- Add ARM CCA to the supported firmware features.
Signed-off-by: Kazuhiro Abe <[email protected]>
---
src/qemu/qemu_firmware.c | 19 ++++++++++++++-
.../qemu/firmware/50-edk2-aarch64-armcca.json | 24 +++++++++++++++++++
tests/qemufirmwaretest.c | 3 +++
3 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644
tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca.json
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 9391956521..4395e79223 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -142,6 +142,7 @@ typedef enum {
QEMU_FIRMWARE_FEATURE_AMD_SEV_ES,
QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP,
QEMU_FIRMWARE_FEATURE_INTEL_TDX,
+ QEMU_FIRMWARE_FEATURE_ARM_CCA,
QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
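Review bot: The new member `QEMU_FIRMWARE_FEATURE_ARM_CCA` is mapped to the descriptor string `"arm-rme"` in the VIR_ENUM_IMPL hunk, while the `supportsARMCCA` flag, the debug message and the fixture file name all say CCA, and nothing in the patch explains the difference. If the string is dictated by the firmware descriptor schema (not visible in this patch), a short comment on the enum member would keep a later cleanup from "correcting" it, for example `/* advertised as "arm-rme" in firmware descriptors */`. The enum and the VIR_ENUM_IMPL list both start and end outside their hunks, so the position match between them can only be checked against the neighbouring entries shown, where it holds.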
@@ -161,6 +162,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
"amd-sev-es",
"amd-sev-snp",
"intel-tdx",
+ "arm-rme",
"enrolled-keys",
"requires-smm",
"secure-boot",
@@ -1092,6 +1094,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
bool supportsSEVES = false;
bool supportsSEVSNP = false;
bool supportsTDX = false;
+ bool supportsARMCCA = false;
bool supportsSecureBoot = false;
bool hasEnrolledKeys = false;
int reqSecureBoot;
@@ -1169,6 +1172,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
supportsTDX = true;
break;
+ case QEMU_FIRMWARE_FEATURE_ARM_CCA:
+ supportsARMCCA = true;
+ break;
+
case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
requiresSMM = true;
break;
@@ -1400,8 +1407,15 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
}
break;
- case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+ if (!supportsARMCCA) {
+ VIR_DEBUG("Domain requires ARM-CCA firmware '%s' doesn't
support it",
+ path);
+ return false;
+ }
+ break;
+
+ case VIR_DOMAIN_LAUNCH_SECURITY_PV:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
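Review bot: The new `VIR_DOMAIN_LAUNCH_SECURITY_CCA` branch is the only visible check that keeps a CCA domain from being matched with firmware that does not advertise the feature, and nothing in this patch exercises it. The test changes cover descriptor parsing and the supported-firmware list only, so a test that runs firmware autoselection for a domain with CCA launch security would pin the behaviour. The debug message also reads as a run-on; `VIR_DEBUG("Domain requires ARM CCA, firmware '%s' doesn't support it", path);` is clearer. qemuFirmwareMatchDomain starts and ends outside the hunk.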
@@ -1516,6 +1530,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ case QEMU_FIRMWARE_FEATURE_ARM_CCA:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1566,6 +1581,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ case QEMU_FIRMWARE_FEATURE_ARM_CCA:
isConfidential = true;
break;
case QEMU_FIRMWARE_FEATURE_NONE:
@@ -2062,6 +2078,7 @@ qemuFirmwareGetSupported(const char *machine,
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ case QEMU_FIRMWARE_FEATURE_ARM_CCA:
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
diff --git
a/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca.json
b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca.json
new file mode 100644
index 0000000000..681c1eadac
--- /dev/null
+++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca.json
@@ -0,0 +1,24 @@
+{
+ "description": "UEFI firmware for ARM64 virtual machines with CCA support",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "memory",
+ "filename": "/usr/share/edk2/aarch64/QEMU_EFI-armcca.fd"
+ },
+ "targets": [
+ {
+ "architecture": "aarch64",
+ "machines": [
+ "virt-*"
+ ]
+ }
+ ],
+ "features": [
+ "arm-rme"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c
index a4fb5c9b9c..091f385abb 100644
--- a/tests/qemufirmwaretest.c
+++ b/tests/qemufirmwaretest.c
@@ -89,6 +89,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED)
PREFIX "/share/qemu/firmware/31-edk2-ovmf-2m-raw-x64-sb-enrolled.json",
PREFIX "/share/qemu/firmware/40-edk2-ovmf-4m-qcow2-x64-sb.json",
PREFIX "/share/qemu/firmware/41-edk2-ovmf-2m-raw-x64-sb.json",
+ PREFIX "/share/qemu/firmware/50-edk2-aarch64-armcca.json",
PREFIX "/share/qemu/firmware/50-edk2-aarch64-qcow2.json",
PREFIX "/share/qemu/firmware/50-edk2-loongarch64.json",
PREFIX "/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json",
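Review bot: The expected precedence list puts `50-edk2-aarch64-armcca.json` ahead of `50-edk2-aarch64-qcow2.json`, and the DO_SUPPORTED_TEST hunk for `virt-3.1` likewise now starts with `QEMU_EFI-armcca.fd`. If autoselection takes the first matching descriptor in this order, a non-CCA aarch64 domain could be paired with the CCA build unless a check outside these hunks excludes it. The patch only adds the opposite check, rejecting non-CCA firmware for a CCA domain. Consider giving the fixture a higher-numbered prefix so it ranks after the general-purpose aarch64 images, or adding a case showing that a plain aarch64 domain still resolves to a non-CCA image. The list in testFWPrecedence continues outside the hunk.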
@@ -269,6 +270,7 @@ mymain(void)
DO_PARSE_TEST("usr/share/qemu/firmware/31-edk2-ovmf-2m-raw-x64-sb-enrolled.json");
DO_PARSE_TEST("usr/share/qemu/firmware/40-edk2-ovmf-4m-qcow2-x64-sb.json");
DO_PARSE_TEST("usr/share/qemu/firmware/41-edk2-ovmf-2m-raw-x64-sb.json");
+ DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-aarch64-armcca.json");
DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-aarch64-qcow2.json");
DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-loongarch64.json");
DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json");
@@ -329,6 +331,7 @@ mymain(void)
"/usr/share/edk2/ovmf/MICROVM.fd:NULL",
VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
DO_SUPPORTED_TEST("virt-3.1", VIR_ARCH_AARCH64, false,
+ "/usr/share/edk2/aarch64/QEMU_EFI-armcca.fd:NULL:"
"/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow2:/usr/share/edk2/aarch64/vars-template-pflash.qcow2:"
"/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw:/usr/share/edk2/aarch64/vars-template-pflash.raw:"
"/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2:/usr/share/edk2/aarch64/vars-template-pflash.qcow2:"
--
2.43.0