On Wed, Jul 27, 2016 at 05:11:59PM +0200, Laszlo Ersek wrote:
On 07/27/16 10:43, Michal Privoznik wrote:
In qemu, enabling this feature boils down to adding the following onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.5 or
s/q35-2.5/q35-2.4/
later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/qemu/qemu_command.c | 7 ++++++ src/qemu/qemu_domain.c | 27 ++++++++++++++++++++ .../qemuxml2argv-bios-nvram-secure.args | 29 ++++++++++++++++++++++ tests/qemuxml2argvtest.c | 7 ++++++ 4 files changed, 70 insertions(+) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.args
This patch looks almost complete to me (it causes all necessary QEMU options to appear, directly or indirectly (= via requiring SMM)). However, can you also enforce that the Q35 machtype has version 2.5 or later? Technically, "pc-q35-2.4" exists too, and it's not good enough (according to the instructions I wrote up in OvmfPkg/README earlier). I certainly never tested it.
Thanks, Laszlo
I've tested it and it seems to work also with "pc-q35-2.4". I've installed Fedora 24 inside a guest and I can see "Secure boot enabled" in dmesg output. Unless Laszlo has some more information about secure boot and why it shouldn't work with "pc-q35-2.4" this patch can be pushed as is. ACK