From nobody Tue Mar 3 05:10:35 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=reject dis=none) header.from=lists.libvirt.org ARC-Seal: i=1; a=rsa-sha256; t=1771418810; cv=none; d=zohomail.com; s=zohoarc; b=SQIpl+IherXU3fJOnFpssvNzvVT6chT38JRviO2bKT2pK+UqZmkXTsESOUOAaAoWXtddhFoD54TJ7rRLBQlJzLQzzaKgHD638i8soZGMSVS7Cpkmz4lxSQCBLqvn3fmA7b+6wMrVLXXNIEUIHcP8gYbIZFU4K9aNwZWMrBhkpJY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1771418810; h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc; bh=zFkg5NU0BPEDXJReEcHqkgFrchHVOyF+ZeMpCBVwpq4=; b=cdkz/vOn48TXQyXphQ6GORN+OBtqD2kaWQx3alnpjN6JNlk8X+/saCb8vacX7DWKo1YYwCoISwUO6mOyZbrsG+oXVZCanUKjlGg1rJuE/K/XfigvIcbOA/yRZ4lIFWay6xht3c3A2C74mo9na59fRTAzK5PDE0Q3dqxx3IqKPgY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 177141881073091.69105475731135; Wed, 18 Feb 2026 04:46:50 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 993) id 1BFF83F36B; Wed, 18 Feb 2026 07:46:50 -0500 (EST) Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id 3A2B54454E; Wed, 18 Feb 2026 07:11:21 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 993) id 84A2641B7A; Wed, 18 Feb 2026 07:10:58 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 9403541BD2 for ; Wed, 18 Feb 2026 07:07:09 -0500 (EST) Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-517-Ds3IaVd2MGu6EM0QdE_bpw-1; Wed, 18 Feb 2026 07:07:07 -0500 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 234B719560A7 for ; Wed, 18 Feb 2026 12:07:07 +0000 (UTC) Received: from kinshicho.usersys.redhat.com (unknown [10.45.226.171]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A3BA730001B9 for ; Wed, 18 Feb 2026 12:07:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1771416429; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zFkg5NU0BPEDXJReEcHqkgFrchHVOyF+ZeMpCBVwpq4=; b=dTjgua8qgugSWvvqdFA54tf2GFDmCW09hO4akCnSeqlAagRtcgi3BVqo9kTDBXoJlJ2/Z4 cjUsm9VRr1naTvRlRmP+Sd+4s+vZqB1JzRpfSQzYiQS74mov+I60jyfOc1VwANZmsmdwQ6 P+67dMwdKoZxaC4ufherxujAguw3hws= X-MC-Unique: Ds3IaVd2MGu6EM0QdE_bpw-1 X-Mimecast-MFC-AGG-ID: Ds3IaVd2MGu6EM0QdE_bpw_1771416427 To: devel@lists.libvirt.org Subject: [PATCH v3 37/38] docs: Update for varstore and improve Date: Wed, 18 Feb 2026 13:06:00 +0100 Message-ID: <20260218120601.230343-38-abologna@redhat.com> In-Reply-To: <20260218120601.230343-1-abologna@redhat.com> References: <20260218120601.230343-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: 37gCbs8yz91AlaABu8_WuqUhE6xi7zd1NF172JpMYC8_1771416427 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: F2IQXNUTSDSXYRXOTP7WAPIFUX4IJ7C5 X-Message-ID-Hash: F2IQXNUTSDSXYRXOTP7WAPIFUX4IJ7C5 X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Andrea Bolognani via Devel Reply-To: Andrea Bolognani X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1771418812766154100 Content-Type: text/plain; charset="utf-8"; x-default="true" In addition to documenting the new element, rework the documentation to encourage the use of firmware autoselection and discourage configuring the firmware manually; moreover, rename the "BIOS bootloader" section to the far more accurate "guest firmware". Signed-off-by: Andrea Bolognani --- docs/formatcaps.rst | 2 +- docs/formatdomain.rst | 47 ++++++++++++++++------ docs/formatdomaincaps.rst | 85 ++++++++++++++++++++++++--------------- docs/kbase/secureboot.rst | 46 +++++++++++++-------- 4 files changed, 118 insertions(+), 62 deletions(-) diff --git a/docs/formatcaps.rst b/docs/formatcaps.rst index fa8ab5197f..9458e1289a 100644 --- a/docs/formatcaps.rst +++ b/docs/formatcaps.rst @@ -172,7 +172,7 @@ The ```` element will typically wrap up the fol= lowing elements: Emulator (device model) path, for use in `emulator `__ element of domain XML. ``loader`` - Loader path, for use in `loader `= __ + Loader path, for use in `loader `__ element of domain XML. ``machine`` Machine type, for use in diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 82788c15a2..7871613017 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -103,12 +103,16 @@ Operating system booting There are a number of different ways to boot virtual machines each with th= eir own pros and cons. =20 +Guest firmware +~~~~~~~~~~~~~~ =20 -BIOS bootloader -~~~~~~~~~~~~~~~ +.. container:: + :name: bios-bootloader + + .. this container only exists to keep old links working =20 -Booting via the BIOS is available for hypervisors supporting full -virtualization. In this case the BIOS has a boot order priority (floppy, +Booting via a guest firmware is available for hypervisors supporting full +virtualization. In this case the firmware has a boot order priority (flopp= y, harddisk, cdrom, network) determining where to obtain/find the boot image. =20 :: @@ -192,9 +196,9 @@ harddisk, cdrom, network) determining where to obtain/f= ind the boot image. =20 ``firmware`` The ``firmware`` attribute allows management applications to automatica= lly - fill ```` and ```` elements and possibly enable some - features required by selected firmware. Accepted values are ``bios`` and - ``efi``. + fill ```` and ```` or ```` elements and pos= sibly + enable some features required by selected firmware. Accepted values are + ``bios`` and ``efi``. The selection process scans for files describing installed firmware ima= ges in specified location and uses the most specific one which fulfills domain requirements. The locations in order of preference (from generic to most @@ -307,6 +311,23 @@ harddisk, cdrom, network) determining where to obtain/= find the boot image. It is not valid to provide this element if the loader is marked as stateless. =20 +``varstore`` + This works much the same way as the ```` element described abov= e, + except that variable storage is handled by the ``uefi-vars`` QEMU device + instead of being backed by a pflash device. :since:`Since 12.1.0 (QEMU = only)` + + The ``path`` attribute contains the path of the domain-specific file wh= ere + variables are stored, while the ``template`` attribute points to a temp= late + that the domain-specific file can be (re)generated from. Assuming that = the + necessary JSON firmware descriptor files are present, both attributes w= ill + be filled in automatically by libvirt. + + Using ```` instead of ```` is particularly useful on + non-x86 architectures such as aarch64, where it represent the only way = to + get Secure Boot working. It can be used on x86 too, and doing so will m= ake + it possible to keep UEFI authenticated variables safe from tampering wi= thout + requiring the use of SMM emulation. + ``boot`` The ``dev`` attribute takes one of the values "fd", "hd", "cdrom" or "network" and is used to specify the next boot device to consider. The @@ -411,10 +432,10 @@ and full virtualized guests. =20 ``type`` This element has the same semantics as described earlier in the - `BIOS bootloader`_ section. + `guest firmware`_ section. ``loader`` This element has the same semantics as described earlier in the - `BIOS bootloader`_ section. + `guest firmware`_ section. ``kernel`` The contents of this element specify the fully-qualified path to the ke= rnel image in the host OS. @@ -3752,7 +3773,7 @@ paravirtualized driver is specified via the ``disk`` = element. attribute is an 8 character string which can be queried by guests on S3= 90 via sclp or diag 308. Linux guests on S390 can use ``loadparm`` to select a= boot entry. :since:`Since 3.5.0` The per-device ``boot`` elements cannot be = used - together with general boot elements in `BIOS bootloader`_ + together with general boot elements in `guest firmware`_ section. :since:`Since 0.8.8` ``encryption`` since:`Since 3.9.0` the ``encryption`` element is preferred @@ -4917,7 +4938,7 @@ or: Specifies that the device is bootable. The ``order`` attribute determin= es the order in which devices will be tried during boot sequence. The per-devi= ce ``boot`` elements cannot be used together with general boot elements in - `BIOS bootloader`_ section. :since:`Since 0.8.8` for PCI + `guest firmware`_ section. :since:`Since 0.8.8` for PCI devices, :since:`Since 1.0.1` for USB devices. ``rom`` The ``rom`` element is used to change how a PCI device's ROM is present= ed to @@ -5144,7 +5165,7 @@ USB device redirection through a character device is = supported Specifies that the device is bootable. The ``order`` attribute determin= es the order in which devices will be tried during boot sequence. The per-devi= ce ``boot`` elements cannot be used together with general boot elements in - `BIOS bootloader`_ section. ( :since:`Since 1.0.1` ) + `guest firmware`_ section. ( :since:`Since 1.0.1` ) ``redirfilter`` The\ ``redirfilter``\ element is used for creating the filter rule to f= ilter out certain devices from redirection. It uses sub-element ```` = to @@ -6400,7 +6421,7 @@ Specifying boot order For hypervisors which support this, you can set a specific NIC to be used = for network boot. The ``order`` attribute determines the order in which device= s will be tried during boot sequence. The per-device ``boot`` elements cannot be = used -together with general boot elements in `BIOS bootloader`_ +together with general boot elements in `guest firmware`_ section. :since:`Since 0.8.8` =20 Interface ROM BIOS configuration diff --git a/docs/formatdomaincaps.rst b/docs/formatdomaincaps.rst index cca827923c..5a1d3f2670 100644 --- a/docs/formatdomaincaps.rst +++ b/docs/formatdomaincaps.rst @@ -72,11 +72,11 @@ The root element that emulator capability XML document = starts with has name Describes the `virtualization type `__ (or so called domain type). ``machine`` - The domain's `machine type `__. Sinc= e not + The domain's `machine type `__. Since= not every hypervisor has a sense of machine types this element might be omi= tted in such drivers. ``arch`` - The domain's `architecture `__. + The domain's `architecture `__. =20 CPU Allocation ~~~~~~~~~~~~~~ @@ -95,12 +95,17 @@ capabilities, e.g. virtual CPUs: ``vcpu`` The maximum number of supported virtual CPUs =20 -BIOS bootloader -~~~~~~~~~~~~~~~ +Guest firmware +~~~~~~~~~~~~~~ + +.. container:: + :name: bios-bootloader + + .. this container only exists to keep old links working =20 -Sometimes users might want to tweak some BIOS knobs or use UEFI. For cases= like -that, `os `__ element exposes what valu= es can -be passed to its children. +Exposes information about supported +`guest firmware `__ configurations for +domains. =20 :: =20 @@ -136,19 +141,22 @@ be passed to its children. no + ... =20 -The ``firmware`` enum corresponds to the ``firmware`` attribute of the ``o= s`` -element in the domain XML. The presence of this enum means libvirt is capa= ble of -the so-called firmware auto-selection feature. And the listed firmware val= ues -represent the accepted input in the domain XML. Note that the ``firmware``= enum -reports only those values for which a firmware "descriptor file" exists on= the -host. Firmware descriptor file is a small JSON document that describes det= ails -about a given BIOS or UEFI binary on the host, e.g. the firmware binary pa= th, -its architecture, supported machine types, NVRAM template, etc. This ensur= es -that the reported values won't cause a failure on guest boot. +The presence of the ``firmware`` enum means that libvirt can perform firmw= are +autoselection, and each of the values is guaranteed to be usable. In the +domain XML, firmware autoselection is enabled as follows: + +:: + + + ... + +Autoselection is the recommended mechanism for configuring the guest firmw= are. +Providing paths and other information manually is discouraged. =20 The ```` element :since:`(since 12.1.0)` contains one enum for each of the features that can be used to fine-tune the firmware @@ -191,27 +199,40 @@ such as: would not work, since ``no`` is not one of the valid values advertised by the ``secureBoot`` enum. =20 -For the ``loader`` element, the following can occur: +The information contained in the ```` element is not relevant when +using firmware autoselection, which is the recommended approach to guest +firmware configuration, and as such can largely be ignored. Its subelements +are the following: =20 ``value`` - List of known firmware binary paths. Currently this is used only to adv= ertise - the known location of OVMF binaries for QEMU. OVMF binaries will only be - listed if they actually exist on host. + One element for each known firmware binary present on the system. + + Note that a binary being present here indicates that the file exists an= d it + is compatible with the architecture/machine type, but does not provide = any + insight into which mechanism (see ``type`` below) should be used to loa= d it. ``type`` - Whether the boot loader is a typical BIOS (``rom``) or a UEFI firmware - (``pflash``). Each ``value`` sub-element under the ``type`` enum repres= ents a - possible value for the ``type`` attribute for the element in = the - domain XML. E.g. the presence of ``pfalsh`` under the ``type`` enum mea= ns - that a domain XML can use UEFI firmware via: type=3D"pflash" - ...>/path/to/the/firmware/binary/. + Whether firmware can be loaded using a ``pflash`` device (UEFI only) or= as + a ``rom`` (either UEFI or BIOS). ``readonly`` - Options for the ``readonly`` attribute of the element in the = domain - XML. + Supported values for the ``readonly`` attribute of the ```` el= ement + in the domain XML. ``secure`` - Options for the ``secure`` attribute of the element in the do= main - XML. Note that the value ``yes`` is listed only if libvirt detects a fi= rmware - descriptor file that has path to an OVMF binary that supports Secure bo= ot, - and lists its architecture and supported machine type. + Supported values for the ``secure`` attribute of the ```` elem= ent + in the domain XML. + + Note that the value ``yes`` is listed if libvirt detects a firmware + descriptor file that points to a firmware binary that implements Secure + Boot and is compatible with the architecture/machine type, but the UEFI + variable store template associated with it might not have the usual set= of + Secure Boot certificates enrolled. To figure out whether it's actually + possible to enforce Secure Boot, look at the ``enrolledKeys`` enum insi= de + the ```` element instead. + +The ```` element :since:`(since 12.1.0)` indicates whether UEFI +variable storage backed by the ``uefi-vars`` QEMU device can be used as an +alternative to pflash-based NVRAM storage. This is the only type of variab= le +storage compatible with Secure Boot on non-x86 architectures, but it can be +used on x86 too. =20 CPU configuration ~~~~~~~~~~~~~~~~~ diff --git a/docs/kbase/secureboot.rst b/docs/kbase/secureboot.rst index 6c22b08d22..0c8143bfba 100644 --- a/docs/kbase/secureboot.rst +++ b/docs/kbase/secureboot.rst @@ -74,8 +74,8 @@ Changing an existing VM =20 When a VM is defined, libvirt will pick the firmware that best satisfies the provided criteria and record this information for use -on subsequent boots. The resulting XML configuration will look like -this: +on subsequent boots. The resulting XML configuration will look either +like this: =20 :: =20 @@ -88,14 +88,28 @@ this: /var/lib= /libvirt/qemu/nvram/vm_VARS.fd =20 +or like this: + +:: + + + + + + + /usr/share/edk2/aarch64/QEMU_EFI.q= emuvars.fd + + + In order to force libvirt to repeat the firmware autoselection -process, it's necessary to remove the ```` and ```` -elements. Failure to do so will likely result in an error. +process, it's necessary to remove the ```` as well as the +```` or ```` elements, depending on what's +applicable. Failure to do so will likely result in an error. =20 Note that updating the XML configuration as described above is -**not** enough to change the Secure Boot status: the NVRAM file -associated with the VM has to be regenerated from its template as -well. +**not** enough to change the Secure Boot status: the NVRAM/varstore +file associated with the VM has to be regenerated from its template +as well. =20 In order to do that, update the XML and then start the VM with =20 @@ -107,9 +121,9 @@ This option is only available starting with libvirt 8.1= .0, so if your version of libvirt is older than that you will have to delete the NVRAM file manually before starting the VM. =20 -Most guest operating systems will be able to cope with the NVRAM file -being reinitialized, but in some cases the VM will be unable to boot -after the change. +Most guest operating systems will be able to cope with the +NVRAM/varstore file being reinitialized, but in some cases the VM +will be unable to boot after the change. =20 =20 Additional information @@ -126,15 +140,15 @@ can be used to validate the operating system signatur= e need to be provided as well. =20 Asking for the ``enrolled-keys`` firmware feature to be enabled will -cause libvirt to initialize the NVRAM file associated with the VM -from a template that contains a suitable set of keys. These keys -being present will cause the firmware to enforce the Secure Boot +cause libvirt to initialize the NVRAM/varstore file associated with +the VM from a template that contains a suitable set of keys. These +keys being present will cause the firmware to enforce the Secure Boot signing requirements. =20 The opposite configuration, where the feature is explicitly disabled, -will result in no keys being present in the NVRAM file. Unable to -verify signatures, the firmware will allow even unsigned operating -systems to run. +will result in no keys being present in the NVRAM/varstore file. +Unable to verify signatures, the firmware will allow even unsigned +operating systems to run. =20 If running unsigned code is desired, it's also possible to ask for the ``secure-boot`` feature to be disabled, which will cause libvirt --=20 2.53.0