Re: [libvirt] [PATCH 4/5] qemu: Enable secure boot
On Wed, Jul 27, 2016 at 05:11:59PM +0200, Laszlo Ersek wrote:
On 07/27/16 10:43, Michal Privoznik wrote:
> In qemu, enabling this feature boils down to adding the following
> onto the command line:
>
> -global driver=cfi.pflash01,property=secure,value=on
>
> However, there are some constraints resulting from the
> implementation. For instance, System Management Mode (SMM) is
> required to be enabled, the machine type must be q35-2.5 or
s/q35-2.5/q35-2.4/
> later, and the guest should be x86_64. While technically it is
> possible to have 32 bit guests with secure boot, some non-trivial
> CPU flags tuning is required (for instance lm and nx flags must
> be prohibited). Given complexity of our CPU driver, this is not
> trivial. Therefore I've chosen to forbid 32 bit guests for now.
> If there's ever need, we can refine the check later.
>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> ---
> src/qemu/qemu_command.c | 7 ++++++
> src/qemu/qemu_domain.c | 27 ++++++++++++++++++++
> .../qemuxml2argv-bios-nvram-secure.args | 29 ++++++++++++++++++++++
> tests/qemuxml2argvtest.c | 7 ++++++
> 4 files changed, 70 insertions(+)
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args
This patch looks almost complete to me (it causes all necessary QEMU
options to appear, directly or indirectly (= via requiring SMM)).
However, can you also enforce that the Q35 machtype has version 2.5 or
later? Technically, "pc-q35-2.4" exists too, and it's not good enough
(according to the instructions I wrote up in OvmfPkg/README earlier). I
certainly never tested it.
Thanks,
Laszlo
I've tested it and it seems to work also with "pc-q35-2.4". I've
installed
Fedora 24 inside a guest and I can see "Secure boot enabled" in dmesg output.
Unless Laszlo has some more information about secure boot and why it shouldn't
work with "pc-q35-2.4" this patch can be pushed as is.
ACK