Open
Description
SUMMARY
Unable to enable Virtualization Based Security with required params: EFI, Secure Boot, Nested Virt, I/O MMU
ISSUE TYPE
- Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.15.1]
config file = /home/user/code/credential-guard/ansible.cfg
configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/user/.pyenv/ansible/lib64/python3.9/site-packages/ansible
ansible collection location = /home/user/code/credential-guard/collections
executable location = /home/user/.pyenv/ansible/bin/ansible
python version = 3.9.13 (main, Nov 9 2022, 13:16:24) [GCC 8.5.0 20210514 (Red Hat 8.5.0-15)] (/home/user/.pyenv/ansible/bin/python3.9)
jinja version = 3.1.2
libyaml = True
COLLECTION VERSION
# /home/user/code/credential-guard/collections/ansible_collections
Collection Version
---------------- -------
community.vmware 3.8.0
CONFIGURATION
ANSIBLE_PIPELINING(/home/user/code/credential-guard/ansible.cfg) = True
COLLECTIONS_PATHS(/home/user/code/credential-guard/ansible.cfg) = ['/home/user/code/credential-guard/collections']
CONFIG_FILE() = /home/user/code/credential-guard/ansible.cfg
DEFAULT_FORKS(/home/user/code/credential-guard/ansible.cfg) = 50
DEFAULT_HOST_LIST(/home/user/code/credential-guard/ansible.cfg) = ['/home/user/code/credential-guard/inventory']
DEFAULT_ROLES_PATH(/home/user/code/credential-guard/ansible.cfg) = ['/home/user/code/credential-guard/roles']
DEFAULT_VAULT_PASSWORD_FILE(/home/user/code/credential-guard/ansible.cfg) = /home/user/code/credential-guard/vault_password_file
DEPRECATION_WARNINGS(/home/user/code/credential-guard/ansible.cfg) = False
HOST_KEY_CHECKING(/home/user/code/credential-guard/ansible.cfg) = False
SHOW_CUSTOM_STATS(/home/user/code/credential-guard/ansible.cfg) = True
SYSTEM_WARNINGS(/home/user/code/credential-guard/ansible.cfg) = True
OS / ENVIRONMENT
RHEL 8 (8.5.0-15), 4.18.0-425.19.2.el8_7.x86_64
STEPS TO REPRODUCE
Run the plays below with the VM powered off.

- name: Change VM Boot Mode To EFI With Secure Boot
  community.vmware.vmware_guest_boot_manager:
    hostname: '{{ vcenter_hostname }}'
    username: '{{ vcenter_username }}'
    password: '{{ vcenter_password }}'
    validate_certs: no
    name: '{{ inventory_hostname | upper }}'
    boot_firmware: efi
    secure_boot_enabled: true

- name: Enable Virtualization Based Security
  community.vmware.vmware_guest:
    hostname: '{{ vcenter_hostname }}'
    username: '{{ vcenter_username }}'
    password: '{{ vcenter_password }}'
    datacenter: '{{ vcenter_datacenters.datacenter_info[0].name }}'
    validate_certs: no
    name: '{{ inventory_hostname | upper }}'
    hardware:
      hotadd_cpu: false
      hotremove_cpu: false
      hotadd_memory: false
      nested_virt: true
      iommu: true
      virt_based_security: true
EXPECTED RESULTS
Expected VBS to be enabled on the VM when all requirements are satisfied.
ACTUAL RESULTS
All requirements are satisfied yet the checks in vmware_guest.py are failing regardless.
The lines in question from vmware_guest.py:
# Check requirements for virtualization based security
if pyv.params['hardware']['virt_based_security']:
    if not pyv.params['hardware']['nested_virt']:
        pyv.module.fail_json(msg="Virtualization based security requires nested virtualization. Please enable nested_virt.")
    if not pyv.params['hardware']['secure_boot']:
        pyv.module.fail_json(msg="Virtualization based security requires (U)EFI secure boot. Please enable secure_boot.")
    if not pyv.params['hardware']['iommu']:
        pyv.module.fail_json(msg="Virtualization based security requires I/O MMU. Please enable iommu.")

If I comment out the checks above, it enables VBS without issue.
TASK [credential_guard : Change VM Boot Mode To EFI With Secure Boot] ********************************************************************************************************************************
changed: [target-vm -> localhost]
TASK [credential_guard : Enable Virtualization Based Security] ********************************************************************************************************************************
fatal: [target-vm -> localhost]: FAILED! => {"changed": false, "msg": "Virtualization based security requires (U)EFI secure boot. Please enable secure_boot."}
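The checks quoted above only look at the parameters passed to this one task, so secure boot that an earlier task (or the VM itself) already enabled is not seen. The following is an added example, not community.vmware code, of the same three prerequisite checks evaluated against the requested parameters merged over the VM's current configuration; `current` is a constructed dict standing in for the VM's config, and the key names are assumptions, not the module's.

```python
# Added example (not from community.vmware): VBS prerequisite check that
# consults the VM's current configuration, not just this task's parameters.

# (hardware key, requirement named in the failure message)
REQUIREMENTS = (
    ("secure_boot", "(U)EFI secure boot"),
    ("nested_virt", "nested virtualization"),
    ("iommu", "I/O MMU"),
)


def effective_hardware(requested, current):
    """Overlay what the play asks for on what the VM already has.

    A key the play leaves unset (absent or None) keeps the VM's current value.
    An explicit False is an explicit request to turn the feature off and is
    honoured, so the check still catches a play that disables a prerequisite.
    """
    merged = dict(current)
    for key, value in (requested or {}).items():
        if value is not None:
            merged[key] = value
    return merged


def missing_vbs_requirements(requested, current):
    """Return the unmet VBS prerequisites; an empty list means VBS may be enabled.

    Same three checks as in the report, but run on the effective state, so a
    VM whose secure boot was switched on by a previous task is not rejected.
    """
    if not requested.get("virt_based_security"):
        return []  # VBS not requested: nothing to verify
    hw = effective_hardware(requested, current)
    missing = [label for key, label in REQUIREMENTS if not hw.get(key)]
    if hw.get("boot_firmware") != "efi":  # secure boot needs EFI firmware
        missing.insert(0, "EFI firmware")
    return missing


if __name__ == "__main__":
    # Constructed state matching the report: secure boot enabled by the
    # boot-manager task, VBS task sets nested_virt and iommu but not secure_boot.
    current = {"boot_firmware": "efi", "secure_boot": True,
               "nested_virt": False, "iommu": False}
    requested = {"virt_based_security": True, "nested_virt": True, "iommu": True}
    print(missing_vbs_requirements(requested, current))  # []
    print(missing_vbs_requirements(requested, {}))       # parameters-only view
```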