mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-03 11:35:19 +00:00
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
64c2480043
commit
9c1524a01c
@ -8910,6 +8910,13 @@ qemuBuildDomainLoaderCommandLine(virCommandPtr cmd,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (loader->secure == VIR_TRISTATE_BOOL_YES) {
|
||||||
|
virCommandAddArgList(cmd,
|
||||||
|
"-global",
|
||||||
|
"driver=cfi.pflash01,property=secure,value=on",
|
||||||
|
NULL);
|
||||||
|
}
|
||||||
|
|
||||||
virBufferAsprintf(&buf,
|
virBufferAsprintf(&buf,
|
||||||
"file=%s,if=pflash,format=raw,unit=%d",
|
"file=%s,if=pflash,format=raw,unit=%d",
|
||||||
loader->path, unit);
|
loader->path, unit);
|
||||||
|
@ -2322,6 +2322,33 @@ qemuDomainDefValidate(const virDomainDef *def,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (def->os.loader &&
|
||||||
|
def->os.loader->secure == VIR_TRISTATE_BOOL_YES) {
|
||||||
|
/* These are the QEMU implementation limitations. But we
|
||||||
|
* have to live with them for now. */
|
||||||
|
|
||||||
|
if (!qemuDomainMachineIsQ35(def)) {
|
||||||
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||||
|
_("Secure boot is supported with q35 machine types only"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Now, technically it is possible to have secure boot on
|
||||||
|
* 32bits too, but that would require some -cpu xxx magic
|
||||||
|
* too. Not worth it unless we are explicitly asked. */
|
||||||
|
if (def->os.arch != VIR_ARCH_X86_64) {
|
||||||
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||||
|
_("Secure boot is supported for x86_64 architecture only"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (def->features[VIR_DOMAIN_FEATURE_SMM] != VIR_TRISTATE_SWITCH_ON) {
|
||||||
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||||
|
_("Secure boot requires SMM feature enabled"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
29
tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args
Normal file
29
tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
LC_ALL=C \
|
||||||
|
PATH=/bin \
|
||||||
|
HOME=/home/test \
|
||||||
|
USER=test \
|
||||||
|
LOGNAME=test \
|
||||||
|
QEMU_AUDIO_DRV=none \
|
||||||
|
/usr/bin/qemu \
|
||||||
|
-name test-bios \
|
||||||
|
-S \
|
||||||
|
-machine pc-q35-2.5,accel=tcg,smm=on \
|
||||||
|
-global driver=cfi.pflash01,property=secure,value=on \
|
||||||
|
-drive file=/usr/share/OVMF/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,\
|
||||||
|
readonly=on \
|
||||||
|
-drive file=/usr/share/OVMF/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
|
||||||
|
-m 1024 \
|
||||||
|
-smp 1,sockets=1,cores=1,threads=1 \
|
||||||
|
-uuid 362d1fc1-df7d-193e-5c18-49a71bd1da66 \
|
||||||
|
-nographic \
|
||||||
|
-nodefaults \
|
||||||
|
-monitor unix:/tmp/lib/domain--1-test-bios/monitor.sock,server,nowait \
|
||||||
|
-boot c \
|
||||||
|
-device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1e \
|
||||||
|
-device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x0 \
|
||||||
|
-device virtio-scsi-pci,id=scsi0,bus=pci.2,addr=0x1 \
|
||||||
|
-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-scsi0-0-0-0 \
|
||||||
|
-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\
|
||||||
|
drive=drive-scsi0-0-0-0,id=scsi0-0-0-0 \
|
||||||
|
-serial pty \
|
||||||
|
-device virtio-balloon-pci,id=balloon0,bus=pci.2,addr=0x2
|
@ -685,6 +685,13 @@ mymain(void)
|
|||||||
|
|
||||||
DO_TEST("bios", QEMU_CAPS_SGA);
|
DO_TEST("bios", QEMU_CAPS_SGA);
|
||||||
DO_TEST("bios-nvram", NONE);
|
DO_TEST("bios-nvram", NONE);
|
||||||
|
DO_TEST("bios-nvram-secure",
|
||||||
|
QEMU_CAPS_DEVICE_DMI_TO_PCI_BRIDGE,
|
||||||
|
QEMU_CAPS_DEVICE_PCI_BRIDGE,
|
||||||
|
QEMU_CAPS_ICH9_AHCI,
|
||||||
|
QEMU_CAPS_MACHINE_OPT,
|
||||||
|
QEMU_CAPS_MACHINE_SMM_OPT,
|
||||||
|
QEMU_CAPS_VIRTIO_SCSI);
|
||||||
DO_TEST("clock-utc", QEMU_CAPS_NODEFCONFIG);
|
DO_TEST("clock-utc", QEMU_CAPS_NODEFCONFIG);
|
||||||
DO_TEST("clock-localtime", NONE);
|
DO_TEST("clock-localtime", NONE);
|
||||||
DO_TEST("clock-localtime-basis-localtime", QEMU_CAPS_RTC);
|
DO_TEST("clock-localtime-basis-localtime", QEMU_CAPS_RTC);
|
||||||
|
Loading…
Reference in New Issue
Block a user