On 2/23/26 19:30, Andrea Bolognani via Devel wrote:
This series makes it possible to use Secure Boot with aarch64 VMs.
https://issues.redhat.com/browse/RHEL-82645
Changes from [v3]:
* changes to JSON firmware descriptors shipped by the edk2 package have been merged in Fedora, so the corresponding patch is no longer marked as DONOTMERGE;
* drop new varstore-specific flags from virsh, the existing NVRAM-related flags will work for varstore too;
* drop some changes to firmware selection that were not related to varstore support, to be reworked and submitted again at a later date;
* split, join and shuffle around patches;
* tweak things according to review feedback.
Changes from [v2]:
* changes to the schema for JSON firmware descriptors have been queued for merge in QEMU, so the corresponding patch is no longer marked as DONOTMERGE;
* improve documentation;
* rebase on top of master, addressing conflicts that I have caused with some recent changes related to this work.
Changes from [v1]:
* rewrite based on review feedback: the <nvram> element is no longer used, and a dedicated <varstore> element is introduced instead;
* additional test coverage, as well as fixes and improvements related to firmware selection and its documentation, are present as well.
[v3] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5JTQA... [v2] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/WVWT3... [v1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/TGLFM...
Andrea Bolognani (36): docs: Rename "BIOS bootloader" section to "guest firmware" docs: Improvement related to firmware selection qemu_firmware: Only set format for custom loader if path is present conf: Move type=rom default for loader to drivers tests: Rename custom JSON firmware descriptors schema: Introduce osnvram define conf: Parse and format varstore element conf: Update validation to consider varstore element qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS qemu: Validate presence of uefi-vars device tests: Add firmware-manual-efi-varstore-q35 tests: Add firmware-manual-efi-varstore-aarch64 tests: Add firmware-auto-efi-varstore-q35 tests: Add firmware-auto-efi-varstore-aarch64 tests: Add firmware-auto-efi-enrolled-keys-aarch64 qemu_firmware: Parse host-uefi-vars firmware feature qemu_firmware: Split sanity check qemu_firmware: Consider host-uefi-vars feature in sanity check qemu_firmware: Support extended syntax for ROM firmware descriptors qemu_firmware: Report NVRAM template path for ROMs conf: Include varstore element in domcaps qemu: Fill in varstore element in domcaps qemu_firmware: Use of NVRAM implies stateful firmware qemu_firmware: Allow matching stateful ROMs qemu_firmware: Fill in varstore information qemu: Introduce varstoreDir qemu_firmware: Generate varstore path when necessary qemu: Introduce qemuPrepareNVRAMFileCommon() qemu: Create and delete varstore file security: Mark ROMs as read only when using AppArmor security: Handle varstore file tests: Add firmware descriptors for uefi-vars builds qemu_command: Use uefi-vars device where appropriate include: Mention varstore where applicable virsh: Update for varstore handling news: Document support for uefi-vars device and firmwares
173 files changed, 1546 insertions(+), 307 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Michal