This series improves validation so that more nonsensical
configurations are rejected, fixes a number of scenarios in which
user-provided attributes were getting overwritten by the firmware
selection process, and overall makes things more predictable and
reliable.

Notably, it addresses the inability of starting confidential VMs on
aarch64, which was reported[1] some time ago.

It is also a prerequisite of another series that I will post shortly,
which introduces support for the uefi-vars QEMU device and thus makes
it possible to use Secure Boot for aarch64 VMs. Since all these fixes
and improvements make sense on their own, and there is a little bit
of work still needed on the QEMU/edk2 side before the other series
can be merged, I decided to post this one separately instead of
lumping them together. It's not like it's not meaty enough on its own
anyway :)

[1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/D5UDRJ4G66JXDMJHHEUNITRZHLBQH2TO/

Andrea Bolognani (36):
  qemu_firmware: Drop support for kernel descriptors
  qemu_firmware: Drop 'nvram' local variable
  qemu_firmware: Move format=raw compat exception
  qemu_firmware: Move copying of nvram.format to loader.format
  tests: Add firmware-manual-efi-rw-nvram
  domain_validate: Reject NVRAM with read/write firmware
  tests: Add firmware-auto-bios-rw
  tests: Add firmware-manual-bios-rw
  domain_validate: Reject read/write ROMs
  tests: Add firmware-auto-efi-format-loader-qcow2-rom
  domain_validate: Reject ROMs with format other than raw
  qemu_firmware: Ignore stateless/combined when NVRAM is configured
  qemu_firmware: Drop fallback for absent nvramTemplateFormat
  schemas: Allow templateFormat without template path
  tests: Add firmware-manual-efi-nvram-template-nonstandard-format
  tests: Add firmware-manual-efi-nvram-template-nonstandard-legacy-paths
  tests: Add firmware-auto-efi-format-nvram-raw
  tests: Add firmware-auto-efi-format-nvram-raw-loader-path
  tests: Add firmware-auto-efi-format-nvram-raw-nvramtemplate-path
  tests: Add firmware-auto-efi-format-nvramtemplate-qcow2
  tests: Add firmware-auto-efi-format-mismatch-nvramtemplate
  qemu_firmware: Introduce qemuFirmwareFillDomainCustom()
  qemu_firmware: Set templateFormat for custom paths
  qemu_firmware: Simplify handling of legacy paths
  qemu_firmware: Refactor setting NVRAM format
  qemu_firmware: Prefer template format to loader format
  qemu_firmware: Retain user-specified NVRAM format
  qemu_firmware: Take templateFormat into account when matching
  qemu_firmware: Take NVRAM format into account when matching
  qemu_firmware: Remove NVRAM to loader format copy hack
  tests: Add firmware-manual-efi-sev-snp
  tests: Add firmware-manual-efi-tdx
  qemu_firmware: ROM firmware is always in raw format
  qemu_firmware: Don't skip autoselection for ROM
  qemu_firmware: Allow matching both UEFI and BIOS for ROM loader
  news: Mention improvements and fixes to firmware selection

 NEWS.rst                                      |   8 +
 src/conf/domain_conf.c                        |  18 +-
 src/conf/domain_validate.c                    |  30 ++
 src/conf/schemas/domaincommon.rng             |  10 +-
 src/qemu/qemu_firmware.c                      | 367 ++++++++++--------
 src/qemu/qemu_postparse.c                     |  17 -
 .../firmware-auto-bios-rw.x86_64-latest.err   |   1 +
 ...> firmware-auto-bios-rw.x86_64-latest.xml} |   5 +-
 .../qemuxmlconfdata/firmware-auto-bios-rw.xml |  18 +
 ...-format-loader-qcow2-rom.x86_64-latest.err |   1 +
 ...mware-auto-efi-format-loader-qcow2-rom.xml |  18 +
 ...t-mismatch-nvramtemplate.x86_64-latest.err |   1 +
 ...-mismatch-nvramtemplate.x86_64-latest.xml} |   6 +-
 ...auto-efi-format-mismatch-nvramtemplate.xml |  19 +
 ...uto-efi-format-mismatch.x86_64-latest.args |   5 +-
 ...auto-efi-format-mismatch.x86_64-latest.xml |   2 +-
 ...-nvram-raw-loader-path.x86_64-latest.args} |   4 +-
 ...t-nvram-raw-loader-path.x86_64-latest.xml} |   4 +-
 ...-auto-efi-format-nvram-raw-loader-path.xml |  19 +
 ...raw-nvramtemplate-path.x86_64-latest.args} |   4 +-
 ...-raw-nvramtemplate-path.x86_64-latest.xml} |   4 +-
 ...fi-format-nvram-raw-nvramtemplate-path.xml |  18 +
 ...t-nvram-raw.x86_64-latest.abi-update.args} |   0
 ...at-nvram-raw.x86_64-latest.abi-update.xml} |   0
 ...o-efi-format-nvram-raw.x86_64-latest.args} |   0
 ...to-efi-format-nvram-raw.x86_64-latest.xml} |   0
 .../firmware-auto-efi-format-nvram-raw.xml    |  18 +
 ...at-nvramtemplate-qcow2.x86_64-latest.args} |   9 +-
 ...mat-nvramtemplate-qcow2.x86_64-latest.xml} |   4 +-
 ...re-auto-efi-format-nvramtemplate-qcow2.xml |  18 +
 .../firmware-manual-bios-rw.x86_64-latest.err |   1 +
 .../firmware-manual-bios-rw.xml               |  15 +
 ...-loader-path-nonstandard.x86_64-latest.xml |   2 +-
 ...ate-nonstandard-format.x86_64-latest.args} |  10 +-
 ...late-nonstandard-format.x86_64-latest.xml} |   4 +-
 ...-efi-nvram-template-nonstandard-format.xml |  19 +
 ...nstandard-legacy-paths.x86_64-latest.args} |   4 +-
 ...onstandard-legacy-paths.x86_64-latest.xml} |   5 +-
 ...vram-template-nonstandard-legacy-paths.xml |  20 +
 ...ram-template-nonstandard.x86_64-latest.xml |   2 +-
 ...ware-manual-efi-rw-nvram.x86_64-latest.err |   1 +
 .../firmware-manual-efi-rw-nvram.xml          |  19 +
 ...ual-efi-sev-snp.x86_64-latest+amdsev.args} |   7 +-
 ...nual-efi-sev-snp.x86_64-latest+amdsev.xml} |  12 +-
 .../firmware-manual-efi-sev-snp.xml           |  21 +
 ...anual-efi-tdx.x86_64-latest+inteltdx.args} |   9 +-
 ...manual-efi-tdx.x86_64-latest+inteltdx.xml} |  11 +-
 .../firmware-manual-efi-tdx.xml               |  25 ++
 tests/qemuxmlconftest.c                       |  19 +
 49 files changed, 571 insertions(+), 263 deletions(-)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-bios-rw.x86_64-latest.err
 copy tests/qemuxmlconfdata/{firmware-manual-efi-nvram-template-nonstandard.x86_64-latest.xml => firmware-auto-bios-rw.x86_64-latest.xml} (83%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-bios-rw.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-loader-qcow2-rom.x86_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-loader-qcow2-rom.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-mismatch-nvramtemplate.x86_64-latest.err
 copy tests/qemuxmlconfdata/{firmware-manual-efi-nvram-template-nonstandard.x86_64-latest.xml => firmware-auto-efi-format-mismatch-nvramtemplate.x86_64-latest.xml} (83%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-mismatch-nvramtemplate.xml
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-auto-efi-format-nvram-raw-loader-path.x86_64-latest.args} (90%)
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.xml => firmware-auto-efi-format-nvram-raw-loader-path.x86_64-latest.xml} (81%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-raw-loader-path.xml
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-auto-efi-format-nvram-raw-nvramtemplate-path.x86_64-latest.args} (90%)
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.xml => firmware-auto-efi-format-nvram-raw-nvramtemplate-path.x86_64-latest.xml} (81%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-raw-nvramtemplate-path.xml
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-auto-efi-format-nvram-raw.x86_64-latest.abi-update.args} (100%)
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.xml => firmware-auto-efi-format-nvram-raw.x86_64-latest.abi-update.xml} (100%)
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-auto-efi-format-nvram-raw.x86_64-latest.args} (100%)
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.xml => firmware-auto-efi-format-nvram-raw.x86_64-latest.xml} (100%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-raw.xml
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-auto-efi-format-nvramtemplate-qcow2.x86_64-latest.args} (77%)
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.xml => firmware-auto-efi-format-nvramtemplate-qcow2.x86_64-latest.xml} (81%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvramtemplate-qcow2.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-bios-rw.x86_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-bios-rw.xml
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-manual-efi-nvram-template-nonstandard-format.x86_64-latest.args} (70%)
 copy tests/qemuxmlconfdata/{firmware-manual-efi-nvram-template-nonstandard.x86_64-latest.xml => firmware-manual-efi-nvram-template-nonstandard-format.x86_64-latest.xml} (81%)
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-nvram-template-nonstandard-format.xml
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-manual-efi-nvram-template-nonstandard-legacy-paths.x86_64-latest.args} (89%)
 copy tests/qemuxmlconfdata/{firmware-manual-efi-loader-path-nonstandard.x86_64-latest.xml => firmware-manual-efi-nvram-template-nonstandard-legacy-paths.x86_64-latest.xml} (81%)
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-nvram-template-nonstandard-legacy-paths.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-rw-nvram.x86_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-rw-nvram.xml
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-manual-efi-sev-snp.x86_64-latest+amdsev.args} (74%)
 copy tests/qemuxmlconfdata/{firmware-manual-efi-nvram-template-nonstandard.x86_64-latest.xml => firmware-manual-efi-sev-snp.x86_64-latest+amdsev.xml} (75%)
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-sev-snp.xml
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.args => firmware-manual-efi-tdx.x86_64-latest+inteltdx.args} (59%)
 copy tests/qemuxmlconfdata/{firmware-auto-efi-format-mismatch.x86_64-latest.xml => firmware-manual-efi-tdx.x86_64-latest+inteltdx.xml} (69%)
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-tdx.xml

-- 
2.52.0

On 12/29/25 00:33, Andrea Bolognani via Devel wrote:
> This series improves validation so that more nonsensical
> configurations are rejected, fixes a number of scenarios in which
> user-provided attributes were getting overwritten by the firmware
> selection process, and overall makes things more predictable and
> reliable.
> 
> Notably, it addresses the inability of starting confidential VMs on
> aarch64, which was reported[1] some time ago.
> 
> It is also a prerequisite of another series that I will post shortly,
> which introduces support for the uefi-vars QEMU device and thus makes
> it possible to use Secure Boot for aarch64 VMs. Since all these fixes
> and improvements make sense on their own, and there is a little bit
> of work still needed on the QEMU/edk2 side before the other series
> can be merged, I decided to post this one separately instead of
> lumping them together. It's not like it's not meaty enough on its own
> anyway :)
> 
> [1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/D5UDRJ4G66JXDMJHHEUNITRZHLBQH2TO/
> 
> Andrea Bolognani (36):
>   qemu_firmware: Drop support for kernel descriptors
>   qemu_firmware: Drop 'nvram' local variable
>   qemu_firmware: Move format=raw compat exception
>   qemu_firmware: Move copying of nvram.format to loader.format
>   tests: Add firmware-manual-efi-rw-nvram
>   domain_validate: Reject NVRAM with read/write firmware
>   tests: Add firmware-auto-bios-rw
>   tests: Add firmware-manual-bios-rw
>   domain_validate: Reject read/write ROMs
>   tests: Add firmware-auto-efi-format-loader-qcow2-rom
>   domain_validate: Reject ROMs with format other than raw
>   qemu_firmware: Ignore stateless/combined when NVRAM is configured
>   qemu_firmware: Drop fallback for absent nvramTemplateFormat
>   schemas: Allow templateFormat without template path
>   tests: Add firmware-manual-efi-nvram-template-nonstandard-format
>   tests: Add firmware-manual-efi-nvram-template-nonstandard-legacy-paths
>   tests: Add firmware-auto-efi-format-nvram-raw
>   tests: Add firmware-auto-efi-format-nvram-raw-loader-path
>   tests: Add firmware-auto-efi-format-nvram-raw-nvramtemplate-path
>   tests: Add firmware-auto-efi-format-nvramtemplate-qcow2
>   tests: Add firmware-auto-efi-format-mismatch-nvramtemplate
>   qemu_firmware: Introduce qemuFirmwareFillDomainCustom()
>   qemu_firmware: Set templateFormat for custom paths
>   qemu_firmware: Simplify handling of legacy paths
>   qemu_firmware: Refactor setting NVRAM format
>   qemu_firmware: Prefer template format to loader format
>   qemu_firmware: Retain user-specified NVRAM format
>   qemu_firmware: Take templateFormat into account when matching
>   qemu_firmware: Take NVRAM format into account when matching
>   qemu_firmware: Remove NVRAM to loader format copy hack
>   tests: Add firmware-manual-efi-sev-snp
>   tests: Add firmware-manual-efi-tdx
>   qemu_firmware: ROM firmware is always in raw format
>   qemu_firmware: Don't skip autoselection for ROM
>   qemu_firmware: Allow matching both UEFI and BIOS for ROM loader
>   news: Mention improvements and fixes to firmware selection
> 
>  NEWS.rst                                      |   8 +
>  src/conf/domain_conf.c                        |  18 +-
>  src/conf/domain_validate.c                    |  30 ++
>  src/conf/schemas/domaincommon.rng             |  10 +-
>  src/qemu/qemu_firmware.c                      | 367 ++++++++++--------
>  src/qemu/qemu_postparse.c                     |  17 -
>  .../firmware-auto-bios-rw.x86_64-latest.err   |   1 +
>  ...> firmware-auto-bios-rw.x86_64-latest.xml} |   5 +-
>  .../qemuxmlconfdata/firmware-auto-bios-rw.xml |  18 +
>  ...-format-loader-qcow2-rom.x86_64-latest.err |   1 +
>  ...mware-auto-efi-format-loader-qcow2-rom.xml |  18 +
>  ...t-mismatch-nvramtemplate.x86_64-latest.err |   1 +
>  ...-mismatch-nvramtemplate.x86_64-latest.xml} |   6 +-
>  ...auto-efi-format-mismatch-nvramtemplate.xml |  19 +
>  ...uto-efi-format-mismatch.x86_64-latest.args |   5 +-
>  ...auto-efi-format-mismatch.x86_64-latest.xml |   2 +-
>  ...-nvram-raw-loader-path.x86_64-latest.args} |   4 +-
>  ...t-nvram-raw-loader-path.x86_64-latest.xml} |   4 +-
>  ...-auto-efi-format-nvram-raw-loader-path.xml |  19 +
>  ...raw-nvramtemplate-path.x86_64-latest.args} |   4 +-
>  ...-raw-nvramtemplate-path.x86_64-latest.xml} |   4 +-
>  ...fi-format-nvram-raw-nvramtemplate-path.xml |  18 +
>  ...t-nvram-raw.x86_64-latest.abi-update.args} |   0
>  ...at-nvram-raw.x86_64-latest.abi-update.xml} |   0
>  ...o-efi-format-nvram-raw.x86_64-latest.args} |   0
>  ...to-efi-format-nvram-raw.x86_64-latest.xml} |   0
>  .../firmware-auto-efi-format-nvram-raw.xml    |  18 +
>  ...at-nvramtemplate-qcow2.x86_64-latest.args} |   9 +-
>  ...mat-nvramtemplate-qcow2.x86_64-latest.xml} |   4 +-
>  ...re-auto-efi-format-nvramtemplate-qcow2.xml |  18 +
>  .../firmware-manual-bios-rw.x86_64-latest.err |   1 +
>  .../firmware-manual-bios-rw.xml               |  15 +
>  ...-loader-path-nonstandard.x86_64-latest.xml |   2 +-
>  ...ate-nonstandard-format.x86_64-latest.args} |  10 +-
>  ...late-nonstandard-format.x86_64-latest.xml} |   4 +-
>  ...-efi-nvram-template-nonstandard-format.xml |  19 +
>  ...nstandard-legacy-paths.x86_64-latest.args} |   4 +-
>  ...onstandard-legacy-paths.x86_64-latest.xml} |   5 +-
>  ...vram-template-nonstandard-legacy-paths.xml |  20 +
>  ...ram-template-nonstandard.x86_64-latest.xml |   2 +-
>  ...ware-manual-efi-rw-nvram.x86_64-latest.err |   1 +
>  .../firmware-manual-efi-rw-nvram.xml          |  19 +
>  ...ual-efi-sev-snp.x86_64-latest+amdsev.args} |   7 +-
>  ...nual-efi-sev-snp.x86_64-latest+amdsev.xml} |  12 +-
>  .../firmware-manual-efi-sev-snp.xml           |  21 +
>  ...anual-efi-tdx.x86_64-latest+inteltdx.args} |   9 +-
>  ...manual-efi-tdx.x86_64-latest+inteltdx.xml} |  11 +-
>  .../firmware-manual-efi-tdx.xml               |  25 ++
>  tests/qemuxmlconftest.c                       |  19 +
>  49 files changed, 571 insertions(+), 263 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal