To: devel@lists.libvirt.org
Subject: [PATCH 13/29] qemu_firmware: Split sanity check
Date: Mon, 29 Dec 2025 00:40:32 +0100
Message-ID: <20251228234048.1711701-14-abologna@redhat.com>
In-Reply-To: <20251228234048.1711701-1-abologna@redhat.com>
References: <20251228234048.1711701-1-abologna@redhat.com>
List-Id: Development discussions about the libvirt library & tools
From: Andrea Bolognani via Devel
Reply-To: Andrea Bolognani

The two checks are semantically different, so it makes sense to perform them separately. We will soon extend the first one.

While at it, start printing out the value of isConfidential. We could print the value of each firmware feature it's derived from, but that would make things unnecessarily verbose; at the same time, knowing that libvirt believes that the firmware build is targeting the confidential use case can be useful for debugging so it's worth including it.

Signed-off-by: Andrea Bolognani
---
 src/qemu/qemu_firmware.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c index 309ec3f349..68563b8083 100644 --- a/src/qemu/qemu_firmware.c +++ b/src/qemu/qemu_firmware.c 
@@ -1726,16 +1726,23 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw, * VMs also don't support EFI variable storage in NVRAM, instead * the secureboot state is hardcoded to enabled. */ - if ((!isConfidential && - (supportsSecureBoot !=3D requiresSMM)) || - (hasEnrolledKeys && !supportsSecureBoot)) { + if (!isConfidential && + supportsSecureBoot !=3D requiresSMM) { VIR_WARN("Firmware description '%s' has invalid set of features: " - "%s =3D %d, %s =3D %d, %s =3D %d", + "%s =3D %d, %s =3D %d (isConfidential =3D %d)", filename, qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_REQ= UIRES_SMM), requiresSMM, qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_SEC= URE_BOOT), supportsSecureBoot, + isConfidential); + } + if (hasEnrolledKeys && !supportsSecureBoot) { + VIR_WARN("Firmware description '%s' has invalid set of features: " + "%s =3D %d, %s =3D %d", + filename, + qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_SEC= URE_BOOT), + supportsSecureBoot, qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_ENR= OLLED_KEYS), hasEnrolledKeys); } --=20 2.52.0
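
Review bot: In the first VIR_WARN, the added "(isConfidential = %d)" field can only ever print 0, because the guard around it is `if (!isConfidential && supportsSecureBoot != requiresSMM)`; as the hunk stands, the extra field gives no debugging information. The commit message says this check will be extended soon, so either introduce the field in the patch that lets the branch be taken with isConfidential set, or state in the commit message that it only becomes meaningful after that follow-up. Separately, the existing comment about confidential VMs now sits above only the first check, and both warnings share the same "has invalid set of features" text; a short comment above `if (hasEnrolledKeys && !supportsSecureBoot)` saying what that check enforces would make the split self-explanatory to the next reader.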