFI shell ISO which contains the
||
|
||
- name: Ensure the VM is defined | ||
virt: | ||
name: "{{ vm.name }}" | ||
|
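Review bot: the `when:` guard on `Create secure boot template variables` skips the whole include silently when `libvirt_vm_ovmf_uefi_shell_iso_path` is undefined, so a host without the ISO (the Debian case raised above) gets an EFI VM with no enrolled keys, i.e. no secure boot, and nothing in the play output says so. A `debug` or `assert` step, or at least a comment on the task, would make the degraded outcome explicit instead of inferred from a skipped task. The condition should probably also check `libvirt_vm_enable_efi_support`, which is what gates the package and repository defaults.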
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,3 +5,18 @@ libvirt_vm_log_owner: libvirt-qemu | |
|
||
# The environment passed to virt_volume.sh | ||
libvirt_vm_volume_creation_env: {} | ||
|
||
# Packages that are only necessary if you require EFI support | ||
libvirt_vm_extra_packages_efi: | ||
- ovmf | ||
|
||
# List of extra packages to install | ||
libvirt_vm_extra_packages: "{{ [] + (libvirt_vm_extra_packages_efi if libvirt_vm_enable_efi_support else []) | unique }}" | ||
Do you need the
||
|
||
# Path to template OVMF efi variable store. A copy will be created | ||
# for each VM created. | ||
libvirt_vm_ovmf_efi_variable_store_path: /usr/share/OVMF/OVMF_VARS.fd | ||
|
||
# Path to OVMF efi firmware | ||
libvirt_vm_ovmf_efi_firmware_path: /usr/share/OVMF/OVMF_CODE.fd | ||
|
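Review bot: in `libvirt_vm_extra_packages: "{{ [] + (libvirt_vm_extra_packages_efi if libvirt_vm_enable_efi_support else []) | unique }}"` the leading `[] +` is a no-op, and because a Jinja filter binds tighter than `+`, `| unique` is applied to the parenthesised expression before the concatenation anyway; `"{{ (libvirt_vm_extra_packages_efi if libvirt_vm_enable_efi_support else []) | unique }}"` says the same thing. The Debian defaults also point at `/usr/share/OVMF/OVMF_CODE.fd` rather than a secure-boot-capable build and define no `libvirt_vm_ovmf_uefi_shell_iso_path`; a comment stating that Debian gets EFI boot but no key enrollment would save the next reader the question asked above.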
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,3 +7,39 @@ libvirt_vm_log_owner: qemu | |
libvirt_vm_volume_creation_env: | ||
VOLUME_GROUP: qemu | ||
VOLUME_OWNER: qemu | ||
|
||
# Packages that are only necessary if you require EFI support | ||
libvirt_vm_extra_packages_efi: | ||
- edk2.git-ovmf-x64 # Official OVMF package doesn't boot (CentOS 7.5) | ||
Interesting, OVMF was just proposed for addition to the nova containers in kolla: https://review.openstack.org/608579
||
- qemu-kvm-ev # Need smm support for secure boot | ||
Does this require hardware virtualisation?
I believe SMM emulation, which is needed for secure boot, requires either KVM or TCG acceleration to be enabled. So, by enabling TCG we should be able to use secure-boot without KVM - but I will need to test this to be sure.
||
|
||
# List of extra packages to install | ||
libvirt_vm_extra_packages: "{{ [] + (libvirt_vm_extra_packages_efi if libvirt_vm_enable_efi_support else []) | unique }}" | ||
|
||
# Path to template OVMF efi variable store. A copy will be created | ||
# for each VM created. | ||
# note(wszumski): official package path is /usr/share/OVMF/OVMF_VARS.fd | ||
libvirt_vm_ovmf_efi_variable_store_path: /usr/share/edk2.git/ovmf-x64/OVMF_VARS-need-smm.fd | ||
|
||
# Path to OVMF efi firmware | ||
# note(wszumski): official package path is /usr/share/OVMF/OVMF_CODE.secboot.fd | ||
libvirt_vm_ovmf_efi_firmware_path: /usr/share/edk2.git/ovmf-x64/OVMF_CODE-need-smm.fd | ||
|
||
# Path to iso containing signing keys | ||
# note(wszumski): official package path is /usr/share/OVMF/UefiShell.iso | ||
libvirt_vm_ovmf_uefi_shell_iso_path: /usr/share/edk2.git/ovmf-x64/UefiShell.iso | ||
|
||
# Add custom repository as OVMF package seems to be broken | ||
libvirt_vm_custom_yum_repos_efi: | ||
- name: qemu-firmware-jenkins | ||
description: upstream OVMF firmware images | ||
baseurl: https://www.kraxel.org/repos/jenkins/ | ||
gpgcheck: no | ||
# Need an updated version of qemu with smm support | ||
- name: centos-qemu-ev | ||
description: CentOS-$releasever - QEMU EV | ||
baseurl: http://mirror.centos.org/$contentdir/$releasever/virt/$basearch/kvm-common/ | ||
gpgcheck: yes | ||
|
||
libvirt_vm_custom_yum_repos: "{{ [] + (libvirt_vm_custom_yum_repos_efi if libvirt_vm_enable_efi_support else []) | unique }}" | ||
|
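Review bot: `gpgcheck: no` on the `qemu-firmware-jenkins` repository means every package pulled from `https://www.kraxel.org/repos/jenkins/`, including the `edk2.git-ovmf-x64` firmware that becomes the trust root of every secure-boot VM, is installed without signature verification, and the `centos-qemu-ev` `baseurl` is plain `http://`. If the upstream repo publishes a signing key, add `gpgkey:` and set `gpgcheck: yes`; otherwise record in the comment above it that the firmware is unverified, and use `https://` for the CentOS mirror. Minor: `libvirt_vm_custom_yum_repos` at the end lacks the explanatory comment its sibling `libvirt_vm_extra_packages` has.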
This is a bit clunky :( Looks like it's necessary though