mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-23 21:15:20 +00:00
262672dbbf
Currently, a firmware configuration such as <os firmware='efi'> <firmware> <feature enabled='yes' name='enrolled-keys'/> </firmware> </os> will correctly pick a firmware that implements the Secure Boot feature and initialize the NVRAM file so that it contains the keys necessary to enforce the signing requirements. However, the lack of a <loader secure='yes'/> element makes it possible for pflash writes to happen outside of SMM mode. This means that the authenticated UEFI variables where the keys are stored could potentially be overwritten by malicious code running in the guest, thus making it possible to circumvent Secure Boot. To prevent that from happening, automatically turn on the loader.secure feature whenever a firmware that implements Secure Boot is chosen by the firmware autoselection logic. This is identical to the way we already automatically enable SMM in such a scenario. Note that, while this is technically a guest-visible change, it will not affect migration of existings VMs and will not prevent legitimate guest code from running. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
37 lines
1.7 KiB
Plaintext
37 lines
1.7 KiB
Plaintext
LC_ALL=C \
|
|
PATH=/bin \
|
|
HOME=/tmp/lib/domain--1-fedora \
|
|
USER=test \
|
|
LOGNAME=test \
|
|
XDG_DATA_HOME=/tmp/lib/domain--1-fedora/.local/share \
|
|
XDG_CACHE_HOME=/tmp/lib/domain--1-fedora/.cache \
|
|
XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
|
|
/usr/bin/qemu-system-x86_64 \
|
|
-name guest=fedora,debug-threads=on \
|
|
-S \
|
|
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-fedora/master-key.aes"}' \
|
|
-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
|
|
-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
|
|
-blockdev '{"driver":"file","filename":"/path/to/fedora_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \
|
|
-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \
|
|
-machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
|
|
-accel kvm \
|
|
-cpu qemu64 \
|
|
-global driver=cfi.pflash01,property=secure,value=on \
|
|
-m 8 \
|
|
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
|
|
-overcommit mem-lock=off \
|
|
-smp 1,sockets=1,cores=1,threads=1 \
|
|
-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
|
|
-display none \
|
|
-no-user-config \
|
|
-nodefaults \
|
|
-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
|
|
-mon chardev=charmonitor,id=monitor,mode=control \
|
|
-rtc base=utc \
|
|
-no-shutdown \
|
|
-boot strict=on \
|
|
-audiodev '{"id":"audio1","driver":"none"}' \
|
|
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
|
|
-msg timestamp=on
|