[PATCH 00/29] qemu: Implement support for uefi-vars device and firmwares

Andrea Bolognani via Devel posted 29 patches 1 week, 2 days ago
Failed in applying to current master (apply log)
NEWS.rst                                      |  10 +
src/conf/domain_conf.c                        |   6 +-
src/conf/schemas/domaincommon.rng             |  22 +-
src/conf/storage_source_conf.c                |   2 +-
src/conf/storage_source_conf.h                |   1 +
src/qemu/qemu_block.c                         |   2 +
src/qemu/qemu_capabilities.c                  |   3 +
src/qemu/qemu_capabilities.h                  |   1 +
src/qemu/qemu_command.c                       |  36 ++
src/qemu/qemu_firmware.c                      | 353 +++++++++++++++---
src/qemu/qemu_validate.c                      |  13 +
.../caps_10.0.0_aarch64.xml                   |   1 +
.../caps_10.0.0_x86_64+amdsev.xml             |   1 +
.../caps_10.0.0_x86_64.xml                    |   1 +
.../caps_10.1.0_s390x.xml                     |   1 +
.../caps_10.1.0_x86_64+inteltdx.xml           |   1 +
.../caps_10.1.0_x86_64.xml                    |   1 +
.../caps_10.2.0_x86_64+mshv.xml               |   1 +
.../caps_10.2.0_x86_64.xml                    |   1 +
...tdx.json => 50-edk2-ovmf-x64-microvm.json} |  12 +-
.../firmware/60-edk2-ovmf-x64-inteltdx.json   |   6 +-
.../out/usr/share/qemu/firmware/91-bios.json  |  33 ++
...70-edk2-ovmf-qemuvars-x64-sb-enrolled.json |  35 ++
.../70-edk2-qemuvars-aarch64-sb-enrolled.json |  33 ++
tests/qemufirmwaretest.c                      |  10 +-
...ware-auto-bios-stateless.x86_64-latest.xml |   2 +-
.../firmware-auto-bios.x86_64-latest.xml      |   2 +-
...fi-enrolled-keys-aarch64.aarch64-8.2.0.err |   1 +
...-enrolled-keys-aarch64.aarch64-latest.args |  32 ++
...i-enrolled-keys-aarch64.aarch64-latest.xml |  32 ++
...irmware-auto-efi-enrolled-keys-aarch64.xml |  20 +
...uto-efi-format-nvram-json.x86_64-8.2.0.err |   1 +
...o-efi-format-nvram-json.x86_64-latest.args |  35 ++
...o-efi-format-nvram-json.x86_64-latest.xml} |  11 +-
.../firmware-auto-efi-format-nvram-json.xml   |  18 +
...l-efi-qemuvars-aarch64.aarch64-latest.args |  33 ++
...l-efi-qemuvars-aarch64.aarch64-latest.xml} |  24 +-
.../firmware-manual-efi-qemuvars-aarch64.xml  |  19 +
...muvars-nvram-network-nbd.x86_64-latest.err |   1 +
...-manual-efi-qemuvars-nvram-network-nbd.xml |  23 ++
...manual-efi-qemuvars-q35.x86_64-latest.args |  35 ++
...manual-efi-qemuvars-q35.x86_64-latest.xml} |  11 +-
.../firmware-manual-efi-qemuvars-q35.xml      |  19 +
...-manual-efi-tdx.x86_64-latest+inteltdx.xml |   2 +-
tests/qemuxmlconftest.c                       |   8 +
.../storagepoolcapsschemadata/poolcaps-fs.xml |   5 +
.../poolcaps-full.xml                         |   5 +
.../out/qcow2-qcow2_qcow2-qcow2_qcow2-auto    |   2 +-
.../out/qcow2-qcow2_qcow2-qcow2_raw-auto      |   2 +-
.../out/qcow2-qcow2_qcow2-qcow2_raw-raw       |   2 +-
tests/virstoragetestdata/out/qcow2-symlinks   |   2 +-
.../out/qcow2datafile-qcow2_qcow2-datafile    |   2 +-
52 files changed, 824 insertions(+), 111 deletions(-)
copy tests/qemufirmwaredata/out/usr/share/qemu/firmware/{60-edk2-ovmf-x64-inteltdx.json => 50-edk2-ovmf-x64-microvm.json} (56%)
create mode 100644 tests/qemufirmwaredata/out/usr/share/qemu/firmware/91-bios.json
create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/70-edk2-ovmf-qemuvars-x64-sb-enrolled.json
create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/70-edk2-qemuvars-aarch64-sb-enrolled.json
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-8.2.0.err
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.args
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.xml
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.xml
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-json.x86_64-8.2.0.err
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-json.x86_64-latest.args
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml => firmware-auto-efi-format-nvram-json.x86_64-latest.xml} (71%)
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-json.xml
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-aarch64.aarch64-latest.args
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.xml => firmware-manual-efi-qemuvars-aarch64.aarch64-latest.xml} (52%)
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-aarch64.xml
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-nvram-network-nbd.x86_64-latest.err
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-nvram-network-nbd.xml
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-q35.x86_64-latest.args
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml => firmware-manual-efi-qemuvars-q35.x86_64-latest.xml} (74%)
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-q35.xml
[PATCH 00/29] qemu: Implement support for uefi-vars device and firmwares
Posted by Andrea Bolognani via Devel 1 week, 2 days ago
This series makes it possible to use Secure Boot with aarch64 VMs.

https://issues.redhat.com/browse/RHEL-82645

It needs a prerequisite series[1] to be applied first.

Note that, while I consider the entire series to be ready for review,
there are two patches that are marked as DONOTMERGE: that's because
they respectively implement support for a JSON firmware descriptor
syntax extension that has not yet been approved, and import into the
tree firmware descriptors that are not yet part of the Fedora edk2
package. The latter depends on the former, of course, for which
patches have been posted[2] to the QEMU mailing list.

[1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/N2ETTZ3WI5RWXGJG7DW5YYMZ7UGDYMHA/
[2] https://mail.gnu.org/archive/html/qemu-devel/2025-12/msg03462.html

Andrea Bolognani (29):
  schemas: Drop pflashFormat
  schemas: Introduce firmware(Loader|Nvram)Formats
  schemas: Allow JSON format for NVRAM
  conf: Introduce VIR_STORAGE_FILE_JSON
  conf: Allow JSON format for NVRAM in the parser
  qemu_firmware: Rename qemuFirmwareFlashFile to qemuFirmwareFile
  qemu_firmware: Use qemuFirmwareFile in qemuFirmwareMappingMemory
  DONOTMERGE: qemu_firmware: Support extended syntax for ROM firmware
    descriptors
  qemu_firmware: Report NVRAM template path for ROMs
  qemu_firmware: Fill in more information for ROMs
  qemu_firmware: Don't skip EnsureNVRAM() for ROMs
  qemu_firmware: Parse host-uefi-vars firmware feature
  qemu_firmware: Split sanity check
  qemu_firmware: Consider host-uefi-vars feature in sanity check
  tests: Add firmware-manual-efi-qemuvars-q35
  tests: Add firmware-manual-efi-qemuvars-aarch64
  tests: Add firmware-manual-efi-qemuvars-nvram-network-nbd
  tests: Add firmware-auto-efi-enrolled-keys-aarch64
  tests: Add firmware-auto-efi-format-nvram-json
  qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS
  qemu: Validate presence of uefi-vars device
  qemu: Don't allow remote locations for JSON format NVRAM
  qemu_firmware: Generate correct name for JSON format NVRAM
  qemu_firmware: Update matching logic for ROMs
  qemu_firmware: Require host-uefi-vars feature for JSON NVRAM
  qemu_firmware: Allow JSON format for NVRAM
  DONOTMERGE: tests: Add firmware descriptors for uefi-vars builds
  qemu_command: Use uefi-vars device where appropriate
  news: Document support for uefi-vars device and firmwares

-- 
2.52.0
Re: [PATCH 00/29] qemu: Implement support for uefi-vars device and firmwares
Posted by Michal Prívozník via Devel 1 day, 22 hours ago
On 12/29/25 00:40, Andrea Bolognani via Devel wrote:
> This series makes it possible to use Secure Boot with aarch64 VMs.
> 
> https://issues.redhat.com/browse/RHEL-82645
> 
> It needs a prerequisite series[1] to be applied first.
> 
> Note that, while I consider the entire series to be ready for review,
> there are two patches that are marked as DONOTMERGE: that's because
> they respectively implement support for a JSON firmware descriptor
> syntax extension that has not yet been approved, and import into the
> tree firmware descriptors that are not yet part of the Fedora edk2
> package. The latter depends on the former, of course, for which
> patches have been posted[2] to the QEMU mailing list.
> 
> [1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/N2ETTZ3WI5RWXGJG7DW5YYMZ7UGDYMHA/
> [2] https://mail.gnu.org/archive/html/qemu-devel/2025-12/msg03462.html
> 
> Andrea Bolognani (29):
>   schemas: Drop pflashFormat
>   schemas: Introduce firmware(Loader|Nvram)Formats
>   schemas: Allow JSON format for NVRAM
>   conf: Introduce VIR_STORAGE_FILE_JSON
>   conf: Allow JSON format for NVRAM in the parser
>   qemu_firmware: Rename qemuFirmwareFlashFile to qemuFirmwareFile
>   qemu_firmware: Use qemuFirmwareFile in qemuFirmwareMappingMemory
>   DONOTMERGE: qemu_firmware: Support extended syntax for ROM firmware
>     descriptors
>   qemu_firmware: Report NVRAM template path for ROMs
>   qemu_firmware: Fill in more information for ROMs
>   qemu_firmware: Don't skip EnsureNVRAM() for ROMs
>   qemu_firmware: Parse host-uefi-vars firmware feature
>   qemu_firmware: Split sanity check
>   qemu_firmware: Consider host-uefi-vars feature in sanity check
>   tests: Add firmware-manual-efi-qemuvars-q35
>   tests: Add firmware-manual-efi-qemuvars-aarch64
>   tests: Add firmware-manual-efi-qemuvars-nvram-network-nbd
>   tests: Add firmware-auto-efi-enrolled-keys-aarch64
>   tests: Add firmware-auto-efi-format-nvram-json
>   qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS
>   qemu: Validate presence of uefi-vars device
>   qemu: Don't allow remote locations for JSON format NVRAM
>   qemu_firmware: Generate correct name for JSON format NVRAM
>   qemu_firmware: Update matching logic for ROMs
>   qemu_firmware: Require host-uefi-vars feature for JSON NVRAM
>   qemu_firmware: Allow JSON format for NVRAM
>   DONOTMERGE: tests: Add firmware descriptors for uefi-vars builds
>   qemu_command: Use uefi-vars device where appropriate
>   news: Document support for uefi-vars device and firmwares

>  52 files changed, 824 insertions(+), 111 deletions(-)

Once the QEMU part is merged, then you have my:

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal