Validation of memory encryption constraints fails as img properties are not present

Bug #2007697 reported by Samuel Kunkel
This bug affects 3 people
Affects: OpenStack Compute (nova)
Status: In Progress
Assigned to: Samuel Kunkel

Bug Description

Creating a VM with AMD SEV attached to it fails during get_mem_encryption_constraint.

During the creation process of the VM, nova-compute runs into get_mem_encryption_constraint twice. Within this function nova evaluates whether all preconditions for AMD SEV are met for the selected flavor and image (e.g. machine_type=q35, hw_firmware_type=uefi).

The second time, get_mem_encryption_constraint is triggered from scheduler_utils. In this state nova-compute does not have any information about the image (expected, as it is called via get_flags_by_flavor_specs -> scheduler_utils.ResourceRequest.from_request_spec -> translate_memory_encryption).

As no image information is present, from_request_spec generates an instance of objects.ImageMeta(properties=objects.ImageMetaProps()), which is basically an "empty image shell".

Further down the chain, during _check_mem_encryption_uses_uefi_image this fails as the image does not contain any information at all.

This check was already validated by nova-compute beforehand (with the image information present).
Therefore this second iteration through _check_mem_encryption_uses_uefi_image is not needed, and it fails there anyway.

Steps to reproduce
Have an image with property hw_firmware_type=uefi set.
Have a flavor with property hw:mem_encryption=true set
Have the hypervisor properly set up for SEV.
Schedule a VM.

Expected result
The VM should be created properly and be running after creation.

Actual result
The second run through _check_mem_encryption_uses_uefi_image fails as there is no image information present at all.

Hypervisor: Libvirt/KVM
OS: Ubuntu 22.04 LTS (Jammy Jellyfish)
Openstack Release: Yoga

Logs & Configs
Traceback (most recent call last):
  File /usr/local/lib/python3.10/dist-packages/nova/compute/, line 2503, in _build_and_run_instance
    self.driver.spawn(context, instance, image_meta,
  File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/, line 4328, in spawn
    xml = self._get_guest_xml(context, instance, network_info,
  File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/, line 7299, in _get_guest_xml
    conf = self._get_guest_config(instance, network_info, image_meta,
  File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/, line 6876, in _get_guest_config
    guest.cpu = self._get_guest_cpu_config(
  File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/, line 5311, in _get_guest_cpu_config
    cpu = self._get_guest_cpu_model_config(flavor, arch)
  File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/, line 5258, in _get_guest_cpu_model_config
    flags = libvirt_utils.get_flags_by_flavor_specs(flavor)
  File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/, line 600, in get_flags_by_flavor_specs
    resource_request = scheduler_utils.ResourceRequest.from_request_spec(
  File /usr/local/lib/python3.10/dist-packages/nova/scheduler/, line 188, in from_request_spec
    res_req._translate_memory_encryption(request_spec.flavor, image)
  File /usr/local/lib/python3.10/dist-packages/nova/scheduler/, line 298, in _translate_memory_encryption
    if not hardware.get_mem_encryption_constraint(flavor, image):
  File /usr/local/lib/python3.10/dist-packages/nova/virt/, line 1198, in get_mem_encryption_constraint
    _check_mem_encryption_uses_uefi_image(requesters, image_meta)
  File /usr/local/lib/python3.10/dist-packages/nova/virt/, line 1245, in _check_mem_encryption_uses_uefi_image
    raise exception.FlavorImageConflict(emsg % data)
nova.exception.FlavorImageConflict: Memory encryption requested by hw:mem_encryption extra spec in m1a.8d-sev flavor but image None doesn't have 'hw_firmware_type' property set to 'uefi' or volume-backed instance was requested

Tags: libvirt uefi
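The following is an added, self-contained model of the failure described above. It is not nova's code and not the reporter's attached fix: the Flavor/ImageMeta dataclasses, the boolean parsing of the extra spec, and the names get_mem_encryption_constraint_guarded, is_empty_image_shell, raises_conflict and reproduce are stand-ins chosen for illustration. It reproduces why the same check passes on the compute path (real image, hw_firmware_type=uefi) and raises on the scheduler_utils path (empty ImageMeta shell, so the image name is None), and shows one way to apply the reporter's reasoning that the image-dependent check should not run when the caller has no image information.

```python
"""Model of nova's memory-encryption constraint check with a real image
versus the empty ImageMeta shell that from_request_spec builds.
Illustrative code added to this bug page; not nova's own implementation."""
from dataclasses import dataclass, field
from typing import Optional


class FlavorImageConflict(Exception):
    """Stand-in for nova.exception.FlavorImageConflict (assumed shape)."""


@dataclass
class Flavor:
    name: str
    extra_specs: dict = field(default_factory=dict)


@dataclass
class ImageMeta:
    # name is None and properties empty for the placeholder
    # objects.ImageMeta(properties=objects.ImageMetaProps()) built when
    # no image information is available (the "empty image shell").
    name: Optional[str] = None
    properties: dict = field(default_factory=dict)


def _str_to_bool(value) -> bool:
    # Simplified stand-in for nova's strutils.bool_from_string().
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def _check_mem_encryption_uses_uefi_image(requesters, image_meta):
    # The only input consulted is the image's hw_firmware_type property,
    # so an empty shell can never satisfy this check, whatever the flavor says.
    if image_meta.properties.get("hw_firmware_type") == "uefi":
        return
    raise FlavorImageConflict(
        "Memory encryption requested by %s but image %s doesn't have "
        "'hw_firmware_type' property set to 'uefi' or volume-backed "
        "instance was requested" % (" and ".join(requesters), image_meta.name))


def get_mem_encryption_constraint(flavor, image_meta) -> bool:
    """Return True when flavor or image requests memory encryption, after
    validating that the image is UEFI-capable (mirrors the traceback path)."""
    flavor_req = _str_to_bool(flavor.extra_specs.get("hw:mem_encryption", "false"))
    image_req = _str_to_bool(image_meta.properties.get("hw_mem_encryption", "false"))
    if not (flavor_req or image_req):
        return False
    requesters = []
    if flavor_req:
        requesters.append("hw:mem_encryption extra spec in %s flavor" % flavor.name)
    if image_req:
        requesters.append("hw_mem_encryption property of image %s" % image_meta.name)
    _check_mem_encryption_uses_uefi_image(requesters, image_meta)
    return True


def is_empty_image_shell(image_meta) -> bool:
    """True for the placeholder ImageMeta carrying no name and no properties."""
    return image_meta.name is None and not image_meta.properties


def get_mem_encryption_constraint_guarded(flavor, image_meta) -> bool:
    """Illustrative variant (assumption, not the attached patch): when the
    caller has no image information, answer only what the scheduler path
    needs (does the flavor request memory encryption?) and leave the
    UEFI validation to the earlier call that had the real image."""
    if is_empty_image_shell(image_meta):
        return _str_to_bool(flavor.extra_specs.get("hw:mem_encryption", "false"))
    return get_mem_encryption_constraint(flavor, image_meta)


def raises_conflict(check, flavor, image_meta) -> bool:
    """Helper for tests: True if `check` raises FlavorImageConflict."""
    try:
        check(flavor, image_meta)
    except FlavorImageConflict:
        return True
    return False


def reproduce():
    """Run the two passes from the report; returns (first_result, second_result)."""
    # Constructed sample input matching the flavor name in the traceback.
    flavor = Flavor("m1a.8d-sev", {"hw:mem_encryption": "true"})
    real_image = ImageMeta("sev-guest", {"hw_firmware_type": "uefi"})
    empty_shell = ImageMeta()  # what from_request_spec builds without an image
    first_pass = get_mem_encryption_constraint(flavor, real_image)   # compute side
    try:
        get_mem_encryption_constraint(flavor, empty_shell)            # scheduler_utils
        second_pass = "ok"
    except FlavorImageConflict as exc:
        second_pass = str(exc)
    return first_pass, second_pass


if __name__ == "__main__":
    ok, err = reproduce()
    print("compute-side check with real image:", ok)
    print("scheduler_utils path with empty shell:", err)
```

The guarded variant only makes sense under the condition the report states: the compute-side call already ran _check_mem_encryption_uses_uefi_image against the real image, so the scheduler-side translation needs nothing more than the flavor's request. It still raises for a real image without hw_firmware_type=uefi, so the flavor/image consistency check is not weakened for the case it was written for.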
Revision history for this message
Sylvain Bauza (sylvain-bauza) wrote :

Attaching the fix created by the reporter:

Changed in nova:
importance: Undecided → Low
status: New → In Progress
assignee: nobody → Samuel Kunkel (xshyve)
tags: added: libvirt uefi