From 309e9356a67c5604bc7e5773bf11cd64d1c1379f Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sun, 7 Sep 2025 21:59:54 +0900 Subject: [PATCH] Add new metadata definition of memory encryption model Nova recently introduced support of SEV-ES, to extend the existing memory encryption support using SEV. Add the new metadef value to explain the flavor extra spec and the image property to determine the hardware/CPU feature for memory encryption. Also fix the outdated link of nova documentation about AMD SEV support. Depends-on: https://review.opendev.org/c/openstack/nova/+/926106 Change-Id: I9063663a3b14161a67da59a68f5f7c92fd5447f5 Signed-off-by: Takashi Kajinami --- doc/source/admin/useful-image-properties.rst | 22 ++++++++++++++++--- etc/metadefs/compute-libvirt.json | 11 +++++++--- glance/tests/functional/db/base_metadef.py | 2 +- ...ingo-metadef-changes-413a952cf47927ce.yaml | 12 ++++++++++ 4 files changed, 40 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/flamingo-metadef-changes-413a952cf47927ce.yaml diff --git a/doc/source/admin/useful-image-properties.rst b/doc/source/admin/useful-image-properties.rst index 2ad37257c1..71d2588064 100644 --- a/doc/source/admin/useful-image-properties.rst +++ b/doc/source/admin/useful-image-properties.rst 
@@ -444,11 +444,27 @@ Here is a list of useful image properties and the values they expect. Enables encryption of guest memory at the hardware level, if there are compute hosts available which support this. See - `nova's documentation on configuration of the KVM hypervisor - `_ + `nova's documentation on configuration of AMD SEV + `_ for more details. - Only supported by the libvirt driver. + Only supported by the libvirt driver with the KVM/QEMU hypervisor. + +``hw_mem_encryption_model`` + :Type: str + + The hardware feature name to encrypt guest memory, if there are compute hosts + available which support this. See + `nova's documentation on configuration of AMD SEV + `_ + for more details. + + Only supported by the libvirt driver with the KVM/QEMU hypervisor. + + One of: + + - ``amd-sev`` + - ``amd-sev-es`` ``hw_virtio_packed_ring`` :Type: bool diff --git a/etc/metadefs/compute-libvirt.json b/etc/metadefs/compute-libvirt.json index 3493be3885..1da08f2d45 100644 --- a/etc/metadefs/compute-libvirt.json +++ b/etc/metadefs/compute-libvirt.json 
@@ -29,11 +29,16 @@
 },
 "mem_encryption": {
 "title": "Hardware Memory Encryption",
- "description": "Enables encryption of guest memory at the hardware level, if there are compute hosts available which support this. See https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization for details.",
+ "description": "Enables encryption of guest memory at the hardware level, if there are compute hosts available which support this. See https://docs.openstack.org/nova/latest/admin/sev.html for details.",
 "type": "string",
 "enum": ["true", "false"]
- }
- ,
+ },
+ "mem_encryption_model": {
+ "title": "Hardware Memory Encryption Model",
+ "description": "The hardware feature name to encrypt guest memory, if there are compute hosts available which support this. See https://docs.openstack.org/nova/latest/admin/sev.html for details.",
+ "type": "string",
+ "enum": ["amd-sev", "amd-sev-es"]
+ },
 "virtio_packed_ring": {
 "title": "Virtio Packed Ring",
 "description": "Enables Packed VIRT-IO Queue feature. When set to true, instance will bescheduled to hosts that support negotiating the packed virt queue format. This feature may or may not be enabled depending on the guest driver. When used it will improve the small packet performance of network io.",
diff --git a/glance/tests/functional/db/base_metadef.py b/glance/tests/functional/db/base_metadef.py
index c2982d0e1d..378af82bca 100644
--- a/glance/tests/functional/db/base_metadef.py
+++ b/glance/tests/functional/db/base_metadef.py
@@ -773,7 +773,7 @@ class MetadefLoadUnloadTests:
 'CIM::VirtualSystemSettingData': 17,
 'OS::Compute::XenAPI': 1,
 'OS::Compute::InstanceData': 2,
- 'OS::Compute::Libvirt': 4,
+ 'OS::Compute::Libvirt': 5,
 'OS::Compute::VMwareQuotaFlavor': 2,
 'OS::Cinder::Volumetype': 1,
 'OS::Glance::Signatures': 4,
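Review bot: The key added in this hunk is `mem_encryption_model`, which the .rst hunk documents as the image property `hw_mem_encryption_model`, but the release note added by the same patch announces `hw_memory_encryption_model`; an operator who copies the release-note name onto an image would set a property that matches no definition here, and the guest would presumably not get the memory-encryption model they intended. The release note line should read `* Added ``hw_mem_encryption_model`` enumerations in`. Separately, the new `description` does not say how this property relates to `mem_encryption`; if the model only takes effect when memory encryption is also requested (my understanding of nova's SEV handling, to be confirmed against the Depends-on change), say so in the description, e.g. `Only takes effect when mem_encryption is true.`. The count bump in base_metadef.py (`'OS::Compute::Libvirt': 5`) checks only the number of properties, so it would not catch a name mismatch like this one.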
diff --git a/releasenotes/notes/flamingo-metadef-changes-413a952cf47927ce.yaml b/releasenotes/notes/flamingo-metadef-changes-413a952cf47927ce.yaml
new file mode 100644
index 0000000000..508f36c2fd
--- /dev/null
+++ b/releasenotes/notes/flamingo-metadef-changes-413a952cf47927ce.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The following metadata definitions have been modified in the Flamingo
+ release:
+
+ * Added ``hw_memory_encryption_model`` enumerations in
+ the ``OS::Compute::Libvirt`` namespace.
+
+ You may upgrade these definitions using:
+
+ ``glance-manage db load_metadefs [--path ] [--merge] [--prefer_new]``