libvit driver launching instances with stateless firmware

https://blueprints.launchpad.net/nova/+spec/libvirt-stateless-firmware

Since v8.6.0, libvirt allows launching instance with stateless firmware, which disables the potential attack surface from hypervisor. This work aims to introduce the required feature to allow users to use this feature.

Problem description

Libvirt v8.6.0 introduced the new feature to launch instance with stateless firmware. When an instance is launched with this feature enabled along with UEFI, the instance uses a ready-only firmware image without NVRAM file. This feature is useful for confidential computing use case, because it prevents injection into firmware vars from hypervisor. It also allows more complete measurement of elements involved in the boot chain of the instance which is the key requirement of remote attestation. This is described in the libvirt guide.

However this libvirt feature can’t be enabled in instances launched by current nova, because nova does not set the stateless option. Also nova always injects nvram file into libvirt domain XML.

Use Cases

  1. As a cloud administrator, in order that my users can have more confidence in the security of their running instances, I want to allow my users to enforce stateless firmware for their instances.

  2. As a user, I want to prevent risk caused by firmware variables injected by hypevisor, for instances which load very confidential data.

Proposed change

We propose adding a new image property to request stateless firmwre, so that users can create their instance with stateless firmware.

  • Add the new COMPUTE_SECURITY_STATELESS_FIRMWARE trait to os-traits.

  • Make libvirt driver check the current version of libvirt and report the supports_stateless_firmware capability when the version is equal or newer than v8.6.0. This capability should be mapped to the COMPUTE_SECURITY_STATELESS_FIRMWARE trait.

  • Add the new hw_firmware_stateless image property, which accept boolean values and is false by default. If the property is set to true then nova translate it to requiring the COMPUTE_SECURITY_STATELESS_FIRMWARE trait.

  • Change the libvirt driver to adds the stateless option to the loader element of libvirt domain XML and skip injecting nvram file, if instance metadata of the instance contains hw_firmware_stateless property set to true.

Alternatives

None

Data model impact

A new trait and new image property will be used to present availability and request of stateless firmware feature in libvirt.

REST API impact

None

Security impact

None

Notifications impact

None

Other end user impact

The end user will be able to use statless firmware for their instances through the existing image property mechanism.

Performance Impact

None

Other deployer impact

In order for users to be able to use this feature, the operator will need to deploy libvirt v8.6.0 or later in the deployment.

Developer impact

None

Upgrade impact

None

Implementation

Assignee(s)

Primary assignee:

kajinamit (irc: tkajinam)

Other contributors:

None

Work Items

  1. Add the new COMPUTE_SECURITY_STATELESS_FIRMWARE trait to os-traits.

  2. Make libvirt driver check libvirt version and present availability of stateless firmware in compute node capabilities, as the COMPUTE_SECURITY_STATELESS_FIRMWARE trait, based on the detected version.

  3. Add the new hw_firmware_stateless image property to the ImageMeta object

  4. Update scheduler util to require COMPUTE_SECURITY_STATELESS_FIRMWARE trait when the hw_firmware_stateless property in instance image properties is set to true

  5. Make libvirt driver set stateless="yes" in the loder element when instance image properties contains the hw_firmware_stateless property set to true.

  6. Update documentations

  7. Update image property schema in glance to validate the new hw_firmware_stateless property.

Unit tests and functional tests should be added according to new logic.

Future work

None

Dependencies

Libvirt v8.6.0 or later.

Testing

The fakelibvirt test driver will need adaptation to emulate libvirt older than v8.6.0 and libvirt v8.6.0 or later.

Corresponding unit/functional tests will need to be extended or added to cover:

  • detection of the statless firmware support by libvirt

  • the use of a trait to include extra stateless loader option in domain XML configuration.

Documentation Impact

References

History

Revisions

Release Name

Description

2024.2 Dalmatian

Introduced