Secure Boot does work in focal, but apparently never has through OpenStack. That's a bug or a new feature request, depending on how you look at it.
*If* we want to fix that/enable that feature, it sounds like we're back to Seyeoung's options #1 and #2 from comment #20. Option #2 - switching the 4M images to 32-bit PEI - is starting to sound like the best option. Patching Nova to do something atypical for focal feels like it would carry more risk.
We've had 4M images in focal for about 8 months (2023-01-24). The regression risk with this change would be that someone has created a VM in focal during that time that somehow needs 64-bit PEI. I'm not aware of any reason a VM would require 64-bit PEI, and I'm also unaware of any user-perceivable changes the switch would make. I haven't seen any user reports about problems with that since we introduced that change in Debian/Ubuntu. If users are already booting Secure Boot VMs w/ S3 disabled to use them, they can continue doing that[*]. The fact that the firmware would now support booting them w/ S3 enabled wouldn't be a regression. And it would correct an internal inconsistency in OVMF - where it tells libvirt that the 4M images support S3 when they currently do not.
If you do move forward with this SRU Seyeoung, I'd suggest using the same or similar debian/changelog entry from when we introduced the change in 2020.11-1, as it provides more context.
[*] Of course, we need to verify that - it should be a verification test
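Added example, not part of this bug report and not code from OVMF, libvirt or the Ubuntu packaging: the comment above turns on what the firmware descriptors under /usr/share/qemu/firmware tell libvirt (the "acpi-s3" and "secure-boot" feature strings) and on how libvirt picks an image from them. The script below parses constructed sample descriptors in that JSON layout, lists which images advertise both Secure Boot and S3 (the combination the verification test has to exercise), and models libvirt's auto-selection in simplified form. The file names, image paths, machine globs and feature lists are assumed for illustration, and the selection logic ignores enrolled-keys, SEV, NVRAM handling and non-x86_64 targets.

```python
"""Read QEMU firmware descriptors and model libvirt's firmware auto-selection (added example)."""
import copy
import fnmatch
import json
from typing import Dict, List, Optional


def _desc(code: str, nvram: str, machines: List[str], features: List[str]) -> str:
    """Build one descriptor document in the QEMU/libvirt schema (constructed sample)."""
    return json.dumps({
        "description": f"constructed sample descriptor for {code}",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": code, "format": "raw"},
                    "nvram-template": {"filename": nvram, "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": machines}],
        "features": features,
        "tags": [],
    })


# Constructed sample descriptors; names, paths and feature lists are assumed, not from a package.
SAMPLE_FILES: Dict[str, str] = {
    "40-edk2-x86_64-secure-enrolled.json": _desc(
        "/usr/share/OVMF/OVMF_CODE_4M.secboot.fd", "/usr/share/OVMF/OVMF_VARS_4M.ms.fd",
        ["pc-q35-*"], ["acpi-s3", "enrolled-keys", "requires-smm", "secure-boot"]),
    "50-edk2-x86_64-secure-legacy.json": _desc(
        "/usr/share/OVMF/OVMF_CODE.secboot.fd", "/usr/share/OVMF/OVMF_VARS.ms.fd",
        ["pc-q35-*"], ["enrolled-keys", "requires-smm", "secure-boot"]),
    "60-edk2-x86_64.json": _desc(
        "/usr/share/OVMF/OVMF_CODE_4M.fd", "/usr/share/OVMF/OVMF_VARS_4M.fd",
        ["pc-i440fx-*", "pc-q35-*"], ["acpi-s3"]),
}


def load_descriptors(files: Dict[str, str]) -> List[dict]:
    """Parse descriptors and order them by file name, which is libvirt's priority order."""
    result = []
    for name in sorted(files):
        doc = json.loads(files[name])
        doc["_file"] = name
        result.append(doc)
    return result


def advertised_features(descs: List[dict]) -> Dict[str, List[str]]:
    """Executable path -> feature strings the descriptor advertises to libvirt."""
    return {d["mapping"]["executable"]["filename"]: sorted(d.get("features", [])) for d in descs}


def claims_secure_boot_with_s3(descs: List[dict]) -> List[str]:
    """Descriptors promising both Secure Boot and S3: a Secure Boot VM that leaves S3
    enabled will be booted on one of these, so they are what a verification test must cover."""
    return [d["_file"] for d in descs if {"secure-boot", "acpi-s3"} <= set(d.get("features", []))]


def select_firmware(descs: List[dict], machine: str, secure_boot: Optional[bool],
                    s3_enabled: bool) -> Optional[str]:
    """Simplified model of libvirt auto-selection: first descriptor in file-name order whose
    target matches the machine type and whose features satisfy the domain (assumed model).
    secure_boot True = required, False = forbidden, None = no preference.
    s3_enabled True = suspend-to-mem not disabled, so acpi-s3 must be advertised."""
    for d in descs:
        feats = set(d.get("features", []))
        if "uefi" not in d.get("interface-types", []):
            continue
        globs = [m for t in d.get("targets", []) if t.get("architecture") == "x86_64"
                 for m in t.get("machines", [])]
        if not any(fnmatch.fnmatchcase(machine, g) for g in globs):
            continue
        if secure_boot is True and "secure-boot" not in feats:
            continue
        if secure_boot is False and "secure-boot" in feats:
            continue
        if s3_enabled and "acpi-s3" not in feats:
            continue
        return d["_file"]
    return None


def without_feature(descs: List[dict], file_name: str, feature: str) -> List[dict]:
    """Copy of the list with one feature dropped from one descriptor, to see what libvirt
    would do if a descriptor stopped claiming acpi-s3 instead of the firmware gaining it."""
    out = copy.deepcopy(descs)
    for d in out:
        if d["_file"] == file_name:
            d["features"] = [f for f in d.get("features", []) if f != feature]
    return out


if __name__ == "__main__":
    descs = load_descriptors(SAMPLE_FILES)
    for path, feats in advertised_features(descs).items():
        print(f"{path}: {' '.join(feats)}")
    print("needs SB+S3 boot test:", claims_secure_boot_with_s3(descs))
    print("SB on, S3 on  ->", select_firmware(descs, "pc-q35-6.2", True, True))
    print("SB on, S3 off ->", select_firmware(descs, "pc-q35-6.2", True, False))
    honest = without_feature(descs, "40-edk2-x86_64-secure-enrolled.json", "acpi-s3")
    print("SB on, S3 on, acpi-s3 dropped ->", select_firmware(honest, "pc-q35-6.2", True, True))
```

Two outcomes are worth noting. With the descriptor as sampled (acpi-s3 advertised), a Secure Boot domain that leaves S3 enabled is steered to the 4M Secure Boot image, which is exactly the case the comment says does not currently work. If the descriptor instead dropped acpi-s3, the same domain would match no firmware at all, so the user would have to disable S3 explicitly, which is what the footnote says users do today. To run this against a real host, replace SAMPLE_FILES with the contents of the JSON files under /usr/share/qemu/firmware.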