The main motivation behind this series was making it as simple as
possible ("one click") to enable Secure Boot for a VM.
In the process I ended up fixing, improving and cleaning up various
parts of the firmware selection interface.
GitLab branch:
https://gitlab.com/abologna/libvirt/-/commits/firmware
Test pipeline:
https://gitlab.com/abologna/libvirt/-/pipelines/571485540
Andrea Bolognani (28):
tests: Remove firmware bits from unrelated tests
tests: Use firmware autoselection on aarch64
tests: Drop bios-nvram-os-interleave test
tests: Rename and reorganize firmware tests
tests: Use minimal hardware for firmware tests
tests: Don't set NVRAM path manually
tests: Don't use loader.secure=no with firmware autoselection
tests: Add more firmware tests
conf: Move virDomainLoaderDefParseXML()
conf: Rename virDomainLoaderDefParseXMLNvram()
conf: Move setting type for NVRAM source
conf: Move nvramTemplate parsing
conf: Handle NVRAM in virDomainLoaderDefParseXML()
conf: Rename virDomainLoaderDefParseXML() argument
conf: Use nodes in virDomainLoaderDefParseXMLNvram()
conf: Always parse NVRAM path if present
conf: Enable secure-boot when enrolled-keys is enabled
conf: Add return value to virDomainDefPostParseOs()
conf: Reject enrolled-keys=yes with secure-boot=no
conf: Always parse all firmware information
conf: Refactor virDomainDefOSValidate()
conf: Validate firmware configuration more thoroughly
conf: Always parse firmware features
conf: Reject features when using manual firmware selection
qemu_firmware: Enable loader.secure when requires-smm
qemu_firmware: enrolled-keys requires secure-boot
docs: Add kbase page for Secure Boot
NEWS: Document improvements to firmware autoselection
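As an added illustration, not code from this series or from libvirt itself: the firmware-configuration rules that the commit subjects above describe, modelled in Python over a domain `<os>` element. The rule set and the error strings are assumptions drawn from the commit titles and from the test names that expect an error (`*.err`), so they may not match libvirt's own validation exactly.

```python
import xml.etree.ElementTree as ET


def parse_os(xml_text):
    """Extract the firmware-related parts of a libvirt <os> element.
    Accepts either a bare <os> element or a <domain> that contains one."""
    root = ET.fromstring(xml_text)
    os_el = root if root.tag == "os" else root.find("os")
    loader = os_el.find("loader")
    features = {}
    fw = os_el.find("firmware")
    if fw is not None:
        for feat in fw.findall("feature"):
            features[feat.get("name")] = feat.get("enabled") == "yes"
    return {
        "firmware": os_el.get("firmware"),   # None means manual selection
        "loader_path": (loader.text or "").strip() if loader is not None else "",
        "loader_secure": loader.get("secure") if loader is not None else None,
        "nvram": os_el.find("nvram") is not None,
        "features": features,
    }


def post_parse(cfg):
    """Models 'Enable secure-boot when enrolled-keys is enabled' (assumed):
    enrolled-keys=yes with secure-boot unspecified implies secure-boot=yes."""
    feats = cfg["features"]
    if feats.get("enrolled-keys") and "secure-boot" not in feats:
        feats["secure-boot"] = True
    return cfg


def validate(cfg):
    """Return None when the configuration is acceptable, else an error string.
    Each rule mirrors one commit subject or expected-error test above."""
    feats = cfg["features"]
    if cfg["firmware"] is None:
        # firmware-manual-efi-features.err: features need autoselection
        if feats:
            return "firmware features require firmware autoselection"
        return None
    if cfg["loader_path"]:               # firmware-auto-efi-loader-path.err
        return "loader path cannot be set with firmware autoselection"
    if cfg["loader_secure"] == "no":     # firmware-auto-efi-loader-insecure.err
        return "loader.secure=no cannot be set with firmware autoselection"
    if cfg["firmware"] == "bios" and cfg["nvram"]:   # firmware-auto-bios-nvram.err
        return "nvram cannot be set with BIOS firmware autoselection"
    if feats.get("enrolled-keys") and feats.get("secure-boot") is False:
        return "enrolled-keys=yes requires secure-boot=yes"  # enrolled-keys-no-secboot.err
    return None


def check(xml_text):
    """Parse, apply post-parse defaults, then validate; None means accepted."""
    return validate(post_parse(parse_os(xml_text)))
```

The "one click" case is `<os firmware='efi'>` with only `enrolled-keys` enabled: post-parse turns on `secure-boot` and the result validates cleanly.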
NEWS.rst | 5 +
docs/kbase/index.rst | 3 +
docs/kbase/meson.build | 1 +
docs/kbase/secureboot.rst | 102 ++++++++++
src/conf/domain_conf.c | 182 ++++++++++--------
src/conf/domain_validate.c | 83 ++++++--
src/qemu/qemu_firmware.c | 16 +-
tests/qemusecuritytest.c | 6 +-
.../aarch64-os-firmware-efi.xml | 31 ---
.../bios-nvram-os-interleave.xml | 40 ----
.../bios-nvram-rw-implicit.xml | 35 ----
tests/qemuxml2argvdata/bios-nvram-rw.xml | 35 ----
tests/qemuxml2argvdata/bios-nvram-secure.xml | 35 ----
tests/qemuxml2argvdata/bios.xml | 37 ----
...firmware-auto-bios-nvram.x86_64-latest.err | 1 +
.../firmware-auto-bios-nvram.xml | 18 ++
... => firmware-auto-bios.x86_64-latest.args} | 12 +-
tests/qemuxml2argvdata/firmware-auto-bios.xml | 17 ++
...ware-auto-efi-aarch64.aarch64-latest.args} | 6 +-
...uefi.xml => firmware-auto-efi-aarch64.xml} | 12 +-
...enrolled-keys-no-secboot.x86_64-latest.err | 1 +
...ware-auto-efi-enrolled-keys-no-secboot.xml | 21 ++
...auto-efi-enrolled-keys.x86_64-latest.args} | 14 +-
.../firmware-auto-efi-enrolled-keys.xml | 20 ++
...auto-efi-loader-insecure.x86_64-latest.err | 1 +
.../firmware-auto-efi-loader-insecure.xml | 18 ++
...are-auto-efi-loader-path.x86_64-latest.err | 1 +
.../firmware-auto-efi-loader-path.xml | 18 ++
...auto-efi-loader-secure.x86_64-latest.args} | 15 +-
.../firmware-auto-efi-loader-secure.xml | 18 ++
...o-efi-no-enrolled-keys.x86_64-latest.args} | 3 -
.../firmware-auto-efi-no-enrolled-keys.xml | 20 ++
...re-auto-efi-no-secboot.x86_64-latest.args} | 3 -
.../firmware-auto-efi-no-secboot.xml | 20 ++
...irmware-auto-efi-nvram.x86_64-latest.args} | 10 +-
.../firmware-auto-efi-nvram.xml | 18 ++
...mware-auto-efi-secboot.x86_64-latest.args} | 8 +-
.../firmware-auto-efi-secboot.xml | 20 ++
...s => firmware-auto-efi.x86_64-latest.args} | 8 +-
tests/qemuxml2argvdata/firmware-auto-efi.xml | 17 ++
...anual-bios-rw-implicit.x86_64-latest.args} | 8 +-
...l => firmware-manual-bios-rw-implicit.xml} | 7 +-
...irmware-manual-bios-rw.x86_64-latest.args} | 8 +-
...o-path.xml => firmware-manual-bios-rw.xml} | 7 +-
.../{bios.args => firmware-manual-bios.args} | 11 +-
.../qemuxml2argvdata/firmware-manual-bios.xml | 15 ++
... => firmware-manual-efi-acpi-aarch64.args} | 1 -
...l => firmware-manual-efi-acpi-aarch64.xml} | 4 +-
...args => firmware-manual-efi-acpi-q35.args} | 1 -
...i.xml => firmware-manual-efi-acpi-q35.xml} | 4 +-
...ware-manual-efi-features.x86_64-latest.err | 1 +
...e.xml => firmware-manual-efi-features.xml} | 12 +-
...th.err => firmware-manual-efi-no-path.err} | 0
...th.xml => firmware-manual-efi-no-path.xml} | 5 +-
...> firmware-manual-efi-noacpi-aarch64.args} | 1 -
...=> firmware-manual-efi-noacpi-aarch64.xml} | 4 +-
...err => firmware-manual-efi-noacpi-q35.err} | 0
...xml => firmware-manual-efi-noacpi-q35.xml} | 4 +-
...-manual-efi-nvram-file.x86_64-latest.args} | 4 +-
...xml => firmware-manual-efi-nvram-file.xml} | 6 +-
...-efi-nvram-network-iscsi.x86_64-4.1.0.err} | 0
...fi-nvram-network-iscsi.x86_64-latest.args} | 4 +-
...rmware-manual-efi-nvram-network-iscsi.xml} | 9 +-
...-efi-nvram-network-nbd.x86_64-latest.args} | 4 +-
...firmware-manual-efi-nvram-network-nbd.xml} | 9 +-
...ual-efi-nvram-template.x86_64-latest.args} | 4 +-
...=> firmware-manual-efi-nvram-template.xml} | 6 +-
...e.args => firmware-manual-efi-secure.args} | 9 +-
...efi.xml => firmware-manual-efi-secure.xml} | 11 +-
...os-nvram.args => firmware-manual-efi.args} | 7 +-
...m-template.xml => firmware-manual-efi.xml} | 8 +-
...=> firmware-manual-noefi-acpi-aarch64.err} | 0
...=> firmware-manual-noefi-acpi-aarch64.xml} | 7 +-
...gs => firmware-manual-noefi-acpi-q35.args} | 4 -
...xml => firmware-manual-noefi-acpi-q35.xml} | 7 +-
...firmware-manual-noefi-noacpi-aarch64.args} | 4 -
... firmware-manual-noefi-noacpi-aarch64.xml} | 7 +-
... => firmware-manual-noefi-noacpi-q35.args} | 4 -
...l => firmware-manual-noefi-noacpi-q35.xml} | 7 +-
tests/qemuxml2argvdata/os-firmware-bios.xml | 68 -------
.../os-firmware-efi-secboot.xml | 68 -------
tests/qemuxml2argvdata/os-firmware-efi.xml | 68 -------
.../pci-bridge-many-disks.args | 1 -
.../pci-bridge-many-disks.xml | 1 -
.../virtio-iommu-aarch64.aarch64-latest.args | 2 +-
.../qemuxml2argvdata/virtio-iommu-aarch64.xml | 6 +-
tests/qemuxml2argvtest.c | 61 +++---
.../bios-nvram-os-interleave.xml | 52 -----
tests/qemuxml2xmloutdata/bios-nvram.xml | 44 -----
.../firmware-auto-bios.x86_64-latest.xml} | 23 +--
...mware-auto-efi-aarch64.aarch64-latest.xml} | 12 +-
...-auto-efi-enrolled-keys.x86_64-latest.xml} | 21 +-
...-auto-efi-loader-secure.x86_64-latest.xml} | 22 +--
...to-efi-no-enrolled-keys.x86_64-latest.xml} | 18 +-
...are-auto-efi-no-secboot.x86_64-latest.xml} | 20 +-
...firmware-auto-efi-nvram.x86_64-latest.xml} | 22 +--
...rmware-auto-efi-secboot.x86_64-latest.xml} | 20 +-
.../firmware-auto-efi.x86_64-latest.xml} | 21 +-
...e-manual-efi-nvram-file.x86_64-latest.xml} | 9 +-
...efi-nvram-network-iscsi.x86_64-latest.xml} | 11 +-
...l-efi-nvram-network-nbd.x86_64-latest.xml} | 11 +-
.../firmware-manual-efi.xml} | 15 +-
.../os-firmware-bios.x86_64-latest.xml | 72 -------
...are-efi-no-enrolled-keys.x86_64-latest.xml | 1 -
.../os-firmware-efi-secboot.x86_64-latest.xml | 72 -------
.../os-firmware-efi.x86_64-latest.xml | 72 -------
.../pci-bridge-many-disks.xml | 1 -
.../virtio-iommu-aarch64.aarch64-latest.xml | 6 +-
tests/qemuxml2xmltest.c | 25 +--
109 files changed, 708 insertions(+), 1282 deletions(-)
create mode 100644 docs/kbase/secureboot.rst
delete mode 100644 tests/qemuxml2argvdata/aarch64-os-firmware-efi.xml
delete mode 100644 tests/qemuxml2argvdata/bios-nvram-os-interleave.xml
delete mode 100644 tests/qemuxml2argvdata/bios-nvram-rw-implicit.xml
delete mode 100644 tests/qemuxml2argvdata/bios-nvram-rw.xml
delete mode 100644 tests/qemuxml2argvdata/bios-nvram-secure.xml
delete mode 100644 tests/qemuxml2argvdata/bios.xml
create mode 100644 tests/qemuxml2argvdata/firmware-auto-bios-nvram.x86_64-latest.err
create mode 100644 tests/qemuxml2argvdata/firmware-auto-bios-nvram.xml
rename tests/qemuxml2argvdata/{os-firmware-bios.x86_64-latest.args =>
firmware-auto-bios.x86_64-latest.args} (55%)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-bios.xml
rename tests/qemuxml2argvdata/{aarch64-os-firmware-efi.aarch64-latest.args =>
firmware-auto-efi-aarch64.aarch64-latest.args} (91%)
copy tests/qemuxml2argvdata/{aarch64-acpi-uefi.xml => firmware-auto-efi-aarch64.xml}
(53%)
create mode 100644
tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml
rename tests/qemuxml2argvdata/{os-firmware-efi-secboot.x86_64-latest.args =>
firmware-auto-efi-enrolled-keys.x86_64-latest.args} (60%)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.xml
create mode 100644
tests/qemuxml2argvdata/firmware-auto-efi-loader-insecure.x86_64-latest.err
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-loader-insecure.xml
create mode 100644
tests/qemuxml2argvdata/firmware-auto-efi-loader-path.x86_64-latest.err
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-loader-path.xml
rename tests/qemuxml2argvdata/{os-firmware-efi.x86_64-latest.args =>
firmware-auto-efi-loader-secure.x86_64-latest.args} (59%)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-loader-secure.xml
copy tests/qemuxml2argvdata/{os-firmware-efi-no-enrolled-keys.x86_64-latest.args =>
firmware-auto-efi-no-enrolled-keys.x86_64-latest.args} (84%)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.xml
copy tests/qemuxml2argvdata/{os-firmware-efi-no-enrolled-keys.x86_64-latest.args =>
firmware-auto-efi-no-secboot.x86_64-latest.args} (84%)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-no-secboot.xml
copy tests/qemuxml2argvdata/{os-firmware-efi-no-enrolled-keys.x86_64-latest.args =>
firmware-auto-efi-nvram.x86_64-latest.args} (65%)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-nvram.xml
copy tests/qemuxml2argvdata/{os-firmware-efi-no-enrolled-keys.x86_64-latest.args =>
firmware-auto-efi-secboot.x86_64-latest.args} (73%)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-secboot.xml
rename tests/qemuxml2argvdata/{os-firmware-efi-no-enrolled-keys.x86_64-latest.args =>
firmware-auto-efi.x86_64-latest.args} (73%)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi.xml
rename tests/qemuxml2argvdata/{bios-nvram-rw.x86_64-latest.args =>
firmware-manual-bios-rw-implicit.x86_64-latest.args} (68%)
copy tests/qemuxml2argvdata/{bios-nvram-no-path.xml =>
firmware-manual-bios-rw-implicit.xml} (70%)
rename tests/qemuxml2argvdata/{bios-nvram-rw-implicit.x86_64-latest.args =>
firmware-manual-bios-rw.x86_64-latest.args} (68%)
copy tests/qemuxml2argvdata/{bios-nvram-no-path.xml => firmware-manual-bios-rw.xml}
(68%)
rename tests/qemuxml2argvdata/{bios.args => firmware-manual-bios.args} (65%)
create mode 100644 tests/qemuxml2argvdata/firmware-manual-bios.xml
rename tests/qemuxml2argvdata/{aarch64-acpi-uefi.args =>
firmware-manual-efi-acpi-aarch64.args} (98%)
rename tests/qemuxml2argvdata/{aarch64-acpi-uefi.xml =>
firmware-manual-efi-acpi-aarch64.xml} (89%)
rename tests/qemuxml2argvdata/{q35-acpi-uefi.args =>
firmware-manual-efi-acpi-q35.args} (98%)
copy tests/qemuxml2argvdata/{q35-acpi-uefi.xml => firmware-manual-efi-acpi-q35.xml}
(90%)
create mode 100644 tests/qemuxml2argvdata/firmware-manual-efi-features.x86_64-latest.err
copy tests/qemuxml2argvdata/{bios-nvram-template.xml =>
firmware-manual-efi-features.xml} (67%)
rename tests/qemuxml2argvdata/{bios-nvram-no-path.err =>
firmware-manual-efi-no-path.err} (100%)
rename tests/qemuxml2argvdata/{bios-nvram-no-path.xml =>
firmware-manual-efi-no-path.xml} (79%)
rename tests/qemuxml2argvdata/{aarch64-noacpi-uefi.args =>
firmware-manual-efi-noacpi-aarch64.args} (98%)
rename tests/qemuxml2argvdata/{aarch64-noacpi-uefi.xml =>
firmware-manual-efi-noacpi-aarch64.xml} (88%)
rename tests/qemuxml2argvdata/{q35-noacpi-uefi.err =>
firmware-manual-efi-noacpi-q35.err} (100%)
rename tests/qemuxml2argvdata/{q35-noacpi-uefi.xml =>
firmware-manual-efi-noacpi-q35.xml} (89%)
rename tests/qemuxml2argvdata/{bios-nvram-file.x86_64-latest.args =>
firmware-manual-efi-nvram-file.x86_64-latest.args} (89%)
rename tests/qemuxml2argvdata/{bios-nvram-file.xml =>
firmware-manual-efi-nvram-file.xml} (81%)
rename tests/qemuxml2argvdata/{bios-nvram-network-iscsi.x86_64-4.1.0.err =>
firmware-manual-efi-nvram-network-iscsi.x86_64-4.1.0.err} (100%)
rename tests/qemuxml2argvdata/{bios-nvram-network-iscsi.x86_64-latest.args =>
firmware-manual-efi-nvram-network-iscsi.x86_64-latest.args} (91%)
rename tests/qemuxml2argvdata/{bios-nvram-network-iscsi.xml =>
firmware-manual-efi-nvram-network-iscsi.xml} (76%)
rename tests/qemuxml2argvdata/{bios-nvram-network-nbd.x86_64-latest.args =>
firmware-manual-efi-nvram-network-nbd.x86_64-latest.args} (89%)
rename tests/qemuxml2argvdata/{bios-nvram-network-nbd.xml =>
firmware-manual-efi-nvram-network-nbd.xml} (72%)
rename tests/qemuxml2argvdata/{bios-nvram-template.x86_64-latest.args =>
firmware-manual-efi-nvram-template.x86_64-latest.args} (89%)
copy tests/qemuxml2argvdata/{bios-nvram-template.xml =>
firmware-manual-efi-nvram-template.xml} (79%)
rename tests/qemuxml2argvdata/{bios-nvram-secure.args =>
firmware-manual-efi-secure.args} (67%)
rename tests/qemuxml2argvdata/{q35-acpi-uefi.xml => firmware-manual-efi-secure.xml}
(60%)
rename tests/qemuxml2argvdata/{bios-nvram.args => firmware-manual-efi.args} (76%)
rename tests/qemuxml2argvdata/{bios-nvram-template.xml => firmware-manual-efi.xml}
(71%)
rename tests/qemuxml2argvdata/{aarch64-acpi-nouefi.err =>
firmware-manual-noefi-acpi-aarch64.err} (100%)
rename tests/qemuxml2argvdata/{aarch64-acpi-nouefi.xml =>
firmware-manual-noefi-acpi-aarch64.xml} (61%)
rename tests/qemuxml2argvdata/{q35-acpi-nouefi.args =>
firmware-manual-noefi-acpi-q35.args} (84%)
rename tests/qemuxml2argvdata/{q35-acpi-nouefi.xml =>
firmware-manual-noefi-acpi-q35.xml} (63%)
rename tests/qemuxml2argvdata/{aarch64-noacpi-nouefi.args =>
firmware-manual-noefi-noacpi-aarch64.args} (83%)
rename tests/qemuxml2argvdata/{aarch64-noacpi-nouefi.xml =>
firmware-manual-noefi-noacpi-aarch64.xml} (59%)
rename tests/qemuxml2argvdata/{q35-noacpi-nouefi.args =>
firmware-manual-noefi-noacpi-q35.args} (84%)
rename tests/qemuxml2argvdata/{q35-noacpi-nouefi.xml =>
firmware-manual-noefi-noacpi-q35.xml} (60%)
delete mode 100644 tests/qemuxml2argvdata/os-firmware-bios.xml
delete mode 100644 tests/qemuxml2argvdata/os-firmware-efi-secboot.xml
delete mode 100644 tests/qemuxml2argvdata/os-firmware-efi.xml
delete mode 100644 tests/qemuxml2xmloutdata/bios-nvram-os-interleave.xml
delete mode 100644 tests/qemuxml2xmloutdata/bios-nvram.xml
copy tests/{qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml =>
qemuxml2xmloutdata/firmware-auto-bios.x86_64-latest.xml} (55%)
rename tests/qemuxml2xmloutdata/{aarch64-os-firmware-efi.aarch64-latest.xml =>
firmware-auto-efi-aarch64.aarch64-latest.xml} (71%)
copy tests/{qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml =>
qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml} (58%)
copy tests/{qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml =>
qemuxml2xmloutdata/firmware-auto-efi-loader-secure.x86_64-latest.xml} (57%)
copy tests/{qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml =>
qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml} (61%)
copy tests/{qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml =>
qemuxml2xmloutdata/firmware-auto-efi-no-secboot.x86_64-latest.xml} (58%)
copy tests/{qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml =>
qemuxml2xmloutdata/firmware-auto-efi-nvram.x86_64-latest.xml} (57%)
copy tests/{qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml =>
qemuxml2xmloutdata/firmware-auto-efi-secboot.x86_64-latest.xml} (58%)
rename tests/{qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml =>
qemuxml2xmloutdata/firmware-auto-efi.x86_64-latest.xml} (57%)
rename tests/qemuxml2xmloutdata/{bios-nvram-file.x86_64-latest.xml =>
firmware-manual-efi-nvram-file.x86_64-latest.xml} (75%)
rename tests/qemuxml2xmloutdata/{bios-nvram-network-iscsi.x86_64-latest.xml =>
firmware-manual-efi-nvram-network-iscsi.x86_64-latest.xml} (76%)
rename tests/qemuxml2xmloutdata/{bios-nvram-network-nbd.x86_64-latest.xml =>
firmware-manual-efi-nvram-network-nbd.x86_64-latest.xml} (74%)
rename tests/{qemuxml2argvdata/bios-nvram.xml =>
qemuxml2xmloutdata/firmware-manual-efi.xml} (65%)
delete mode 100644 tests/qemuxml2xmloutdata/os-firmware-bios.x86_64-latest.xml
delete mode 120000
tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
delete mode 100644 tests/qemuxml2xmloutdata/os-firmware-efi-secboot.x86_64-latest.xml
delete mode 100644 tests/qemuxml2xmloutdata/os-firmware-efi.x86_64-latest.xml
--
2.35.3