[PATCH v3 00/38] qemu: Implement support for uefi-vars device (varstore element)

Andrea Bolognani via Devel posted 38 patches 1 week, 5 days ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20260218120601.230343-1-abologna@redhat.com
There is a newer version of this series
NEWS.rst                                      |  16 ++
docs/formatcaps.rst                           |   2 +-
docs/formatdomain.rst                         |  47 +++--
docs/formatdomaincaps.rst                     |  85 +++++---
docs/kbase/secureboot.rst                     |  46 +++--
docs/manpages/virsh.rst                       |  44 +++--
include/libvirt/libvirt-domain-snapshot.h     |   2 +-
include/libvirt/libvirt-domain.h              |   4 +-
libvirt.spec.in                               |   1 +
src/conf/domain_capabilities.c                |  10 +
src/conf/domain_capabilities.h                |   6 +
src/conf/domain_conf.c                        |  79 +++++++-
src/conf/domain_conf.h                        |   9 +
src/conf/domain_postparse.c                   |  19 --
src/conf/domain_validate.c                    |  82 +++-----
src/conf/schemas/domaincaps.rng               |   9 +
src/conf/schemas/domaincommon.rng             |  64 +++---
src/conf/virconftypes.h                       |   2 +
src/libvirt_private.syms                      |   2 +
src/libxl/libxl_domain.c                      |   6 +
src/qemu/meson.build                          |   1 +
src/qemu/qemu_capabilities.c                  |  29 ++-
src/qemu/qemu_capabilities.h                  |   1 +
src/qemu/qemu_command.c                       |  34 ++++
src/qemu/qemu_conf.c                          |   4 +
src/qemu/qemu_conf.h                          |   1 +
src/qemu/qemu_driver.c                        |  27 ++-
src/qemu/qemu_firmware.c                      | 182 ++++++++++++++++--
src/qemu/qemu_firmware.h                      |   1 +
src/qemu/qemu_process.c                       |  84 ++++++--
src/qemu/qemu_validate.c                      |  20 ++
src/security/security_dac.c                   |  22 ++-
src/security/security_selinux.c               |  53 +++--
src/security/virt-aa-helper.c                 |  36 +++-
.../qemu_10.0.0-q35.x86_64+amdsev.xml         |   1 +
.../domaincapsdata/qemu_10.0.0-q35.x86_64.xml |   1 +
.../qemu_10.0.0-tcg.x86_64+amdsev.xml         |   1 +
.../domaincapsdata/qemu_10.0.0-tcg.x86_64.xml |   1 +
.../qemu_10.0.0-virt.aarch64.xml              |   3 +
tests/domaincapsdata/qemu_10.0.0.aarch64.xml  |   3 +
tests/domaincapsdata/qemu_10.0.0.ppc64.xml    |   1 +
tests/domaincapsdata/qemu_10.0.0.s390x.xml    |   1 +
.../qemu_10.0.0.x86_64+amdsev.xml             |   1 +
tests/domaincapsdata/qemu_10.0.0.x86_64.xml   |   1 +
.../qemu_10.1.0-q35.x86_64+inteltdx.xml       |   1 +
.../domaincapsdata/qemu_10.1.0-q35.x86_64.xml |   1 +
.../qemu_10.1.0-tcg.x86_64+inteltdx.xml       |   1 +
.../domaincapsdata/qemu_10.1.0-tcg.x86_64.xml |   1 +
tests/domaincapsdata/qemu_10.1.0.s390x.xml    |   1 +
.../qemu_10.1.0.x86_64+inteltdx.xml           |   1 +
tests/domaincapsdata/qemu_10.1.0.x86_64.xml   |   1 +
.../qemu_10.2.0-q35.x86_64+mshv.xml           |   1 +
.../domaincapsdata/qemu_10.2.0-q35.x86_64.xml |   1 +
.../qemu_10.2.0-tcg.x86_64+mshv.xml           |   1 +
.../domaincapsdata/qemu_10.2.0-tcg.x86_64.xml |   1 +
.../qemu_10.2.0-virt.aarch64.xml              |   3 +
tests/domaincapsdata/qemu_10.2.0.aarch64.xml  |   3 +
.../qemu_10.2.0.x86_64+mshv.xml               |   1 +
tests/domaincapsdata/qemu_10.2.0.x86_64.xml   |   1 +
.../domaincapsdata/qemu_11.0.0-q35.x86_64.xml |   1 +
.../domaincapsdata/qemu_11.0.0-tcg.x86_64.xml |   1 +
.../qemu_11.0.0-virt.aarch64.xml              |   3 +
tests/domaincapsdata/qemu_11.0.0.aarch64.xml  |   3 +
tests/domaincapsdata/qemu_11.0.0.x86_64.xml   |   1 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_6.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_7.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_7.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_7.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_7.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_7.1.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_7.1.0.x86_64.xml    |   1 +
.../qemu_7.2.0-hvf.x86_64+hvf.xml             |   1 +
.../domaincapsdata/qemu_7.2.0-q35.x86_64.xml  |   1 +
.../qemu_7.2.0-tcg.x86_64+hvf.xml             |   1 +
.../domaincapsdata/qemu_7.2.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_7.2.0.ppc.xml       |   1 +
tests/domaincapsdata/qemu_7.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_8.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_8.0.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_8.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_8.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_8.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_8.1.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_8.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_8.2.0-q35.x86_64.xml  |   1 +
.../qemu_8.2.0-tcg-virt.loongarch64.xml       |   1 +
.../domaincapsdata/qemu_8.2.0-tcg.x86_64.xml  |   1 +
.../qemu_8.2.0-virt.aarch64.xml               |   3 +
.../qemu_8.2.0-virt.loongarch64.xml           |   1 +
tests/domaincapsdata/qemu_8.2.0.aarch64.xml   |   3 +
tests/domaincapsdata/qemu_8.2.0.armv7l.xml    |   1 +
tests/domaincapsdata/qemu_8.2.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_8.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_9.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_9.0.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_9.0.0.sparc.xml     |   1 +
tests/domaincapsdata/qemu_9.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_9.1.0-q35.x86_64.xml  |   1 +
.../qemu_9.1.0-tcg-virt.riscv64.xml           |   1 +
.../domaincapsdata/qemu_9.1.0-tcg.x86_64.xml  |   1 +
.../qemu_9.1.0-virt.riscv64.xml               |   1 +
tests/domaincapsdata/qemu_9.1.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_9.1.0.x86_64.xml    |   1 +
.../qemu_9.2.0-hvf.aarch64+hvf.xml            |   3 +
.../qemu_9.2.0-q35.x86_64+amdsev.xml          |   1 +
.../domaincapsdata/qemu_9.2.0-q35.x86_64.xml  |   1 +
.../qemu_9.2.0-tcg.x86_64+amdsev.xml          |   1 +
.../domaincapsdata/qemu_9.2.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_9.2.0.s390x.xml     |   1 +
.../qemu_9.2.0.x86_64+amdsev.xml              |   1 +
tests/domaincapsdata/qemu_9.2.0.x86_64.xml    |   1 +
.../caps_10.0.0_aarch64.xml                   |   1 +
.../caps_10.0.0_x86_64+amdsev.xml             |   1 +
.../caps_10.0.0_x86_64.xml                    |   1 +
.../caps_10.1.0_s390x.xml                     |   1 +
.../caps_10.1.0_x86_64+inteltdx.xml           |   1 +
.../caps_10.1.0_x86_64.xml                    |   1 +
.../caps_10.2.0_aarch64.xml                   |   1 +
.../caps_10.2.0_x86_64+mshv.xml               |   1 +
.../caps_10.2.0_x86_64.xml                    |   1 +
.../caps_11.0.0_aarch64.xml                   |   1 +
.../caps_11.0.0_x86_64.xml                    |   1 +
.../etc/qemu/firmware/20-bios.json            |   1 -
.../etc/qemu/firmware/20-libvirt-bios.json    |   1 +
.../etc/qemu/firmware/59-combined.json        |   1 -
.../qemu/firmware/59-libvirt-combined.json    |   1 +
...{92-masked.json => 92-libvirt-masked.json} |   0
.../{10-bios.json => 10-libvirt-bios.json}    |   0
...0-edk2-ovmf-qemuvars-x64-sb-enrolled.json} |  15 +-
.../70-edk2-qemuvars-aarch64-sb-enrolled.json |  28 +++
...json => 71-edk2-ovmf-qemuvars-x64-sb.json} |  16 +-
.../firmware/71-edk2-qemuvars-aarch64-sb.json |  27 +++
...combined.json => 90-libvirt-combined.json} |   0
.../{91-bios.json => 91-libvirt-bios.json}    |   2 +-
...{92-masked.json => 92-libvirt-masked.json} |   0
...3-invalid.json => 93-libvirt-invalid.json} |   0
tests/qemufirmwaretest.c                      |  71 ++++---
...-auto-bios-not-stateless.x86_64-latest.err |   2 +-
...auto-bios-not-stateless.x86_64-latest.xml} |   6 +-
...firmware-auto-bios-nvram.x86_64-latest.err |   2 +-
...are-auto-bios-stateless.x86_64-latest.args |   2 +-
...ware-auto-bios-stateless.x86_64-latest.xml |   2 +-
.../firmware-auto-bios.x86_64-latest.args     |   2 +-
.../firmware-auto-bios.x86_64-latest.xml      |   2 +-
...fi-enrolled-keys-aarch64.aarch64-8.2.0.err |   1 +
...enrolled-keys-aarch64.aarch64-latest.args} |  12 +-
...i-enrolled-keys-aarch64.aarch64-latest.xml |  32 +++
...irmware-auto-efi-enrolled-keys-aarch64.xml |  20 ++
...-efi-varstore-aarch64.aarch64-latest.args} |  12 +-
...to-efi-varstore-aarch64.aarch64-latest.xml |  32 +++
.../firmware-auto-efi-varstore-aarch64.xml    |  18 ++
...-auto-efi-varstore-q35.x86_64-latest.args} |   5 +-
...e-auto-efi-varstore-q35.x86_64-latest.xml} |  11 +-
.../firmware-auto-efi-varstore-q35.xml        |  18 ++
...ual-bios-not-stateless.x86_64-latest.args} |   8 +-
...anual-bios-not-stateless.x86_64-latest.err |   1 -
...nual-bios-not-stateless.x86_64-latest.xml} |   2 +-
...re-manual-bios-stateless.x86_64-latest.xml |   6 +-
.../firmware-manual-bios.x86_64-latest.xml    |   6 +-
...nual-efi-nvram-stateless.x86_64-latest.err |   2 +-
...nvram-template-stateless.x86_64-latest.err |   2 +-
...ware-manual-efi-rw-nvram.x86_64-latest.err |   2 +-
...ual-efi-varstore-aarch64.aarch64-8.2.0.err |   1 +
...-efi-varstore-aarch64.aarch64-latest.args} |  12 +-
...al-efi-varstore-aarch64.aarch64-latest.xml |  32 +++
.../firmware-manual-efi-varstore-aarch64.xml  |  19 ++
...e-manual-efi-varstore-q35.x86_64-8.2.0.err |   1 +
...anual-efi-varstore-q35.x86_64-latest.args} |   5 +-
...manual-efi-varstore-q35.x86_64-latest.xml} |  11 +-
.../firmware-manual-efi-varstore-q35.xml      |  19 ++
tests/qemuxmlconftest.c                       |  16 +-
tests/testutilsqemu.c                         |   2 +
tools/virsh-domain.c                          |  55 ++++--
tools/virsh-snapshot.c                        |   9 +-
179 files changed, 1314 insertions(+), 380 deletions(-)
delete mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/20-bios.json
create mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/20-libvirt-bios.json
delete mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/59-combined.json
create mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/59-libvirt-combined.json
rename tests/qemufirmwaredata/etc/qemu/firmware/{92-masked.json => 92-libvirt-masked.json} (100%)
rename tests/qemufirmwaredata/home/user/.config/qemu/firmware/{10-bios.json => 10-libvirt-bios.json} (100%)
copy tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json => 70-edk2-ovmf-qemuvars-x64-sb-enrolled.json} (55%)
create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/70-edk2-qemuvars-aarch64-sb-enrolled.json
copy tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json => 71-edk2-ovmf-qemuvars-x64-sb.json} (51%)
create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/71-edk2-qemuvars-aarch64-sb.json
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json => 90-libvirt-combined.json} (100%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{91-bios.json => 91-libvirt-bios.json} (90%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{92-masked.json => 92-libvirt-masked.json} (100%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{93-invalid.json => 93-libvirt-invalid.json} (100%)
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.xml => firmware-auto-bios-not-stateless.x86_64-latest.xml} (84%)
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args => firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.args} (72%)
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.xml
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args => firmware-auto-efi-varstore-aarch64.aarch64-latest.args} (72%)
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-latest.xml
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.args => firmware-auto-efi-varstore-q35.x86_64-latest.args} (83%)
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml => firmware-auto-efi-varstore-q35.x86_64-latest.xml} (73%)
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args => firmware-manual-bios-not-stateless.x86_64-latest.args} (84%)
delete mode 100644 tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_64-latest.err
copy tests/qemuxmlconfdata/{firmware-manual-bios.x86_64-latest.xml => firmware-manual-bios-not-stateless.x86_64-latest.xml} (90%)
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args => firmware-manual-efi-varstore-aarch64.aarch64-latest.args} (73%)
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-latest.xml
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.xml
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args => firmware-manual-efi-varstore-q35.x86_64-latest.args} (85%)
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml => firmware-manual-efi-varstore-q35.x86_64-latest.xml} (74%)
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.xml
[PATCH v3 00/38] qemu: Implement support for uefi-vars device (varstore element)
Posted by Andrea Bolognani via Devel 1 week, 5 days ago
This series makes it possible to use Secure Boot with aarch64 VMs.

https://issues.redhat.com/browse/RHEL-82645

Note that, while I consider the entire series to be ready for review,
there is one patch that is marked as DONOTMERGE: that's because it
imports into the tree firmware descriptors that are not yet part of
the Fedora edk2 package.

Changes from [v2]:

  * changes to the schema for JSON firmware descriptors have been
    queued for merge in QEMU, so the corresponding patch is no longer
    marked as DONOTMERGE;

  * improve documentation;

  * rebase on top of master, addressing conflicts that I have caused
    with some recent changes related to this work.

Changes from [v1]:

  * rewrite based on review feedback: the <nvram> element is no
    longer used, and a dedicated <varstore> element is introduced
    instead;

  * additional test coverage, as well as fixes and improvements
    related to firmware selection and its documentation, are present
    as well.

[v2] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/WVWT3BX3J5HM4FKRG3IW7HAW6JMU2VOH/
[v1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/TGLFMPRXCATRPA6MPHH5KYXY5XCTSRDT/

Andrea Bolognani (38):
  qemu_firmware: Only set format for custom loader if path is present
  conf: Move type=rom default for loader to drivers
  qemu_firmware: Improve matching when loader.type is absent
  tests: Rename custom JSON firmware descriptors
  tests: Update JSON firmware descriptor for BIOS
  schema: Add varstore element
  conf: Parse and format varstore element
  conf: Update validation to consider varstore element
  qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS
  qemu: Validate presence of uefi-vars device
  tests: Add firmware-manual-efi-varstore-q35
  tests: Add firmware-manual-efi-varstore-aarch64
  tests: Add firmware-auto-efi-varstore-q35
  tests: Add firmware-auto-efi-varstore-aarch64
  tests: Add firmware-auto-efi-enrolled-keys-aarch64
  qemu_firmware: Parse host-uefi-vars firmware feature
  qemu_firmware: Split sanity check
  qemu_firmware: Consider host-uefi-vars feature in sanity check
  qemu_firmware: Support extended syntax for ROM firmware descriptors
  qemu_firmware: Report NVRAM template path for ROMs
  schema: Add varstore element for domcaps
  conf: Include varstore element in domcaps
  qemu: Fill in varstore element in domcaps
  qemu_firmware: Use of NVRAM implies stateful firmware
  qemu_firmware: Allow matching stateful ROMs
  qemu_firmware: Fill in varstore information
  qemu: Introduce varstoreDir
  qemu_firmware: Generate varstore path when necessary
  DONOTMERGE: tests: Add firmware descriptors for uefi-vars builds
  qemu_command: Use uefi-vars device where appropriate
  qemu: Introduce qemuPrepareNVRAMFileCommon()
  qemu: Create and delete varstore file
  security: Mark ROMs as read only when using AppArmor
  security: Handle varstore file
  include: Mention varstore where applicable
  virsh: Update for varstore handling
  docs: Update for varstore and improve
  news: Document support for uefi-vars device and firmwares


-- 
2.53.0
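The series above extends libvirt's firmware auto-selection, which walks QEMU-style JSON firmware descriptors and picks the first one whose target and features fit the domain. The following is an added example, not code from this series or from libvirt: it reproduces that lookup over constructed descriptors, using the directory priorities and the file names that appear in the series' test data (`70-edk2-qemuvars-aarch64-sb-enrolled.json`, `71-edk2-qemuvars-aarch64-sb.json`, `92-libvirt-masked.json`). It assumes the descriptor layout of QEMU's `firmware.json` interop format (`interface-types`, `mapping`, `targets`, `features`) and the masking rule as I understand it (same basename in a higher-priority directory wins; an empty file masks the name entirely). `host-uefi-vars` is treated purely as a feature string; every executable and template path is made up.

```python
"""Firmware descriptor selection over constructed QEMU-style descriptors.
Added example; not code from the series or from libvirt."""
import fnmatch
import json
import os

# Highest priority first.  A descriptor in an earlier directory masks one of
# the same basename in a later one; an empty file masks the name outright.
FIRMWARE_DIRS = (
    "/home/user/.config/qemu/firmware",
    "/etc/qemu/firmware",
    "/usr/share/qemu/firmware",
)


def _descriptor(description, device, executable, nvram_template,
                arch, machines, features):
    """Serialise one descriptor; executable/template paths are constructed."""
    mapping = {"device": device,
               "executable": {"filename": executable, "format": "raw"}}
    if nvram_template is not None:
        mapping["nvram-template"] = {"filename": nvram_template, "format": "raw"}
    return json.dumps({"description": description,
                       "interface-types": ["uefi"],
                       "mapping": mapping,
                       "targets": [{"architecture": arch, "machines": machines}],
                       "features": features,
                       "tags": []})


# Constructed file system: path -> contents.  "host-uefi-vars" is only a
# feature string here; the x86_64 entry exists so the masking rule can be shown.
FAKE_FS = {
    "/usr/share/qemu/firmware/70-edk2-qemuvars-aarch64-sb-enrolled.json":
        _descriptor("constructed: aarch64 Secure Boot, keys enrolled", "memory",
                    "/usr/share/edk2/aarch64/CONSTRUCTED-sb.fd",
                    "/usr/share/edk2/aarch64/CONSTRUCTED-vars-enrolled.json",
                    "aarch64", ["virt", "virt-*"],
                    ["secure-boot", "enrolled-keys", "host-uefi-vars"]),
    "/usr/share/qemu/firmware/71-edk2-qemuvars-aarch64-sb.json":
        _descriptor("constructed: aarch64 Secure Boot, no keys", "memory",
                    "/usr/share/edk2/aarch64/CONSTRUCTED-sb.fd",
                    "/usr/share/edk2/aarch64/CONSTRUCTED-vars.json",
                    "aarch64", ["virt", "virt-*"],
                    ["secure-boot", "host-uefi-vars"]),
    "/usr/share/qemu/firmware/92-libvirt-masked.json":
        _descriptor("constructed: x86_64 build that /etc masks out", "flash",
                    "/usr/share/edk2/x64/CONSTRUCTED.fd",
                    "/usr/share/edk2/x64/CONSTRUCTED-vars.fd",
                    "x86_64", ["pc-q35-*"], ["secure-boot"]),
    "/etc/qemu/firmware/92-libvirt-masked.json": "",
}


def load_descriptors(fs, dirs=FIRMWARE_DIRS):
    """Merge descriptors across the search path, honouring masking.
    Returns (basename, descriptor) pairs sorted by basename, i.e. the order
    in which candidates are tried."""
    seen = {}
    for directory in dirs:
        for path, content in fs.items():
            if os.path.dirname(path) != directory:
                continue
            name = os.path.basename(path)
            if name in seen:
                continue  # provided or masked by a higher-priority directory
            seen[name] = None if content.strip() == "" else json.loads(content)
    return sorted(((n, d) for n, d in seen.items() if d is not None),
                  key=lambda item: item[0])


def select_firmware(descriptors, arch, machine, want=(), avoid=()):
    """Basename of the first UEFI descriptor matching arch/machine whose
    features include all of `want` and none of `avoid`, else None.  A feature
    in neither set is unconstrained, so asking for secure-boot alone can land
    on an enrolled-keys build if that one sorts first."""
    want, avoid = set(want), set(avoid)
    for name, desc in descriptors:
        if "uefi" not in desc["interface-types"]:
            continue
        features = set(desc["features"])
        if not want <= features or features & avoid:
            continue
        for target in desc["targets"]:
            if target["architecture"] != arch:
                continue
            if any(fnmatch.fnmatchcase(machine, g) for g in target["machines"]):
                return name
    return None
```

Two points the example makes concrete: a request that pins only `secure-boot` is satisfied by the enrolled-keys descriptor because it sorts first, so a caller that wants an empty key database must say so explicitly; and an empty `92-libvirt-masked.json` under `/etc` removes the same-named descriptor under `/usr/share` from consideration altogether.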
Re: [PATCH v3 00/38] qemu: Implement support for uefi-vars device (varstore element)
Posted by Michal Prívozník via Devel 1 week, 4 days ago
On 2/18/26 13:05, Andrea Bolognani via Devel wrote:
> This series makes it possible to use Secure Boot with aarch64 VMs.
> 
> https://issues.redhat.com/browse/RHEL-82645
> 
> Note that, while I consider the entire series to be ready for review,
> there is one patch that is marked as DONOTMERGE: that's because it
> imports into the tree firmware descriptors that are not yet part of
> the Fedora edk2 package.
> 
> Changes from [v2]:
> 
>   * changes to the schema for JSON firmware descriptors have been
>     queued for merge in QEMU, so the corresponding patch is no longer
>     marked as DONOTMERGE;
> 
>   * improve documentation;
> 
>   * rebase on top of master, addressing conflicts that I have caused
>     with some recent changes related to this work.
> 
> Changes from [v1]:
> 
>   * rewrite based on review feedback: the <nvram> element is no
>     longer used, and a dedicated <varstore> element is introduced
>     instead;
> 
>   * additional test coverage, as well as fixes and improvements
>     related to firmware selection and its documentation, are present
>     as well.
> 
> [v2] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/WVWT3BX3J5HM4FKRG3IW7HAW6JMU2VOH/
> [v1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/TGLFMPRXCATRPA6MPHH5KYXY5XCTSRDT/
> 
> Andrea Bolognani (38):
>   qemu_firmware: Only set format for custom loader if path is present
>   conf: Move type=rom default for loader to drivers
>   qemu_firmware: Improve matching when loader.type is absent
>   tests: Rename custom JSON firmware descriptors
>   tests: Update JSON firmware descriptor for BIOS
>   schema: Add varstore element
>   conf: Parse and format varstore element
>   conf: Update validation to consider varstore element
>   qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS
>   qemu: Validate presence of uefi-vars device
>   tests: Add firmware-manual-efi-varstore-q35
>   tests: Add firmware-manual-efi-varstore-aarch64
>   tests: Add firmware-auto-efi-varstore-q35
>   tests: Add firmware-auto-efi-varstore-aarch64
>   tests: Add firmware-auto-efi-enrolled-keys-aarch64
>   qemu_firmware: Parse host-uefi-vars firmware feature
>   qemu_firmware: Split sanity check
>   qemu_firmware: Consider host-uefi-vars feature in sanity check
>   qemu_firmware: Support extended syntax for ROM firmware descriptors
>   qemu_firmware: Report NVRAM template path for ROMs
>   schema: Add varstore element for domcaps
>   conf: Include varstore element in domcaps
>   qemu: Fill in varstore element in domcaps
>   qemu_firmware: Use of NVRAM implies stateful firmware
>   qemu_firmware: Allow matching stateful ROMs
>   qemu_firmware: Fill in varstore information
>   qemu: Introduce varstoreDir
>   qemu_firmware: Generate varstore path when necessary
>   DONOTMERGE: tests: Add firmware descriptors for uefi-vars builds
>   qemu_command: Use uefi-vars device where appropriate
>   qemu: Introduce qemuPrepareNVRAMFileCommon()
>   qemu: Create and delete varstore file
>   security: Mark ROMs as read only when using AppArmor
>   security: Handle varstore file
>   include: Mention varstore where applicable
>   virsh: Update for varstore handling
>   docs: Update for varstore and improve
>   news: Document support for uefi-vars device and firmwares

>  179 files changed, 1314 insertions(+), 380 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal
Re: [PATCH v3 00/38] qemu: Implement support for uefi-vars device (varstore element)
Posted by Gerd Hoffmann via Devel 1 week, 4 days ago
On Wed, Feb 18, 2026 at 01:05:23PM +0100, Andrea Bolognani via Devel wrote:
> This series makes it possible to use Secure Boot with aarch64 VMs.
> 
> https://issues.redhat.com/browse/RHEL-82645
> 
> Note that, while I consider the entire series to be ready for review,
> there is one patch that is marked as DONOTMERGE: that's because it
> imports into the tree firmware descriptors that are not yet part of
> the Fedora edk2 package.

Not being a libvirt expert I can't really comment on library internals.
The test case data looks sane to me though, and I have not spotted
anything else which looks wrong to me.

Acked-by: Gerd Hoffmann <kraxel@redhat.com>

take care,
  Gerd