From 578ac25c6ae86d3f655ad902d1bcb57beff0e936 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 22 Jul 2022 15:27:55 +0100 Subject: [PATCH] conf: support stateless UEFI firmware MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Normally when an UEFI firmware is marked as read-only, an associated NVRAM file will be created. Some builds of UEFI firmware, however, wish to remain stateless and so will be read-only, but never have any NVRAM file. To represent this concept a 'stateless' tristate bool attribute is introduced on the element. There are rather a large number of permutations to consider. With default firmware selection * => Historic default, no change * => Explicit version of historic default, no change * => Invalid, bios is always stateless With manual legacy BIOS selection * /path/to/seabios ... => Historic default, no change * /path/to/seabios ... => Explicit version of historic default, no change * /path/to/seabios ... => Invalid, bios is always stateless With manual UEFI selection * /path/to/edk2 ... => Historic default, no change * /path/to/edk2 ... => Skip auto-filling NVRAM / template * /path/to/edk2 ... => Explicit version of historic default, no change With automatic firmware selection * => Historic default, no change * => Explicit version of historic default, no change * => Invalid, bios is always stateless * => Historic default, no change * => Skip auto-filling NVRAM / template * => Explicit version of historic default, no change Reviewed-by: Michal Privoznik 
Signed-off-by: Daniel P. Berrangé --- docs/formatdomain.rst | 19 ++++++++++- src/conf/domain_conf.c | 9 +++++ src/conf/domain_conf.h | 1 + src/conf/domain_validate.c | 26 ++++++++++++++ src/conf/schemas/domaincommon.rng | 5 +++ ...-auto-bios-not-stateless.x86_64-latest.err | 1 + .../firmware-auto-bios-not-stateless.xml | 18 ++++++++++ ...are-auto-bios-stateless.x86_64-latest.args | 32 +++++++++++++++++ .../firmware-auto-bios-stateless.xml | 18 ++++++++++ .../firmware-manual-bios-not-stateless.err | 1 + .../firmware-manual-bios-not-stateless.xml | 15 ++++++++ .../firmware-manual-bios-stateless.args | 30 ++++++++++++++++ .../firmware-manual-bios-stateless.xml | 15 ++++++++ ...nual-efi-nvram-stateless.x86_64-latest.err | 1 + .../firmware-manual-efi-nvram-stateless.xml | 21 ++++++++++++ ...nvram-template-stateless.x86_64-latest.err | 1 + ...re-manual-efi-nvram-template-stateless.xml | 19 +++++++++++ tests/qemuxml2argvtest.c | 8 +++++ ...ware-auto-bios-stateless.x86_64-latest.xml | 34 +++++++++++++++++++ .../firmware-manual-bios-stateless.xml | 25 ++++++++++++++ .../firmware-manual-bios.xml | 25 ++++++++++++++ tests/qemuxml2xmltest.c | 3 ++ 22 files changed, 326 insertions(+), 1 deletion(-) create mode 100644 tests/qemuxml2argvdata/firmware-auto-bios-not-stateless.x86_64-latest.err create mode 100644 tests/qemuxml2argvdata/firmware-auto-bios-not-stateless.xml create mode 100644 tests/qemuxml2argvdata/firmware-auto-bios-stateless.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/firmware-auto-bios-stateless.xml create mode 100644 tests/qemuxml2argvdata/firmware-manual-bios-not-stateless.err create mode 100644 tests/qemuxml2argvdata/firmware-manual-bios-not-stateless.xml create mode 100644 tests/qemuxml2argvdata/firmware-manual-bios-stateless.args create mode 100644 tests/qemuxml2argvdata/firmware-manual-bios-stateless.xml create mode 100644 tests/qemuxml2argvdata/firmware-manual-efi-nvram-stateless.x86_64-latest.err create mode 100644 
tests/qemuxml2argvdata/firmware-manual-efi-nvram-stateless.xml create mode 100644 tests/qemuxml2argvdata/firmware-manual-efi-nvram-template-stateless.x86_64-latest.err create mode 100644 tests/qemuxml2argvdata/firmware-manual-efi-nvram-template-stateless.xml create mode 100644 tests/qemuxml2xmloutdata/firmware-auto-bios-stateless.x86_64-latest.xml create mode 100644 tests/qemuxml2xmloutdata/firmware-manual-bios-stateless.xml create mode 100644 tests/qemuxml2xmloutdata/firmware-manual-bios.xml diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 3ea094e64c..1ed969ac3e 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -173,6 +173,15 @@ harddisk, cdrom, network) determining where to obtain/find the boot image. ... + + ... + + hvm + + + + ... + ``firmware`` The ``firmware`` attribute allows management applications to automatically fill ```` and ```` elements and possibly enable some @@ -242,7 +251,12 @@ harddisk, cdrom, network) determining where to obtain/find the boot image. firmwares may implement the Secure boot feature. Attribute ``secure`` can be used to tell the hypervisor that the firmware is capable of Secure Boot feature. It cannot be used to enable or disable the feature itself in the firmware. - :since:`Since 2.1.0` + :since:`Since 2.1.0`. If the loader is marked as read-only, then with UEFI it + is assumed that there will be a writable NVRAM available. In some cases, + however, it may be desirable for the loader to run without any NVRAM, discarding + any config changes on shutdown. The ``stateless`` flag (:since:`Since 8.6.0`) + can be used to control this behaviour, when set to ``no`` NVRAM will never + be created. ``nvram`` Some UEFI firmwares may want to use a non-volatile memory to store some variables. In the host, this is represented as a file and the absolute path 
@@ -262,6 +276,9 @@ harddisk, cdrom, network) determining where to obtain/find the boot image. **Note:** ``network`` backed NVRAM the variables are not instantiated from the ``template`` and it's user's responsibility to provide a valid NVRAM image. + It is not valid to provide this element if the loader is marked as + stateless. + ``boot`` The ``dev`` attribute takes one of the values "fd", "hd", "cdrom" or "network" and is used to specify the next boot device to consider. The diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index c7564e3a3a..e85cc1f809 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -16682,6 +16682,10 @@ virDomainLoaderDefParseXML(virDomainLoaderDef *loader, &loader->secure) < 0) return -1; + if (virXMLPropTristateBool(loaderNode, "stateless", VIR_XML_PROP_NONE, + &loader->stateless) < 0) + return -1; + return 0; } @@ -25888,6 +25892,11 @@ virDomainLoaderDefFormat(virBuffer *buf, virBufferAsprintf(&loaderAttrBuf, " type='%s'", virDomainLoaderTypeToString(loader->type)); + if (loader->stateless != VIR_TRISTATE_BOOL_ABSENT) { + virBufferAsprintf(&loaderAttrBuf, " stateless='%s'", + virTristateBoolTypeToString(loader->stateless)); + } + virBufferEscapeString(&loaderChildBuf, "%s", loader->path); virXMLFormatElementInternal(buf, "loader", &loaderAttrBuf, &loaderChildBuf, false, false); diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 90de50c12f..060c395943 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2266,6 +2266,7 @@ struct _virDomainLoaderDef { virTristateBool readonly; virDomainLoader type; virTristateBool secure; + virTristateBool stateless; virStorageSource *nvram; bool newStyleNVRAM; char *nvramTemplate; /* user override of path to master nvram */ diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c index 814922cd46..cfd868fafa 100644 --- a/src/conf/domain_validate.c +++ b/src/conf/domain_validate.c 
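Review bot: The new `stateless` member added to `struct _virDomainLoaderDef` in the domain_conf.h hunk has no comment, although its three states are not self-evident and the neighbouring `nvramTemplate` field is annotated. Going by the checks this patch adds in domain_validate.c, a comment such as `virTristateBool stateless; /* YES: nvram and nvramTemplate are rejected; NO: only accepted for pflash / EFI firmware; ABSENT: historic behaviour */` would record the contract next to the field. The struct begins and ends outside the hunk, so any documentation convention used for the other tristate members is not visible here.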
@@ -1672,6 +1672,32 @@ virDomainDefOSValidate(const virDomainDef *def, } } + if (loader->stateless == VIR_TRISTATE_BOOL_YES) { + if (loader->nvramTemplate) { + virReportError(VIR_ERR_XML_DETAIL, "%s", + _("NVRAM template is not permitted when loader is stateless")); + return -1; + } + + if (loader->nvram) { + virReportError(VIR_ERR_XML_DETAIL, "%s", + _("NVRAM is not permitted when loader is stateless")); + return -1; + } + } else if (loader->stateless == VIR_TRISTATE_BOOL_NO) { + if (def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_NONE) { + if (def->os.loader->type != VIR_DOMAIN_LOADER_TYPE_PFLASH) { + virReportError(VIR_ERR_XML_DETAIL, "%s", + _("Only pflash loader type permits NVRAM")); + return -1; + } + } else if (def->os.firmware != VIR_DOMAIN_OS_DEF_FIRMWARE_EFI) { + virReportError(VIR_ERR_XML_DETAIL, "%s", + _("Only EFI firmware permits NVRAM")); + return -1; + } + } + return 0; } diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng index d15dd33f47..c4f293a4c3 100644 --- a/src/conf/schemas/domaincommon.rng +++ b/src/conf/schemas/domaincommon.rng @@ -320,6 +320,11 @@ + + + + + diff --git a/tests/qemuxml2argvdata/firmware-auto-bios-not-stateless.x86_64-latest.err b/tests/qemuxml2argvdata/firmware-auto-bios-not-stateless.x86_64-latest.err new file mode 100644 index 0000000000..b058f970a4 --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-auto-bios-not-stateless.x86_64-latest.err @@ -0,0 +1 @@ +Only EFI firmware permits NVRAM diff --git a/tests/qemuxml2argvdata/firmware-auto-bios-not-stateless.xml b/tests/qemuxml2argvdata/firmware-auto-bios-not-stateless.xml new file mode 100644 index 0000000000..b2c8fc1122 --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-auto-bios-not-stateless.xml @@ -0,0 +1,18 @@ + + fedora + 63840878-0deb-4095-97e6-fc444d9bc9fa + 8192 + 1 + + hvm + + + + + + + /usr/bin/qemu-system-x86_64 + + + + 
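Review bot: The two errors raised in the `VIR_TRISTATE_BOOL_NO` branch, "Only pflash loader type permits NVRAM" and "Only EFI firmware permits NVRAM", never name the `stateless` attribute that triggers them, so a user who wrote `stateless='no'` on a BIOS loader is told about NVRAM they did not configure. Naming the attribute in the message would make the rejection actionable, and the matching `.err` fixtures in this patch would change with it. In the same branch the pflash test reads `def->os.loader->type` while the rest of the added block uses the local `loader`; `if (loader->type != VIR_DOMAIN_LOADER_TYPE_PFLASH) {` keeps it uniform. The `VIR_TRISTATE_BOOL_YES` branch forbids NVRAM, whereas the sentence added to docs/formatdomain.rst says NVRAM is never created when the flag is set to ``no``, so one of the two looks inverted, most likely the documentation. virDomainDefOSValidate begins before this hunk, so the assignment and NULL check of `loader` are not visible here.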
diff --git a/tests/qemuxml2argvdata/firmware-auto-bios-stateless.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-bios-stateless.x86_64-latest.args new file mode 100644 index 0000000000..1d45a8cfba --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-auto-bios-stateless.x86_64-latest.args @@ -0,0 +1,32 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/tmp/lib/domain--1-fedora \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/tmp/lib/domain--1-fedora/.local/share \ +XDG_CACHE_HOME=/tmp/lib/domain--1-fedora/.cache \ +XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=fedora,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-fedora/master-key.aes"}' \ +-machine pc-q35-4.0,usb=off,dump-guest-core=off,memory-backend=pc.ram \ +-accel kvm \ +-cpu qemu64 \ +-bios /usr/share/seabios/bios-256k.bin \ +-m 8 \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-boot strict=on \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxml2argvdata/firmware-auto-bios-stateless.xml b/tests/qemuxml2argvdata/firmware-auto-bios-stateless.xml new file mode 100644 index 0000000000..4847951346 --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-auto-bios-stateless.xml @@ -0,0 +1,18 @@ + + fedora + 63840878-0deb-4095-97e6-fc444d9bc9fa + 8192 + 1 + + hvm + + + + + + + /usr/bin/qemu-system-x86_64 + + + + 
diff --git a/tests/qemuxml2argvdata/firmware-manual-bios-not-stateless.err b/tests/qemuxml2argvdata/firmware-manual-bios-not-stateless.err new file mode 100644 index 0000000000..188a5a4180 --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-manual-bios-not-stateless.err @@ -0,0 +1 @@ +Only pflash loader type permits NVRAM diff --git a/tests/qemuxml2argvdata/firmware-manual-bios-not-stateless.xml b/tests/qemuxml2argvdata/firmware-manual-bios-not-stateless.xml new file mode 100644 index 0000000000..b60878ca0b --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-manual-bios-not-stateless.xml @@ -0,0 +1,15 @@ + + test-bios + 362d1fc1-df7d-193e-5c18-49a71bd1da66 + 1048576 + 1 + + hvm + /usr/share/seabios/bios.bin + + + /usr/bin/qemu-system-i386 + + + + diff --git a/tests/qemuxml2argvdata/firmware-manual-bios-stateless.args b/tests/qemuxml2argvdata/firmware-manual-bios-stateless.args new file mode 100644 index 0000000000..e1cb064b71 --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-manual-bios-stateless.args @@ -0,0 +1,30 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/tmp/lib/domain--1-test-bios \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/tmp/lib/domain--1-test-bios/.local/share \ +XDG_CACHE_HOME=/tmp/lib/domain--1-test-bios/.cache \ +XDG_CONFIG_HOME=/tmp/lib/domain--1-test-bios/.config \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-i386 \ +-name guest=test-bios,debug-threads=on \ +-S \ +-object secret,id=masterKey0,format=raw,file=/tmp/lib/domain--1-test-bios/master-key.aes \ +-machine pc,usb=off,dump-guest-core=off \ +-accel tcg \ +-bios /usr/share/seabios/bios.bin \ +-m 1024 \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 362d1fc1-df7d-193e-5c18-49a71bd1da66 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-no-acpi \ +-boot strict=on \ +-msg timestamp=on 
diff --git a/tests/qemuxml2argvdata/firmware-manual-bios-stateless.xml b/tests/qemuxml2argvdata/firmware-manual-bios-stateless.xml new file mode 100644 index 0000000000..9d6f4e4c83 --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-manual-bios-stateless.xml @@ -0,0 +1,15 @@ + + test-bios + 362d1fc1-df7d-193e-5c18-49a71bd1da66 + 1048576 + 1 + + hvm + /usr/share/seabios/bios.bin + + + /usr/bin/qemu-system-i386 + + + + diff --git a/tests/qemuxml2argvdata/firmware-manual-efi-nvram-stateless.x86_64-latest.err b/tests/qemuxml2argvdata/firmware-manual-efi-nvram-stateless.x86_64-latest.err new file mode 100644 index 0000000000..de8db3763d --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-manual-efi-nvram-stateless.x86_64-latest.err @@ -0,0 +1 @@ +NVRAM is not permitted when loader is stateless diff --git a/tests/qemuxml2argvdata/firmware-manual-efi-nvram-stateless.xml b/tests/qemuxml2argvdata/firmware-manual-efi-nvram-stateless.xml new file mode 100644 index 0000000000..717712e89b --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-manual-efi-nvram-stateless.xml @@ -0,0 +1,21 @@ + + test-bios + 362d1fc1-df7d-193e-5c18-49a71bd1da66 + 1048576 + 1 + + hvm + /usr/share/OVMF/OVMF_CODE.fd + + + + + + + + + /usr/bin/qemu-system-x86_64 + + + + diff --git a/tests/qemuxml2argvdata/firmware-manual-efi-nvram-template-stateless.x86_64-latest.err b/tests/qemuxml2argvdata/firmware-manual-efi-nvram-template-stateless.x86_64-latest.err new file mode 100644 index 0000000000..95ec794c17 --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-manual-efi-nvram-template-stateless.x86_64-latest.err @@ -0,0 +1 @@ +NVRAM template is not permitted when loader is stateless diff --git a/tests/qemuxml2argvdata/firmware-manual-efi-nvram-template-stateless.xml b/tests/qemuxml2argvdata/firmware-manual-efi-nvram-template-stateless.xml new file mode 100644 index 0000000000..a6d7079b78 --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-manual-efi-nvram-template-stateless.xml 
@@ -0,0 +1,19 @@ + + test-bios + 362d1fc1-df7d-193e-5c18-49a71bd1da66 + 1048576 + 1 + + hvm + /usr/share/OVMF/OVMF_CODE.fd + + + + + + + /usr/bin/qemu-system-x86_64 + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index b2da42cb1f..57d5f3e1c1 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1190,6 +1190,10 @@ mymain(void) DO_TEST("firmware-manual-bios", QEMU_CAPS_DEVICE_ISA_SERIAL); + DO_TEST("firmware-manual-bios-stateless", + QEMU_CAPS_DEVICE_ISA_SERIAL); + DO_TEST_PARSE_ERROR("firmware-manual-bios-not-stateless", + QEMU_CAPS_DEVICE_ISA_SERIAL); DO_TEST_NOCAPS("firmware-manual-efi"); DO_TEST_PARSE_ERROR_NOCAPS("firmware-manual-efi-no-path"); DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-manual-efi-features"); @@ -1202,10 +1206,12 @@ mymain(void) QEMU_CAPS_ICH9_AHCI, QEMU_CAPS_VIRTIO_SCSI); DO_TEST_CAPS_LATEST("firmware-manual-efi-nvram-template"); + DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-manual-efi-nvram-template-stateless"); DO_TEST_CAPS_LATEST("firmware-manual-efi-nvram-network-iscsi"); DO_TEST_CAPS_VER_PARSE_ERROR("firmware-manual-efi-nvram-network-iscsi", "4.1.0"); DO_TEST_CAPS_LATEST("firmware-manual-efi-nvram-network-nbd"); DO_TEST_CAPS_LATEST("firmware-manual-efi-nvram-file"); + DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-manual-efi-nvram-stateless"); /* Make sure all combinations of ACPI and UEFI behave as expected */ DO_TEST_NOCAPS("firmware-manual-efi-acpi-aarch64"); @@ -1218,6 +1224,8 @@ mymain(void) DO_TEST_NOCAPS("firmware-manual-noefi-noacpi-q35"); DO_TEST_CAPS_LATEST("firmware-auto-bios"); + DO_TEST_CAPS_LATEST("firmware-auto-bios-stateless"); + DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-bios-not-stateless"); DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-bios-nvram"); DO_TEST_CAPS_LATEST("firmware-auto-efi"); DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram"); 
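Review bot: None of the cases registered in the three qemuxml2argvtest.c hunks (at 1190, 1202 and 1218) covers a UEFI loader with `stateless='yes'` and no NVRAM, which is the configuration the commit message sets out to support. The additions cover BIOS acceptance and rejection (`firmware-manual-bios-stateless`, `firmware-manual-bios-not-stateless`, `firmware-auto-bios-stateless`, `firmware-auto-bios-not-stateless`) and the two EFI rejections (`firmware-manual-efi-nvram-stateless`, `firmware-manual-efi-nvram-template-stateless`). A positive `DO_TEST_CAPS_LATEST(...)` entry for a pflash EFI loader marked stateless, with an `.args` fixture showing that no NVRAM drive is generated, would pin the "Skip auto-filling NVRAM / template" behaviour. It may be intended for a follow-up driver commit, in which case a short comment beside these entries saying so would help. mymain() starts and ends outside these hunks.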
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-bios-stateless.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-bios-stateless.x86_64-latest.xml new file mode 100644 index 0000000000..f1b5516ce4 --- /dev/null +++ b/tests/qemuxml2xmloutdata/firmware-auto-bios-stateless.x86_64-latest.xml @@ -0,0 +1,34 @@ + + fedora + 63840878-0deb-4095-97e6-fc444d9bc9fa + 8192 + 8192 + 1 + + hvm + + + + + + + + qemu64 + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + +
+ + + + +