- Add ARM CCA to the supporting firmware feature.
Signed-off-by: Kazuhiro Abe <fj1078ii@aa.jp.fujitsu.com>
---
 src/qemu/qemu_firmware.c | 19 ++++++++++++++-
 .../qemu/firmware/50-edk2-aarch64-armcca.json | 24 +++++++++++++++++++
 tests/qemufirmwaretest.c | 3 +++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca.json
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 9391956521..4395e79223 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -142,6 +142,7 @@ typedef enum {
 QEMU_FIRMWARE_FEATURE_AMD_SEV_ES,
 QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP,
 QEMU_FIRMWARE_FEATURE_INTEL_TDX,
+ QEMU_FIRMWARE_FEATURE_ARM_CCA,
 QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
 QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
 QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
@@ -161,6 +162,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
 "amd-sev-es",
 "amd-sev-snp",
 "intel-tdx",
+ "arm-rme",
 "enrolled-keys",
 "requires-smm",
 "secure-boot",
@@ -1092,6 +1094,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
 bool supportsSEVES = false;
 bool supportsSEVSNP = false;
 bool supportsTDX = false;
+ bool supportsARMCCA = false;
 bool supportsSecureBoot = false;
 bool hasEnrolledKeys = false;
 int reqSecureBoot;
@@ -1169,6 +1172,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
 supportsTDX = true;
 break;
 
+ case QEMU_FIRMWARE_FEATURE_ARM_CCA:
+ supportsARMCCA = true;
+ break;
+
 case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
 requiresSMM = true;
 break;
@@ -1400,8 +1407,15 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
 }
 break;
 
- case VIR_DOMAIN_LAUNCH_SECURITY_PV:
 case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+ if (!supportsARMCCA) {
+ VIR_DEBUG("Domain requires ARM-CCA firmware '%s' doesn't support it",
+ path);
+ return false;
+ }
+ break;
+
+ case VIR_DOMAIN_LAUNCH_SECURITY_PV:
 break;
 
 case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
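Review bot: The descriptor feature string added in the `VIR_ENUM_IMPL(qemuFirmwareFeature, ...)` hunk is `"arm-rme"` while the enum constant, the local `supportsARMCCA` and the launch-security type it is matched against are all named CCA, and nothing records why the two names differ. A one-line comment next to the string, e.g. `"arm-rme", /* feature name used by QEMU firmware descriptors; selected by libvirt's CCA launch security type */`, would spare the next reader a search through descriptor files for "cca" that finds nothing. The matching entry in the enum hunk could carry the same remark.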
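Review bot: The new `VIR_DOMAIN_LAUNCH_SECURITY_CCA` branch filters in one direction only — a CCA domain rejects firmware lacking the feature — while nothing visible rejects CCA-capable firmware for a domain with no launch security (the `VIR_DOMAIN_LAUNCH_SECURITY_NONE` body lies outside the hunk). Because the new descriptor sorts ahead of 50-edk2-aarch64-qcow2.json in both the testFWPrecedence list and the virt-3.1 DO_SUPPORTED_TEST expectation, an ordinary aarch64 EFI guest would, as far as I can tell, now autoselect the memory-mapped CCA image over the pflash one; if the existing SEV/TDX descriptors in this tree use a later priority prefix for exactly that reason, this descriptor should too, or the NONE branch needs a matching filter. Separately, the debug message lacks a separator between the requirement and the firmware clause; `VIR_DEBUG("Domain requires ARM-CCA, firmware '%s' doesn't support it", path);` reads as the neighbouring branches do. The enclosing switch and qemuFirmwareMatchDomain both start and end outside the hunk.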
@@ -1516,6 +1530,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
 case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ case QEMU_FIRMWARE_FEATURE_ARM_CCA:
 case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
 case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
 case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1566,6 +1581,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
 case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ case QEMU_FIRMWARE_FEATURE_ARM_CCA:
 isConfidential = true;
 break;
 case QEMU_FIRMWARE_FEATURE_NONE:
@@ -2062,6 +2078,7 @@ qemuFirmwareGetSupported(const char *machine,
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
 case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ case QEMU_FIRMWARE_FEATURE_ARM_CCA:
 case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
 case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
 case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca.json
new file mode 100644
index 0000000000..681c1eadac
--- /dev/null
+++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca.json
@@ -0,0 +1,24 @@
+{
+ "description": "UEFI firmware for ARM64 virtual machines with CCA support",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "memory",
+ "filename": "/usr/share/edk2/aarch64/QEMU_EFI-armcca.fd"
+ },
+ "targets": [
+ {
+ "architecture": "aarch64",
+ "machines": [
+ "virt-*"
+ ]
+ }
+ ],
+ "features": [
+ "arm-rme"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c
index a4fb5c9b9c..091f385abb 100644
--- a/tests/qemufirmwaretest.c
+++ b/tests/qemufirmwaretest.c
@@ -89,6 +89,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED)
 PREFIX "/share/qemu/firmware/31-edk2-ovmf-2m-raw-x64-sb-enrolled.json",
 PREFIX "/share/qemu/firmware/40-edk2-ovmf-4m-qcow2-x64-sb.json",
 PREFIX "/share/qemu/firmware/41-edk2-ovmf-2m-raw-x64-sb.json",
+ PREFIX "/share/qemu/firmware/50-edk2-aarch64-armcca.json",
 PREFIX "/share/qemu/firmware/50-edk2-aarch64-qcow2.json",
 PREFIX "/share/qemu/firmware/50-edk2-loongarch64.json",
 PREFIX "/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json",
@@ -269,6 +270,7 @@ mymain(void)
 DO_PARSE_TEST("usr/share/qemu/firmware/31-edk2-ovmf-2m-raw-x64-sb-enrolled.json");
 DO_PARSE_TEST("usr/share/qemu/firmware/40-edk2-ovmf-4m-qcow2-x64-sb.json");
 DO_PARSE_TEST("usr/share/qemu/firmware/41-edk2-ovmf-2m-raw-x64-sb.json");
+ DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-aarch64-armcca.json");
 DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-aarch64-qcow2.json");
 DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-loongarch64.json");
 DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json");
@@ -329,6 +331,7 @@ mymain(void)
 "/usr/share/edk2/ovmf/MICROVM.fd:NULL",
 VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
 DO_SUPPORTED_TEST("virt-3.1", VIR_ARCH_AARCH64, false,
+ "/usr/share/edk2/aarch64/QEMU_EFI-armcca.fd:NULL:"
 "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow2:/usr/share/edk2/aarch64/vars-template-pflash.qcow2:"
 "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw:/usr/share/edk2/aarch64/vars-template-pflash.raw:"
 "/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2:/usr/share/edk2/aarch64/vars-template-pflash.qcow2:"
-- 
2.43.0
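Review bot: The three test hunks only parse the new descriptor and list it among the supported firmware for virt-3.1; nothing drives the new `VIR_DOMAIN_LAUNCH_SECURITY_CCA` branch of qemuFirmwareMatchDomain in either direction (a CCA domain selecting this descriptor, a CCA domain failing autoselection when only non-CCA firmware is present, an ordinary aarch64 domain not selecting it). The DO_SUPPORTED_TEST hunk, where the armcca image now comes first in the expected list, is where the ordering consequence of the 50- prefix surfaces, so a domain-level autoselection test would make the intended precedence explicit rather than implied by sort order. testFWPrecedence and mymain both begin outside the hunks shown.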