[libvirt PATCH 25/28] qemu_firmware: Enable loader.secure when requires-smm

Andrea Bolognani abologna at redhat.com
Thu Jun 23 16:14:37 UTC 2022 

Currently, a firmware configuration such as

  <os firmware='efi'>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
    </firmware>
  </os>

will correctly pick a firmware that implements the Secure Boot
feature and initialize the NVRAM file so that it contains the
keys necessary to enforce the signing requirements. However, the
lack of a

  <loader secure='yes'/>

element makes it possible for pflash writes to happen outside
of SMM mode. This means that the EFI secure variables where the
keys are stored could potentially be overwritten by malicious
code running in the guest, thus making it possible to circumvent
Secure Boot.

To prevent that from happening, automatically turn on the
loader.secure feature whenever a firmware that implements Secure
Boot is chosen by the firmware autoselection logic. This is
identical to the way we already automatically enable SMM in such
a scenario.

Note that, while this is technically a guest-visible change, it
will not affect migration of existings VMs and will not prevent
legitimate guest code from running.

Signed-off-by: Andrea Bolognani <abologna at redhat.com>
---
 src/qemu/qemu_firmware.c                                        | 2 ++
 .../firmware-auto-efi-enrolled-keys.x86_64-latest.args          | 1 +
 .../qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args | 1 +
 .../firmware-auto-efi-secboot.x86_64-latest.args                | 1 +
 tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args     | 1 +
 5 files changed, 6 insertions(+)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index c8f462bfcf..5b2fa51a9c 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1240,6 +1240,8 @@ qemuFirmwareEnableFeatures(virQEMUDriver *driver,
             case VIR_TRISTATE_SWITCH_LAST:
                 break;
             }
+            VIR_DEBUG("Enabling secure loader");
+            def->os.loader->secure = VIR_TRISTATE_BOOL_YES;
             break;
 
         case QEMU_FIRMWARE_FEATURE_NONE:
diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.x86_64-latest.args
index 885c83445d..7479b05af4 100644
--- a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.x86_64-latest.args
@@ -17,6 +17,7 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
 -machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
 -accel kvm \
 -cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
 -m 8 \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
 -overcommit mem-lock=off \
diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args
index e37521b0a3..1061e93554 100644
--- a/tests/qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args
@@ -17,6 +17,7 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
 -machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
 -accel kvm \
 -cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
 -m 8 \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
 -overcommit mem-lock=off \
diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-secboot.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi-secboot.x86_64-latest.args
index 885c83445d..7479b05af4 100644
--- a/tests/qemuxml2argvdata/firmware-auto-efi-secboot.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-secboot.x86_64-latest.args
@@ -17,6 +17,7 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
 -machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
 -accel kvm \
 -cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
 -m 8 \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
 -overcommit mem-lock=off \
diff --git a/tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args
index 885c83445d..7479b05af4 100644
--- a/tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args
@@ -17,6 +17,7 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
 -machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
 -accel kvm \
 -cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
 -m 8 \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
 -overcommit mem-lock=off \
-- 
2.35.3

More information about the libvir-list mailing list