[virt-tools-list] [virt-manager PATCH 3/3] virtinst: if required by UEFI enable SMM feature and set q35 machine type

Pavel Hrdina phrdina at redhat.com
Wed May 31 15:36:05 UTC 2017


If we detect that the UEFI image is built to require the SMM feature, we
should configure the guest to enable the SMM feature and set the q35 machine
type.  Without this the user wouldn't be able to boot the guest.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1387479

Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
---
 tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml  | 126 +++++++++++++++++++++
 .../compare/virt-install-boot-uefi.xml             |  61 ++++++++++
 tests/clitest.py                                   |   4 +
 tests/utils.py                                     |   2 +
 virtManager/domain.py                              |   1 +
 virtinst/guest.py                                  |  23 ++++
 6 files changed, 217 insertions(+)
 create mode 100644 tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml
 create mode 100644 tests/cli-test-xml/compare/virt-install-boot-uefi.xml

diff --git a/tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml b/tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml
new file mode 100644
index 00000000..780ada61
--- /dev/null
+++ b/tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml
@@ -0,0 +1,126 @@
+<domainCapabilities>
+  <path>/home/phrdina/work/qemu/x86_64-softmmu/qemu-system-x86_64</path>
+  <domain>kvm</domain>
+  <machine>pc-q35-2.9</machine>
+  <arch>x86_64</arch>
+  <vcpu max='288'/>
+  <os supported='yes'>
+    <loader supported='yes'>
+      <value>/usr/share/ovmf/OVMF_CODE.secboot.fd</value>
+      <enum name='type'>
+        <value>rom</value>
+        <value>pflash</value>
+      </enum>
+      <enum name='readonly'>
+        <value>yes</value>
+        <value>no</value>
+      </enum>
+    </loader>
+  </os>
+  <cpu>
+    <mode name='host-passthrough' supported='yes'/>
+    <mode name='host-model' supported='yes'>
+      <model fallback='forbid'>Skylake-Client</model>
+      <vendor>Intel</vendor>
+      <feature policy='require' name='ss'/>
+      <feature policy='require' name='vmx'/>
+      <feature policy='require' name='hypervisor'/>
+      <feature policy='require' name='tsc_adjust'/>
+      <feature policy='require' name='clflushopt'/>
+      <feature policy='require' name='xsaves'/>
+      <feature policy='require' name='pdpe1gb'/>
+      <feature policy='require' name='invtsc'/>
+    </mode>
+    <mode name='custom' supported='yes'>
+      <model usable='yes'>qemu64</model>
+      <model usable='yes'>qemu32</model>
+      <model usable='no'>phenom</model>
+      <model usable='yes'>pentium3</model>
+      <model usable='yes'>pentium2</model>
+      <model usable='yes'>pentium</model>
+      <model usable='yes'>n270</model>
+      <model usable='yes'>kvm64</model>
+      <model usable='yes'>kvm32</model>
+      <model usable='yes'>coreduo</model>
+      <model usable='yes'>core2duo</model>
+      <model usable='no'>athlon</model>
+      <model usable='yes'>Westmere</model>
+      <model usable='yes'>Skylake-Client</model>
+      <model usable='yes'>SandyBridge</model>
+      <model usable='yes'>Penryn</model>
+      <model usable='no'>Opteron_G5</model>
+      <model usable='no'>Opteron_G4</model>
+      <model usable='no'>Opteron_G3</model>
+      <model usable='yes'>Opteron_G2</model>
+      <model usable='yes'>Opteron_G1</model>
+      <model usable='yes'>Nehalem</model>
+      <model usable='yes'>IvyBridge</model>
+      <model usable='yes'>Haswell</model>
+      <model usable='yes'>Haswell-noTSX</model>
+      <model usable='yes'>Conroe</model>
+      <model usable='yes'>Broadwell</model>
+      <model usable='yes'>Broadwell-noTSX</model>
+      <model usable='yes'>486</model>
+    </mode>
+  </cpu>
+  <devices>
+    <disk supported='yes'>
+      <enum name='diskDevice'>
+        <value>disk</value>
+        <value>cdrom</value>
+        <value>floppy</value>
+        <value>lun</value>
+      </enum>
+      <enum name='bus'>
+        <value>fdc</value>
+        <value>scsi</value>
+        <value>virtio</value>
+        <value>usb</value>
+        <value>sata</value>
+      </enum>
+    </disk>
+    <graphics supported='yes'>
+      <enum name='type'>
+        <value>sdl</value>
+        <value>vnc</value>
+        <value>spice</value>
+      </enum>
+    </graphics>
+    <video supported='yes'>
+      <enum name='modelType'>
+        <value>vga</value>
+        <value>cirrus</value>
+        <value>vmvga</value>
+        <value>qxl</value>
+        <value>virtio</value>
+      </enum>
+    </video>
+    <hostdev supported='yes'>
+      <enum name='mode'>
+        <value>subsystem</value>
+      </enum>
+      <enum name='startupPolicy'>
+        <value>default</value>
+        <value>mandatory</value>
+        <value>requisite</value>
+        <value>optional</value>
+      </enum>
+      <enum name='subsysType'>
+        <value>usb</value>
+        <value>pci</value>
+        <value>scsi</value>
+      </enum>
+      <enum name='capsType'/>
+      <enum name='pciBackend'>
+        <value>default</value>
+        <value>kvm</value>
+        <value>vfio</value>
+      </enum>
+    </hostdev>
+  </devices>
+  <features>
+    <gic supported='no'/>
+  </features>
+</domainCapabilities>
+
+
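Review bot: The fixture's `<path>` element records a developer-local emulator path, `/home/phrdina/work/qemu/x86_64-softmmu/qemu-system-x86_64`, and the file ends with two empty `+` lines. The compare file added in this same patch uses `/usr/bin/qemu-kvm`, so `<path>/usr/bin/qemu-system-x86_64</path>` would read as deliberate test data rather than a captured host, and the trailing blank lines can be dropped. Nothing in the Python hunks appears to read `<path>`, so this is a style point only.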
diff --git a/tests/cli-test-xml/compare/virt-install-boot-uefi.xml b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
new file mode 100644
index 00000000..e0f2089f
--- /dev/null
+++ b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
@@ -0,0 +1,61 @@
+<domain type="kvm">
+  <name>foobar</name>
+  <uuid>00000000-1111-2222-3333-444444444444</uuid>
+  <memory>65536</memory>
+  <currentMemory>65536</currentMemory>
+  <vcpu>1</vcpu>
+  <os>
+    <type arch="x86_64" machine="q35">hvm</type>
+    <loader readonly="yes" type="pflash">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
+    <boot dev="hd"/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <smm state="on"/>
+    <vmport state="off"/>
+  </features>
+  <cpu mode="custom" match="exact">
+    <model>Opteron_G4</model>
+  </cpu>
+  <clock offset="utc">
+    <timer name="rtc" tickpolicy="catchup"/>
+    <timer name="pit" tickpolicy="delay"/>
+    <timer name="hpet" present="no"/>
+  </clock>
+  <pm>
+    <suspend-to-mem enabled="no"/>
+    <suspend-to-disk enabled="no"/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-kvm</emulator>
+    <controller type="usb" index="0" model="ich9-ehci1"/>
+    <controller type="usb" index="0" model="ich9-uhci1">
+      <master startport="0"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci2">
+      <master startport="2"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci3">
+      <master startport="4"/>
+    </controller>
+    <interface type="bridge">
+      <source bridge="eth0"/>
+      <mac address="00:11:22:33:44:55"/>
+    </interface>
+    <input type="mouse" bus="ps2"/>
+    <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
+      <image compression="off"/>
+    </graphics>
+    <console type="pty"/>
+    <channel type="spicevmc">
+      <target type="virtio" name="com.redhat.spice.0"/>
+    </channel>
+    <sound model="ich6"/>
+    <video>
+      <model type="qxl"/>
+    </video>
+    <redirdev bus="usb" type="spicevmc"/>
+    <redirdev bus="usb" type="spicevmc"/>
+  </devices>
+</domain>
diff --git a/tests/clitest.py b/tests/clitest.py
index ae330538..08d32c68 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -71,6 +71,7 @@ test_files = {
     'URI-TEST-DEFAULT': utils.uri_test_default,
     'URI-TEST-REMOTE': utils.uri_test_remote,
     'URI-KVM': utils.uri_kvm,
+    'URI-KVM-Q35': utils.uri_kvm_q35,
     'URI-KVM-SESSION': utils.uri_kvm_session,
     'URI-KVM-REMOTE': utils.uri_kvm + ",remote",
     'URI-KVM-NODOMCAPS': utils.uri_kvm_nodomcaps,
@@ -782,6 +783,9 @@ c.add_invalid("--disk none --boot network --machine foobar")  # Unknown machine
 c.add_invalid("--nodisks --boot network --arch mips --virt-type kvm")  # Invalid domain type for arch
 c.add_invalid("--nodisks --boot network --paravirt --arch mips")  # Invalid arch/virt combo
 
+c = vinst.add_category("kvm-q35", "--connect %(URI-KVM-Q35)s --noautoconsole", compare_check=support.SUPPORT_CONN_VMPORT)
+c.add_compare("--boot uefi --disk none", "boot-uefi")
+
 
 ######################
 # LXC specific tests #
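Review bot: The new `kvm-q35` category only exercises the positive path (secboot loader, x86, SMM-capable domcaps), so a regression that always set `features.smm` and `machine = "q35"` regardless of the firmware name would still pass. A second compare against a non-secboot loader, e.g. `c.add_compare("--boot loader=/usr/share/ovmf/OVMF_CODE.fd,loader_ro=yes,loader_type=pflash --disk none", "boot-uefi-nosmm")` with an expected file that keeps the default machine type, would pin the early-return branches of `check_uefi_smm`. The `compare_check=support.SUPPORT_CONN_VMPORT` argument looks copied from the neighbouring categories; confirm it is the right gate for this one rather than an SMM-support check.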
diff --git a/tests/utils.py b/tests/utils.py
index 0b8fc365..9947f3b0 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -37,10 +37,12 @@ uri_test_remote = uri_test + ",remote"
 
 _uri_qemu = "%s,qemu" % uri_test
 _uri_kvm_domcaps = (_uri_qemu + _domcapsprefix + "kvm-x86_64-domcaps.xml")
+_uri_kvm_domcaps_q35 = (_uri_qemu + _domcapsprefix + "kvm-x86_64-domcaps-q35.xml")
 _uri_kvm_aarch64_domcaps = (_uri_qemu + _domcapsprefix + "kvm-aarch64-domcaps.xml")
 uri_kvm_nodomcaps = (_uri_qemu + _capsprefix + "kvm-x86_64.xml")
 uri_kvm_rhel = (_uri_kvm_domcaps + _capsprefix + "kvm-x86_64-rhel7.xml")
 uri_kvm = (_uri_kvm_domcaps + _capsprefix + "kvm-x86_64.xml")
+uri_kvm_q35 = (_uri_kvm_domcaps_q35 + _capsprefix + "kvm-x86_64.xml")
 uri_kvm_session = uri_kvm + ",session"
 
 uri_kvm_armv7l = (_uri_kvm_domcaps + _capsprefix + "kvm-armv7l.xml")
diff --git a/virtManager/domain.py b/virtManager/domain.py
index 6b94455d..6fb10266 100644
--- a/virtManager/domain.py
+++ b/virtManager/domain.py
@@ -698,6 +698,7 @@ class vmmDomain(vmmLibvirtObject):
                 guest.os.loader = loader
                 guest.os.loader_type = "pflash"
                 guest.os.loader_ro = True
+                guest.check_uefi_smm()
 
         if nvram != _SENTINEL:
             guest.os.nvram = nvram
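Review bot: Calling `guest.check_uefi_smm()` here can rewrite `os.machine` to `q35` on an existing domain whose machine type was previously something else, which changes the guest's PCI topology and may invalidate already-attached device addresses; that side effect is not mentioned anywhere in this hunk. If that is intended, a comment such as `# may switch machine type to q35 when the firmware requires SMM` above the call would warn the next maintainer, and the UI path that reaches this code presumably should tell the user. The enclosing method starts outside the hunk, so I cannot tell whether the machine type is validated afterwards.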
diff --git a/virtinst/guest.py b/virtinst/guest.py
index aa956449..d6dd5aa6 100644
--- a/virtinst/guest.py
+++ b/virtinst/guest.py
@@ -561,6 +561,29 @@ class Guest(XMLBuilder):
         self.os.loader_type = "pflash"
         self.os.loader = path
 
+        self.check_uefi_smm()
+
+
+    def check_uefi_smm(self):
+        """
+        If the firmware name contains "secboot" it is probably build
+        with SMM feature required so we need to enable that feature,
+        otherwise the firmware may fail to load.  True secure boot is
+        currently supported only on x86 architecture and with q35 with
+        SMM feature enabled so change the machine to q35 as well.
+        """
+
+        if not self.os.is_x86():
+            return
+
+        if "secboot" not in self.os.loader:
+            return
+
+        if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM):
+            return
+
+        self.features.smm = True
+        self.os.machine = "q35"
 
     ###################
     # Device defaults #
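Review bot: `check_uefi_smm` is public (domain.py calls it as well) but `"secboot" not in self.os.loader` raises TypeError when `os.loader` is unset, so the guard should read `if not self.os.loader or "secboot" not in self.os.loader:`. The detection is a filename heuristic, as the docstring admits, and `self.os.machine = "q35"` silently replaces whatever machine type the caller may have chosen; logging that override, or only applying it when `os.machine` is still unset, would make the behaviour visible. In the docstring, "probably build" should read "probably built", and it is worth adding that enabling SMM only lets this firmware load — the method does not touch the NVRAM store, so it says nothing about whether Secure Boot enforcement is actually configured. `set_uefi_path`, whose tail is the first two context lines, begins outside the hunk.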
-- 
2.13.0



