auto-mark new VMs for Secure Boot certificate update on boot #7155
Open
stephenchengCloud wants to merge 2 commits into
…date on boot
1. Add a pool-level boolean Pool.auto_update_vm_secureboot_certificates (RW, default false). This is the opt-in switch for automatically updating expiring Secure Boot certificates on newly created VMs; it defaults to disabled so xapi never modifies VM NVRAM unless the admin opts in.
2. When the pool option auto_update_vm_secureboot_certificates is enabled, VM.create now inspects the NVRAM supplied at creation time (e.g. by MCS) and, if the Secure Boot certificates are due to expire, sets the VM's secureboot_certificates_state to update_on_boot so the certificates are refreshed on the next boot.
check_secureboot_certificates_state returns ok cheaply when the NVRAM has no EFI variables (e.g. BIOS VMs), so no external check is run in that case.
The behaviour is gated on the pool opt-in, so default behaviour is unchanged.
Signed-off-by: Stephen Cheng <stephen.cheng@citrix.com>
Microsoft's 2011 Secure Boot certificates expire between June and October 2026. XenServer already has a remediation workflow (the per-VM field VM.secureboot_certificates_state plus VM.update_secureboot_certificates_on_boot) that lets an admin mark a VM so its Secure Boot certificates are replaced on the next (re)boot. CVAD MCS (Citrix Machine Creation Services) stores a copy of the VM NVRAM per catalog and supplies it on VM.create; catalogs built from 2011-only VMs therefore keep creating 2011-only VMs, which can fail to boot once the disk relies on 2023 certs. This feature lets a pool opt in to having xapi auto-mark such freshly created VMs so the certs are updated on first boot.
Tested:
update_required. VM.create to trigger the logic: