[libvirt PATCH 9/9] qemu: implement support for firmware auto-selection feature filtering
Michal Privoznik
mprivozn at redhat.com
Thu Mar 18 16:18:38 UTC 2021
On 3/18/21 1:26 PM, Pavel Hrdina wrote:
> Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
> ---
> src/qemu/qemu_firmware.c | 40 +++++++++++++++
> ...re-efi-no-enrolled-keys.x86_64-latest.args | 49 ++++++++++++++++++
> .../os-firmware-efi-no-enrolled-keys.xml | 25 ++++++++++
> tests/qemuxml2argvtest.c | 1 +
> ...are-efi-no-enrolled-keys.x86_64-latest.xml | 50 +++++++++++++++++++
> tests/qemuxml2xmltest.c | 1 +
> 6 files changed, 166 insertions(+)
> create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> create mode 100644 tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
>
> diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
> index d3198e2d45..f6f371f51f 100644
> --- a/src/qemu/qemu_firmware.c
> +++ b/src/qemu/qemu_firmware.c
> @@ -930,6 +930,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> bool supportsS4 = false;
> bool requiresSMM = false;
> bool supportsSEV = false;
> + bool supportsSecureBoot = false;
> + bool hasEnrolledKeys = false;
> + int reqSecureBoot;
> + int reqEnrolledKeys;
>
> want = qemuFirmwareOSInterfaceTypeFromOsDefFirmware(def->os.firmware);
>
> @@ -979,7 +983,13 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> break;
>
> case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
> + supportsSecureBoot = true;
> + break;
> +
> case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
> + hasEnrolledKeys = true;
> + break;
> +
> case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
> case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
> case QEMU_FIRMWARE_FEATURE_NONE:
> @@ -1000,6 +1010,36 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> return false;
> }
>
> + if (def->os.firmwareFeatures) {
> + reqSecureBoot = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT];
> + if (reqSecureBoot != VIR_TRISTATE_BOOL_ABSENT) {
> + if (reqSecureBoot == VIR_TRISTATE_BOOL_YES && !supportsSecureBoot) {
> + VIR_DEBUG("User requested Secure Boot, firmware '%s' doesn't support it",
> + path);
> + return false;
> + }
> +
> + if (reqSecureBoot == VIR_TRISTATE_BOOL_NO && supportsSecureBoot) {
> + VIR_DEBUG("User refused Secure Boot, firmware '%s' supports it", path);
> + return false;
> + }
> + }
> +
> + reqEnrolledKeys = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS];
> + if (reqEnrolledKeys != VIR_TRISTATE_BOOL_ABSENT) {
> + if (reqEnrolledKeys == VIR_TRISTATE_BOOL_YES && !hasEnrolledKeys) {
> + VIR_DEBUG("User requested Enrolled keys, firmware '%s' doesn't support it",
"doesn't have them" perhaps?
> + path);
> + return false;
> + }
> +
> + if (reqEnrolledKeys == VIR_TRISTATE_BOOL_NO && hasEnrolledKeys) {
> + VIR_DEBUG("User refused Enrolled keys, firmware '%s' supports it", path);
"has them" perhaps?
> + return false;
> + }
> + }
> + }
> +
> if (def->os.loader &&
> def->os.loader->secure == VIR_TRISTATE_BOOL_YES &&
> !requiresSMM) {
> diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> new file mode 100644
> index 0000000000..561a905e78
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> @@ -0,0 +1,49 @@
> +LC_ALL=C \
> +PATH=/bin \
> +HOME=/tmp/lib/domain--1-fedora \
> +USER=test \
> +LOGNAME=test \
> +XDG_DATA_HOME=/tmp/lib/domain--1-fedora/.local/share \
> +XDG_CACHE_HOME=/tmp/lib/domain--1-fedora/.cache \
> +XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
> +/usr/bin/qemu-system-x86_64 \
> +-name guest=fedora,debug-threads=on \
> +-S \
> +-object secret,id=masterKey0,format=raw,\
> +file=/tmp/lib/domain--1-fedora/master-key.aes \
> +-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.fd",\
> +"node-name":"libvirt-pflash0-storage","auto-read-only":true,\
> +"discard":"unmap"}' \
> +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,\
> +"driver":"raw","file":"libvirt-pflash0-storage"}' \
> +-blockdev '{"driver":"file",\
> +"filename":"/var/lib/libvirt/qemu/nvram/fedora_VARS.fd",\
> +"node-name":"libvirt-pflash1-storage","auto-read-only":true,\
> +"discard":"unmap"}' \
> +-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,\
> +"driver":"raw","file":"libvirt-pflash1-storage"}' \
> +-machine pc-q35-4.0,accel=kvm,usb=off,dump-guest-core=off,\
> +pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,\
> +memory-backend=pc.ram \
> +-cpu qemu64 \
> +-m 8 \
> +-object memory-backend-ram,id=pc.ram,size=8388608 \
> +-overcommit mem-lock=off \
> +-smp 1,sockets=1,cores=1,threads=1 \
> +-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
> +-display none \
> +-no-user-config \
> +-nodefaults \
> +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
> +-mon chardev=charmonitor,id=monitor,mode=control \
> +-rtc base=utc \
> +-no-shutdown \
> +-boot strict=on \
> +-device pcie-root-port,port=0x8,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,\
> +addr=0x1 \
> +-device pcie-root-port,port=0x9,chassis=2,id=pci.2,bus=pcie.0,addr=0x1.0x1 \
> +-device qemu-xhci,id=usb,bus=pci.1,addr=0x0 \
> +-audiodev id=audio1,driver=none \
> +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> +resourcecontrol=deny \
> +-msg timestamp=on
> diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> new file mode 100644
> index 0000000000..6c0b323fd4
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> @@ -0,0 +1,25 @@
> +<domain type='kvm'>
> + <name>fedora</name>
> + <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
> + <memory unit='KiB'>8192</memory>
> + <currentMemory unit='KiB'>8192</currentMemory>
> + <vcpu placement='static'>1</vcpu>
> + <os firmware='efi'>
> + <firmware type='efi'>
> + <feature enabled='no' name='enrolled-keys'/>
> + </firmware>
> + <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
> + </os>
> + <features>
> + <acpi/>
> + <apic/>
> + <pae/>
> + </features>
> + <devices>
> + <emulator>/usr/bin/qemu-system-x86_64</emulator>
> + <controller type='pci' index='0' model='pcie-root'/>
> + <input type='mouse' bus='ps2'/>
> + <input type='keyboard' bus='ps2'/>
> + <memballoon model='none'/>
> + </devices>
> +</domain>
> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
> index 2b32b7f303..44c2a316b0 100644
> --- a/tests/qemuxml2argvtest.c
> +++ b/tests/qemuxml2argvtest.c
> @@ -3549,6 +3549,7 @@ mymain(void)
> DO_TEST_CAPS_LATEST("os-firmware-bios");
> DO_TEST_CAPS_LATEST("os-firmware-efi");
> DO_TEST_CAPS_LATEST("os-firmware-efi-secboot");
> + DO_TEST_CAPS_LATEST("os-firmware-efi-no-enrolled-keys");
> DO_TEST_CAPS_LATEST_PARSE_ERROR("os-firmware-invalid-type");
> DO_TEST_CAPS_ARCH_LATEST("aarch64-os-firmware-efi", "aarch64");
>
> diff --git a/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
Alternatively, let this be link to the XML above, since the difference
between them is not in the area of interest of this feature.
Michal
More information about the libvir-list
mailing list