Re: Some questions regarding firmware handling in the qemu driver

On Tue, Jun 07, 2022 at 02:57:17PM -0600, Jim Fehlig wrote: > Hi All, > > I received a bug report (private, sorry) about inability to "deploy uefi > virtual machine with secureboot enabled on aarch64 kvm host". Indeed the > qemu driver has some checks that would prohibit using secure boot with > aarch64 virt machines, e.g. > > https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu_validate.c... > > However it appears qemu does not restrict booting a firmware with keys > enrolled and secure boot enabled. E.g. > > qemu-system-aarch64 -m 4096 -cpu host -accel kvm -smp 4 -M virt -drive if=pflash,format=raw,readonly=on,file=/usr/share/qemu/aavmf-aarch64-opensuse-code.bin > -drive > if=pflash,format=raw,file=/vm_images/jim/images/test/test-vars-store.bin ... > > seems to work fine and within the guest I see db keys loaded by kernel > > [ 4.782777] integrity: Loading X.509 certificate: UEFI:db > [ 4.789494] integrity: Loaded X.509 cert 'Build time autogenerated kernel > key: 44e3470bd0c5eb190e3292dfc42db061521184ee' > [ 4.789548] integrity: Loading X.509 certificate: UEFI:db > [ 4.789701] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: > 0332fa9cbf0d88bf21924b0de82a09a54d5defc8' > [ 4.789710] integrity: Loading X.509 certificate: UEFI:db > [ 4.789841] integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure > Boot Signkey: 3fb077b6cebc6ff2522e1c148c57c777c788e3e7' > > Can we consider easing the secure boot restrictions in qemuValidateDomainDefBoot? Will such a configuration refuse to boot an unsigned guest OS? Is it reasonably tamper-proof (see below)? If the answer to both of these question is yes, then relaxing the check sounds reasonable.