conf: support stateless UEFI firmware
Normally when a UEFI firmware is marked as read-only, an associated
NVRAM file will be created. Some builds of UEFI firmware, however, wish
to remain stateless and so will be read-only, but never have any NVRAM
file. To represent this concept a 'stateless' tristate bool attribute
is introduced on the <loader/> element.
There are rather a large number of permutations to consider.

With default firmware selection

  * <os/>
    => Historic default, no change

  * <os>
      <loader stateless='yes'/>
    </os>
    => Explicit version of historic default, no change

  * <os>
      <loader stateless='no'/>
    </os>
    => Invalid, bios is always stateless

With manual legacy BIOS selection

  * <os>
      <loader>/path/to/seabios</loader>
      ...
    </os>
    => Historic default, no change

  * <os>
      <loader stateless='yes'>/path/to/seabios</loader>
      ...
    </os>
    => Explicit version of historic default, no change

  * <os>
      <loader stateless='no'>/path/to/seabios</loader>
      ...
    </os>
    => Invalid, bios is always stateless

With manual UEFI selection

  * <os>
      <loader type='pflash'>/path/to/edk2</loader>
      ...
    </os>
    => Historic default, no change

  * <os>
      <loader type='pflash' stateless='yes'>/path/to/edk2</loader>
      ...
    </os>
    => Skip auto-filling NVRAM / template

  * <os>
      <loader type='pflash' stateless='no'>/path/to/edk2</loader>
      ...
    </os>
    => Explicit version of historic default, no change

With automatic firmware selection

  * <os firmware='bios'/>
    => Historic default, no change

  * <os firmware='bios'>
      <loader stateless='yes'/>
    </os>
    => Explicit version of historic default, no change

  * <os firmware='bios'>
      <loader stateless='no'/>
    </os>
    => Invalid, bios is always stateless

  * <os firmware='uefi'/>
    => Historic default, no change

  * <os firmware='uefi'>
      <loader stateless='yes'/>
    </os>
    => Skip auto-filling NVRAM / template

  * <os firmware='uefi'>
      <loader stateless='no'/>
    </os>
    => Explicit version of historic default, no change
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-07-22 14:27:55 +00:00
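The permutation table in the commit message above is easy to misread when writing domain XML by hand, so here it is encoded as a small standard-library Python validator. This is an added example, not libvirt's own code (libvirt's parser and validation live in its C sources and check more than this): it only reproduces the rules stated above. The `LoaderDecision` type, the `classify_os`/`is_valid`/`describe` names and the nvram labels `"none"`, `"auto"` and `"skip"` are this example's own naming, and the `PERMUTATIONS` list is the set of `<os>` fragments from the message with the `...` elisions dropped.

```python
"""Classify an <os> element under libvirt's <loader stateless=.../> rules.

Added example, not libvirt code: it encodes only the permutation table from
the commit message above. LoaderDecision and the nvram labels are assumptions
of this example, not libvirt terminology.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class LoaderDecision:
    firmware: str    # "bios" or "uefi"
    stateless: bool  # effective value once the tristate defaults are applied
    nvram: str       # "none": BIOS has no NVRAM
                     # "auto": NVRAM auto-filled from the template (historic default)
                     # "skip": stateless UEFI, no NVRAM file is created


def classify_os(os_xml: str) -> LoaderDecision:
    """BIOS is always stateless (so stateless='no' is an error); UEFI is
    stateful by default and skips the NVRAM only when stateless='yes'."""
    os_el = ET.fromstring(os_xml)
    if os_el.tag != "os":
        raise ValueError("expected an <os> element")

    loader = os_el.find("loader")
    ltype = loader.get("type") if loader is not None else None
    raw = loader.get("stateless") if loader is not None else None
    if raw not in (None, "yes", "no"):
        raise ValueError(f"stateless must be 'yes' or 'no', got {raw!r}")

    firmware = os_el.get("firmware")
    if firmware is None:
        # Default or manual selection: only <loader type='pflash'> means UEFI.
        # No loader, or a loader without that type (e.g. seabios), is BIOS.
        firmware = "uefi" if ltype == "pflash" else "bios"
    elif firmware not in ("bios", "uefi"):
        raise ValueError(f"unknown firmware selection {firmware!r}")

    if firmware == "bios":
        if raw == "no":
            raise ValueError("stateless='no' is invalid: bios is always stateless")
        return LoaderDecision("bios", True, "none")

    if raw == "yes":
        return LoaderDecision("uefi", True, "skip")  # skip auto-filling NVRAM / template
    return LoaderDecision("uefi", False, "auto")      # historic default


def is_valid(os_xml: str) -> bool:
    """True if the fragment is one of the accepted permutations."""
    try:
        classify_os(os_xml)
    except ValueError:
        return False
    return True


def describe(os_xml: str) -> str:
    """One-line human-readable outcome for a fragment."""
    try:
        d = classify_os(os_xml)
    except ValueError as exc:
        return f"invalid ({exc})"
    state = "yes" if d.stateless else "no"
    return f"{d.firmware}, stateless={state}, nvram={d.nvram}"


# The permutations from the commit message; the manual loader paths are the
# placeholders used there, not real files.
PERMUTATIONS = [
    "<os/>",
    "<os><loader stateless='yes'/></os>",
    "<os><loader stateless='no'/></os>",
    "<os><loader>/path/to/seabios</loader></os>",
    "<os><loader stateless='yes'>/path/to/seabios</loader></os>",
    "<os><loader stateless='no'>/path/to/seabios</loader></os>",
    "<os><loader type='pflash'>/path/to/edk2</loader></os>",
    "<os><loader type='pflash' stateless='yes'>/path/to/edk2</loader></os>",
    "<os><loader type='pflash' stateless='no'>/path/to/edk2</loader></os>",
    "<os firmware='bios'/>",
    "<os firmware='bios'><loader stateless='yes'/></os>",
    "<os firmware='bios'><loader stateless='no'/></os>",
    "<os firmware='uefi'/>",
    "<os firmware='uefi'><loader stateless='yes'/></os>",
    "<os firmware='uefi'><loader stateless='no'/></os>",
]

if __name__ == "__main__":
    for fragment in PERMUTATIONS:
        print(f"{fragment:72} => {describe(fragment)}")
```

Running the block prints the outcome for every permutation; the three BIOS fragments carrying stateless='no' are the only ones rejected, and only the UEFI fragments with stateless='yes' end up with nvram="skip", which is the case where no NVRAM file (and so no persistent UEFI variable store) is created for the guest.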
LC_ALL=C \
PATH=/bin \
HOME=/tmp/lib/domain--1-fedora \
USER=test \
LOGNAME=test \
XDG_DATA_HOME=/tmp/lib/domain--1-fedora/.local/share \
XDG_CACHE_HOME=/tmp/lib/domain--1-fedora/.cache \
XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
/usr/bin/qemu-system-x86_64 \
-name guest=fedora,debug-threads=on \
-S \
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-fedora/master-key.aes"}' \
-machine pc-q35-4.0,usb=off,dump-guest-core=off,memory-backend=pc.ram \
-accel kvm \
-cpu qemu64 \
-bios /usr/share/seabios/bios-256k.bin \
-m 8 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-audiodev '{"id":"audio1","driver":"none"}' \
2023-01-20 10:22:22 +00:00
-global ICH9-LPC.noreboot=off \
-watchdog-action reset \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on