You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
83 lines
3.5 KiB
83 lines
3.5 KiB
From 483c5c561743c4e685ffce1d238527f13c8e83a3 Mon Sep 17 00:00:00 2001
|
|
Message-ID: <483c5c561743c4e685ffce1d238527f13c8e83a3.1772815313.git.jdenemar@redhat.com>
|
|
From: Andrea Bolognani <abologna@redhat.com>
|
|
Date: Mon, 24 Nov 2025 14:42:45 +0100
|
|
Subject: [PATCH] qemu_firmware: Consider host-uefi-vars feature in sanity
|
|
check
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Just like with firmware builds targeting the confidential use
|
|
case, use of the uefi-vars device obviates the need to have SMM
|
|
emulation enabled while still guaranteeing that protected EFI
|
|
variables work as intended.
|
|
|
|
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
|
|
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
|
|
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
(cherry picked from commit d0c6aa084f53c0c856d00b87255a31fbbc1237ad)
|
|
|
|
https://issues.redhat.com/browse/RHEL-82645
|
|
|
|
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
|
|
---
|
|
src/qemu/qemu_firmware.c | 14 ++++++++++++--
|
|
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
|
|
index 5c923b5a02..f9cb9058ac 100644
|
|
--- a/src/qemu/qemu_firmware.c
|
|
+++ b/src/qemu/qemu_firmware.c
|
|
@@ -1552,6 +1552,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
|
|
bool requiresSMM = false;
|
|
bool supportsSecureBoot = false;
|
|
bool hasEnrolledKeys = false;
|
|
+ bool usesUefiVarsDevice = false;
|
|
bool isConfidential = false;
|
|
|
|
for (i = 0; i < fw->nfeatures; i++) {
|
|
@@ -1565,6 +1566,9 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
|
|
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
|
|
hasEnrolledKeys = true;
|
|
break;
|
|
+ case QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS:
|
|
+ usesUefiVarsDevice = true;
|
|
+ break;
|
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
|
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
|
|
@@ -1574,7 +1578,6 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
|
|
case QEMU_FIRMWARE_FEATURE_NONE:
|
|
case QEMU_FIRMWARE_FEATURE_ACPI_S3:
|
|
case QEMU_FIRMWARE_FEATURE_ACPI_S4:
|
|
- case QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS:
|
|
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
|
|
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
|
|
case QEMU_FIRMWARE_FEATURE_LAST:
|
|
@@ -1588,14 +1591,21 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
|
|
* support SMM. This is OK, because EFI binaries for confidential
|
|
* VMs also don't support EFI variable storage in NVRAM, instead
|
|
* the secureboot state is hardcoded to enabled.
|
|
+ *
|
|
+ * Similarly, use of the uefi-vars QEMU device guarantees that
|
|
+ * protected EFI variables work as expected without requiring SMM
|
|
+ * emulation.
|
|
*/
|
|
if (!isConfidential &&
|
|
+ !usesUefiVarsDevice &&
|
|
supportsSecureBoot != requiresSMM) {
|
|
VIR_WARN("Firmware description '%s' has invalid set of features: "
|
|
- "%s = %d, %s = %d (isConfidential = %d)",
|
|
+ "%s = %d, %s = %d, %s = %d (isConfidential = %d)",
|
|
filename,
|
|
qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_REQUIRES_SMM),
|
|
requiresSMM,
|
|
+ qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS),
|
|
+ usesUefiVarsDevice,
|
|
qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_SECURE_BOOT),
|
|
supportsSecureBoot,
|
|
isConfidential);
|
|
--
|
|
2.53.0
|
|
|