From 43382d91d15bf35798590ce786c2ae6a0d0bae5c Mon Sep 17 00:00:00 2001
Message-Id: <43382d91d15bf35798590ce786c2ae6a0d0bae5c@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Fri, 5 Aug 2016 14:35:27 +0200
Subject: [PATCH] qemu: Enable secure boot
https://bugzilla.redhat.com/show_bug.cgi?id=1304483
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Also, for the RHEL-7.3 I had to adjust the machine-smm-opt test.
In the upstream we already retired QEMU_CAPS_SMP_TOPOLOGY
capability, but not in RHEL yet.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 9c1524a01c357ea235f90c345c3b6a2682ec05f2)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_command.c | 7 ++++++
src/qemu/qemu_domain.c | 27 ++++++++++++++++++++
.../qemuxml2argv-bios-nvram-secure.args | 29 ++++++++++++++++++++++
tests/qemuxml2argvtest.c | 8 ++++++
4 files changed, 71 insertions(+)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 773f5f3..6be16cc 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -8949,6 +8949,13 @@ qemuBuildDomainLoaderCommandLine(virCommandPtr cmd,
goto cleanup;
}
+ if (loader->secure == VIR_TRISTATE_BOOL_YES) {
+ virCommandAddArgList(cmd,
+ "-global",
+ "driver=cfi.pflash01,property=secure,value=on",
+ NULL);
+ }
+
virBufferAsprintf(&buf,
"file=%s,if=pflash,format=raw,unit=%d",
loader->path, unit);
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index a6a0121..cc726dc 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -2228,6 +2228,33 @@ qemuDomainDefValidate(const virDomainDef *def,
return -1;
}
+ if (def->os.loader &&
+ def->os.loader->secure == VIR_TRISTATE_BOOL_YES) {
+ /* These are the QEMU implementation limitations. But we
+ * have to live with them for now. */
+
+ if (!qemuDomainMachineIsQ35(def)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Secure boot is supported with q35 machine types only"));
+ return -1;
+ }
+
+ /* Now, technically it is possible to have secure boot on
+ * 32bits too, but that would require some -cpu xxx magic
+ * too. Not worth it unless we are explicitly asked. */
+ if (def->os.arch != VIR_ARCH_X86_64) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Secure boot is supported for x86_64 architecture only"));
+ return -1;
+ }
+
+ if (def->features[VIR_DOMAIN_FEATURE_SMM] != VIR_TRISTATE_SWITCH_ON) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Secure boot requires SMM feature enabled"));
+ return -1;
+ }
+ }
+
return 0;
}
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args b/tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args
new file mode 100644
index 0000000..c014254
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args
@@ -0,0 +1,29 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu \
+-name test-bios \
+-S \
+-machine pc-q35-2.5,accel=tcg,smm=on \
+-global driver=cfi.pflash01,property=secure,value=on \
+-drive file=/usr/share/OVMF/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,\
+readonly=on \
+-drive file=/usr/share/OVMF/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
+-m 1024 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 362d1fc1-df7d-193e-5c18-49a71bd1da66 \
+-nographic \
+-nodefaults \
+-monitor unix:/tmp/lib/domain--1-test-bios/monitor.sock,server,nowait \
+-boot c \
+-device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1e \
+-device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x0 \
+-device virtio-scsi-pci,id=scsi0,bus=pci.2,addr=0x1 \
+-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-scsi0-0-0-0 \
+-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\
+drive=drive-scsi0-0-0-0,id=scsi0-0-0-0 \
+-serial pty \
+-device virtio-balloon-pci,id=balloon0,bus=pci.2,addr=0x2
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 5c26812..95474e8 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -685,6 +685,14 @@ mymain(void)
DO_TEST("bios", QEMU_CAPS_SGA);
DO_TEST("bios-nvram", NONE);
+ DO_TEST("bios-nvram-secure",
+ QEMU_CAPS_DEVICE_DMI_TO_PCI_BRIDGE,
+ QEMU_CAPS_DEVICE_PCI_BRIDGE,
+ QEMU_CAPS_ICH9_AHCI,
+ QEMU_CAPS_MACHINE_OPT,
+ QEMU_CAPS_MACHINE_SMM_OPT,
+ QEMU_CAPS_SMP_TOPOLOGY,
+ QEMU_CAPS_VIRTIO_SCSI);
DO_TEST("clock-utc", QEMU_CAPS_NODEFCONFIG);
DO_TEST("clock-localtime", NONE);
DO_TEST("clock-localtime-basis-localtime", QEMU_CAPS_RTC);
--
2.9.2