[libvirt] [PATCH 4/5] qemu: Enable secure boot

Pavel Hrdina phrdina at redhat.com
Thu Aug 4 13:14:44 UTC 2016 

On Wed, Jul 27, 2016 at 05:11:59PM +0200, Laszlo Ersek wrote:
> On 07/27/16 10:43, Michal Privoznik wrote:
> > In qemu, enabling this feature boils down to adding the following
> > onto the command line:
> > 
> >   -global driver=cfi.pflash01,property=secure,value=on
> > 
> > However, there are some constraints resulting from the
> > implementation. For instance, System Management Mode (SMM) is
> > required to be enabled, the machine type must be q35-2.5 or

s/q35-2.5/q35-2.4/

> > later, and the guest should be x86_64. While technically it is
> > possible to have 32 bit guests with secure boot, some non-trivial
> > CPU flags tuning is required (for instance lm and nx flags must
> > be prohibited). Given complexity of our CPU driver, this is not
> > trivial. Therefore I've chosen to forbid 32 bit guests for now.
> > If there's ever need, we can refine the check later.
> > 
> > Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> > ---
> >  src/qemu/qemu_command.c                            |  7 ++++++
> >  src/qemu/qemu_domain.c                             | 27 ++++++++++++++++++++
> >  .../qemuxml2argv-bios-nvram-secure.args            | 29 ++++++++++++++++++++++
> >  tests/qemuxml2argvtest.c                           |  7 ++++++
> >  4 files changed, 70 insertions(+)
> >  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args
> 
> This patch looks almost complete to me (it causes all necessary QEMU
> options to appear, directly or indirectly (= via requiring SMM)).
> However, can you also enforce that the Q35 machtype has version 2.5 or
> later? Technically, "pc-q35-2.4" exists too, and it's not good enough
> (according to the instructions I wrote up in OvmfPkg/README earlier). I
> certainly never tested it.
> 
> Thanks,
> Laszlo

I've tested it and it seems to work also with "pc-q35-2.4".  I've installed
Fedora 24 inside a guest and I can see "Secure boot enabled" in dmesg output.
Unless Laszlo has some more information about secure boot and why it shouldn't
work with "pc-q35-2.4" this patch can be pushed as is.

ACK

More information about the libvir-list mailing list