This series makes it possible to use Secure Boot with aarch64 VMs.
https://issues.redhat.com/browse/RHEL-82645
Note that, while I consider the entire series to be ready for review,
there is one patch that is marked as DONOTMERGE: that's because it
imports into the tree firmware descriptor that are not yet part of
the Fedora edk2 package.
Changes from [v2]:
* changes to the schema for JSON firmware descriptors have been
queued for merge in QEMU, so the corresponding patch is no longer
marked as DONOTMERGE;
* improve documentation;
* rebase on top of master, addressing conflicts that I have caused
with some recent changes related to this work.
Changes from [v1]:
* rewrite based on review feedback: the <nvram> element is no
longer used, and a dedicated <varstore> element is introduced
instead;
* additional test coverage, as well as fixes and improvements
related to firmware selection and its documentation, are present
as well.
[v2]
https://lists.libvirt.org/archives/list/[email protected]/thread/WVWT3BX3J5HM4FKRG3IW7HAW6JMU2VOH/
[v1]
https://lists.libvirt.org/archives/list/[email protected]/thread/TGLFMPRXCATRPA6MPHH5KYXY5XCTSRDT/
Andrea Bolognani (38):
qemu_firmware: Only set format for custom loader if path is present
conf: Move type=rom default for loader to drivers
qemu_firmware: Improve matching when loader.type is absent
tests: Rename custom JSON firmware descriptors
tests: Update JSON firmware descriptor for BIOS
schema: Add varstore element
conf: Parse and format varstore element
conf: Update validation to consider varstore element
qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS
qemu: Validate presence of uefi-vars device
tests: Add firmware-manual-efi-varstore-q35
tests: Add firmware-manual-efi-varstore-aarch64
tests: Add firmware-auto-efi-varstore-q35
tests: Add firmware-auto-efi-varstore-aarch64
tests: Add firmware-auto-efi-enrolled-keys-aarch64
qemu_firmware: Parse host-uefi-vars firmware feature
qemu_firmware: Split sanity check
qemu_firmware: Consider host-uefi-vars feature in sanity check
qemu_firmware: Support extended syntax for ROM firmware descriptors
qemu_firmware: Report NVRAM template path for ROMs
schema: Add varstore element for domcaps
conf: Include varstore element in domcaps
qemu: Fill in varstore element in domcaps
qemu_firmware: Use of NVRAM implies stateful firmware
qemu_firmware: Allow matching stateful ROMs
qemu_firmware: Fill in varstore information
qemu: Introduce varstoreDir
qemu_firmware: Generate varstore path when necessary
DONOTMERGE: tests: Add firmware descriptors for uefi-vars builds
qemu_command: Use uefi-vars device where appropriate
qemu: Introduce qemuPrepareNVRAMFileCommon()
qemu: Create and delete varstore file
security: Mark ROMs as read only when using AppArmor
security: Handle varstore file
include: Mention varstore where applicable
virsh: Update for varstore handling
docs: Update for varstore and improve
news: Document support for uefi-vars device and firmwares
NEWS.rst | 16 ++
docs/formatcaps.rst | 2 +-
docs/formatdomain.rst | 47 +++--
docs/formatdomaincaps.rst | 85 +++++---
docs/kbase/secureboot.rst | 46 +++--
docs/manpages/virsh.rst | 44 +++--
include/libvirt/libvirt-domain-snapshot.h | 2 +-
include/libvirt/libvirt-domain.h | 4 +-
libvirt.spec.in | 1 +
src/conf/domain_capabilities.c | 10 +
src/conf/domain_capabilities.h | 6 +
src/conf/domain_conf.c | 79 +++++++-
src/conf/domain_conf.h | 9 +
src/conf/domain_postparse.c | 19 --
src/conf/domain_validate.c | 82 +++-----
src/conf/schemas/domaincaps.rng | 9 +
src/conf/schemas/domaincommon.rng | 64 +++---
src/conf/virconftypes.h | 2 +
src/libvirt_private.syms | 2 +
src/libxl/libxl_domain.c | 6 +
src/qemu/meson.build | 1 +
src/qemu/qemu_capabilities.c | 29 ++-
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 34 ++++
src/qemu/qemu_conf.c | 4 +
src/qemu/qemu_conf.h | 1 +
src/qemu/qemu_driver.c | 27 ++-
src/qemu/qemu_firmware.c | 182 ++++++++++++++++--
src/qemu/qemu_firmware.h | 1 +
src/qemu/qemu_process.c | 84 ++++++--
src/qemu/qemu_validate.c | 20 ++
src/security/security_dac.c | 22 ++-
src/security/security_selinux.c | 53 +++--
src/security/virt-aa-helper.c | 36 +++-
.../qemu_10.0.0-q35.x86_64+amdsev.xml | 1 +
.../domaincapsdata/qemu_10.0.0-q35.x86_64.xml | 1 +
.../qemu_10.0.0-tcg.x86_64+amdsev.xml | 1 +
.../domaincapsdata/qemu_10.0.0-tcg.x86_64.xml | 1 +
.../qemu_10.0.0-virt.aarch64.xml | 3 +
tests/domaincapsdata/qemu_10.0.0.aarch64.xml | 3 +
tests/domaincapsdata/qemu_10.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_10.0.0.s390x.xml | 1 +
.../qemu_10.0.0.x86_64+amdsev.xml | 1 +
tests/domaincapsdata/qemu_10.0.0.x86_64.xml | 1 +
.../qemu_10.1.0-q35.x86_64+inteltdx.xml | 1 +
.../domaincapsdata/qemu_10.1.0-q35.x86_64.xml | 1 +
.../qemu_10.1.0-tcg.x86_64+inteltdx.xml | 1 +
.../domaincapsdata/qemu_10.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_10.1.0.s390x.xml | 1 +
.../qemu_10.1.0.x86_64+inteltdx.xml | 1 +
tests/domaincapsdata/qemu_10.1.0.x86_64.xml | 1 +
.../qemu_10.2.0-q35.x86_64+mshv.xml | 1 +
.../domaincapsdata/qemu_10.2.0-q35.x86_64.xml | 1 +
.../qemu_10.2.0-tcg.x86_64+mshv.xml | 1 +
.../domaincapsdata/qemu_10.2.0-tcg.x86_64.xml | 1 +
.../qemu_10.2.0-virt.aarch64.xml | 3 +
tests/domaincapsdata/qemu_10.2.0.aarch64.xml | 3 +
.../qemu_10.2.0.x86_64+mshv.xml | 1 +
tests/domaincapsdata/qemu_10.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_11.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_11.0.0-tcg.x86_64.xml | 1 +
.../qemu_11.0.0-virt.aarch64.xml | 3 +
tests/domaincapsdata/qemu_11.0.0.aarch64.xml | 3 +
tests/domaincapsdata/qemu_11.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_6.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_6.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_7.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_7.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_7.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_7.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_7.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_7.1.0.x86_64.xml | 1 +
.../qemu_7.2.0-hvf.x86_64+hvf.xml | 1 +
.../domaincapsdata/qemu_7.2.0-q35.x86_64.xml | 1 +
.../qemu_7.2.0-tcg.x86_64+hvf.xml | 1 +
.../domaincapsdata/qemu_7.2.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_7.2.0.ppc.xml | 1 +
tests/domaincapsdata/qemu_7.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_8.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_8.1.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_8.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.2.0-q35.x86_64.xml | 1 +
.../qemu_8.2.0-tcg-virt.loongarch64.xml | 1 +
.../domaincapsdata/qemu_8.2.0-tcg.x86_64.xml | 1 +
.../qemu_8.2.0-virt.aarch64.xml | 3 +
.../qemu_8.2.0-virt.loongarch64.xml | 1 +
tests/domaincapsdata/qemu_8.2.0.aarch64.xml | 3 +
tests/domaincapsdata/qemu_8.2.0.armv7l.xml | 1 +
tests/domaincapsdata/qemu_8.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_8.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_9.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_9.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_9.0.0.sparc.xml | 1 +
tests/domaincapsdata/qemu_9.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_9.1.0-q35.x86_64.xml | 1 +
.../qemu_9.1.0-tcg-virt.riscv64.xml | 1 +
.../domaincapsdata/qemu_9.1.0-tcg.x86_64.xml | 1 +
.../qemu_9.1.0-virt.riscv64.xml | 1 +
tests/domaincapsdata/qemu_9.1.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_9.1.0.x86_64.xml | 1 +
.../qemu_9.2.0-hvf.aarch64+hvf.xml | 3 +
.../qemu_9.2.0-q35.x86_64+amdsev.xml | 1 +
.../domaincapsdata/qemu_9.2.0-q35.x86_64.xml | 1 +
.../qemu_9.2.0-tcg.x86_64+amdsev.xml | 1 +
.../domaincapsdata/qemu_9.2.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_9.2.0.s390x.xml | 1 +
.../qemu_9.2.0.x86_64+amdsev.xml | 1 +
tests/domaincapsdata/qemu_9.2.0.x86_64.xml | 1 +
.../caps_10.0.0_aarch64.xml | 1 +
.../caps_10.0.0_x86_64+amdsev.xml | 1 +
.../caps_10.0.0_x86_64.xml | 1 +
.../caps_10.1.0_s390x.xml | 1 +
.../caps_10.1.0_x86_64+inteltdx.xml | 1 +
.../caps_10.1.0_x86_64.xml | 1 +
.../caps_10.2.0_aarch64.xml | 1 +
.../caps_10.2.0_x86_64+mshv.xml | 1 +
.../caps_10.2.0_x86_64.xml | 1 +
.../caps_11.0.0_aarch64.xml | 1 +
.../caps_11.0.0_x86_64.xml | 1 +
.../etc/qemu/firmware/20-bios.json | 1 -
.../etc/qemu/firmware/20-libvirt-bios.json | 1 +
.../etc/qemu/firmware/59-combined.json | 1 -
.../qemu/firmware/59-libvirt-combined.json | 1 +
...{92-masked.json => 92-libvirt-masked.json} | 0
.../{10-bios.json => 10-libvirt-bios.json} | 0
...0-edk2-ovmf-qemuvars-x64-sb-enrolled.json} | 15 +-
.../70-edk2-qemuvars-aarch64-sb-enrolled.json | 28 +++
...json => 71-edk2-ovmf-qemuvars-x64-sb.json} | 16 +-
.../firmware/71-edk2-qemuvars-aarch64-sb.json | 27 +++
...combined.json => 90-libvirt-combined.json} | 0
.../{91-bios.json => 91-libvirt-bios.json} | 2 +-
...{92-masked.json => 92-libvirt-masked.json} | 0
...3-invalid.json => 93-libvirt-invalid.json} | 0
tests/qemufirmwaretest.c | 71 ++++---
...-auto-bios-not-stateless.x86_64-latest.err | 2 +-
...auto-bios-not-stateless.x86_64-latest.xml} | 6 +-
...firmware-auto-bios-nvram.x86_64-latest.err | 2 +-
...are-auto-bios-stateless.x86_64-latest.args | 2 +-
...ware-auto-bios-stateless.x86_64-latest.xml | 2 +-
.../firmware-auto-bios.x86_64-latest.args | 2 +-
.../firmware-auto-bios.x86_64-latest.xml | 2 +-
...fi-enrolled-keys-aarch64.aarch64-8.2.0.err | 1 +
...enrolled-keys-aarch64.aarch64-latest.args} | 12 +-
...i-enrolled-keys-aarch64.aarch64-latest.xml | 32 +++
...irmware-auto-efi-enrolled-keys-aarch64.xml | 20 ++
...-efi-varstore-aarch64.aarch64-latest.args} | 12 +-
...to-efi-varstore-aarch64.aarch64-latest.xml | 32 +++
.../firmware-auto-efi-varstore-aarch64.xml | 18 ++
...-auto-efi-varstore-q35.x86_64-latest.args} | 5 +-
...e-auto-efi-varstore-q35.x86_64-latest.xml} | 11 +-
.../firmware-auto-efi-varstore-q35.xml | 18 ++
...ual-bios-not-stateless.x86_64-latest.args} | 8 +-
...anual-bios-not-stateless.x86_64-latest.err | 1 -
...nual-bios-not-stateless.x86_64-latest.xml} | 2 +-
...re-manual-bios-stateless.x86_64-latest.xml | 6 +-
.../firmware-manual-bios.x86_64-latest.xml | 6 +-
...nual-efi-nvram-stateless.x86_64-latest.err | 2 +-
...nvram-template-stateless.x86_64-latest.err | 2 +-
...ware-manual-efi-rw-nvram.x86_64-latest.err | 2 +-
...ual-efi-varstore-aarch64.aarch64-8.2.0.err | 1 +
...-efi-varstore-aarch64.aarch64-latest.args} | 12 +-
...al-efi-varstore-aarch64.aarch64-latest.xml | 32 +++
.../firmware-manual-efi-varstore-aarch64.xml | 19 ++
...e-manual-efi-varstore-q35.x86_64-8.2.0.err | 1 +
...anual-efi-varstore-q35.x86_64-latest.args} | 5 +-
...manual-efi-varstore-q35.x86_64-latest.xml} | 11 +-
.../firmware-manual-efi-varstore-q35.xml | 19 ++
tests/qemuxmlconftest.c | 16 +-
tests/testutilsqemu.c | 2 +
tools/virsh-domain.c | 55 ++++--
tools/virsh-snapshot.c | 9 +-
179 files changed, 1314 insertions(+), 380 deletions(-)
delete mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/20-bios.json
create mode 120000
tests/qemufirmwaredata/etc/qemu/firmware/20-libvirt-bios.json
delete mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/59-combined.json
create mode 120000
tests/qemufirmwaredata/etc/qemu/firmware/59-libvirt-combined.json
rename tests/qemufirmwaredata/etc/qemu/firmware/{92-masked.json =>
92-libvirt-masked.json} (100%)
rename tests/qemufirmwaredata/home/user/.config/qemu/firmware/{10-bios.json =>
10-libvirt-bios.json} (100%)
copy tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json =>
70-edk2-ovmf-qemuvars-x64-sb-enrolled.json} (55%)
create mode 100644
tests/qemufirmwaredata/usr/share/qemu/firmware/70-edk2-qemuvars-aarch64-sb-enrolled.json
copy tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json =>
71-edk2-ovmf-qemuvars-x64-sb.json} (51%)
create mode 100644
tests/qemufirmwaredata/usr/share/qemu/firmware/71-edk2-qemuvars-aarch64-sb.json
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json =>
90-libvirt-combined.json} (100%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{91-bios.json =>
91-libvirt-bios.json} (90%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{92-masked.json =>
92-libvirt-masked.json} (100%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{93-invalid.json =>
93-libvirt-invalid.json} (100%)
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.xml =>
firmware-auto-bios-not-stateless.x86_64-latest.xml} (84%)
create mode 100644
tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.args} (72%)
create mode 100644
tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.xml
create mode 100644
tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-auto-efi-varstore-aarch64.aarch64-latest.args} (72%)
create mode 100644
tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-latest.xml
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.args =>
firmware-auto-efi-varstore-q35.x86_64-latest.args} (83%)
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml =>
firmware-auto-efi-varstore-q35.x86_64-latest.xml} (73%)
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-manual-bios-not-stateless.x86_64-latest.args} (84%)
delete mode 100644
tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_64-latest.err
copy tests/qemuxmlconfdata/{firmware-manual-bios.x86_64-latest.xml =>
firmware-manual-bios-not-stateless.x86_64-latest.xml} (90%)
create mode 100644
tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-manual-efi-varstore-aarch64.aarch64-latest.args} (73%)
create mode 100644
tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-latest.xml
create mode 100644
tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.xml
create mode 100644
tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-manual-efi-varstore-q35.x86_64-latest.args} (85%)
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml =>
firmware-manual-efi-varstore-q35.x86_64-latest.xml} (74%)
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.xml
--
2.53.0
