From 9c398406731ce0155997db2dab6bb1db4cd110c6 Mon Sep 17 00:00:00 2001
From: Andrea Bolognani <abologna@redhat.com>
Date: Tue, 7 Feb 2023 19:12:44 +0100
Subject: [PATCH] drivers: Reject unsupported firmware formats

This ensures that, as we add support for more formats at the
domain XML level, we don't accidentally cause drivers to
misbehave or users to get confused.

All existing drivers support the raw format, and supporting
additional formats will require explicit opt-in on the
driver's part.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/bhyve/bhyve_firmware.c |  7 +++++++
 src/libxl/libxl_conf.c     |  7 +++++++
 src/qemu/qemu_firmware.c   | 16 ++++++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/src/bhyve/bhyve_firmware.c b/src/bhyve/bhyve_firmware.c
index cb1b94b4d5..ff131efa41 100644
--- a/src/bhyve/bhyve_firmware.c
+++ b/src/bhyve/bhyve_firmware.c
@@ -80,6 +80,13 @@ bhyveFirmwareFillDomain(bhyveConn *driver,
     if (!def->os.loader)
         def->os.loader = virDomainLoaderDefNew();
 
+    if (def->os.loader->format != VIR_STORAGE_FILE_RAW) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("Unsupported loader format '%s'"),
+                       virStorageFileFormatTypeToString(def->os.loader->format));
+        return -1;
+    }
+
     def->os.loader->type = VIR_DOMAIN_LOADER_TYPE_PFLASH;
     def->os.loader->readonly = VIR_TRISTATE_BOOL_YES;
 
diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c
index 97c183ebf3..485015ef63 100644
--- a/src/libxl/libxl_conf.c
+++ b/src/libxl/libxl_conf.c
@@ -656,6 +656,13 @@ libxlMakeDomBuildInfo(virDomainDef *def,
             b_info->u.hvm.bios = LIBXL_BIOS_TYPE_OVMF;
         }
 
+        if (def->os.loader && def->os.loader->format != VIR_STORAGE_FILE_RAW) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("Unsupported loader format '%s'"),
+                           virStorageFileFormatTypeToString(def->os.loader->format));
+            return -1;
+        }
+
         if (def->emulator) {
             if (!virFileExists(def->emulator)) {
                 virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 4d34062ebf..be6d8d4519 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1545,6 +1545,7 @@ qemuFirmwareFillDomain(virQEMUDriver *driver,
 {
     g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
     virDomainLoaderDef *loader = def->os.loader;
+    virStorageSource *nvram = loader ? loader->nvram : NULL;
     bool autoSelection = (def->os.firmware != VIR_DOMAIN_OS_DEF_FIRMWARE_NONE);
     int ret;
 
@@ -1559,6 +1560,21 @@ qemuFirmwareFillDomain(virQEMUDriver *driver,
     if (virDomainDefOSValidate(def, NULL) < 0)
         return -1;
 
+    if (loader &&
+        loader->format != VIR_STORAGE_FILE_RAW) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("Unsupported loader format '%s'"),
+                       virStorageFileFormatTypeToString(loader->format));
+        return -1;
+    }
+    if (nvram &&
+        nvram->format != VIR_STORAGE_FILE_RAW) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("Unsupported nvram format '%s'"),
+                       virStorageFileFormatTypeToString(nvram->format));
+        return -1;
+    }
+
     /* If firmware autoselection is disabled and the loader is a ROM
      * instead of a PFLASH device, then we're using BIOS and we don't
      * need any information at all */