libvirt/tests/qemuxml2argvdata/firmware-manual-efi-secure.args

LC_ALL=C \
PATH=/bin \
HOME=/tmp/lib/domain--1-test-bios \
USER=test \
LOGNAME=test \
XDG_DATA_HOME=/tmp/lib/domain--1-test-bios/.local/share \
XDG_CACHE_HOME=/tmp/lib/domain--1-test-bios/.cache \
XDG_CONFIG_HOME=/tmp/lib/domain--1-test-bios/.config \
/usr/bin/qemu-system-x86_64 \
-name guest=test-bios,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,file=/tmp/lib/domain--1-test-bios/master-key.aes \
-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
-blockdev '{"driver":"file","filename":"/some/user/nvram/path/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \
-machine q35,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format \
-accel tcg \
-global driver=cfi.pflash01,property=secure,value=on \
-m 1024 \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid 362d1fc1-df7d-193e-5c18-49a71bd1da66 \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-audiodev '{"id":"audio1","driver":"none"}' \
-msg timestamp=on
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 09:33:52 +00:00			`LC_ALL=C \`
			`PATH=/bin \`
qemu: command: Override HOME variable for system QEMU By default, qemu user's home dir points to '/' which shouldn't be used at all. We therefore pass the HOME variable from the current variable iff not running as SUID, which means that for systemd we never set it. This patch makes sure, that for system QEMU this is always set to libDir/<driver>, session mode is left untouched. Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> 2019-03-06 12:29:01 +00:00			`HOME=/tmp/lib/domain--1-test-bios \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 09:33:52 +00:00			`USER=test \`
			`LOGNAME=test \`
qemu: command: Enforce setting XDG variables for system QEMU For session mode, only XDG_CACHE_HOME is set, because we want to remain integrating with services in user session, but for system mode, this would have become reading/writing to '/' which carries the obvious issue with permissions (also, '/' is the wrong location in 99.9% cases anyway). Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> 2019-03-08 11:15:07 +00:00			`XDG_DATA_HOME=/tmp/lib/domain--1-test-bios/.local/share \`
			`XDG_CACHE_HOME=/tmp/lib/domain--1-test-bios/.cache \`
			`XDG_CONFIG_HOME=/tmp/lib/domain--1-test-bios/.config \`
tests: unify qemu binary paths for all qemu related tests Our test data used a lot of different qemu binary paths and some of them were based on downstream systems. Note that there is one file where I had to add "accel=kvm" because the qemuargv2xml code parses "/usr/bin/kvm" as virt type="kvm". Signed-off-by: Pavel Hrdina <phrdina@redhat.com> 2017-04-06 16:19:48 +00:00			`/usr/bin/qemu-system-x86_64 \`
qemu: command: Always assume support for '-name guest=' and '-name debug-threads=on' All QEMU versions we support have these and it's very unlikely that they will be removed. Remove the capability checks. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2021-08-10 14:39:38 +00:00			`-name guest=test-bios,debug-threads=on \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 09:33:52 +00:00			`-S \`
qemu: Always assume presence of QEMU_CAPS_OBJECT_SECRET The secret object is supported since qemu-2.6 and can't be compiled out. Assume the presence to simplify the code. This enables the use of the secret key for most tests not using real caps. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2021-09-21 15:50:00 +00:00			`-object secret,id=masterKey0,format=raw,file=/tmp/lib/domain--1-test-bios/master-key.aes \`
tests: Force QEMU_CAPS_BLOCKDEV(_HOSTDEV_SCSI) in fake caps tests Until we finish removing the capabilities we need to force them in the tests so that it's obvious that the code changes have no impact. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-07-20 13:37:19 +00:00			`-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \`
			`-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \`
			`-blockdev '{"driver":"file","filename":"/some/user/nvram/path/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \`
			`-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \`
			`-machine q35,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format \`
qemu: Switch to -accel We currently use -machine accel=XXX which is just a syntax sugar for -accel XXX. The former doesn't allow specifying arguments for accelerator, because all arguments passed to -machine are treated as arguments of machine itself. The -accel argument was introduced in QEMU commit v2.9.0-rc0~70^2~19 and since our minimum required version is newer (2.11.0) we can safely assume its existence and use it without any capability. Resolves: https://gitlab.com/libvirt/libvirt/-/issues/233 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Tested-by: Kashyap Chamarthy <kchamart@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> 2021-11-05 08:38:10 +00:00			`-accel tcg \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 09:33:52 +00:00			`-global driver=cfi.pflash01,property=secure,value=on \`
			`-m 1024 \`
qemu: command: Always assume QEMU_CAPS_OVERCOMMIT Starting with qemu-3.1 we always have the '-overcommit' argument and use it instead of '-realtime'. Remove the capability check and fix all fake-caps tests. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-02-10 11:57:26 +00:00			`-overcommit mem-lock=off \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 09:33:52 +00:00			`-smp 1,sockets=1,cores=1,threads=1 \`
			`-uuid 362d1fc1-df7d-193e-5c18-49a71bd1da66 \`
qemu: deprecate QEMU_CAPS_DISPLAY Implied by QEMU >= 1.2.0. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 10:51:55 +00:00			`-display none \`
qemu: deprecate QEMU_CAPS_NO_USER_CONFIG Implied by QEMU >= 1.2.0. Delete this one first, because QEMU_CAPS_NODEFCONFIG is only used when QEMU_CAPS_NO_USER_CONFIG is unsupported. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 10:51:55 +00:00			`-no-user-config \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 09:33:52 +00:00			`-nodefaults \`
qemu: Always assume QEMU_CAPS_CHARDEV_FD_PASS_COMMANDLINE All qemu versions now support FD passing either directly or via FDset. Assume that we always have this capability so that we can simplify chardev handling in many cases. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-02-03 12:31:28 +00:00			`-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \`
qemu: deprecate QEMU_CAPS_MONITOR_JSON We require QEMU >= 1.5.0, assume every QEMU supports it. Sadly that does not let us trivially drop qemuMonitor's priv->monJSON bool, because of qemuDomainQemuAttach. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-28 22:04:58 +00:00			`-mon chardev=charmonitor,id=monitor,mode=control \`
qemu: deprecate QEMU_CAPS_RTC Implied by QEMU >= 1.2.0. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 10:51:55 +00:00			`-rtc base=utc \`
qemu: deprecate QEMU_CAPS_NO_SHUTDOWN Implied by QEMU >= 1.2.0. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 10:51:55 +00:00			`-no-shutdown \`
tests: Use minimal hardware for firmware tests When testing firmware selection, we don't really care about any of the hardware assigned to the VM, and in fact it's better to keep it as minimal as possible to make sure that the focus remains on the firmware bits. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-09 13:02:19 +00:00			`-boot strict=on \`
qemu: command: Always assume QEMU_CAPS_AUDIODEV Generate only new version of the '-audiodev' commandline. The leftover old code and validation will be removed in subsequent patches. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-06-22 13:36:23 +00:00			`-audiodev '{"id":"audio1","driver":"none"}' \`
qemu: command: Always assume support for '-msg timestamp=on' All supported QEMU versions have this option so there's no need for us to base it on the capability. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2021-08-10 15:07:10 +00:00			`-msg timestamp=on`