From d1c5d166a891a2abf408a5879b95bded23b45825 Mon Sep 17 00:00:00 2001
|
|
Message-Id: <d1c5d166a891a2abf408a5879b95bded23b45825@dist-git>
|
|
From: Pavel Hrdina <phrdina@redhat.com>
|
|
Date: Fri, 21 May 2021 14:16:12 +0200
|
|
Subject: [PATCH] qemu: implement support for firmware auto-selection feature
|
|
filtering
|
|
|
|
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
|
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
|
|
(cherry picked from commit c91fa273062ec388385bf8cc081117c78c2f7af5)
|
|
|
|
Conflicts:
|
|
tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
|
|
- missing upstream commits:
|
|
d96fb5cb31b870e1539bd8ee95fb27dbe461a357
|
|
43c9c0859f2d53321ccc646ab905beec0740490b
|
|
88957116c9d3cb4705380c3702c9d4315fb500bb
|
|
|
|
tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
|
|
- missing upstream commits:
|
|
e88367095f3cad2cf80a687fd599dfaeb3073841
|
|
|
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1929357
|
|
|
|
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
|
Message-Id: <de1971688ed4bf1556d669973e60de6e3c76b4c1.1621599207.git.phrdina@redhat.com>
|
|
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
|
|
---
|
|
src/qemu/qemu_firmware.c | 40 +++++++++++++++
|
|
...re-efi-no-enrolled-keys.x86_64-latest.args | 47 ++++++++++++++++++
|
|
.../os-firmware-efi-no-enrolled-keys.xml | 49 +++++++++++++++++++
|
|
tests/qemuxml2argvtest.c | 1 +
|
|
...are-efi-no-enrolled-keys.x86_64-latest.xml | 1 +
|
|
tests/qemuxml2xmltest.c | 1 +
|
|
6 files changed, 139 insertions(+)
|
|
create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
|
|
create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
|
|
create mode 120000 tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
|
|
|
|
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
|
|
index 8ef515ca57..e875e355c7 100644
|
|
--- a/src/qemu/qemu_firmware.c
|
|
+++ b/src/qemu/qemu_firmware.c
|
|
@@ -952,6 +952,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
|
|
bool supportsS4 = false;
|
|
bool requiresSMM = false;
|
|
bool supportsSEV = false;
|
|
+ bool supportsSecureBoot = false;
|
|
+ bool hasEnrolledKeys = false;
|
|
+ int reqSecureBoot;
|
|
+ int reqEnrolledKeys;
|
|
|
|
want = qemuFirmwareOSInterfaceTypeFromOsDefFirmware(def->os.firmware);
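Review bot: `reqSecureBoot` and `reqEnrolledKeys` are declared as plain `int` at the top of qemuFirmwareMatchDomain and left uninitialized, although both are assigned and read only inside the `if (def->os.firmwareFeatures)` block added in the third hunk of this file. Declaring them at first use inside that block, with the tristate enum type the `firmwareFeatures` array presumably holds (`virTristateBool reqSecureBoot = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT];`), limits their scope to the code that uses them and lets the compiler check the comparisons against the `VIR_TRISTATE_BOOL_*` constants. The function starts before this hunk.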
|
|
|
|
@@ -1001,7 +1005,13 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
|
|
break;
|
|
|
|
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
|
|
+ supportsSecureBoot = true;
|
|
+ break;
|
|
+
|
|
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
|
|
+ hasEnrolledKeys = true;
|
|
+ break;
|
|
+
|
|
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
|
|
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
|
|
case QEMU_FIRMWARE_FEATURE_NONE:
|
|
@@ -1022,6 +1032,36 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
|
|
return false;
|
|
}
|
|
|
|
+ if (def->os.firmwareFeatures) {
|
|
+ reqSecureBoot = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT];
|
|
+ if (reqSecureBoot != VIR_TRISTATE_BOOL_ABSENT) {
|
|
+ if (reqSecureBoot == VIR_TRISTATE_BOOL_YES && !supportsSecureBoot) {
|
|
+ VIR_DEBUG("User requested Secure Boot, firmware '%s' doesn't support it",
|
|
+ path);
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ if (reqSecureBoot == VIR_TRISTATE_BOOL_NO && supportsSecureBoot) {
|
|
+ VIR_DEBUG("User refused Secure Boot, firmware '%s' supports it", path);
|
|
+ return false;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ reqEnrolledKeys = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS];
|
|
+ if (reqEnrolledKeys != VIR_TRISTATE_BOOL_ABSENT) {
|
|
+ if (reqEnrolledKeys == VIR_TRISTATE_BOOL_YES && !hasEnrolledKeys) {
|
|
+ VIR_DEBUG("User requested Enrolled keys, firmware '%s' doesn't have them",
|
|
+ path);
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ if (reqEnrolledKeys == VIR_TRISTATE_BOOL_NO && hasEnrolledKeys) {
|
|
+ VIR_DEBUG("User refused Enrolled keys, firmware '%s' has them", path);
|
|
+ return false;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
if (def->os.loader &&
|
|
def->os.loader->secure == VIR_TRISTATE_BOOL_YES &&
|
|
!requiresSMM) {
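Review bot: The new block applies two independent tristate filters without stating what each state means for the match; a short comment above `if (def->os.firmwareFeatures) {` would save the next reader a trip to the parser, e.g. `/* ABSENT: no constraint; YES: descriptor must list the feature; NO: descriptor must not list it. */`. Enrolled keys only carry meaning when the firmware enforces Secure Boot, yet `enrolled-keys=yes` together with `secure-boot=no` is not rejected here, so the validation of that combination presumably lives in the XML parser; if it does not, a comment pointing at where the invariant is enforced would be worth adding. The `def->os.loader->secure` check that follows still decides on `requiresSMM` alone; now that `supportsSecureBoot` is tracked, it may be worth confirming that a `secure='yes'` loader is also rejected when the descriptor does not list the secure-boot feature. qemuFirmwareMatchDomain continues outside the hunk.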
|
|
diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
|
|
new file mode 100644
|
|
index 0000000000..c3c838fb1a
|
|
--- /dev/null
|
|
+++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
|
|
@@ -0,0 +1,47 @@
|
|
+LC_ALL=C \
|
|
+PATH=/bin \
|
|
+HOME=/tmp/lib/domain--1-fedora \
|
|
+USER=test \
|
|
+LOGNAME=test \
|
|
+XDG_DATA_HOME=/tmp/lib/domain--1-fedora/.local/share \
|
|
+XDG_CACHE_HOME=/tmp/lib/domain--1-fedora/.cache \
|
|
+XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
|
|
+QEMU_AUDIO_DRV=none \
|
|
+/usr/bin/qemu-system-x86_64 \
|
|
+-name guest=fedora,debug-threads=on \
|
|
+-S \
|
|
+-object secret,id=masterKey0,format=raw,\
|
|
+file=/tmp/lib/domain--1-fedora/master-key.aes \
|
|
+-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.fd",\
|
|
+"node-name":"libvirt-pflash0-storage","auto-read-only":true,\
|
|
+"discard":"unmap"}' \
|
|
+-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,\
|
|
+"driver":"raw","file":"libvirt-pflash0-storage"}' \
|
|
+-blockdev '{"driver":"file",\
|
|
+"filename":"/var/lib/libvirt/qemu/nvram/fedora_VARS.fd",\
|
|
+"node-name":"libvirt-pflash1-storage","auto-read-only":true,\
|
|
+"discard":"unmap"}' \
|
|
+-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,\
|
|
+"driver":"raw","file":"libvirt-pflash1-storage"}' \
|
|
+-machine pc-q35-4.0,accel=kvm,usb=off,dump-guest-core=off,\
|
|
+pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format \
|
|
+-cpu qemu64 \
|
|
+-m 8 \
|
|
+-overcommit mem-lock=off \
|
|
+-smp 1,sockets=1,cores=1,threads=1 \
|
|
+-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
|
|
+-display none \
|
|
+-no-user-config \
|
|
+-nodefaults \
|
|
+-chardev socket,id=charmonitor,fd=1729,server,nowait \
|
|
+-mon chardev=charmonitor,id=monitor,mode=control \
|
|
+-rtc base=utc \
|
|
+-no-shutdown \
|
|
+-boot strict=on \
|
|
+-device pcie-root-port,port=0x8,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,\
|
|
+addr=0x1 \
|
|
+-device pcie-root-port,port=0x9,chassis=2,id=pci.2,bus=pcie.0,addr=0x1.0x1 \
|
|
+-device qemu-xhci,id=usb,bus=pci.1,addr=0x0 \
|
|
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
|
|
+resourcecontrol=deny \
|
|
+-msg timestamp=on
|
|
diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
|
|
new file mode 100644
|
|
index 0000000000..7f8f57a859
|
|
--- /dev/null
|
|
+++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
|
|
@@ -0,0 +1,49 @@
|
|
+<domain type='kvm'>
|
|
+ <name>fedora</name>
|
|
+ <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
|
|
+ <memory unit='KiB'>8192</memory>
|
|
+ <currentMemory unit='KiB'>8192</currentMemory>
|
|
+ <vcpu placement='static'>1</vcpu>
|
|
+ <os firmware='efi'>
|
|
+ <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
|
|
+ <firmware type='efi'>
|
|
+ <feature enabled='no' name='enrolled-keys'/>
|
|
+ </firmware>
|
|
+ <boot dev='hd'/>
|
|
+ </os>
|
|
+ <features>
|
|
+ <acpi/>
|
|
+ <apic/>
|
|
+ <pae/>
|
|
+ </features>
|
|
+ <cpu mode='custom' match='exact' check='none'>
|
|
+ <model fallback='forbid'>qemu64</model>
|
|
+ </cpu>
|
|
+ <clock offset='utc'/>
|
|
+ <on_poweroff>destroy</on_poweroff>
|
|
+ <on_reboot>restart</on_reboot>
|
|
+ <on_crash>destroy</on_crash>
|
|
+ <devices>
|
|
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
|
|
+ <controller type='pci' index='0' model='pcie-root'/>
|
|
+ <controller type='pci' index='1' model='pcie-root-port'>
|
|
+ <model name='pcie-root-port'/>
|
|
+ <target chassis='1' port='0x8'/>
|
|
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
|
|
+ </controller>
|
|
+ <controller type='pci' index='2' model='pcie-root-port'>
|
|
+ <model name='pcie-root-port'/>
|
|
+ <target chassis='2' port='0x9'/>
|
|
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
|
|
+ </controller>
|
|
+ <controller type='usb' index='0' model='qemu-xhci'>
|
|
+ <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
|
|
+ </controller>
|
|
+ <controller type='sata' index='0'>
|
|
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
|
|
+ </controller>
|
|
+ <input type='mouse' bus='ps2'/>
|
|
+ <input type='keyboard' bus='ps2'/>
|
|
+ <memballoon model='none'/>
|
|
+ </devices>
|
|
+</domain>
|
|
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
|
|
index bc04bea692..5e16d7fd31 100644
|
|
--- a/tests/qemuxml2argvtest.c
|
|
+++ b/tests/qemuxml2argvtest.c
|
|
@@ -3094,6 +3094,7 @@ mymain(void)
|
|
DO_TEST_CAPS_LATEST("os-firmware-bios");
|
|
DO_TEST_CAPS_LATEST("os-firmware-efi");
|
|
DO_TEST_CAPS_LATEST("os-firmware-efi-secboot");
|
|
+ DO_TEST_CAPS_LATEST("os-firmware-efi-no-enrolled-keys");
|
|
DO_TEST_CAPS_LATEST_PARSE_ERROR("os-firmware-invalid-type");
|
|
DO_TEST_CAPS_ARCH_LATEST("aarch64-os-firmware-efi", "aarch64");
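Review bot: Only the "enrolled keys refused" path of the new filter gets a fixture; the other three branches (Secure Boot requested, Secure Boot refused, enrolled keys requested) and the case where no firmware satisfies the requested features are not exercised by this test or by the matching addition in qemuxml2xmltest.c. A companion fixture with `<feature enabled='yes' name='secure-boot'/>` and a failure-expecting case for an unsatisfiable combination would pin the filtering behaviour rather than just the one accepted path. `mymain` starts and ends outside the hunk.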
|
|
|
|
diff --git a/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
|
|
new file mode 120000
|
|
index 0000000000..902ccb783b
|
|
--- /dev/null
|
|
+++ b/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
|
|
@@ -0,0 +1 @@
|
|
+../qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
|
|
\ No newline at end of file
|
|
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
|
|
index 461b5bc68f..9e5747290a 100644
|
|
--- a/tests/qemuxml2xmltest.c
|
|
+++ b/tests/qemuxml2xmltest.c
|
|
@@ -1122,6 +1122,7 @@ mymain(void)
|
|
DO_TEST_CAPS_LATEST("os-firmware-bios");
|
|
DO_TEST_CAPS_LATEST("os-firmware-efi");
|
|
DO_TEST_CAPS_LATEST("os-firmware-efi-secboot");
|
|
+ DO_TEST_CAPS_LATEST("os-firmware-efi-no-enrolled-keys");
|
|
|
|
DO_TEST("aarch64-aavmf-virtio-mmio",
|
|
QEMU_CAPS_DEVICE_VIRTIO_MMIO,
|
|
--
|
|
2.31.1
|
|
|