From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771871635; cv=none;
	d=zohomail.com; s=zohoarc;
	b=NflWCMZ+m7JYMwLzXBuO88h8D5+VqU0T5+AsOtA8tDxtXeMcICfc48xv+Xawszgl5/LiROeDbtCy4n5UuMT21Kv0Fnoa6uKuKyDvkqExua0aKXXRrnba7C3sOPy0uDKJV538KbLSjt0vaaHohKOfRD/1g1Mja+N9OPgNVTDF7bc=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771871635;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=j79ctdmpjUFEnPmL44ONQZsdVrE1ECbmbQg3CWFI6LM=;
	b=RXnygiUZn3KFYVaz6/hdci4nfG90vOpffXO3dtl1RyNyZRQp19RmdDx38tmKKlWLHUM6mTGTZN9o20EYWvi/kD9nmbJuuUHGR44JbUQ9aqi7SAi/L4S0NRLsm/2hU3yJjGSay6HLxnFNCH9t5A5dAOeNcOUI50teKDKc/n/GvW0=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771871635123561.0806111964891;
 Mon, 23 Feb 2026 10:33:55 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 4D40F41B3F; Mon, 23 Feb 2026 13:33:54 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id B46D641BB5;
	Mon, 23 Feb 2026 13:31:35 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id EC5B2419C7; Mon, 23 Feb 2026 13:31:30 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 60FFC419C0
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:30 -0500 (EST)
Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-94-AlIoh8ZIMS6pMcMJ_d2jRg-1; Mon,
 23 Feb 2026 13:31:28 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 848661956075
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:27 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 9C1241955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:26 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871490;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=j79ctdmpjUFEnPmL44ONQZsdVrE1ECbmbQg3CWFI6LM=;
	b=bsp4Wn87b0uATguRIv58DT5RqpTkfQq4b869mJopDKAujynqAqCr1u71XUBD5zhb8SXEto
	l+bArhS1/sH86unjKlkJaI0p7szoqOJYWgSAhBGwYHW+fv8olspQeoGQi4BmOW2dSyqJ/D
	TFb2bFGV7l6jcqoF9wJpkjVI2eRyquU=
X-MC-Unique: AlIoh8ZIMS6pMcMJ_d2jRg-1
X-Mimecast-MFC-AGG-ID: AlIoh8ZIMS6pMcMJ_d2jRg_1771871487
To: devel@lists.libvirt.org
Subject: [PATCH v4 01/36] docs: Rename "BIOS bootloader" section to "guest
 firmware"
Date: Mon, 23 Feb 2026 19:30:44 +0100
Message-ID: <20260223183119.501349-2-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: anVCaKrOz2AbXv8dxuQj8SYTodQ-8FM8O-H79rrKlRU_1771871487
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: VYVS3SBUNPEPJJUZ3OGF3LN4HZ2MKDZ2
X-Message-ID-Hash: VYVS3SBUNPEPJJUZ3OGF3LN4HZ2MKDZ2
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/VYVS3SBUNPEPJJUZ3OGF3LN4HZ2MKDZ2/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771871635993158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

The new name is much more accurate since the documentation is
applicable to firmware other than BIOS, notably UEFI.

An empty container is used to keep old links working.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 docs/formatcaps.rst       |  2 +-
 docs/formatdomain.rst     | 24 ++++++++++++++----------
 docs/formatdomaincaps.rst | 19 ++++++++++++-------
 3 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/docs/formatcaps.rst b/docs/formatcaps.rst
index fa8ab5197f..9458e1289a 100644
--- a/docs/formatcaps.rst
+++ b/docs/formatcaps.rst
@@ -172,7 +172,7 @@ The ``<guest/>`` element will typically wrap up the fol=
lowing elements:
       Emulator (device model) path, for use in
       `emulator <formatdomain.html#devices>`__ element of domain XML.
    ``loader``
-      Loader path, for use in `loader <formatdomain.html#bios-bootloader>`=
__
+      Loader path, for use in `loader <formatdomain.html#guest-firmware>`__
       element of domain XML.
    ``machine``
       Machine type, for use in
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 82788c15a2..db664857af 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -103,12 +103,16 @@ Operating system booting
 There are a number of different ways to boot virtual machines each with th=
eir
 own pros and cons.
=20
+Guest firmware
+~~~~~~~~~~~~~~
=20
-BIOS bootloader
-~~~~~~~~~~~~~~~
+.. container::
+   :name: bios-bootloader
+
+   .. this container only exists to keep old links working
=20
-Booting via the BIOS is available for hypervisors supporting full
-virtualization. In this case the BIOS has a boot order priority (floppy,
+Booting via a guest firmware is available for hypervisors supporting full
+virtualization. In this case the firmware has a boot order priority (flopp=
y,
 harddisk, cdrom, network) determining where to obtain/find the boot image.
=20
 ::
@@ -411,10 +415,10 @@ and full virtualized guests.
=20
 ``type``
    This element has the same semantics as described earlier in the
-   `BIOS bootloader`_ section.
+   `guest firmware`_ section.
 ``loader``
    This element has the same semantics as described earlier in the
-   `BIOS bootloader`_ section.
+   `guest firmware`_ section.
 ``kernel``
    The contents of this element specify the fully-qualified path to the ke=
rnel
    image in the host OS.
@@ -3752,7 +3756,7 @@ paravirtualized driver is specified via the ``disk`` =
element.
    attribute is an 8 character string which can be queried by guests on S3=
90 via
    sclp or diag 308. Linux guests on S390 can use ``loadparm`` to select a=
 boot
    entry. :since:`Since 3.5.0` The per-device ``boot`` elements cannot be =
used
-   together with general boot elements in `BIOS bootloader`_
+   together with general boot elements in `guest firmware`_
    section. :since:`Since 0.8.8`
 ``encryption``
    since:`Since 3.9.0` the ``encryption`` element is preferred
@@ -4917,7 +4921,7 @@ or:
    Specifies that the device is bootable. The ``order`` attribute determin=
es the
    order in which devices will be tried during boot sequence. The per-devi=
ce
    ``boot`` elements cannot be used together with general boot elements in
-   `BIOS bootloader`_ section. :since:`Since 0.8.8` for PCI
+   `guest firmware`_ section. :since:`Since 0.8.8` for PCI
    devices, :since:`Since 1.0.1` for USB devices.
 ``rom``
    The ``rom`` element is used to change how a PCI device's ROM is present=
ed to
@@ -5144,7 +5148,7 @@ USB device redirection through a character device is =
supported
    Specifies that the device is bootable. The ``order`` attribute determin=
es the
    order in which devices will be tried during boot sequence. The per-devi=
ce
    ``boot`` elements cannot be used together with general boot elements in
-   `BIOS bootloader`_ section. ( :since:`Since 1.0.1` )
+   `guest firmware`_ section. ( :since:`Since 1.0.1` )
 ``redirfilter``
    The\ ``redirfilter``\ element is used for creating the filter rule to f=
ilter
    out certain devices from redirection. It uses sub-element ``<usbdev>`` =
to
@@ -6400,7 +6404,7 @@ Specifying boot order
 For hypervisors which support this, you can set a specific NIC to be used =
for
 network boot. The ``order`` attribute determines the order in which device=
s will
 be tried during boot sequence. The per-device ``boot`` elements cannot be =
used
-together with general boot elements in `BIOS bootloader`_
+together with general boot elements in `guest firmware`_
 section. :since:`Since 0.8.8`
=20
 Interface ROM BIOS configuration
diff --git a/docs/formatdomaincaps.rst b/docs/formatdomaincaps.rst
index cca827923c..22a6d5d067 100644
--- a/docs/formatdomaincaps.rst
+++ b/docs/formatdomaincaps.rst
@@ -72,11 +72,11 @@ The root element that emulator capability XML document =
starts with has name
    Describes the `virtualization type <formatdomain.html#element-and-attri=
bute-overview>`__ (or so
    called domain type).
 ``machine``
-   The domain's `machine type <formatdomain.html#bios-bootloader>`__. Sinc=
e not
+   The domain's `machine type <formatdomain.html#guest-firmware>`__. Since=
 not
    every hypervisor has a sense of machine types this element might be omi=
tted
    in such drivers.
 ``arch``
-   The domain's `architecture <formatdomain.html#bios-bootloader>`__.
+   The domain's `architecture <formatdomain.html#guest-firmware>`__.
=20
 CPU Allocation
 ~~~~~~~~~~~~~~
@@ -95,12 +95,17 @@ capabilities, e.g. virtual CPUs:
 ``vcpu``
    The maximum number of supported virtual CPUs
=20
-BIOS bootloader
-~~~~~~~~~~~~~~~
+Guest firmware
+~~~~~~~~~~~~~~
+
+.. container::
+   :name: bios-bootloader
+
+   .. this container only exists to keep old links working
=20
-Sometimes users might want to tweak some BIOS knobs or use UEFI. For cases=
 like
-that, `os <formatdomain.html#bios-bootloader>`__ element exposes what valu=
es can
-be passed to its children.
+Exposes information about supported
+`guest firmware <formatdomain.html#guest-firmware>`__ configurations for
+domains.
=20
 ::
=20
--=20
2.53.0
From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771871724; cv=none;
	d=zohomail.com; s=zohoarc;
	b=Flv5h30oXfH+uMbKxCo/UUjaXoSLKKajLJZ71oiKScGA5GUKcvykgQWJ5CW9J0qQKgJapm28jRKPBHoDhzGOyx5gfDcyAiRR5Mq6A1c+Jh9FzC5NFhDsKfsED2REbvFgNSQ55YSK4oye2Eb8l0MsIKEmRGMjBxHmqmKdMbJ8LfE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771871724;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=+8bRe8ccxhh0YgPR91m84D7Ubk5bWIyzV/NXW3kt4ws=;
	b=W2/sz6fLtSug2fZzFVwT5vDVcZ7Urxpit7NvLjXozN4URBW368ahps9eS7g2Vd1f8FyaO0tqau06F5kAU9pWGfnIiGGti8/FRQYbIIHD4vPtD1rkFdTOYaKmFhKGp+CPK1odny4HHugQxQpLo8brSEG/ojGldcZYV5z69zANhZk=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771871723907231.2848353986285;
 Mon, 23 Feb 2026 10:35:23 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 210E241BE8; Mon, 23 Feb 2026 13:35:23 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id BD01B41C04;
	Mon, 23 Feb 2026 13:31:56 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 05461419C9; Mon, 23 Feb 2026 13:31:52 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 7B74F41A55
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:32 -0500 (EST)
Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-696-SZjh6Jg0PuO4UkkQKC91hg-1; Mon,
 23 Feb 2026 13:31:30 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id A32481956094
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:29 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 5E2421955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:27 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871492;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=+8bRe8ccxhh0YgPR91m84D7Ubk5bWIyzV/NXW3kt4ws=;
	b=PN1ShiqbvNuoelqP1f37zI/B2aDrVzOUGSTw3/Njc1phEMpziwo6VnYKH7mJ32yJpUGypI
	K4oiaxQp+7IhCqMbOKGnd4C4zGyQkdltqlsvnr6+WUUBnRC4hBAGNflLKXbe9qvpEf07dA
	HbYsLpPM3WS/QPbd7wWpFLZWB5FMdMA=
X-MC-Unique: SZjh6Jg0PuO4UkkQKC91hg-1
X-Mimecast-MFC-AGG-ID: SZjh6Jg0PuO4UkkQKC91hg_1771871489
To: devel@lists.libvirt.org
Subject: [PATCH v4 02/36] docs: Improvement related to firmware selection
Date: Mon, 23 Feb 2026 19:30:45 +0100
Message-ID: <20260223183119.501349-3-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: Py7fjhlscfvDFWTK8R4OtBJNP6mA7ud1bihPNMzDQdY_1771871489
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: WPI3J6DMI74AESOVDSQUGTZQEBVDVDOE
X-Message-ID-Hash: WPI3J6DMI74AESOVDSQUGTZQEBVDVDOE
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/WPI3J6DMI74AESOVDSQUGTZQEBVDVDOE/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771871726206158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

Recommend that users take advantage of firmware autoselection
and discourage providing paths manually.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 docs/formatdomaincaps.rst | 59 ++++++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 25 deletions(-)

diff --git a/docs/formatdomaincaps.rst b/docs/formatdomaincaps.rst
index 22a6d5d067..3426b7c9cd 100644
--- a/docs/formatdomaincaps.rst
+++ b/docs/formatdomaincaps.rst
@@ -145,15 +145,17 @@ domains.
      ...
    <domainCapabilities>
=20
-The ``firmware`` enum corresponds to the ``firmware`` attribute of the ``o=
s``
-element in the domain XML. The presence of this enum means libvirt is capa=
ble of
-the so-called firmware auto-selection feature. And the listed firmware val=
ues
-represent the accepted input in the domain XML. Note that the ``firmware``=
 enum
-reports only those values for which a firmware "descriptor file" exists on=
 the
-host. Firmware descriptor file is a small JSON document that describes det=
ails
-about a given BIOS or UEFI binary on the host, e.g. the firmware binary pa=
th,
-its architecture, supported machine types, NVRAM template, etc. This ensur=
es
-that the reported values won't cause a failure on guest boot.
+The presence of the ``firmware`` enum means that libvirt can perform firmw=
are
+autoselection, and each of the values is guaranteed to be usable. In the
+domain XML, firmware autoselection is enabled as follows:
+
+::
+
+    <os firmware=3D'efi'>
+      ...
+
+Autoselection is the recommended mechanism for configuring the guest firmw=
are.
+Providing paths and other information manually is discouraged.
=20
 The ``<firmwareFeatures/>`` element :since:`(since 12.1.0)` contains one
 enum for each of the features that can be used to fine-tune the firmware
@@ -196,27 +198,34 @@ such as:
 would not work, since ``no`` is not one of the valid values advertised by
 the ``secureBoot`` enum.
=20
-For the ``loader`` element, the following can occur:
+The information contained in the ``<loader/>`` element is not relevant when
+using firmware autoselection, which is the recommended approach to guest
+firmware configuration, and as such can largely be ignored. Its subelements
+are the following:
=20
 ``value``
-   List of known firmware binary paths. Currently this is used only to adv=
ertise
-   the known location of OVMF binaries for QEMU. OVMF binaries will only be
-   listed if they actually exist on host.
+   One element for each known firmware binary present on the system.
+
+   Note that a binary being present here indicates that the file exists an=
d it
+   is compatible with the architecture/machine type, but does not provide =
any
+   insight into which mechanism (see ``type`` below) should be used to loa=
d it.
 ``type``
-   Whether the boot loader is a typical BIOS (``rom``) or a UEFI firmware
-   (``pflash``). Each ``value`` sub-element under the ``type`` enum repres=
ents a
-   possible value for the ``type`` attribute for the <loader/> element in =
the
-   domain XML. E.g. the presence of ``pfalsh`` under the ``type`` enum mea=
ns
-   that a domain XML can use UEFI firmware via: <loader/> type=3D"pflash"
-   ...>/path/to/the/firmware/binary/</loader>.
+   Whether firmware can be loaded using a ``pflash`` device (UEFI only) or=
 as
+   a ``rom`` (either UEFI or BIOS).
 ``readonly``
-   Options for the ``readonly`` attribute of the <loader/> element in the =
domain
-   XML.
+   Supported values for the ``readonly`` attribute of the ``<loader/>`` el=
ement
+   in the domain XML.
 ``secure``
-   Options for the ``secure`` attribute of the <loader/> element in the do=
main
-   XML. Note that the value ``yes`` is listed only if libvirt detects a fi=
rmware
-   descriptor file that has path to an OVMF binary that supports Secure bo=
ot,
-   and lists its architecture and supported machine type.
+   Supported values for the ``secure`` attribute of the ``<loader/>`` elem=
ent
+   in the domain XML.
+
+   Note that the value ``yes`` is listed if libvirt detects a firmware
+   descriptor file that points to a firmware binary that implements Secure
+   Boot and is compatible with the architecture/machine type, but the UEFI
+   variable store template associated with it might not have the usual set=
 of
+   Secure Boot certificates enrolled. To figure out whether it's actually
+   possible to enforce Secure Boot, look at the ``enrolledKeys`` enum insi=
de
+   the ``<firmwareFeatures/>`` element instead.
=20
 CPU configuration
 ~~~~~~~~~~~~~~~~~
--=20
2.53.0
From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771871779; cv=none;
	d=zohomail.com; s=zohoarc;
	b=cxJO2QuCxgKplKaahMkuuxliycir8n0vqreVO6d/qlFvTxBF9mKe9z1bI6YxHEu+9tkY2Ah0GDqpTCvC6tO/nro11Wzqm+RtZhgUfH3lwatA9SMYsACUHPzyOxECZ6kmpTtz5hmgIaSNsd5mDHHnQeHSep0U4CnWT59XpWcCXzc=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771871779;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=yVHRSNbj3isDe27hDsdh/jwsSy+1ghh/6pnQHDl0Jo4=;
	b=QdvAIpjq8UMS9wWP+3qdeLJ2XfSthTsxmHfgF+9F3JRizZ2jsg6x1ukb3tfXFEnPWuH3mbp991SakLjVpZJSIK5nJepXnCdByeY6uR0ClDqMNAs/HKFArXrJQ3sqdr4PlqsXlowD5Csh/1KHdptEzt/ptCNVLknyqZAmVeZ/RQc=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771871779004321.5352336328814;
 Mon, 23 Feb 2026 10:36:19 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 4172841C09; Mon, 23 Feb 2026 13:36:18 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 9A33A41C7F;
	Mon, 23 Feb 2026 13:32:08 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 7352241C2C; Mon, 23 Feb 2026 13:32:04 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 078FF41B02
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:33 -0500 (EST)
Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-127-SnWVwqq4OVekxwi1CwJDEQ-1; Mon,
 23 Feb 2026 13:31:32 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 68305195608A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:31 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 5BAD01955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:29 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871493;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=yVHRSNbj3isDe27hDsdh/jwsSy+1ghh/6pnQHDl0Jo4=;
	b=fxKv05o2P9y+A+F6qxqHJdAi/cQGzYQ3X4cwR0pbQ6YLQ3Q9Kkq2ADOxKfzULMjsXrgzK/
	f9QNe5l1wgKSlBYb2w7bp3uuhL4Co+i9pAD25QoGnhiaq2u29SNYlRsjdd6NR4+TX/Q9Cz
	lN/SiXK9B2ytPmQIHQZ5G++8EFlJIhc=
X-MC-Unique: SnWVwqq4OVekxwi1CwJDEQ-1
X-Mimecast-MFC-AGG-ID: SnWVwqq4OVekxwi1CwJDEQ_1771871491
To: devel@lists.libvirt.org
Subject: [PATCH v4 03/36] qemu_firmware: Only set format for custom loader if
 path is present
Date: Mon, 23 Feb 2026 19:30:46 +0100
Message-ID: <20260223183119.501349-4-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: F7GXrfGRelnb2s2lDhgjnpStJQPPZUETNxd1k1GJSZE_1771871491
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: MNNINCGEJD3ZTFAYFOK6ZA7NPT6TGTI2
X-Message-ID-Hash: MNNINCGEJD3ZTFAYFOK6ZA7NPT6TGTI2
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/MNNINCGEJD3ZTFAYFOK6ZA7NPT6TGTI2/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771871780512158500

We only set the template format if the template path is present,
and we should be consistent with that. The format on its own is
not very interesting anyway.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 436b06c388..519828f6f9 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1662,8 +1662,10 @@ qemuFirmwareFillDomainCustom(virDomainDef *def)
     if (!loader)
         return;
=20
-    if (!loader->format)
+    if (loader->path &&
+        !loader->format) {
         loader->format =3D VIR_STORAGE_FILE_RAW;
+    }
=20
     if (loader->nvramTemplate &&
         !loader->nvramTemplateFormat) {
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771871855; cv=none;
	d=zohomail.com; s=zohoarc;
	b=eM4B0+T+nNs2otXVIyKVBWqM/AWdzktDGwKQ9H/u+uH6BaJcw/dYk2tpdi6uZ6Fv3EPZ0FB6JFiwd/vkJ9bvQnwcwcINlzw8mucC+56aEb+1bZ8b2hVjw1NRYa073fv93gW241zK/n7kUvxMxFJwreQyiGafaBcZNEF5KguQGDs=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771871855;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=a/dL9q96yqNF+Otz1S6EJY8bFQM9ZHDq2dH4l9OG9e4=;
	b=iporaHKvZOA4i2QEiKUuWilkQziagt0Pj/eUBi4Xb2iH/pY9u6DIZwteWYxyuD0jrjT5sUvEYl3p0Wf7Q4gySE9Kz3r8ctzHpxDhENhDYIIlw/q5tBIrbAsdElQru264NvckBnbo3Nmfc7OzHif6lwGfqzaD1Te4NqF4klQs4N8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771871855668634.0889609511324;
 Mon, 23 Feb 2026 10:37:35 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id E5A5841C05; Mon, 23 Feb 2026 13:37:34 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 1207941B9C;
	Mon, 23 Feb 2026 13:34:01 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id CE61741B5B; Mon, 23 Feb 2026 13:33:55 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id B1F5841BB4
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:35 -0500 (EST)
Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-122-KXhgMxGpOz-0ZgkffLBLqA-1; Mon,
 23 Feb 2026 13:31:33 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 0AF3719560A7
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:33 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 29E6D1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:31 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871495;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=a/dL9q96yqNF+Otz1S6EJY8bFQM9ZHDq2dH4l9OG9e4=;
	b=iVFWslShy4Zh6cJ8uGlu4IOG9DMADnXECpAcaBJrkTyAc8gduCWLCxlLHI7eEPVM1v5Eir
	vOgBUe7VZ4LQJMrJxg2SjOCEhwr4bs0Fn115anvsrhEs2OTsF5ijGcr5fqZgOmCKcSaoy6
	SzbLfgGYFRI94VsSI792NXhHs/nhGAI=
X-MC-Unique: KXhgMxGpOz-0ZgkffLBLqA-1
X-Mimecast-MFC-AGG-ID: KXhgMxGpOz-0ZgkffLBLqA_1771871493
To: devel@lists.libvirt.org
Subject: [PATCH v4 04/36] conf: Move type=rom default for loader to drivers
Date: Mon, 23 Feb 2026 19:30:47 +0100
Message-ID: <20260223183119.501349-5-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: _egBtYD020B0xMCAy1j1fgUeC9jTJPqna3bnZmzZQ44_1771871493
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: DRZHAQG3HB77LN4LKT52SDTI73CCXA5B
X-Message-ID-Hash: DRZHAQG3HB77LN4LKT52SDTI73CCXA5B
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/DRZHAQG3HB77LN4LKT52SDTI73CCXA5B/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771871856842158500

Right now we set this default in the common parsing code, which
is not a big problem per se but would get in the way of some
upcoming changes.

Leave this choice to individual drivers instead. Only the QEMU
and Xen drivers use the value for anything, so we can limit the
amount of code duplication this change causes.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/conf/domain_postparse.c | 19 -------------------
 src/libxl/libxl_domain.c    |  6 ++++++
 src/qemu/qemu_firmware.c    |  5 +++++
 3 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/src/conf/domain_postparse.c b/src/conf/domain_postparse.c
index 38e731348d..cbaae75c02 100644
--- a/src/conf/domain_postparse.c
+++ b/src/conf/domain_postparse.c
@@ -89,22 +89,6 @@ virDomainDefPostParseMemory(virDomainDef *def,
 }
=20
=20
-static int
-virDomainDefPostParseOs(virDomainDef *def)
-{
-    if (!def->os.loader)
-        return 0;
-
-    if (def->os.loader->path &&
-        def->os.loader->type =3D=3D VIR_DOMAIN_LOADER_TYPE_NONE) {
-        /* By default, loader is type of 'rom' */
-        def->os.loader->type =3D VIR_DOMAIN_LOADER_TYPE_ROM;
-    }
-
-    return 0;
-}
-
-
 static void
 virDomainDefPostParseMemtune(virDomainDef *def)
 {
@@ -1251,9 +1235,6 @@ virDomainDefPostParseCommon(virDomainDef *def,
     if (virDomainDefPostParseMemory(def, data->parseFlags) < 0)
         return -1;
=20
-    if (virDomainDefPostParseOs(def) < 0)
-        return -1;
-
     virDomainDefPostParseMemtune(def);
=20
     if (virDomainDefRejectDuplicateControllers(def) < 0)
diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c
index 9842d6fece..c6717e31cf 100644
--- a/src/libxl/libxl_domain.c
+++ b/src/libxl/libxl_domain.c
@@ -279,6 +279,12 @@ libxlDomainDefPostParse(virDomainDef *def,
             def->features[VIR_DOMAIN_FEATURE_ACPI] =3D VIR_TRISTATE_SWITCH=
_ON;
     }
=20
+    if (def->os.loader &&
+        def->os.loader->path &&
+        !def->os.loader->type) {
+        def->os.loader->type =3D VIR_DOMAIN_LOADER_TYPE_ROM;
+    }
+
     /* add implicit balloon device */
     if (def->memballoon =3D=3D NULL) {
         virDomainMemballoonDef *memballoon;
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 519828f6f9..6a074055ca 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1662,6 +1662,11 @@ qemuFirmwareFillDomainCustom(virDomainDef *def)
     if (!loader)
         return;
=20
+    if (loader->path &&
+        !loader->type) {
+        loader->type =3D VIR_DOMAIN_LOADER_TYPE_ROM;
+    }
+
     if (loader->path &&
         !loader->format) {
         loader->format =3D VIR_STORAGE_FILE_RAW;
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771871985; cv=none;
	d=zohomail.com; s=zohoarc;
	b=NshwWv/5r3UhCDntPuSsXqhNXVrIcV/p7intV7UaWbTCByCCMssxRDpLq33FcRSSBDA/BjRvX8iaNprWxqKcTJZ5zr7OCaMmkfAZmyZaTVctalleoz3sKFOr777kEhBu99xOe5DFr/s8PLcoEbxr/jkvUp6U5SStQmx6h6dF/X4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771871985;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=sx//IRWi8L8hAOEFetDHmxM0CnBkBzCQz29djigG2CY=;
	b=mAKnGlVR9kA9I5PBunZ43cVqbsgg8LNEzgEXwFKrfRRnfxUXHG4fzcBGisXJH5SDY5+saaXPqexuSFHgLerNV5v76fbDs4cvkx6BE9Xsbfi8IysoYCkupvlNkgTQBg39CatqhiCHTb/7AVgM0JTFHQSHOHebZYlCdrjC81vHY8M=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771871984981460.80077223492117;
 Mon, 23 Feb 2026 10:39:44 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 0DDDC41C78; Mon, 23 Feb 2026 13:39:44 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 014FA41A88;
	Mon, 23 Feb 2026 13:34:21 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 568B841B54; Mon, 23 Feb 2026 13:34:14 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 5C41D41AFC
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:37 -0500 (EST)
Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-325-KOcm-7jWPOmNgrot2WFI8Q-1; Mon,
 23 Feb 2026 13:31:35 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id EE5341956088
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:34 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id C50DF1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:33 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871497;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=sx//IRWi8L8hAOEFetDHmxM0CnBkBzCQz29djigG2CY=;
	b=iSpDLjp9MSkKB5jTJDqOBMk08yZ05LAOVJrd5kBOkGMi4FsJN87vVYrw1hU7a9WizgkSJc
	EiLKGq6InYK9PUAp/jJR67ILosop6mpvci/3UayMDS/PWu9MgQXgVf/TzCUaF+MF/Fr3Kg
	/rPrlEbItF0Z5MjvG67ilKjJUazQziw=
X-MC-Unique: KOcm-7jWPOmNgrot2WFI8Q-1
X-Mimecast-MFC-AGG-ID: KOcm-7jWPOmNgrot2WFI8Q_1771871495
To: devel@lists.libvirt.org
Subject: [PATCH v4 05/36] tests: Rename custom JSON firmware descriptors
Date: Mon, 23 Feb 2026 19:30:48 +0100
Message-ID: <20260223183119.501349-6-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 4DnNLnVX5_94yL75T9-HZucrnCMEAVuHWmHi_aSze_M_1771871495
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 5TQM535C7CN73LOVWUUJPFXIALRVJZLU
X-Message-ID-Hash: 5TQM535C7CN73LOVWUUJPFXIALRVJZLU
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/5TQM535C7CN73LOVWUUJPFXIALRVJZLU/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771871985465158500

Most of the JSON firmware descriptors in our test suite come from
the Fedora package for edk2, but there are a few additional ones
that we have created ourselves to ensure coverage of uncommon or
problematic scenarios.

In order to make sure that such descriptors are clearly marked as
custom, rename them to include the string "libvirt" in the path.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 .../etc/qemu/firmware/20-bios.json               |  1 -
 .../etc/qemu/firmware/20-libvirt-bios.json       |  1 +
 .../etc/qemu/firmware/59-combined.json           |  1 -
 .../etc/qemu/firmware/59-libvirt-combined.json   |  1 +
 .../{92-masked.json =3D> 92-libvirt-masked.json}   |  0
 .../{10-bios.json =3D> 10-libvirt-bios.json}       |  0
 ...90-combined.json =3D> 90-libvirt-combined.json} |  0
 .../{91-bios.json =3D> 91-libvirt-bios.json}       |  0
 .../{92-masked.json =3D> 92-libvirt-masked.json}   |  0
 .../{93-invalid.json =3D> 93-libvirt-invalid.json} |  0
 tests/qemufirmwaretest.c                         | 16 ++++++++--------
 11 files changed, 10 insertions(+), 10 deletions(-)
 delete mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/20-bios.json
 create mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/20-libvirt-bio=
s.json
 delete mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/59-combined.js=
on
 create mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/59-libvirt-com=
bined.json
 rename tests/qemufirmwaredata/etc/qemu/firmware/{92-masked.json =3D> 92-li=
bvirt-masked.json} (100%)
 rename tests/qemufirmwaredata/home/user/.config/qemu/firmware/{10-bios.jso=
n =3D> 10-libvirt-bios.json} (100%)
 rename tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json =
=3D> 90-libvirt-combined.json} (100%)
 rename tests/qemufirmwaredata/usr/share/qemu/firmware/{91-bios.json =3D> 9=
1-libvirt-bios.json} (100%)
 rename tests/qemufirmwaredata/usr/share/qemu/firmware/{92-masked.json =3D>=
 92-libvirt-masked.json} (100%)
 rename tests/qemufirmwaredata/usr/share/qemu/firmware/{93-invalid.json =3D=
> 93-libvirt-invalid.json} (100%)

diff --git a/tests/qemufirmwaredata/etc/qemu/firmware/20-bios.json b/tests/=
qemufirmwaredata/etc/qemu/firmware/20-bios.json
deleted file mode 120000
index 2c274dddc2..0000000000
--- a/tests/qemufirmwaredata/etc/qemu/firmware/20-bios.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../usr/share/qemu/firmware/91-bios.json
\ No newline at end of file
diff --git a/tests/qemufirmwaredata/etc/qemu/firmware/20-libvirt-bios.json =
b/tests/qemufirmwaredata/etc/qemu/firmware/20-libvirt-bios.json
new file mode 120000
index 0000000000..fab8877c3e
--- /dev/null
+++ b/tests/qemufirmwaredata/etc/qemu/firmware/20-libvirt-bios.json
@@ -0,0 +1 @@
+../../../usr/share/qemu/firmware/91-libvirt-bios.json
\ No newline at end of file
diff --git a/tests/qemufirmwaredata/etc/qemu/firmware/59-combined.json b/te=
sts/qemufirmwaredata/etc/qemu/firmware/59-combined.json
deleted file mode 120000
index da9099ffb7..0000000000
--- a/tests/qemufirmwaredata/etc/qemu/firmware/59-combined.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../usr/share/qemu/firmware/90-combined.json
\ No newline at end of file
diff --git a/tests/qemufirmwaredata/etc/qemu/firmware/59-libvirt-combined.j=
son b/tests/qemufirmwaredata/etc/qemu/firmware/59-libvirt-combined.json
new file mode 120000
index 0000000000..74e63c4574
--- /dev/null
+++ b/tests/qemufirmwaredata/etc/qemu/firmware/59-libvirt-combined.json
@@ -0,0 +1 @@
+../../../usr/share/qemu/firmware/90-libvirt-combined.json
\ No newline at end of file
diff --git a/tests/qemufirmwaredata/etc/qemu/firmware/92-masked.json b/test=
s/qemufirmwaredata/etc/qemu/firmware/92-libvirt-masked.json
similarity index 100%
rename from tests/qemufirmwaredata/etc/qemu/firmware/92-masked.json
rename to tests/qemufirmwaredata/etc/qemu/firmware/92-libvirt-masked.json
diff --git a/tests/qemufirmwaredata/home/user/.config/qemu/firmware/10-bios=
.json b/tests/qemufirmwaredata/home/user/.config/qemu/firmware/10-libvirt-b=
ios.json
similarity index 100%
rename from tests/qemufirmwaredata/home/user/.config/qemu/firmware/10-bios.=
json
rename to tests/qemufirmwaredata/home/user/.config/qemu/firmware/10-libvirt=
-bios.json
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.jso=
n b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-libvirt-combined.json
similarity index 100%
rename from tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json
rename to tests/qemufirmwaredata/usr/share/qemu/firmware/90-libvirt-combine=
d.json
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/91-bios.json b/=
tests/qemufirmwaredata/usr/share/qemu/firmware/91-libvirt-bios.json
similarity index 100%
rename from tests/qemufirmwaredata/usr/share/qemu/firmware/91-bios.json
rename to tests/qemufirmwaredata/usr/share/qemu/firmware/91-libvirt-bios.js=
on
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/92-masked.json =
b/tests/qemufirmwaredata/usr/share/qemu/firmware/92-libvirt-masked.json
similarity index 100%
rename from tests/qemufirmwaredata/usr/share/qemu/firmware/92-masked.json
rename to tests/qemufirmwaredata/usr/share/qemu/firmware/92-libvirt-masked.=
json
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/93-invalid.json=
 b/tests/qemufirmwaredata/usr/share/qemu/firmware/93-libvirt-invalid.json
similarity index 100%
rename from tests/qemufirmwaredata/usr/share/qemu/firmware/93-invalid.json
rename to tests/qemufirmwaredata/usr/share/qemu/firmware/93-libvirt-invalid=
.json
diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c
index 2eb9d8e701..e09f50592b 100644
--- a/tests/qemufirmwaretest.c
+++ b/tests/qemufirmwaretest.c
@@ -84,7 +84,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED)
     g_autofree char *fakehome =3D NULL;
     g_auto(GStrv) fwList =3D NULL;
     const char *expected[] =3D {
-        SYSCONFDIR "/qemu/firmware/20-bios.json",
+        SYSCONFDIR "/qemu/firmware/20-libvirt-bios.json",
         PREFIX "/share/qemu/firmware/30-edk2-ovmf-4m-qcow2-x64-sb-enrolled=
.json",
         PREFIX "/share/qemu/firmware/31-edk2-ovmf-2m-raw-x64-sb-enrolled.j=
son",
         PREFIX "/share/qemu/firmware/40-edk2-ovmf-4m-qcow2-x64-sb.json",
@@ -98,12 +98,12 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED)
         PREFIX "/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json",
         PREFIX "/share/qemu/firmware/52-edk2-aarch64-verbose-qcow2.json",
         PREFIX "/share/qemu/firmware/53-edk2-aarch64-verbose-raw.json",
-        SYSCONFDIR "/qemu/firmware/59-combined.json",
+        SYSCONFDIR "/qemu/firmware/59-libvirt-combined.json",
         PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json",
         PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json",
-        PREFIX "/share/qemu/firmware/90-combined.json",
-        PREFIX "/share/qemu/firmware/91-bios.json",
-        PREFIX "/share/qemu/firmware/93-invalid.json",
+        PREFIX "/share/qemu/firmware/90-libvirt-combined.json",
+        PREFIX "/share/qemu/firmware/91-libvirt-bios.json",
+        PREFIX "/share/qemu/firmware/93-libvirt-invalid.json",
         NULL
     };
     const char **e;
@@ -285,9 +285,9 @@ mymain(void)
     DO_PARSE_TEST("usr/share/qemu/firmware/53-edk2-aarch64-verbose-raw.jso=
n");
     DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json");
     DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json"=
);
-    DO_PARSE_TEST("usr/share/qemu/firmware/90-combined.json");
-    DO_PARSE_TEST("usr/share/qemu/firmware/91-bios.json");
-    DO_PARSE_FAILURE_TEST("usr/share/qemu/firmware/93-invalid.json");
+    DO_PARSE_TEST("usr/share/qemu/firmware/90-libvirt-combined.json");
+    DO_PARSE_TEST("usr/share/qemu/firmware/91-libvirt-bios.json");
+    DO_PARSE_FAILURE_TEST("usr/share/qemu/firmware/93-libvirt-invalid.json=
");
=20
     if (virTestRun("QEMU FW precedence test", testFWPrecedence, NULL) < 0)
         ret =3D -1;
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771871915; cv=none;
	d=zohomail.com; s=zohoarc;
	b=iIWfWtCwLzLWJeqhNTJ2Uqhh6BCjaB9y+BTRoxqbY8FkbIAJoXO3cZYaXrynMvoXzNA9Cvx/C1oRVHGyODvvUlPKyE1dlTmqadzR5mH7ZT7MdoESzr0KqBXIAhkLBHtMPTCuClDw0pCDB7uok6T/ookm5voa40kLpavCbbfnPqg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771871915;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=YPLRF0RjzPRMol61TFyvN0wRBTdEcu038pbkbGlWh2A=;
	b=d8LpF+VYXN1oGr3widD+B0w79tU8pVZzFNbd9QjTrfPWtsN7vtPo40sKV7Tn2LrH+yms7EQFwif4JWI5N+3a8xiSzOK1SALN0ECY8rTH8HXr3Q67A4zfP3KkyOu0jqqwJiYpzQNVG5LWoXI/UDcYeL9YKbETcPNjK1WUNb18DrI=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771871915538580.1502253019809;
 Mon, 23 Feb 2026 10:38:35 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 6736B41BC5; Mon, 23 Feb 2026 13:38:34 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 8B40A41CA3;
	Mon, 23 Feb 2026 13:34:19 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id EC85741A07; Mon, 23 Feb 2026 13:34:13 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id BF917419EA
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:39 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-164-eOId_YerPUKjRTQQHTO-TQ-1; Mon,
 23 Feb 2026 13:31:37 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id C8EA81800451
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:36 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id A16441955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:35 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871499;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=YPLRF0RjzPRMol61TFyvN0wRBTdEcu038pbkbGlWh2A=;
	b=YjCRoVKqURNQ47nOzG3xEBdQZBOo/SJRBsgIXQWdpuMS9XLTy/l06aj8GsGIN6w6wizE+u
	GSGJ75C6nVPIreef2gkAJ/eZn33e8pWJ48DHPumz+BJphycpzsw/TQiI8b47lx8n8WUEtU
	uTDokTrSDcU1pcRIydUdm/FdiRELON8=
X-MC-Unique: eOId_YerPUKjRTQQHTO-TQ-1
X-Mimecast-MFC-AGG-ID: eOId_YerPUKjRTQQHTO-TQ_1771871496
To: devel@lists.libvirt.org
Subject: [PATCH v4 06/36] schema: Introduce osnvram define
Date: Mon, 23 Feb 2026 19:30:49 +0100
Message-ID: <20260223183119.501349-7-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: EM9i7fgOJMjYByeAupqVoDw7MZRyP6twcxr5XxGqQSk_1771871496
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: Y327UK2ZLSE4VOVQ2OAQBBMHW26UWAFI
X-Message-ID-Hash: Y327UK2ZLSE4VOVQ2OAQBBMHW26UWAFI
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/Y327UK2ZLSE4VOVQ2OAQBBMHW26UWAFI/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771871917275158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

This moves the definition of the <nvram> element out of the
fairly complex oshvm define and will make it easier to later
add the <varstore> element without making things unmanageable.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/conf/schemas/domaincommon.rng | 54 +++++++++++++++++--------------
 1 file changed, 29 insertions(+), 25 deletions(-)

diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincom=
mon.rng
index dafbdc63e7..e09f6e80f3 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -349,31 +349,7 @@
             </element>
           </optional>
           <optional>
-            <element name=3D"nvram">
-              <optional>
-                <attribute name=3D"template">
-                  <ref name=3D"absFilePath"/>
-                </attribute>
-              </optional>
-              <optional>
-                <attribute name=3D"templateFormat">
-                  <ref name=3D"pflashFormatTypes"/>
-                </attribute>
-              </optional>
-              <optional>
-                <ref name=3D"pflashFormat"/>
-              </optional>
-              <optional>
-                <choice>
-                  <group>
-                    <ref name=3D"absFilePath"/>
-                  </group>
-                  <group>
-                    <ref name=3D"diskSource"/>
-                  </group>
-                </choice>
-              </optional>
-            </element>
+            <ref name=3D"osnvram"/>
           </optional>
           <optional>
             <ref name=3D"osbootkernel"/>
@@ -452,6 +428,34 @@
     </element>
   </define>
=20
+  <define name=3D"osnvram">
+    <element name=3D"nvram">
+      <optional>
+        <attribute name=3D"template">
+          <ref name=3D"absFilePath"/>
+        </attribute>
+      </optional>
+      <optional>
+        <attribute name=3D"templateFormat">
+          <ref name=3D"pflashFormatTypes"/>
+        </attribute>
+      </optional>
+      <optional>
+        <ref name=3D"pflashFormat"/>
+      </optional>
+      <optional>
+        <choice>
+          <group>
+            <ref name=3D"absFilePath"/>
+          </group>
+          <group>
+            <ref name=3D"diskSource"/>
+          </group>
+        </choice>
+      </optional>
+    </element>
+  </define>
+
   <define name=3D"osexe">
     <element name=3D"os">
       <interleave>
--=20
2.53.0
From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872071; cv=none;
	d=zohomail.com; s=zohoarc;
	b=Wn21ym+HG+iNMaMgy/rje5duGZgtxWFV3Ccad/+98vBWmG4JUbjfQpNNMn/AXLGz9qpc8r9dKhRjFBPnSQSs+/miNtqtRz+uFed2N9R3ebBWq7uX71pP+j20TXje5cskZozZk5ITLubc3fVGaeWhMt750MXF5I6VLorh0xp4+/Q=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872071;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=68uRN2TGu4stNLup+dSLgULnAdD7X/w0Gx4Ip0qCeLk=;
	b=GytwIeIZsu70yTuJvaKQKru4VgBG2hhvpUlIA7QvxDivZV7R+WspqHxZOYLec8kn3x7AJBh/xhUpKdYU9TNNBJAlbAsUcqYL9vsA1fnIBO14R1ajI+rkXhqk8DjIMFmuUNf/ZfZIsJnf5QbBwEO7qoVbsJsPbxxuNlMC8imXCOo=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872071416802.5524051570453;
 Mon, 23 Feb 2026 10:41:11 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 8494141BC1; Mon, 23 Feb 2026 13:41:10 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id B78FA41D29;
	Mon, 23 Feb 2026 13:34:24 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 87626419DD; Mon, 23 Feb 2026 13:34:14 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 09BF8419CA
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:42 -0500 (EST)
Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-624-GPGgBRRpOOaoLBBr3UqtiQ-1; Mon,
 23 Feb 2026 13:31:40 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 4CBA019560A5
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:39 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id A052F1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:37 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871501;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=68uRN2TGu4stNLup+dSLgULnAdD7X/w0Gx4Ip0qCeLk=;
	b=DMKj+YBUhm8gA3oiWK31hvE+D5D4khAre6lN6Rqki0XRH19Bxs+JGkhuPrfLD2QvWILM+l
	Ocps/yLs/zHbEDzXCqaxbq6oxoq3no0ss7e/dgM/9NtdWf4p6qJJn3Fub3B2k4MsA7uplE
	HyB74Rs+LLsuO0hkHO5JKsOsYs3+yoQ=
X-MC-Unique: GPGgBRRpOOaoLBBr3UqtiQ-1
X-Mimecast-MFC-AGG-ID: GPGgBRRpOOaoLBBr3UqtiQ_1771871499
To: devel@lists.libvirt.org
Subject: [PATCH v4 07/36] conf: Parse and format varstore element
Date: Mon, 23 Feb 2026 19:30:50 +0100
Message-ID: <20260223183119.501349-8-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: T9-kEIvHb8PlNiV4eoRWhz58O9BYaFWu018gtI_6Qpc_1771871499
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 2VWXEJTGP3J3GXIZWBYER7EDR74JJWXN
X-Message-ID-Hash: 2VWXEJTGP3J3GXIZWBYER7EDR74JJWXN
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/2VWXEJTGP3J3GXIZWBYER7EDR74JJWXN/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872072036158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

This will be used to configure the backing storage used by the
uefi-vars QEMU device.

Dealing with the element itself is trivial, however we have to
refactor the existing code which deals with the loader and nvram
elements slightly: in particular, we can no longer perform an
early exit if those elements are absent.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 docs/formatdomain.rst             | 23 +++++++--
 docs/kbase/secureboot.rst         | 46 +++++++++++-------
 src/conf/domain_conf.c            | 79 ++++++++++++++++++++++++++++---
 src/conf/domain_conf.h            |  9 ++++
 src/conf/schemas/domaincommon.rng | 22 ++++++++-
 src/conf/virconftypes.h           |  2 +
 src/libvirt_private.syms          |  2 +
 7 files changed, 156 insertions(+), 27 deletions(-)

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index db664857af..7871613017 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -196,9 +196,9 @@ harddisk, cdrom, network) determining where to obtain/f=
ind the boot image.
=20
 ``firmware``
    The ``firmware`` attribute allows management applications to automatica=
lly
-   fill ``<loader/>`` and ``<nvram/>`` elements and possibly enable some
-   features required by selected firmware. Accepted values are ``bios`` and
-   ``efi``.
+   fill ``<loader/>`` and ``<nvram/>`` or ``<varstore/>`` elements and pos=
sibly
+   enable some features required by selected firmware. Accepted values are
+   ``bios`` and ``efi``.
    The selection process scans for files describing installed firmware ima=
ges in
    specified location and uses the most specific one which fulfills domain
    requirements. The locations in order of preference (from generic to most
@@ -311,6 +311,23 @@ harddisk, cdrom, network) determining where to obtain/=
find the boot image.
    It is not valid to provide this element if the loader is marked as
    stateless.
=20
+``varstore``
+   This works much the same way as the ``<nvram/>`` element described abov=
e,
+   except that variable storage is handled by the ``uefi-vars`` QEMU device
+   instead of being backed by a pflash device. :since:`Since 12.1.0 (QEMU =
only)`
+
+   The ``path`` attribute contains the path of the domain-specific file wh=
ere
+   variables are stored, while the ``template`` attribute points to a temp=
late
+   that the domain-specific file can be (re)generated from. Assuming that =
the
+   necessary JSON firmware descriptor files are present, both attributes w=
ill
+   be filled in automatically by libvirt.
+
+   Using ``<varstore/>`` instead of ``<nvram/>`` is particularly useful on
+   non-x86 architectures such as aarch64, where it represent the only way =
to
+   get Secure Boot working. It can be used on x86 too, and doing so will m=
ake
+   it possible to keep UEFI authenticated variables safe from tampering wi=
thout
+   requiring the use of SMM emulation.
+
 ``boot``
    The ``dev`` attribute takes one of the values "fd", "hd", "cdrom" or
    "network" and is used to specify the next boot device to consider. The
diff --git a/docs/kbase/secureboot.rst b/docs/kbase/secureboot.rst
index 6c22b08d22..b411b65f00 100644
--- a/docs/kbase/secureboot.rst
+++ b/docs/kbase/secureboot.rst
@@ -74,8 +74,8 @@ Changing an existing VM
=20
 When a VM is defined, libvirt will pick the firmware that best
 satisfies the provided criteria and record this information for use
-on subsequent boots. The resulting XML configuration will look like
-this:
+on subsequent boots. The resulting XML configuration will look either
+like this:
=20
 ::
=20
@@ -88,14 +88,28 @@ this:
     <nvram template=3D'/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib=
/libvirt/qemu/nvram/vm_VARS.fd</nvram>
   </os>
=20
+or like this:
+
+::
+
+  <os firmware=3D'efi'>
+    <firmware>
+      <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+      <feature enabled=3D'yes' name=3D'secure-boot'/>
+    </firmware>
+    <loader type=3D'rom' format=3D'raw'>/usr/share/edk2/aarch64/QEMU_EFI.q=
emuvars.fd</loader>
+    <varstore template=3D'/usr/share/edk2/aarch64/vars.secboot.json' path=
=3D'/var/lib/libvirt/qemu/varstore/vm.json'/>
+  </os>
+
 In order to force libvirt to repeat the firmware autoselection
-process, it's necessary to remove the ``<loader>`` and ``<nvram>``
-elements. Failure to do so will likely result in an error.
+process, it's necessary to remove the ``<loader>`` as well as the
+``<nvram>`` or ``<varstore>`` elements, depending on what's
+applicable. Failure to do so will likely result in an error.
=20
 Note that updating the XML configuration as described above is
-**not** enough to change the Secure Boot status: the NVRAM file
-associated with the VM has to be regenerated from its template as
-well.
+**not** enough to change the Secure Boot status: the NVRAM/varstore
+file associated with the VM has to be regenerated from its template
+as well.
=20
 In order to do that, update the XML and then start the VM with
=20
@@ -107,9 +121,9 @@ This option is only available starting with libvirt 8.1=
.0, so if your
 version of libvirt is older than that you will have to delete the
 NVRAM file manually before starting the VM.
=20
-Most guest operating systems will be able to cope with the NVRAM file
-being reinitialized, but in some cases the VM will be unable to boot
-after the change.
+Most guest operating systems will be able to cope with the
+NVRAM/varstore file being reinitialized, but in some cases the VM
+will be unable to boot after the change.
=20
=20
 Additional information
@@ -126,15 +140,15 @@ can be used to validate the operating system signatur=
e need to be
 provided as well.
=20
 Asking for the ``enrolled-keys`` firmware feature to be enabled will
-cause libvirt to initialize the NVRAM file associated with the VM
-from a template that contains a suitable set of keys. These keys
-being present will cause the firmware to enforce the Secure Boot
+cause libvirt to initialize the NVRAM/varstore file associated with
+the VM from a template that contains a suitable set of keys. These
+keys being present will cause the firmware to enforce the Secure Boot
 signing requirements.
=20
 The opposite configuration, where the feature is explicitly disabled,
-will result in no keys being present in the NVRAM file. Unable to
-verify signatures, the firmware will allow even unsigned operating
-systems to run.
+will result in no keys being present in the NVRAM/varstore file.
+Unable to verify signatures, the firmware will allow even unsigned
+operating systems to run.
=20
 If running unsigned code is desired, it's also possible to ask for
 the ``secure-boot`` feature to be disabled, which will cause libvirt
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 453e301041..1384e9f3ab 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3960,6 +3960,27 @@ virDomainLoaderDefFree(virDomainLoaderDef *loader)
     g_free(loader);
 }
=20
+virDomainVarstoreDef *
+virDomainVarstoreDefNew(void)
+{
+    virDomainVarstoreDef *def =3D NULL;
+
+    def =3D g_new0(virDomainVarstoreDef, 1);
+
+    return def;
+}
+
+void
+virDomainVarstoreDefFree(virDomainVarstoreDef *varstore)
+{
+    if (!varstore)
+        return;
+
+    g_free(varstore->path);
+    g_free(varstore->template);
+    g_free(varstore);
+}
+
=20
 static void
 virDomainResctrlMonDefFree(virDomainResctrlMonDef *domresmon)
@@ -4062,6 +4083,7 @@ virDomainOSDefClear(virDomainOSDef *os)
         virDomainOSACPITableDefFree(os->acpiTables[i]);
     g_free(os->acpiTables);
     virDomainLoaderDefFree(os->loader);
+    virDomainVarstoreDefFree(os->varstore);
     g_free(os->bootloader);
     g_free(os->bootloaderArgs);
 }
@@ -18088,6 +18110,17 @@ virDomainLoaderDefParseXMLLoader(virDomainLoaderDe=
f *loader,
 }
=20
=20
+static int
+virDomainVarstoreDefParseXML(virDomainVarstoreDef *varstore,
+                             xmlNodePtr varstoreNode)
+{
+    varstore->path =3D virXMLPropString(varstoreNode, "path");
+    varstore->template =3D virXMLPropString(varstoreNode, "template");
+
+    return 0;
+}
+
+
 static int
 virDomainLoaderDefParseXML(virDomainLoaderDef *loader,
                            xmlNodePtr loaderNode,
@@ -18535,16 +18568,29 @@ virDomainDefParseBootLoaderOptions(virDomainDef *=
def,
     xmlNodePtr loaderNode =3D virXPathNode("./os/loader[1]", ctxt);
     xmlNodePtr nvramNode =3D virXPathNode("./os/nvram[1]", ctxt);
     xmlNodePtr nvramSourceNode =3D virXPathNode("./os/nvram/source[1]", ct=
xt);
+    xmlNodePtr varstoreNode =3D virXPathNode("./os/varstore[1]", ctxt);
=20
-    if (!loaderNode && !nvramNode)
-        return 0;
+    if (nvramNode && varstoreNode) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("Cannot have both <nvram> and <varstore>"));
+        return -1;
+    }
=20
-    def->os.loader =3D virDomainLoaderDefNew();
+    if (loaderNode || nvramNode) {
+        def->os.loader =3D virDomainLoaderDefNew();
=20
-    if (virDomainLoaderDefParseXML(def->os.loader,
-                                   loaderNode, nvramNode, nvramSourceNode,
-                                   ctxt, xmlopt, flags) < 0)
-        return -1;
+        if (virDomainLoaderDefParseXML(def->os.loader,
+                                       loaderNode, nvramNode, nvramSourceN=
ode,
+                                       ctxt, xmlopt, flags) < 0)
+            return -1;
+    }
+
+    if (varstoreNode) {
+        def->os.varstore =3D virDomainVarstoreDefNew();
+
+        if (virDomainVarstoreDefParseXML(def->os.varstore, varstoreNode) <=
 0)
+            return -1;
+    }
=20
     return 0;
 }
@@ -28248,6 +28294,20 @@ virDomainLoaderDefFormat(virBuffer *buf,
     return 0;
 }
=20
+static int
+virDomainVarstoreDefFormat(virBuffer *buf,
+                           virDomainVarstoreDef *varstore)
+{
+    g_auto(virBuffer) attrBuf =3D VIR_BUFFER_INITIALIZER;
+
+    virBufferEscapeString(&attrBuf, " template=3D'%s'", varstore->template=
);
+    virBufferEscapeString(&attrBuf, " path=3D'%s'", varstore->path);
+
+    virXMLFormatElementEmpty(buf, "varstore", &attrBuf, NULL);
+
+    return 0;
+}
+
 static void
 virDomainKeyWrapDefFormat(virBuffer *buf, virDomainKeyWrapDef *keywrap)
 {
@@ -29720,6 +29780,11 @@ virDomainDefFormatInternalSetRootName(virDomainDef=
 *def,
     if (def->os.loader &&
         virDomainLoaderDefFormat(buf, def->os.loader, xmlopt, flags) < 0)
         return -1;
+
+    if (def->os.varstore &&
+        virDomainVarstoreDefFormat(buf, def->os.varstore) < 0)
+        return -1;
+
     virBufferEscapeString(buf, "<kernel>%s</kernel>\n",
                           def->os.kernel);
     virBufferEscapeString(buf, "<initrd>%s</initrd>\n",
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index a13f6d79e9..e63230beec 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2423,6 +2423,14 @@ struct _virDomainLoaderDef {
 virDomainLoaderDef *virDomainLoaderDefNew(void);
 void virDomainLoaderDefFree(virDomainLoaderDef *loader);
=20
+struct _virDomainVarstoreDef {
+    char *path;
+    char *template;
+};
+
+virDomainVarstoreDef *virDomainVarstoreDefNew(void);
+void virDomainVarstoreDefFree(virDomainVarstoreDef *varstore);
+
 typedef enum {
     VIR_DOMAIN_IOAPIC_NONE =3D 0,
     VIR_DOMAIN_IOAPIC_QEMU,
@@ -2576,6 +2584,7 @@ struct _virDomainOSDef {
     size_t nacpiTables;
     virDomainOSACPITableDef **acpiTables;
     virDomainLoaderDef *loader;
+    virDomainVarstoreDef *varstore;
     char *bootloader;
     char *bootloaderArgs;
     int smbios_mode;
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincom=
mon.rng
index e09f6e80f3..376218118d 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -349,7 +349,10 @@
             </element>
           </optional>
           <optional>
-            <ref name=3D"osnvram"/>
+            <choice>
+              <ref name=3D"osnvram"/>
+              <ref name=3D"osvarstore"/>
+            </choice>
           </optional>
           <optional>
             <ref name=3D"osbootkernel"/>
@@ -456,6 +459,23 @@
     </element>
   </define>
=20
+  <define name=3D"osvarstore">
+    <element name=3D"varstore">
+      <interleave>
+        <optional>
+          <attribute name=3D"template">
+            <ref name=3D"absFilePath"/>
+          </attribute>
+        </optional>
+        <optional>
+          <attribute name=3D"path">
+            <ref name=3D"absFilePath"/>
+          </attribute>
+        </optional>
+      </interleave>
+    </element>
+  </define>
+
   <define name=3D"osexe">
     <element name=3D"os">
       <interleave>
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 6e2573035a..0596791a4d 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -164,6 +164,8 @@ typedef struct _virDomainLeaseDef virDomainLeaseDef;
=20
 typedef struct _virDomainLoaderDef virDomainLoaderDef;
=20
+typedef struct _virDomainVarstoreDef virDomainVarstoreDef;
+
 typedef struct _virDomainMemballoonDef virDomainMemballoonDef;
=20
 typedef struct _virDomainMemoryDef virDomainMemoryDef;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index b200037189..19edf7eb12 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -719,6 +719,8 @@ virDomainTPMProfileRemoveDisabledTypeToString;
 virDomainTPMVersionTypeFromString;
 virDomainTPMVersionTypeToString;
 virDomainUSBDeviceDefForeach;
+virDomainVarstoreDefFree;
+virDomainVarstoreDefNew;
 virDomainVideoDefaultRAM;
 virDomainVideoDefClear;
 virDomainVideoDefFree;
--=20
2.53.0
From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872250; cv=none;
	d=zohomail.com; s=zohoarc;
	b=Q8ZQZxQGogCGKlGvkm7nQt3j5/pjSkiDkYtFZ7ONt91+KBiZFc1ZsbQsq3VEwwymIlc9YV7JnYGj9mMCKfFRxcLMHUfanymjmNKYeh9754wJg9r36DeQxzwOWSmQZsz0ubEWSaX5cAoA6gGS5X1Dp5GrVSgYSZyp2tkPjS8yLK0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872250;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=keT7FYa8RvEzAB/RNjHpKZ8NZ3Gg/PhfzeJF9NrkHQs=;
	b=gFCqfluH4TvMU+8Nshcn3xDgi4YfQEhx8q0D2nveniNjm9m7MaaV0HDB1BQZtnVFcZg2FSjcNafFp2bzk17teQGtHbBsx8xhfffkkbaJuwQVEweb86kAjsk/I+4oYZXA08gHVsX9Gs773rHNPr0HfmQNs9LrqRBjSlvn5l2OxHg=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872250741863.034235560119;
 Mon, 23 Feb 2026 10:44:10 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id DB6BA41AF0; Mon, 23 Feb 2026 13:44:09 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id B4AC141DC7;
	Mon, 23 Feb 2026 13:34:30 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id D291741B17; Mon, 23 Feb 2026 13:34:15 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id B102641B1D
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:43 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-103-QkfhAZWNMJG08sTuxmx2tg-1; Mon,
 23 Feb 2026 13:31:42 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 564631800282
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:41 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 1908B1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:39 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871503;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=keT7FYa8RvEzAB/RNjHpKZ8NZ3Gg/PhfzeJF9NrkHQs=;
	b=Mhe7mafoEF5nJ5TKVAUA6Qb/zTu9Q8l/0M73u5v4EaZQCstL474IATY0HuFk/0G7UFZ/ML
	lKowjML3gWRJTdViGEOF3iYra9xq4ERR9KdrC4jDbTC+qnWBaR+dkdiexlMcE6yVG2J3k9
	tf3gGHNu+cc3vnkVAawn3bH4//KVB8Y=
X-MC-Unique: QkfhAZWNMJG08sTuxmx2tg-1
X-Mimecast-MFC-AGG-ID: QkfhAZWNMJG08sTuxmx2tg_1771871501
To: devel@lists.libvirt.org
Subject: [PATCH v4 08/36] conf: Update validation to consider varstore element
Date: Mon, 23 Feb 2026 19:30:51 +0100
Message-ID: <20260223183119.501349-9-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: pJOuHha1mif3tqg-n_Hz7L2uqnwXeIHNa9KPcEOgCUk_1771871501
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: GSK4C6EFOG52MGBX3GHEZHCRBFXZH5DN
X-Message-ID-Hash: GSK4C6EFOG52MGBX3GHEZHCRBFXZH5DN
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/GSK4C6EFOG52MGBX3GHEZHCRBFXZH5DN/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872251219158500

The code is reworked quite significantly, but most of the
existing checks are preserved. Those that aren't, notably the
one that allowed pflash as the only acceptable non-stateless
firmware type, are intentionally removed because they will no
longer reflect reality once support for the uefi-vars QEMU
device is introduced.

As a side effect, reworking the function in this fashion
resolves a subtle bug: due to the early exits that were being
performed when the loader element was missing, the checks at
the bottom of the function (related to the shim and kernel
elements) were effectively never performed. This is no longer
the case.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/conf/domain_validate.c                    | 82 +++++++------------
 ...-auto-bios-not-stateless.x86_64-latest.err |  2 +-
 ...-auto-bios-not-stateless.x86_64-latest.xml | 35 ++++++++
 ...firmware-auto-bios-nvram.x86_64-latest.err |  2 +-
 ...nual-bios-not-stateless.x86_64-latest.args | 32 ++++++++
 ...anual-bios-not-stateless.x86_64-latest.err |  1 -
 ...anual-bios-not-stateless.x86_64-latest.xml | 28 +++++++
 ...nual-efi-nvram-stateless.x86_64-latest.err |  2 +-
 ...nvram-template-stateless.x86_64-latest.err |  2 +-
 ...ware-manual-efi-rw-nvram.x86_64-latest.err |  2 +-
 tests/qemuxmlconftest.c                       |  7 +-
 11 files changed, 135 insertions(+), 60 deletions(-)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-bios-not-stateless.=
x86_64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-bios-not-stateles=
s.x86_64-latest.args
 delete mode 100644 tests/qemuxmlconfdata/firmware-manual-bios-not-stateles=
s.x86_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-bios-not-stateles=
s.x86_64-latest.xml

diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index 1ad614935f..7e3da84767 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -1723,100 +1723,78 @@ virDomainDefOSValidate(const virDomainDef *def,
                        virDomainXMLOption *xmlopt)
 {
     virDomainLoaderDef *loader =3D def->os.loader;
+    virDomainVarstoreDef *varstore =3D def->os.varstore;
+    virDomainOsDefFirmware firmware =3D def->os.firmware;
+    int *firmwareFeatures =3D def->os.firmwareFeatures;
+    bool usesNvram =3D loader && (loader->nvram || loader->nvramTemplate |=
| loader->nvramTemplateFormat);
=20
-    if (def->os.firmware) {
+    if (firmware) {
         if (xmlopt && !(xmlopt->config.features & VIR_DOMAIN_DEF_FEATURE_F=
W_AUTOSELECT)) {
             virReportError(VIR_ERR_XML_DETAIL, "%s",
                            _("firmware auto selection not implemented for =
this driver"));
             return -1;
         }
=20
-        if (def->os.firmwareFeatures &&
-            def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_EN=
ROLLED_KEYS] =3D=3D VIR_TRISTATE_BOOL_YES &&
-            def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SE=
CURE_BOOT] =3D=3D VIR_TRISTATE_BOOL_NO) {
+        if (firmwareFeatures &&
+            firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_K=
EYS] =3D=3D VIR_TRISTATE_BOOL_YES &&
+            firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOO=
T] =3D=3D VIR_TRISTATE_BOOL_NO) {
             virReportError(VIR_ERR_XML_DETAIL, "%s",
                            _("firmware feature 'enrolled-keys' cannot be e=
nabled when firmware feature 'secure-boot' is disabled"));
             return -1;
         }
-
-        if (!loader)
-            return 0;
-
-        if (loader->nvram && def->os.firmware !=3D VIR_DOMAIN_OS_DEF_FIRMW=
ARE_EFI) {
-            virReportError(VIR_ERR_XML_DETAIL,
-                           _("firmware type '%1$s' does not support nvram"=
),
-                           virDomainOsDefFirmwareTypeToString(def->os.firm=
ware));
-            return -1;
-        }
     } else {
-        if (def->os.firmwareFeatures) {
+        if (firmwareFeatures) {
             virReportError(VIR_ERR_XML_DETAIL, "%s",
                            _("cannot use feature-based firmware autoselect=
ion when firmware autoselection is disabled"));
             return -1;
         }
=20
-        if (!loader)
-            return 0;
-
-        if (!loader->path) {
+        if (loader && !loader->path) {
             virReportError(VIR_ERR_XML_DETAIL, "%s",
                            _("no loader path specified and firmware auto s=
election disabled"));
             return -1;
         }
     }
=20
-    if (loader->readonly =3D=3D VIR_TRISTATE_BOOL_NO) {
-        if (loader->type =3D=3D VIR_DOMAIN_LOADER_TYPE_ROM) {
+    if (loader && loader->type =3D=3D VIR_DOMAIN_LOADER_TYPE_ROM) {
+        if (loader->readonly =3D=3D VIR_TRISTATE_BOOL_NO) {
             virReportError(VIR_ERR_XML_DETAIL, "%s",
                            _("ROM loader type cannot be used as read/write=
"));
             return -1;
         }
=20
-        if (loader->nvramTemplate) {
-            virReportError(VIR_ERR_XML_DETAIL, "%s",
-                           _("NVRAM template is not permitted when loader =
is read/write"));
+        if (loader->format &&
+            loader->format !=3D VIR_STORAGE_FILE_RAW) {
+            virReportError(VIR_ERR_XML_DETAIL,
+                           _("Invalid format '%1$s' for ROM loader type"),
+                           virStorageFileFormatTypeToString(loader->format=
));
             return -1;
         }
+    }
=20
-        if (loader->nvram) {
+    if (usesNvram && varstore) {
             virReportError(VIR_ERR_XML_DETAIL, "%s",
-                           _("NVRAM is not permitted when loader is read/w=
rite"));
+                           _("Only one of NVRAM/varstore can be used"));
             return -1;
-        }
     }
=20
-    if (loader->stateless =3D=3D VIR_TRISTATE_BOOL_YES) {
-        if (loader->nvramTemplate) {
-            virReportError(VIR_ERR_XML_DETAIL, "%s",
-                           _("NVRAM template is not permitted when loader =
is stateless"));
+    if (usesNvram || varstore) {
+        if (firmware && firmware !=3D VIR_DOMAIN_OS_DEF_FIRMWARE_EFI) {
+            virReportError(VIR_ERR_XML_DETAIL,
+                           _("Firmware type '%1$s' does not support variab=
le storage (NVRAM/varstore)"),
+                           virDomainOsDefFirmwareTypeToString(firmware));
             return -1;
         }
=20
-        if (loader->nvram) {
-            virReportError(VIR_ERR_XML_DETAIL, "%s",
-                           _("NVRAM is not permitted when loader is statel=
ess"));
-            return -1;
-        }
-    } else if (loader->stateless =3D=3D VIR_TRISTATE_BOOL_NO) {
-        if (def->os.firmware =3D=3D VIR_DOMAIN_OS_DEF_FIRMWARE_NONE) {
-            if (def->os.loader->type !=3D VIR_DOMAIN_LOADER_TYPE_PFLASH) {
-                virReportError(VIR_ERR_XML_DETAIL, "%s",
-                               _("Only pflash loader type permits NVRAM"));
-                return -1;
-            }
-        } else if (def->os.firmware !=3D VIR_DOMAIN_OS_DEF_FIRMWARE_EFI) {
+        if (loader && loader->stateless =3D=3D VIR_TRISTATE_BOOL_YES) {
             virReportError(VIR_ERR_XML_DETAIL, "%s",
-                           _("Only EFI firmware permits NVRAM"));
+                           _("Variable storage (NVRAM/varstore) is not per=
mitted when loader is stateless"));
             return -1;
         }
-    }
=20
-    if (loader->type =3D=3D VIR_DOMAIN_LOADER_TYPE_ROM) {
-        if (loader->format &&
-            loader->format !=3D VIR_STORAGE_FILE_RAW) {
-            virReportError(VIR_ERR_XML_DETAIL,
-                           _("Invalid format '%1$s' for ROM loader type"),
-                           virStorageFileFormatTypeToString(loader->format=
));
+        if (loader && loader->readonly =3D=3D VIR_TRISTATE_BOOL_NO) {
+            virReportError(VIR_ERR_XML_DETAIL, "%s",
+                           _("Variable storage (NVRAM/varstore) is not per=
mitted when loader is read/write"));
             return -1;
         }
     }
diff --git a/tests/qemuxmlconfdata/firmware-auto-bios-not-stateless.x86_64-=
latest.err b/tests/qemuxmlconfdata/firmware-auto-bios-not-stateless.x86_64-=
latest.err
index b058f970a4..743fe27a97 100644
--- a/tests/qemuxmlconfdata/firmware-auto-bios-not-stateless.x86_64-latest.=
err
+++ b/tests/qemuxmlconfdata/firmware-auto-bios-not-stateless.x86_64-latest.=
err
@@ -1 +1 @@
-Only EFI firmware permits NVRAM
+operation failed: Unable to find 'bios' firmware that is compatible with t=
he current configuration
diff --git a/tests/qemuxmlconfdata/firmware-auto-bios-not-stateless.x86_64-=
latest.xml b/tests/qemuxmlconfdata/firmware-auto-bios-not-stateless.x86_64-=
latest.xml
new file mode 100644
index 0000000000..062835e351
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-bios-not-stateless.x86_64-latest.=
xml
@@ -0,0 +1,35 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <currentMemory unit=3D'KiB'>1048576</currentMemory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os firmware=3D'bios'>
+    <type arch=3D'x86_64' machine=3D'pc-q35-10.0'>hvm</type>
+    <loader stateless=3D'no' format=3D'raw'/>
+    <boot dev=3D'hd'/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <cpu mode=3D'custom' match=3D'exact' check=3D'none'>
+    <model fallback=3D'forbid'>qemu64</model>
+  </cpu>
+  <clock offset=3D'utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <controller type=3D'usb' index=3D'0' model=3D'none'/>
+    <controller type=3D'sata' index=3D'0'>
+      <address type=3D'pci' domain=3D'0x0000' bus=3D'0x00' slot=3D'0x1f' f=
unction=3D'0x2'/>
+    </controller>
+    <controller type=3D'pci' index=3D'0' model=3D'pcie-root'/>
+    <input type=3D'mouse' bus=3D'ps2'/>
+    <input type=3D'keyboard' bus=3D'ps2'/>
+    <audio id=3D'1' type=3D'none'/>
+    <watchdog model=3D'itco' action=3D'reset'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconfdata/firmware-auto-bios-nvram.x86_64-latest.e=
rr b/tests/qemuxmlconfdata/firmware-auto-bios-nvram.x86_64-latest.err
index 772beb49e2..c4eeb92788 100644
--- a/tests/qemuxmlconfdata/firmware-auto-bios-nvram.x86_64-latest.err
+++ b/tests/qemuxmlconfdata/firmware-auto-bios-nvram.x86_64-latest.err
@@ -1 +1 @@
-firmware type 'bios' does not support nvram
+Firmware type 'bios' does not support variable storage (NVRAM/varstore)
diff --git a/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_6=
4-latest.args b/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x8=
6_64-latest.args
new file mode 100644
index 0000000000..969c7ad68c
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_64-lates=
t.args
@@ -0,0 +1,32 @@
+LC_ALL=3DC \
+PATH=3D/bin \
+HOME=3D/var/lib/libvirt/qemu/domain--1-guest \
+USER=3Dtest \
+LOGNAME=3Dtest \
+XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.local/share \
+XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.cache \
+XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=3Dguest,debug-threads=3Don \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va=
r/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
+-machine pc-i440fx-10.0,usb=3Doff,dump-guest-core=3Doff,memory-backend=3Dp=
c.ram,acpi=3Doff \
+-accel tcg \
+-cpu qemu64 \
+-bios /usr/share/seabios/bios.bin \
+-m size=3D1048576k \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}=
' \
+-overcommit mem-lock=3Doff \
+-smp 1,sockets=3D1,cores=3D1,threads=3D1 \
+-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \
+-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \
+-rtc base=3Dutc \
+-no-shutdown \
+-boot strict=3Don \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource=
control=3Ddeny \
+-msg timestamp=3Don
diff --git a/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_6=
4-latest.err b/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86=
_64-latest.err
deleted file mode 100644
index 188a5a4180..0000000000
--- a/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_64-lates=
t.err
+++ /dev/null
@@ -1 +0,0 @@
-Only pflash loader type permits NVRAM
diff --git a/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_6=
4-latest.xml b/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86=
_64-latest.xml
new file mode 100644
index 0000000000..075da36d00
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_64-lates=
t.xml
@@ -0,0 +1,28 @@
+<domain type=3D'qemu'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <currentMemory unit=3D'KiB'>1048576</currentMemory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os>
+    <type arch=3D'x86_64' machine=3D'pc-i440fx-10.0'>hvm</type>
+    <loader type=3D'rom' stateless=3D'no' format=3D'raw'>/usr/share/seabio=
s/bios.bin</loader>
+    <boot dev=3D'hd'/>
+  </os>
+  <cpu mode=3D'custom' match=3D'exact' check=3D'none'>
+    <model fallback=3D'forbid'>qemu64</model>
+  </cpu>
+  <clock offset=3D'utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <controller type=3D'usb' index=3D'0' model=3D'none'/>
+    <controller type=3D'pci' index=3D'0' model=3D'pci-root'/>
+    <input type=3D'mouse' bus=3D'ps2'/>
+    <input type=3D'keyboard' bus=3D'ps2'/>
+    <audio id=3D'1' type=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-nvram-stateless.x86_=
64-latest.err b/tests/qemuxmlconfdata/firmware-manual-efi-nvram-stateless.x=
86_64-latest.err
index de8db3763d..9bfd4465ab 100644
--- a/tests/qemuxmlconfdata/firmware-manual-efi-nvram-stateless.x86_64-late=
st.err
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-nvram-stateless.x86_64-late=
st.err
@@ -1 +1 @@
-NVRAM is not permitted when loader is stateless
+Variable storage (NVRAM/varstore) is not permitted when loader is stateless
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-nvram-template-state=
less.x86_64-latest.err b/tests/qemuxmlconfdata/firmware-manual-efi-nvram-te=
mplate-stateless.x86_64-latest.err
index 95ec794c17..9bfd4465ab 100644
--- a/tests/qemuxmlconfdata/firmware-manual-efi-nvram-template-stateless.x8=
6_64-latest.err
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-nvram-template-stateless.x8=
6_64-latest.err
@@ -1 +1 @@
-NVRAM template is not permitted when loader is stateless
+Variable storage (NVRAM/varstore) is not permitted when loader is stateless
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-rw-nvram.x86_64-late=
st.err b/tests/qemuxmlconfdata/firmware-manual-efi-rw-nvram.x86_64-latest.e=
rr
index d0cf62061a..708b4838d4 100644
--- a/tests/qemuxmlconfdata/firmware-manual-efi-rw-nvram.x86_64-latest.err
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-rw-nvram.x86_64-latest.err
@@ -1 +1 @@
-NVRAM is not permitted when loader is read/write
+Variable storage (NVRAM/varstore) is not permitted when loader is read/wri=
te
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index d2ab4a71b5..18c2ac5701 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1581,7 +1581,10 @@ mymain(void)
=20
     DO_TEST_CAPS_LATEST("firmware-manual-bios");
     DO_TEST_CAPS_LATEST("firmware-manual-bios-stateless");
-    DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-manual-bios-not-stateless");
+    /* This combination doesn't make sense (BIOS is stateless by definitio=
n)
+     * but unfortunately there's no way for libvirt to report an error in =
this
+     * scenario. The stateless=3Dno attribute will effectively be ignored =
*/
+    DO_TEST_CAPS_LATEST("firmware-manual-bios-not-stateless");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-manual-bios-rw");
     DO_TEST_CAPS_LATEST("firmware-manual-efi");
     DO_TEST_CAPS_LATEST("firmware-manual-efi-features");
@@ -1634,7 +1637,7 @@ mymain(void)
     DO_TEST_CAPS_LATEST("firmware-auto-bios");
     DO_TEST_CAPS_LATEST("firmware-auto-bios-stateless");
     DO_TEST_CAPS_LATEST_FAILURE("firmware-auto-bios-rw");
-    DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-bios-not-stateless");
+    DO_TEST_CAPS_LATEST_FAILURE("firmware-auto-bios-not-stateless");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-bios-nvram");
     DO_TEST_CAPS_LATEST("firmware-auto-efi");
     DO_TEST_CAPS_LATEST_ABI_UPDATE("firmware-auto-efi");
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872143; cv=none;
	d=zohomail.com; s=zohoarc;
	b=QKXVCMPfGWakg1g3pYMizVVAG1oxwE1AR67NmCOaxO4WMdZgAWBm0QO6EG6Ld9ZI3Pj7g7rLVTHH+tkY2sVBtHLoy+hWUtiEMEPRV24b2Zmnt2c3zcEUWSPnXB0fNc8Usdd0XmWWXn5YgXiYANekFK35uymnbut7b/bumT/r1EY=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872143;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=MYi6R96RyjIhfFFN5AwUvpdr933OpZ/zg+TbeFJblOg=;
	b=GP8/8PhBPU+gBYTw2kh58kLWmjMG4k56/TbUEWCKuBfHQWiqodfNNOgDB8EB776XEYvkjaqRM9IFGT0GgaEjuulOP/koSNrj3q7fbQH/y6dxV9sHdcQqFb2OyHOOZYH2r6ZWjsadid7ZGzgxw6wnToEYU/Os9zTfIZWGdrSnSYc=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872143014740.878104999103;
 Mon, 23 Feb 2026 10:42:23 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 2ADD741BAD; Mon, 23 Feb 2026 13:42:22 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 06D3641D6F;
	Mon, 23 Feb 2026 13:34:27 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id A66D241B17; Mon, 23 Feb 2026 13:34:15 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id DC73141BCE
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:45 -0500 (EST)
Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-294-H21NGFbWODG9Gi9gjlqalQ-1; Mon,
 23 Feb 2026 13:31:43 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id F2D7C1956052
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:42 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 0B92E1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:41 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871505;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=MYi6R96RyjIhfFFN5AwUvpdr933OpZ/zg+TbeFJblOg=;
	b=ULuaFbL+CnJhEpWskEkLDI2J2zR2iaFyU6rK0mD5fEk0u9E091WiCj2UJkiy/jjrHqC2a3
	yyBBF87OSd/qlOXv8rgstBuR/9QPDJGzmBM8Cf+dIA1rlPF48dUCyezGgV+r5eQQCbLEP1
	DxwPDVw6zeFRSetlIy9N4jxmN2PxL2I=
X-MC-Unique: H21NGFbWODG9Gi9gjlqalQ-1
X-Mimecast-MFC-AGG-ID: H21NGFbWODG9Gi9gjlqalQ_1771871503
To: devel@lists.libvirt.org
Subject: [PATCH v4 09/36] qemu_capabilities: Introduce
 QEMU_CAPS_DEVICE_UEFI_VARS
Date: Mon, 23 Feb 2026 19:30:52 +0100
Message-ID: <20260223183119.501349-10-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: eQoeqvx48kKBNLXAJDmtOO7QeKmWICWswNdRd7M9DE0_1771871503
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: IT43DKE2L6HML6VYSV5CQT5Z3MWNT2Q4
X-Message-ID-Hash: IT43DKE2L6HML6VYSV5CQT5Z3MWNT2Q4
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/IT43DKE2L6HML6VYSV5CQT5Z3MWNT2Q4/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872144451158501

This capability indicates the availability of the uefi-vars
device.

The actual name of the QEMU device varies slightly depending on
the architecture: it's uefi-vars-x64 on x86_64, uefi-vars-sysbus
on other UEFI architectures (aarch64, riscv64, loongarch64).

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_capabilities.c                               | 3 +++
 src/qemu/qemu_capabilities.h                               | 1 +
 tests/qemucapabilitiesdata/caps_10.0.0_aarch64.xml         | 1 +
 tests/qemucapabilitiesdata/caps_10.0.0_x86_64+amdsev.xml   | 1 +
 tests/qemucapabilitiesdata/caps_10.0.0_x86_64.xml          | 1 +
 tests/qemucapabilitiesdata/caps_10.1.0_s390x.xml           | 1 +
 tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml | 1 +
 tests/qemucapabilitiesdata/caps_10.1.0_x86_64.xml          | 1 +
 tests/qemucapabilitiesdata/caps_10.2.0_aarch64.xml         | 1 +
 tests/qemucapabilitiesdata/caps_10.2.0_x86_64+mshv.xml     | 1 +
 tests/qemucapabilitiesdata/caps_10.2.0_x86_64.xml          | 1 +
 tests/qemucapabilitiesdata/caps_11.0.0_aarch64.xml         | 1 +
 tests/qemucapabilitiesdata/caps_11.0.0_x86_64.xml          | 1 +
 13 files changed, 15 insertions(+)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 9af58c912a..048ef66c12 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -761,6 +761,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
               /* 490 */
               "scsi-block.migrate-pr", /* QEMU_CAPS_DEVICE_SCSI_BLOCK_MIGR=
ATE_PR */
               "iommufd", /* QEMU_CAPS_OBJECT_IOMMUFD */
+              "uefi-vars", /* QEMU_CAPS_DEVICE_UEFI_VARS */
     );
=20
=20
@@ -1469,6 +1470,8 @@ struct virQEMUCapsStringFlags virQEMUCapsObjectTypes[=
] =3D {
     { "tpm-passthrough", QEMU_CAPS_DEVICE_TPM_PASSTHROUGH },
     { "acpi-generic-initiator", QEMU_CAPS_ACPI_GENERIC_INITIATOR },
     { "iommufd", QEMU_CAPS_OBJECT_IOMMUFD },
+    { "uefi-vars-x64", QEMU_CAPS_DEVICE_UEFI_VARS },
+    { "uefi-vars-sysbus", QEMU_CAPS_DEVICE_UEFI_VARS },
 };
=20
=20
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 8d5c5cc94c..a48e1d0367 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -735,6 +735,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for =
syntax-check */
     /* 490 */
     QEMU_CAPS_DEVICE_SCSI_BLOCK_MIGRATE_PR, /* persistent reservation migr=
ation support */
     QEMU_CAPS_OBJECT_IOMMUFD, /* -object iommufd */
+    QEMU_CAPS_DEVICE_UEFI_VARS, /* -device uefi-vars-{x64,sysbus} */
=20
     QEMU_CAPS_LAST /* this must always be the last item */
 } virQEMUCapsFlags;
diff --git a/tests/qemucapabilitiesdata/caps_10.0.0_aarch64.xml b/tests/qem=
ucapabilitiesdata/caps_10.0.0_aarch64.xml
index e5f55f461a..b6434e6019 100644
--- a/tests/qemucapabilitiesdata/caps_10.0.0_aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_10.0.0_aarch64.xml
@@ -165,6 +165,7 @@
   <flag name=3D'acpi-generic-initiator'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10000000</version>
   <microcodeVersion>61700285</microcodeVersion>
   <package>v10.0.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_10.0.0_x86_64+amdsev.xml b/tes=
ts/qemucapabilitiesdata/caps_10.0.0_x86_64+amdsev.xml
index 74a68c8402..43f848db25 100644
--- a/tests/qemucapabilitiesdata/caps_10.0.0_x86_64+amdsev.xml
+++ b/tests/qemucapabilitiesdata/caps_10.0.0_x86_64+amdsev.xml
@@ -211,6 +211,7 @@
   <flag name=3D'acpi-generic-initiator'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10000000</version>
   <microcodeVersion>43100285</microcodeVersion>
   <package>v10.0.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_10.0.0_x86_64.xml b/tests/qemu=
capabilitiesdata/caps_10.0.0_x86_64.xml
index d593dd1ab8..138c34fd47 100644
--- a/tests/qemucapabilitiesdata/caps_10.0.0_x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_10.0.0_x86_64.xml
@@ -211,6 +211,7 @@
   <flag name=3D'acpi-generic-initiator'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10000000</version>
   <microcodeVersion>43100285</microcodeVersion>
   <package>v10.0.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_10.1.0_s390x.xml b/tests/qemuc=
apabilitiesdata/caps_10.1.0_s390x.xml
index 3e271824c6..f33b366db8 100644
--- a/tests/qemucapabilitiesdata/caps_10.1.0_s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_10.1.0_s390x.xml
@@ -142,6 +142,7 @@
   <flag name=3D'qom-list-get'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10001000</version>
   <microcodeVersion>39100286</microcodeVersion>
   <package>v10.1.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml b/t=
ests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml
index 512186a341..2a7cd9cac1 100644
--- a/tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml
+++ b/tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml
@@ -194,6 +194,7 @@
   <flag name=3D'acpi-generic-initiator'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10001000</version>
   <microcodeVersion>43100286</microcodeVersion>
   <package>v10.1.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_10.1.0_x86_64.xml b/tests/qemu=
capabilitiesdata/caps_10.1.0_x86_64.xml
index d6f1009c77..71311fceaf 100644
--- a/tests/qemucapabilitiesdata/caps_10.1.0_x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_10.1.0_x86_64.xml
@@ -216,6 +216,7 @@
   <flag name=3D'acpi-generic-initiator'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10001000</version>
   <microcodeVersion>43100286</microcodeVersion>
   <package>v10.1.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_10.2.0_aarch64.xml b/tests/qem=
ucapabilitiesdata/caps_10.2.0_aarch64.xml
index 54d10e1433..ac8f50b984 100644
--- a/tests/qemucapabilitiesdata/caps_10.2.0_aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_10.2.0_aarch64.xml
@@ -184,6 +184,7 @@
   <flag name=3D'query-accelerators'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10002000</version>
   <microcodeVersion>61700287</microcodeVersion>
   <package>v10.2.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_10.2.0_x86_64+mshv.xml b/tests=
/qemucapabilitiesdata/caps_10.2.0_x86_64+mshv.xml
index 38f6a0f6c3..d7a556b4a6 100644
--- a/tests/qemucapabilitiesdata/caps_10.2.0_x86_64+mshv.xml
+++ b/tests/qemucapabilitiesdata/caps_10.2.0_x86_64+mshv.xml
@@ -204,6 +204,7 @@
   <flag name=3D'mshv'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10002000</version>
   <microcodeVersion>43100287</microcodeVersion>
   <package>v10.2.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_10.2.0_x86_64.xml b/tests/qemu=
capabilitiesdata/caps_10.2.0_x86_64.xml
index 1ed21b9bf7..699dad3e20 100644
--- a/tests/qemucapabilitiesdata/caps_10.2.0_x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_10.2.0_x86_64.xml
@@ -217,6 +217,7 @@
   <flag name=3D'query-accelerators'/>
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10002000</version>
   <microcodeVersion>43100287</microcodeVersion>
   <package>v10.2.0</package>
diff --git a/tests/qemucapabilitiesdata/caps_11.0.0_aarch64.xml b/tests/qem=
ucapabilitiesdata/caps_11.0.0_aarch64.xml
index 4e6edf8df9..233f325224 100644
--- a/tests/qemucapabilitiesdata/caps_11.0.0_aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_11.0.0_aarch64.xml
@@ -185,6 +185,7 @@
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'scsi-block.migrate-pr'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10002050</version>
   <microcodeVersion>61700286</microcodeVersion>
   <package>v10.2.0-1114-gb3abdfa486</package>
diff --git a/tests/qemucapabilitiesdata/caps_11.0.0_x86_64.xml b/tests/qemu=
capabilitiesdata/caps_11.0.0_x86_64.xml
index 22eaff6545..85d2790b49 100644
--- a/tests/qemucapabilitiesdata/caps_11.0.0_x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_11.0.0_x86_64.xml
@@ -218,6 +218,7 @@
   <flag name=3D'virtio-iommu.aw-bits'/>
   <flag name=3D'scsi-block.migrate-pr'/>
   <flag name=3D'iommufd'/>
+  <flag name=3D'uefi-vars'/>
   <version>10002050</version>
   <microcodeVersion>43100286</microcodeVersion>
   <package>v10.2.0-1114-gb3abdfa486</package>
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872294; cv=none;
	d=zohomail.com; s=zohoarc;
	b=QkcIDyX5m/6YaK+xBKfqlPJBVbl6h7vOgWi/jXa/2/NsnJJ/CXzoQLPhutq4cWcHD0Y18Cwr50Owp5tKJx94eeqxDStWcNicPOMnKVajXuc4g0SpzE5Ww5h4EXbjZg3Kzpy7XHQqhXarw72OgmGj6b/aqtcSR78hNrxpR1aFt2E=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872294;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=sK7wcwCDMXcrYO88DqmeagENtPerq436nVfMWIZ1J/w=;
	b=UQv2FgrMih67G57cVlF6qzHg5AsTzWJoDS8E5wsmMNUW83Ht78PlVq1bzqmAZbc2fBH5vzYho7hzxOODSZo8DzsjM3wYLLvLxD25iXM1WIg7QHHEzHeE51WX9lLqtV9dBJh14vzDisra2ND8oGWUmTvKgQ4OK512NfVI0VyRr1M=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872294364536.3334924467872;
 Mon, 23 Feb 2026 10:44:54 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 7886E41A20; Mon, 23 Feb 2026 13:44:53 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 852A741E28;
	Mon, 23 Feb 2026 13:34:32 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 28D4541CFA; Mon, 23 Feb 2026 13:34:23 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 4CA1741BBA
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:48 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-484-btLZ-upqOeOz9o2_u30Mig-1; Mon,
 23 Feb 2026 13:31:45 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id E3F6318002C1
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:44 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id C05F3195419A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:43 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871508;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=sK7wcwCDMXcrYO88DqmeagENtPerq436nVfMWIZ1J/w=;
	b=SZ/5e7aXHqi1f+bLxSKnHpe59ZmdQl69/PT3rS8ve4cngWu2GLwuWMVfeoi/sDILa2DvTd
	ABZ6oXIFhTHU0lK6g4w/fEXlff3K8qGecfvueQyvEcksZLEdmllCRrgm3GT4b0OEvSKPfw
	Dt90KEv2JWWiWfQVovZ7p0V0BLV6C+o=
X-MC-Unique: btLZ-upqOeOz9o2_u30Mig-1
X-Mimecast-MFC-AGG-ID: btLZ-upqOeOz9o2_u30Mig_1771871505
To: devel@lists.libvirt.org
Subject: [PATCH v4 10/36] qemu: Validate presence of uefi-vars device
Date: Mon, 23 Feb 2026 19:30:53 +0100
Message-ID: <20260223183119.501349-11-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: AtXHA3EPXrxgeRdtMPluZaSqVmxVm-YUKeYuo3OMw80_1771871505
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: JK2TIQCXCEMN6XUX7D474V6RFCBNQDOY
X-Message-ID-Hash: JK2TIQCXCEMN6XUX7D474V6RFCBNQDOY
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/JK2TIQCXCEMN6XUX7D474V6RFCBNQDOY/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872295107158500

The use of varstore requires the uefi-vars device to be present
in the QEMU binary.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_validate.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 16dd5fef1a..0eb5d5ea3b 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -753,6 +753,23 @@ qemuValidateDomainDefNvram(const virDomainDef *def,
 }
=20
=20
+static int
+qemuValidateDomainDefVarstore(const virDomainDef *def,
+                              virQEMUCaps *qemuCaps)
+{
+    if (!def->os.varstore)
+        return 0;
+
+    if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_DEVICE_UEFI_VARS)) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                       _("The uefi-vars device is not supported by this QE=
MU binary"));
+        return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 qemuValidateDomainDefBoot(const virDomainDef *def,
                           virQEMUCaps *qemuCaps)
@@ -796,6 +813,9 @@ qemuValidateDomainDefBoot(const virDomainDef *def,
=20
         if (qemuValidateDomainDefNvram(def, qemuCaps) < 0)
             return -1;
+
+        if (qemuValidateDomainDefVarstore(def, qemuCaps) < 0)
+            return -1;
     }
=20
     for (i =3D 0; i < def->os.nacpiTables; i++) {
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872358; cv=none;
	d=zohomail.com; s=zohoarc;
	b=L0cQnhovD+1bkGvHbLYDLFXxdotG/dXF07TPcrbQa93ZTFAzTehGJgIsEqpiN9a4hcsetkGMAUXaF22F5YeXp52cVQxHQeYuY8svwcLAoe/oELTlRAuktFCVXRZw4PzdP+v5/zLnbegg1xNLX1DXtvxEghvHvw0iK2943tXwQM0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872358;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=5jjZ7KbkRimkDVDafE0KeKu/2i908HPXXv/112XZd3I=;
	b=TgHq1/4f/g+oOa7sqnc5vGLv0k5b7GV4h36FdsWC1XsQfc/0JyX1RuAg+NzoBqgbWrG6btlIvjHy7JgRSlpFQM26R/oJbkmsTwu9GPXqvzKTa1aARaP+QenjMDIusfJURy5+vIQaiQ4Z2kAk7FLODBzZlgxNahlrogZAxdJZsUg=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872358617612.4132321239362;
 Mon, 23 Feb 2026 10:45:58 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id B0E4D41B4F; Mon, 23 Feb 2026 13:45:57 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id B2E86419F9;
	Mon, 23 Feb 2026 13:34:33 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id EC23641D0D; Mon, 23 Feb 2026 13:34:23 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 0AEFC41ADC
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:50 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-493-0kDThAe7NXWS1yFhVR9UaA-1; Mon,
 23 Feb 2026 13:31:47 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id F0FC9180034A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:46 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id B330A195419A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:45 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871509;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=5jjZ7KbkRimkDVDafE0KeKu/2i908HPXXv/112XZd3I=;
	b=U2XrW4Lxg6buHGdhk/ardiDInvsE8lUiLFq7nZ//gJaoW+BXzjs2D2S+mFNfXxb5okhYXW
	YgBeZ/tBJbo42oq9C27jq00M0shzMSVf0w7aMTi+AF2K12VWhpLpKACyIGg4aqYSFLACjk
	tF6UyvjP++TFv4ZzcRc9/sATM+Dt+W0=
X-MC-Unique: 0kDThAe7NXWS1yFhVR9UaA-1
X-Mimecast-MFC-AGG-ID: 0kDThAe7NXWS1yFhVR9UaA_1771871507
To: devel@lists.libvirt.org
Subject: [PATCH v4 11/36] tests: Add firmware-manual-efi-varstore-q35
Date: Mon, 23 Feb 2026 19:30:54 +0100
Message-ID: <20260223183119.501349-12-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: UF_v7mB7xsXeKRkvdQkFLaVfU1UtJPq8sbJ-79dbTH8_1771871507
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: MDB65TLNNKOMTWRYSFNUEMLPFN2GNFYA
X-Message-ID-Hash: MDB65TLNNKOMTWRYSFNUEMLPFN2GNFYA
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/MDB65TLNNKOMTWRYSFNUEMLPFN2GNFYA/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872359707158500

This test case demonstrates how to manually configure an x86_64
guest to use the uefi-vars device.

It fails when using an older version of QEMU which didn't have
the device, and succeeds when using the latest version. The
relevant bits of the QEMU command line are not generated yet,
but that will come in a later commit.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 ...e-manual-efi-varstore-q35.x86_64-8.2.0.err |  1 +
 ...manual-efi-varstore-q35.x86_64-latest.args | 34 ++++++++++++++++++
 ...-manual-efi-varstore-q35.x86_64-latest.xml | 36 +++++++++++++++++++
 .../firmware-manual-efi-varstore-q35.xml      | 19 ++++++++++
 tests/qemuxmlconftest.c                       |  3 ++
 5 files changed, 93 insertions(+)
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.=
x86_64-8.2.0.err
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.=
x86_64-latest.args
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.=
x86_64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.=
xml

diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-=
8.2.0.err b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-8=
.2.0.err
new file mode 100644
index 0000000000..e64c2b21aa
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-8.2.0.e=
rr
@@ -0,0 +1 @@
+unsupported configuration: The uefi-vars device is not supported by this Q=
EMU binary
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-=
latest.args b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64=
-latest.args
new file mode 100644
index 0000000000..9a899c2a65
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-latest.=
args
@@ -0,0 +1,34 @@
+LC_ALL=3DC \
+PATH=3D/bin \
+HOME=3D/var/lib/libvirt/qemu/domain--1-guest \
+USER=3Dtest \
+LOGNAME=3Dtest \
+XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.local/share \
+XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.cache \
+XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=3Dguest,debug-threads=3Don \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va=
r/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
+-machine pc-q35-8.2,usb=3Doff,dump-guest-core=3Doff,memory-backend=3Dpc.ra=
m,acpi=3Don \
+-accel kvm \
+-cpu qemu64 \
+-bios /usr/share/edk2/ovmf/OVMF.qemuvars.fd \
+-m size=3D1048576k \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}=
' \
+-overcommit mem-lock=3Doff \
+-smp 1,sockets=3D1,cores=3D1,threads=3D1 \
+-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \
+-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \
+-rtc base=3Dutc \
+-no-shutdown \
+-boot strict=3Don \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-global ICH9-LPC.noreboot=3Doff \
+-watchdog-action reset \
+-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource=
control=3Ddeny \
+-msg timestamp=3Don
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-=
latest.xml b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-=
latest.xml
new file mode 100644
index 0000000000..296c6e8f59
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-latest.=
xml
@@ -0,0 +1,36 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <currentMemory unit=3D'KiB'>1048576</currentMemory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os>
+    <type arch=3D'x86_64' machine=3D'pc-q35-8.2'>hvm</type>
+    <loader type=3D'rom' format=3D'raw'>/usr/share/edk2/ovmf/OVMF.qemuvars=
.fd</loader>
+    <varstore path=3D'/path/to/guest.json'/>
+    <boot dev=3D'hd'/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <cpu mode=3D'custom' match=3D'exact' check=3D'none'>
+    <model fallback=3D'forbid'>qemu64</model>
+  </cpu>
+  <clock offset=3D'utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <controller type=3D'usb' index=3D'0' model=3D'none'/>
+    <controller type=3D'sata' index=3D'0'>
+      <address type=3D'pci' domain=3D'0x0000' bus=3D'0x00' slot=3D'0x1f' f=
unction=3D'0x2'/>
+    </controller>
+    <controller type=3D'pci' index=3D'0' model=3D'pcie-root'/>
+    <input type=3D'mouse' bus=3D'ps2'/>
+    <input type=3D'keyboard' bus=3D'ps2'/>
+    <audio id=3D'1' type=3D'none'/>
+    <watchdog model=3D'itco' action=3D'reset'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.xml b/t=
ests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.xml
new file mode 100644
index 0000000000..c1dc00fde8
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.xml
@@ -0,0 +1,19 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os>
+    <type arch=3D'x86_64' machine=3D'pc-q35-8.2'>hvm</type>
+    <loader type=3D'rom'>/usr/share/edk2/ovmf/OVMF.qemuvars.fd</loader>
+    <varstore path=3D'/path/to/guest.json'/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <controller type=3D'usb' model=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 18c2ac5701..d75540042e 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1618,6 +1618,9 @@ mymain(void)
                                   ARG_CAPS_VARIANT, "+inteltdx",
                                   ARG_END);
=20
+    DO_TEST_CAPS_LATEST("firmware-manual-efi-varstore-q35");
+    DO_TEST_CAPS_VER_PARSE_ERROR("firmware-manual-efi-varstore-q35", "8.2.=
0");
+
     /* Make sure all combinations of ACPI and UEFI behave as expected */
     DO_TEST_CAPS_ARCH_LATEST("firmware-manual-efi-acpi-aarch64", "aarch64"=
);
     DO_TEST_CAPS_LATEST("firmware-manual-efi-acpi-q35");
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872404; cv=none;
	d=zohomail.com; s=zohoarc;
	b=GDHV9N4/dsRA5F7Y29rOugNjurzxxKbXmalOgyB2HQhSdRyOdGODf+Meq/2iJoYIucLrhZBPOp6PBF1sRweDniQraSDy7qeG/BAL57kUziZMBJkDieV+5bwVBdBFI+lDm43UOddxR9L3RSPL2F/6Q4ebMtXvnK28mNUZ33NZgpQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872404;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=NH9cz07CHH22zShggH4JYePBLsXiZz9cZGLBOwnDPbI=;
	b=WdwGDWrT5fM+eZfH4s+lZllXSYH/WwRq1Z6RRG8dVZcEV97FWHzxnSkqZguBdFTy0SQnL9Vm4gtZRjB+tK9MQw+eeEo5jtaZA7XyfIjlHuTV/dFgcCnUstlNoqsbL6LLrkZ5hPL0SUDIDMFshKpC0Jzrsk27eGf5Idi9NHDVRcY=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872404132759.0826681859634;
 Mon, 23 Feb 2026 10:46:44 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 2A50541BC1; Mon, 23 Feb 2026 13:46:43 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id EB47743DFE;
	Mon, 23 Feb 2026 13:34:42 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id C324041BEA; Mon, 23 Feb 2026 13:34:36 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id EB009419F2
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:50 -0500 (EST)
Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-278-hTxe6w1SOPiHC7LuOgnW7A-1; Mon,
 23 Feb 2026 13:31:49 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 808591955F2D
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:48 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 8DBEB195419A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:47 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871510;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=NH9cz07CHH22zShggH4JYePBLsXiZz9cZGLBOwnDPbI=;
	b=Dx7G5wKBSjMCuR60fORu5FO38Pr0ePdFIYa0pjZd4zAHnwp6AewInIo86/ex83NaHiDdWt
	lpvzq/7Qmrx8z+Wup8DivqVrz9SNnPU8XiX/ETKxOGWsU2fejJlLhQzQk50DwhioqmybrA
	DThEM1mjZHWJIkwyTp56P9BDEy2SLAI=
X-MC-Unique: hTxe6w1SOPiHC7LuOgnW7A-1
X-Mimecast-MFC-AGG-ID: hTxe6w1SOPiHC7LuOgnW7A_1771871508
To: devel@lists.libvirt.org
Subject: [PATCH v4 12/36] tests: Add firmware-manual-efi-varstore-aarch64
Date: Mon, 23 Feb 2026 19:30:55 +0100
Message-ID: <20260223183119.501349-13-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: yTzlKWuhTDlWsXu3skmMO8ZmANqeMhuSvdwG2hb2ENI_1771871508
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: K2DK6QI55VKENPVPQ4U6VC4CDB5UGAMX
X-Message-ID-Hash: K2DK6QI55VKENPVPQ4U6VC4CDB5UGAMX
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/K2DK6QI55VKENPVPQ4U6VC4CDB5UGAMX/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872405790158500

This test case demonstrates how to manually configure an aarch64
guest to use the uefi-vars device.

It currently fails because the QEMU driver does not yet recognize
the firmware type as EFI, and so rejects the attempt to use ACPI
together with it. That will change in a future commit.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 ...ual-efi-varstore-aarch64.aarch64-8.2.0.err |  1 +
 ...al-efi-varstore-aarch64.aarch64-latest.err |  1 +
 .../firmware-manual-efi-varstore-aarch64.xml  | 19 +++++++++++++++++++
 tests/qemuxmlconftest.c                       |  2 ++
 4 files changed, 23 insertions(+)
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarc=
h64.aarch64-8.2.0.err
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarc=
h64.aarch64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarc=
h64.xml

diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aar=
ch64-8.2.0.err b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64=
.aarch64-8.2.0.err
new file mode 100644
index 0000000000..4fe79bdacf
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-8.=
2.0.err
@@ -0,0 +1 @@
+unsupported configuration: ACPI requires UEFI on this architecture
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aar=
ch64-latest.err b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch6=
4.aarch64-latest.err
new file mode 100644
index 0000000000..4fe79bdacf
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-la=
test.err
@@ -0,0 +1 @@
+unsupported configuration: ACPI requires UEFI on this architecture
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.xml=
 b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.xml
new file mode 100644
index 0000000000..5c545fe0ab
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.xml
@@ -0,0 +1,19 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os>
+    <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
+    <loader type=3D'rom'>/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd</loa=
der>
+    <varstore path=3D'/path/to/guest.json'/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <devices>
+    <emulator>/usr/bin/qemu-system-aarch64</emulator>
+    <controller type=3D'usb' model=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index d75540042e..615a30fd38 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1620,6 +1620,8 @@ mymain(void)
=20
     DO_TEST_CAPS_LATEST("firmware-manual-efi-varstore-q35");
     DO_TEST_CAPS_VER_PARSE_ERROR("firmware-manual-efi-varstore-q35", "8.2.=
0");
+    DO_TEST_CAPS_ARCH_LATEST_PARSE_ERROR("firmware-manual-efi-varstore-aar=
ch64", "aarch64");
+    DO_TEST_CAPS_ARCH_VER_PARSE_ERROR("firmware-manual-efi-varstore-aarch6=
4", "aarch64", "8.2.0");
=20
     /* Make sure all combinations of ACPI and UEFI behave as expected */
     DO_TEST_CAPS_ARCH_LATEST("firmware-manual-efi-acpi-aarch64", "aarch64"=
);
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872444; cv=none;
	d=zohomail.com; s=zohoarc;
	b=YBd5GgCrVzC1tC7ea0h+npshb268beQmJoCViD2vw2JCRar7w9VDqmHvO0m9ZFLnP1QTNnw8MmeVXa4FH9b1dcuhMLxxamBL0PmiOV0ArpON1Bw+sePH4HrERuQzZJ5TbC/JBnRnYD6YskwSINaZ4wR/2Q/aI0Ol+sWjla1ocPE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872444;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=rthUxVQWxppva1lZP7mHXb9hnIfcdLHTShsaIiUcR+g=;
	b=eRye1ndVmHSVsGUnWthBK5OO7IYcVT2oBsIK2U1C2/v/drum0OBZEPSjCxGDPCl8BWeRYO9LGbrGDc8DsFMM862PnVIBkRywtbTDcLgFA0c06oCUsxB4JGUrOfIIgQy8hQzI/FA3hWUZIsKMvPOdmDUMwdnSBq4xIoPmWiUcAsc=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872444370806.3790479034028;
 Mon, 23 Feb 2026 10:47:24 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 87B8041B80; Mon, 23 Feb 2026 13:47:23 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 0C9EF43E48;
	Mon, 23 Feb 2026 13:34:44 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id F0A8241B20; Mon, 23 Feb 2026 13:34:36 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 21E2541AD3
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:53 -0500 (EST)
Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-258-Fyx9-IsANZa5OpaPQe1JXg-1; Mon,
 23 Feb 2026 13:31:51 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 8ADAA1956078
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:50 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 4DA391955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:48 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871512;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=rthUxVQWxppva1lZP7mHXb9hnIfcdLHTShsaIiUcR+g=;
	b=Duq3zy2qu1O9wvGEAwHfSRz7Ho5xILGEi7G1tRW7Vya0/ceywxmRcKa7eY403QJSJvBBQb
	WdLbL1HEPxxK5WVGAgT5lWuQFAFlb3rjZKCk64paoDkU2aQi5u9N+sXPf3i6vUAoDSyDej
	Dg034V4IcjgLsdkPdKyBFTaBCJGb8kA=
X-MC-Unique: Fyx9-IsANZa5OpaPQe1JXg-1
X-Mimecast-MFC-AGG-ID: Fyx9-IsANZa5OpaPQe1JXg_1771871510
To: devel@lists.libvirt.org
Subject: [PATCH v4 13/36] tests: Add firmware-auto-efi-varstore-q35
Date: Mon, 23 Feb 2026 19:30:56 +0100
Message-ID: <20260223183119.501349-14-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: JUdCValgGY4sxxHvPFOEEpUBO9igbMhB_8DFcbsfZ-I_1771871510
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: SKAVOBS6MMUPNST6ZL4SURQSMESDO62Y
X-Message-ID-Hash: SKAVOBS6MMUPNST6ZL4SURQSMESDO62Y
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/SKAVOBS6MMUPNST6ZL4SURQSMESDO62Y/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872446011158500

This test case demonstrates how to explicitly opt into using
the uefi-vars device for an x86_64 guest.

Normally the firmware autoselection process will pick a UEFI
build that is loaded via pflash, but by including the <varstore>
element in the input XML we can tell the QEMU driver that we
want want the uefi-vars device to be used instead.

Currently this results in an error, because the firmware
autoselection algorithm doesn't yet know how to properly handle
the scenario. A future commit will address this and make things
work as expected.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 ...are-auto-efi-varstore-q35.x86_64-latest.err |  1 +
 .../firmware-auto-efi-varstore-q35.xml         | 18 ++++++++++++++++++
 tests/qemuxmlconftest.c                        |  1 +
 3 files changed, 20 insertions(+)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x8=
6_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.xml

diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-la=
test.err b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-late=
st.err
new file mode 100644
index 0000000000..b45d304221
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.err
@@ -0,0 +1 @@
+Only one of NVRAM/varstore can be used
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.xml b/tes=
ts/qemuxmlconfdata/firmware-auto-efi-varstore-q35.xml
new file mode 100644
index 0000000000..9cda95403e
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.xml
@@ -0,0 +1,18 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os firmware=3D'efi'>
+    <type arch=3D'x86_64' machine=3D'pc-q35-8.2'>hvm</type>
+    <varstore/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <controller type=3D'usb' model=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 615a30fd38..9e330e2935 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1671,6 +1671,7 @@ mymain(void)
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-file");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-network-nbd");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-network-iscsi");
+    DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-varstore-q35");
=20
     DO_TEST_CAPS_LATEST("firmware-auto-efi-format-loader-qcow2");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-format-loader-qcow2=
-rom");
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872493; cv=none;
	d=zohomail.com; s=zohoarc;
	b=jM4RwleI09f7anP2Hp2ubiSVJ48r1UkriszOeM9dSj8tTn53S5nWYMzMqud6P0UT+R5vpkyebOJHYKFwt9w/2BeTF4Zx8BHcEjh2YxxoLmRDFoSdIAQ6fqWb7iwr/rbJr1StXe5A2a8mlTE7qAUQAUOcATNOyVwkjGhBn8Fkvjg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872493;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=ItNzYbx1nOek4UYgSUZbXKti47pYRNyzo43Y4uXuwt0=;
	b=EYyET2n11usB6hknnlE4uUos+P/GfEved2BOEyiXpa/1Uvtl6Wbq84R/XERCjFJnZWw7UkI+r4PFThqf/BZIJFOiA8J7MhmeWApjiXC31HlN637AO/eZtjA0jSK6vK4vXo9u/ZVIRefl7h3SB/KcW2KMjF2Vd4HWb+OgoV3g5zQ=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872493058346.9458085935098;
 Mon, 23 Feb 2026 10:48:13 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 3928A41BA3; Mon, 23 Feb 2026 13:48:12 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id A667D43EA7;
	Mon, 23 Feb 2026 13:34:46 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id F3AC841A98; Mon, 23 Feb 2026 13:34:36 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id A56B641BDC
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:55 -0500 (EST)
Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-633-rPuxNHMEOeGWaBErfDLUhw-1; Mon,
 23 Feb 2026 13:31:53 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 685451955F02
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:52 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 593E9195419A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:50 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871515;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=ItNzYbx1nOek4UYgSUZbXKti47pYRNyzo43Y4uXuwt0=;
	b=WHYVLcxMog+vBIz4jmjAgAZzOo1IvwpbvsKDIPVxmW1Ui11PikDHpm1gqLAMQf458xsHs2
	0+jZwbNl4GvmtV2TkKPGzCGmicK1M6OyOt7CVGXXSF/xkp9xQ4d79xEsVG0t5iZ/lUiNcf
	7HfWr/Oy+NPyLodL1sgcp0s1536lnds=
X-MC-Unique: rPuxNHMEOeGWaBErfDLUhw-1
X-Mimecast-MFC-AGG-ID: rPuxNHMEOeGWaBErfDLUhw_1771871512
To: devel@lists.libvirt.org
Subject: [PATCH v4 14/36] tests: Add firmware-auto-efi-varstore-aarch64
Date: Mon, 23 Feb 2026 19:30:57 +0100
Message-ID: <20260223183119.501349-15-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: MitMTFVGuE-jP6XL5ZxZd0uBjGfH9DC_Gcer5-K9lXw_1771871512
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: ESHIYTKR5QU5SE4WLXNJMT44YMADMTLN
X-Message-ID-Hash: ESHIYTKR5QU5SE4WLXNJMT44YMADMTLN
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/ESHIYTKR5QU5SE4WLXNJMT44YMADMTLN/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872494235158500

This test case demonstrates how to explicitly opt into using
the uefi-vars device for an aarch64 guest.

Normally the firmware autoselection process will pick a UEFI
build that is loaded via pflash, but by including the <varstore>
element in the input XML we can tell the QEMU driver that we
want want the uefi-vars device to be used instead.

Currently this results in an error, because the firmware
autoselection algorithm doesn't yet know how to properly handle
the scenario. A future commit will address this and make things
work as expected.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 ...uto-efi-varstore-aarch64.aarch64-latest.err |  1 +
 .../firmware-auto-efi-varstore-aarch64.xml     | 18 ++++++++++++++++++
 tests/qemuxmlconftest.c                        |  1 +
 3 files changed, 20 insertions(+)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch6=
4.aarch64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch6=
4.xml

diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch=
64-latest.err b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aa=
rch64-latest.err
new file mode 100644
index 0000000000..b45d304221
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.err
@@ -0,0 +1 @@
+Only one of NVRAM/varstore can be used
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.xml b=
/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.xml
new file mode 100644
index 0000000000..e403c60643
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.xml
@@ -0,0 +1,18 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os firmware=3D'efi'>
+    <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
+    <varstore/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <devices>
+    <emulator>/usr/bin/qemu-system-aarch64</emulator>
+    <controller type=3D'usb' model=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 9e330e2935..24168b98af 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1672,6 +1672,7 @@ mymain(void)
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-network-nbd");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-network-iscsi");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-varstore-q35");
+    DO_TEST_CAPS_ARCH_LATEST_PARSE_ERROR("firmware-auto-efi-varstore-aarch=
64", "aarch64");
=20
     DO_TEST_CAPS_LATEST("firmware-auto-efi-format-loader-qcow2");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-format-loader-qcow2=
-rom");
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872611; cv=none;
	d=zohomail.com; s=zohoarc;
	b=jQ4iJIMb/b22Uk5NlmLXwAwr1Zeks2USfkPma+E6VVVN6I4mnyo8EIrAUtb2Jtd9mW80dT7QuiB/19kw3ZKnJaHgz4j3byQx/IF4iwU8WZP5EPW9pe+ckVI6EHRgoRqxmB9IgaGIs76ozDUQGonDN/RYKDuL4yP4X+Em02mKabk=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872611;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=69a0TVAVHcW3pvYYFr3HLNSYOQzT9hbp5inyQXrBvkQ=;
	b=Qy/BA1aaHBkJNHA+pTt89xBb6LHD2QfVY7J2b8dFLeUGBRKvacoS5p0NVmjiWZx6f7eBbQ7Kirl7hCaijDeBIySHRDgLoWOVxm8gI3s4wwe/SvpoZMB1FpP4AggPbv/CiyvzHRcnetZhKXP0b+YwdgAFVtyuveOlJYSHg+Pllxs=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872611776644.82613059497;
 Mon, 23 Feb 2026 10:50:11 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 0136441BFA; Mon, 23 Feb 2026 13:50:12 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 192A941B2E;
	Mon, 23 Feb 2026 13:35:37 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id A74B341D4C; Mon, 23 Feb 2026 13:35:27 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 2A74841AC6
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:02 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-246-rmMvdcjpNMW48rMufgZ7eg-1; Mon,
 23 Feb 2026 13:31:58 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 298EE1828AA7
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:54 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 0935B1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:52 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871521;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=69a0TVAVHcW3pvYYFr3HLNSYOQzT9hbp5inyQXrBvkQ=;
	b=aXwW5XU0YnBByJi//T9UBXZVW8+vzreAtjqEfmH0Exe39QcLfbN2LGz/60nnLvw64yiJKV
	ZoQdjsd+xlPRB59o087swVxIBqGxiHCRxa4J1AV7/IL/fgCLd/KqSKrITN0et7ahFgEWXT
	sXyjztAtHbUFE7iVFB5SfWUmeZHaLMQ=
X-MC-Unique: rmMvdcjpNMW48rMufgZ7eg-1
X-Mimecast-MFC-AGG-ID: rmMvdcjpNMW48rMufgZ7eg_1771871514
To: devel@lists.libvirt.org
Subject: [PATCH v4 15/36] tests: Add firmware-auto-efi-enrolled-keys-aarch64
Date: Mon, 23 Feb 2026 19:30:58 +0100
Message-ID: <20260223183119.501349-16-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 7J6LS-39nuhlcpTUzs2jqkzpvhbedkIezC-pciyLfmY_1771871514
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 6MN3ER4HHIFZIQH4BI2CEDFJWDWNIADQ
X-Message-ID-Hash: 6MN3ER4HHIFZIQH4BI2CEDFJWDWNIADQ
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/6MN3ER4HHIFZIQH4BI2CEDFJWDWNIADQ/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872618074158500

This test case demonstrates how to automatically configure an
aarch64 guest so that Secure Boot support is available and only
signed operating systems are allowed to boot.

It currently fails because there is no firmware descriptor that
describes a suitable firmware build yet. That will change in a
future commit.

In addition to the latest version, the test case is also executed
against QEMU 8.2.0 specifically. This version of the test case is
intended to fail, because the uefi-vars device that we need to
support Secure Boot on aarch64 was not yet available in that
version of QEMU. The exact error message will change down the
line.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 ...fi-enrolled-keys-aarch64.aarch64-8.2.0.err |  1 +
 ...fi-enrolled-keys-aarch64.aarch64-8.2.0.xml | 30 +++++++++++++++++++
 ...i-enrolled-keys-aarch64.aarch64-latest.err |  1 +
 ...i-enrolled-keys-aarch64.aarch64-latest.xml | 30 +++++++++++++++++++
 ...irmware-auto-efi-enrolled-keys-aarch64.xml | 20 +++++++++++++
 tests/qemuxmlconftest.c                       |  2 ++
 6 files changed, 84 insertions(+)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-8.2.0.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-8.2.0.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.xml

diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-8.2.0.err b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-8.2.0.err
new file mode 100644
index 0000000000..3edb2b3451
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-8.2.0.err
@@ -0,0 +1 @@
+operation failed: Unable to find 'efi' firmware that is compatible with th=
e current configuration
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-8.2.0.xml b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-8.2.0.xml
new file mode 100644
index 0000000000..5213a41b90
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-8.2.0.xml
@@ -0,0 +1,30 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <currentMemory unit=3D'KiB'>1048576</currentMemory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os firmware=3D'efi'>
+    <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
+    <firmware>
+      <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+    </firmware>
+    <loader format=3D'raw'/>
+    <boot dev=3D'hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <gic version=3D'3'/>
+  </features>
+  <clock offset=3D'utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-aarch64</emulator>
+    <controller type=3D'usb' index=3D'0' model=3D'none'/>
+    <controller type=3D'pci' index=3D'0' model=3D'pcie-root'/>
+    <audio id=3D'1' type=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-latest.err b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-=
aarch64.aarch64-latest.err
new file mode 100644
index 0000000000..3edb2b3451
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-latest.err
@@ -0,0 +1 @@
+operation failed: Unable to find 'efi' firmware that is compatible with th=
e current configuration
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-latest.xml b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-=
aarch64.aarch64-latest.xml
new file mode 100644
index 0000000000..908a8435f9
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-latest.xml
@@ -0,0 +1,30 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <currentMemory unit=3D'KiB'>1048576</currentMemory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os firmware=3D'efi'>
+    <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
+    <firmware>
+      <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+    </firmware>
+    <loader format=3D'raw'/>
+    <boot dev=3D'hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <gic version=3D'2'/>
+  </features>
+  <clock offset=3D'utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-aarch64</emulator>
+    <controller type=3D'usb' index=3D'0' model=3D'none'/>
+    <controller type=3D'pci' index=3D'0' model=3D'pcie-root'/>
+    <audio id=3D'1' type=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
xml b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.xml
new file mode 100644
index 0000000000..6cd382d0fa
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.xml
@@ -0,0 +1,20 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os firmware=3D'efi'>
+    <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
+    <firmware>
+      <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+    </firmware>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <devices>
+    <emulator>/usr/bin/qemu-system-aarch64</emulator>
+    <controller type=3D'usb' model=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 24168b98af..ca00dc96f0 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1657,6 +1657,8 @@ mymain(void)
     DO_TEST_CAPS_LATEST("firmware-auto-efi-secboot");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-no-secboot");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-enrolled-keys");
+    DO_TEST_CAPS_ARCH_LATEST_FAILURE("firmware-auto-efi-enrolled-keys-aarc=
h64", "aarch64");
+    DO_TEST_CAPS_ARCH_VER_FAILURE("firmware-auto-efi-enrolled-keys-aarch64=
", "aarch64", "8.2.0");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-no-enrolled-keys");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-enrolled-keys-no-se=
cboot");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-smm-off");
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872566; cv=none;
	d=zohomail.com; s=zohoarc;
	b=Ue/TMExOH8NwmUSp/XlDuPQDjNwQhVw1DQiYLVxO/QmqjnIYp+9bhbzTmKG5IVmUbChMFJJrkyYxGMnBS5wkOkYXwKdq/ZIWockNzLk7q24tqxVeoBigEuujxjdDQfkCk8Fkif72c7uAfdNcS9NE/5XyWamabcsFHufHSl3i2nQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872566;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=mv45OKIVMLYE1U+F1Ng4USG8/2TRvv73O/xUm7S/3bQ=;
	b=K9YEA4wvrEInDHC+9dusz5BwwcObihXxJDjQzZIFlCVHk4U1mXTcakkRTG3/dz9rUMAgFmFJ+QuNwgngPu3lSN8N+8Tl8S8loYQp88zRfjhI5V5VpmFV44zTs6hZNYOv0vWKjsZSjOY3qX0uWPM116H5MZkEGCOuJh6GJUq4i/I=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872565954562.2130082403787;
 Mon, 23 Feb 2026 10:49:25 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 310953F35C; Mon, 23 Feb 2026 13:49:25 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 6FD2141C01;
	Mon, 23 Feb 2026 13:35:35 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 01EB141BE8; Mon, 23 Feb 2026 13:35:27 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 5F31241C2B
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:31:59 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-526-1CkIDgK4NKazWekZ20UqjA-1; Mon,
 23 Feb 2026 13:31:57 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 5DB411828AD7
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:55 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 6AE78195419E
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:54 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS,UPPERCASE_50_75
	autolearn=unavailable autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871519;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=mv45OKIVMLYE1U+F1Ng4USG8/2TRvv73O/xUm7S/3bQ=;
	b=Lm1oYLsrBCaqdN3Pr0A7DojjozvMcNMrRfXc7K2eElIsvOtX+JIJ6IFk7ysk6qtXMF32GL
	o16ygFZ5ojtobt7S9mIXBkeehXkyioEQClI2mcXHkyAALB6uA+VscGpN903hFEr92k0vBJ
	3ujYfMlSTowRZfSbiTqj24k29HHu5IM=
X-MC-Unique: 1CkIDgK4NKazWekZ20UqjA-1
X-Mimecast-MFC-AGG-ID: 1CkIDgK4NKazWekZ20UqjA_1771871517
To: devel@lists.libvirt.org
Subject: [PATCH v4 16/36] qemu_firmware: Parse host-uefi-vars firmware feature
Date: Mon, 23 Feb 2026 19:30:59 +0100
Message-ID: <20260223183119.501349-17-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: fY4Crf4aZVnlvTP_iQ5o7CwmppSBhNjoCnbz_F8TBCg_1771871517
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: KM5EQBEGCNYKS75W32FZOPAK2GUEBYM4
X-Message-ID-Hash: KM5EQBEGCNYKS75W32FZOPAK2GUEBYM4
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/KM5EQBEGCNYKS75W32FZOPAK2GUEBYM4/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872566621158500

When present in a firmware descriptor, this feature indicates that
the corresponding executable expects to access variable storage
through the uefi-vars QEMU device.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 6a074055ca..8b9b0d91ff 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -145,6 +145,7 @@ typedef enum {
     QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
     QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
     QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
+    QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS,
     QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC,
     QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC,
=20
@@ -164,6 +165,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
               "enrolled-keys",
               "requires-smm",
               "secure-boot",
+              "host-uefi-vars",
               "verbose-dynamic",
               "verbose-static"
 );
@@ -1181,6 +1183,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
             hasEnrolledKeys =3D true;
             break;
=20
+        case QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1515,6 +1518,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
         case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+        case QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1570,6 +1574,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
         case QEMU_FIRMWARE_FEATURE_NONE:
         case QEMU_FIRMWARE_FEATURE_ACPI_S3:
         case QEMU_FIRMWARE_FEATURE_ACPI_S4:
+        case QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_LAST:
@@ -2084,6 +2089,7 @@ qemuFirmwareGetSupported(const char *machine,
             case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
             case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
             case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+            case QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS:
             case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
             case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
             case QEMU_FIRMWARE_FEATURE_LAST:
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872530; cv=none;
	d=zohomail.com; s=zohoarc;
	b=QBFOt7vET8by2lI+vvBeedcDYpSwvO4rWDriMTJ1ac9OMNUjmoK3eU6ZWsbmbM9W7yPUL8yfXBR3W47wki/5TBNYSRzZvinlewHvL4vXYbwGqcGtAO9ifLMxLDsK8JnE17kpxvBKoomMVxj2zBina82JHp0f4su4nMjXaMDqXkI=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872530;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=yhhr2Av9ghpENteYqOLr3B1t7+CcI5D9+h2d28qdQYo=;
	b=KvdKOFyUvkHdFfqUT+VA9LLH5DdVbfdHrR9RtvkpHypwZ9Cs5iPaWbRbIhNj9jEMyMAwDVxTK238o4HkjNLVCHZ5Df0j+RUiox+nBbN0FhyqlUkiAkELAbAqpiu/KibRqs438NdOS+7dg2au3hZ7ONb3q28xW6EllLgesIazuik=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872529997932.5128529877366;
 Mon, 23 Feb 2026 10:48:49 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 1A74241B29; Mon, 23 Feb 2026 13:48:49 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 274F843EC1;
	Mon, 23 Feb 2026 13:35:33 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id E106041DE1; Mon, 23 Feb 2026 13:35:26 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 1238141C2D
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:04 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-591-0YwrLTEUPUOFyHS0ZLyIZA-1; Mon,
 23 Feb 2026 13:32:03 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 5822718601C7
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:57 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 2BC3A1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871524;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=yhhr2Av9ghpENteYqOLr3B1t7+CcI5D9+h2d28qdQYo=;
	b=dkGDFoyJP6MTtV0gw1UdbvPxrIIKE0kKoEf4RZR35o8TPIBK3ez2G9hSrR9vT4t7RQAY16
	daMMOQh8iw6awkCoXpE+blhuDU/NnxPbuBEx6EgWkB52auNzCUB7FWiLzti5A0Vn14KOUk
	nfNPgn1tDY+TXN6fyZN4CegnIft+Y0Y=
X-MC-Unique: 0YwrLTEUPUOFyHS0ZLyIZA-1
X-Mimecast-MFC-AGG-ID: 0YwrLTEUPUOFyHS0ZLyIZA_1771871522
To: devel@lists.libvirt.org
Subject: [PATCH v4 17/36] qemu_firmware: Split sanity check
Date: Mon, 23 Feb 2026 19:31:00 +0100
Message-ID: <20260223183119.501349-18-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: MuyeYAOclgtMsEazuc97zjwyBVP9F9oGwwykeqFN0eE_1771871522
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: N76GGHV6JM5UVURCCTWA725FRTTSVLQR
X-Message-ID-Hash: N76GGHV6JM5UVURCCTWA725FRTTSVLQR
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/N76GGHV6JM5UVURCCTWA725FRTTSVLQR/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872530430158500

The two checks are semantically different, so it makes sense to
perform them separately. We will soon extend the first one.

While at it, start printing out the value of isConfidential. We
could print the value of each firmware feature it's derived from,
but that would make things unnecessarily verbose; at the same
time, knowing that libvirt believes that the firmware build is
targeting the confidential use case can be useful for debugging
so it's worth including it.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 8b9b0d91ff..5c923b5a02 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1589,16 +1589,23 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
      * VMs also don't support EFI variable storage in NVRAM, instead
      * the secureboot state is hardcoded to enabled.
      */
-    if ((!isConfidential &&
-         (supportsSecureBoot !=3D requiresSMM)) ||
-        (hasEnrolledKeys && !supportsSecureBoot)) {
+    if (!isConfidential &&
+        supportsSecureBoot !=3D requiresSMM) {
         VIR_WARN("Firmware description '%s' has invalid set of features: "
-                 "%s =3D %d, %s =3D %d, %s =3D %d",
+                 "%s =3D %d, %s =3D %d (isConfidential =3D %d)",
                  filename,
                  qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_REQ=
UIRES_SMM),
                  requiresSMM,
                  qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_SEC=
URE_BOOT),
                  supportsSecureBoot,
+                 isConfidential);
+    }
+    if (hasEnrolledKeys && !supportsSecureBoot) {
+        VIR_WARN("Firmware description '%s' has invalid set of features: "
+                 "%s =3D %d, %s =3D %d",
+                 filename,
+                 qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_SEC=
URE_BOOT),
+                 supportsSecureBoot,
                  qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_ENR=
OLLED_KEYS),
                  hasEnrolledKeys);
     }
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872662; cv=none;
	d=zohomail.com; s=zohoarc;
	b=V4RAO2wh4kMMIPxu2CuEPcKsd4D5sjCjs29TE4TOU5JnEhanmPs8RvN4gbpBTSERiK9JqhqX5w4VVOWbShJiA1wVmYNHQ2o67S9IFlQN9lPVc7TkL6OK51Xf1R3GQHhfK2KmmTiPlnMTFXBVZ8uQ4N9u+CTGw78hNdz+2kRmyQQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872662;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=THferTqnNGyvOsgDxWDZMIiKUHmYEIEixaxlqT3aL7o=;
	b=Jq6L6hKdWSy/XdJkfmAoy3YwSx63cxqaCF8NqJtF1setIJC6CFo1mYXTGviCT2DGcLSL1tjDsMl2JOWkkFKSoHBlLFpW5YP2q/3/jvZ6KL+6Fryn9wfX8LB27DKYPiWuIDJfkyQLvUFd53IcM1Eouy8/wOZIfvBwC7Qhx3XNK6U=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872662497810.0860543693586;
 Mon, 23 Feb 2026 10:51:02 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 9F58E3F367; Mon, 23 Feb 2026 13:51:01 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 3F38543F6C;
	Mon, 23 Feb 2026 13:36:26 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id A531D41C20; Mon, 23 Feb 2026 13:36:21 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id AD25B41C85
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:08 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-672-fH9U2wsON6SdF-vNTH14oA-1; Mon,
 23 Feb 2026 13:32:06 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 9C6071845430
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:58 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id D064A1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:57 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871528;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=THferTqnNGyvOsgDxWDZMIiKUHmYEIEixaxlqT3aL7o=;
	b=exQhmCcH21vWbAIInRa7Gdc5uVKm9rTIB0a5xp+RONCr1e0uXd8OQtCWhcI0chRp55vwho
	P8m+I3DYFqrpsnBWwmblKQ043CzobwVlFYVWVoHKd2yaakF2I9n+VaGaIZVuTDf1FGUWrE
	Jwwj+mLQQ3EuqjBOOvy8LmWIYFTsjuI=
X-MC-Unique: fH9U2wsON6SdF-vNTH14oA-1
X-Mimecast-MFC-AGG-ID: fH9U2wsON6SdF-vNTH14oA_1771871526
To: devel@lists.libvirt.org
Subject: [PATCH v4 18/36] qemu_firmware: Consider host-uefi-vars feature in
 sanity check
Date: Mon, 23 Feb 2026 19:31:01 +0100
Message-ID: <20260223183119.501349-19-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 0-iNQVJztqy2HFkioHo4peqgHHM5LIdi1_jAh-qtRok_1771871526
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: USGZS2YUS5HZQJ6WE5A4BGFZOMXZWDP6
X-Message-ID-Hash: USGZS2YUS5HZQJ6WE5A4BGFZOMXZWDP6
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/USGZS2YUS5HZQJ6WE5A4BGFZOMXZWDP6/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872663126158500

Just like with firmware builds targeting the confidential use
case, use of the uefi-vars device obviates the need to have SMM
emulation enabled while still guaranteeing that protected EFI
variables work as intended.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 5c923b5a02..f9cb9058ac 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1552,6 +1552,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
     bool requiresSMM =3D false;
     bool supportsSecureBoot =3D false;
     bool hasEnrolledKeys =3D false;
+    bool usesUefiVarsDevice =3D false;
     bool isConfidential =3D false;
=20
     for (i =3D 0; i < fw->nfeatures; i++) {
@@ -1565,6 +1566,9 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
         case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
             hasEnrolledKeys =3D true;
             break;
+        case QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS:
+            usesUefiVarsDevice =3D true;
+            break;
         case QEMU_FIRMWARE_FEATURE_AMD_SEV:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
@@ -1574,7 +1578,6 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
         case QEMU_FIRMWARE_FEATURE_NONE:
         case QEMU_FIRMWARE_FEATURE_ACPI_S3:
         case QEMU_FIRMWARE_FEATURE_ACPI_S4:
-        case QEMU_FIRMWARE_FEATURE_HOST_UEFI_VARS:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_LAST:
@@ -1588,14 +1591,21 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
      * support SMM. This is OK, because EFI binaries for confidential
      * VMs also don't support EFI variable storage in NVRAM, instead
      * the secureboot state is hardcoded to enabled.
+     *
+     * Similarly, use of the uefi-vars QEMU device guarantees that
+     * protected EFI variables work as expected without requiring SMM
+     * emulation.
      */
     if (!isConfidential &&
+        !usesUefiVarsDevice &&
         supportsSecureBoot !=3D requiresSMM) {
         VIR_WARN("Firmware description '%s' has invalid set of features: "
-                 "%s =3D %d, %s =3D %d (isConfidential =3D %d)",
+                 "%s =3D %d, %s =3D %d, %s =3D %d (isConfidential =3D %d)",
                  filename,
                  qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_REQ=
UIRES_SMM),
                  requiresSMM,
+                 qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_HOS=
T_UEFI_VARS),
+                 usesUefiVarsDevice,
                  qemuFirmwareFeatureTypeToString(QEMU_FIRMWARE_FEATURE_SEC=
URE_BOOT),
                  supportsSecureBoot,
                  isConfidential);
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872699; cv=none;
	d=zohomail.com; s=zohoarc;
	b=VEMTE8VDNQCzoTjJZ6dVk5O5bZoWyzyLhDzzADUOLvICgouqE+ISduSaqXVxiwdU3nD6t05TrSGb35PAcyR7GHKa6G+UE32MNnAc/jynXIaypFswNyk66HZtqMSGkpDINhVtl5vdG1HNc+glFrf9ev3tHkNZnBWkiXD6fOxdCtM=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872699;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=bunRlRfTIYp+Kir8BIMYyX62C1hKIhhbu/KoZiGkBwc=;
	b=YQXlNVenw1qqmXwSilc8frXpfyqkLvDtF8P3RV3BxNMw86YozwyzYj9HUd8H+Sq9dMTHYyUwet1wQr1Rrn4J8C5Bu3Cwx+h2FD6NScaHL9SpaF3zKyG036prKRQiXPUk8Y8flfmOzBJA2seL4SFlVHPACNH0K9IQC5VDppQfNiI=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 177187269890994.29844238295243;
 Mon, 23 Feb 2026 10:51:38 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 2AFB1419EA; Mon, 23 Feb 2026 13:51:38 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id E3C2F43FB1;
	Mon, 23 Feb 2026 13:36:28 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id B942541C42; Mon, 23 Feb 2026 13:36:21 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 78490419EF
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:13 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-144-TTnWoSeON-64vdGQ80arzQ-1; Mon,
 23 Feb 2026 13:32:11 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 30BA21830199
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:00 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 20B981955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:31:58 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871533;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=bunRlRfTIYp+Kir8BIMYyX62C1hKIhhbu/KoZiGkBwc=;
	b=YVqxocoR0JapDI9NTlR9jM45rrZhLPpS6PMA5ImsMVhQwDjjipXHOg5cn3G8ceCLHFP8lT
	SM1gUJzQ++pXXsubLQ0J+sCKKlGKS/XzmsJ3ieCun7hTSpZUgtJqe6vmUDbUe+l80e7WH1
	OmXOBbmstU9Ww8TmB92cLdcIkdeVIVo=
X-MC-Unique: TTnWoSeON-64vdGQ80arzQ-1
X-Mimecast-MFC-AGG-ID: TTnWoSeON-64vdGQ80arzQ_1771871531
To: devel@lists.libvirt.org
Subject: [PATCH v4 19/36] qemu_firmware: Support extended syntax for ROM
 firmware descriptors
Date: Mon, 23 Feb 2026 19:31:02 +0100
Message-ID: <20260223183119.501349-20-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: HJCorqY9FeKflbmLNWfYjYE8hHt5bbHvvt_fRFhuFCo_1771871531
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: JNOF4H23M4WJQXVN5SJSNKH2PCOIAZMR
X-Message-ID-Hash: JNOF4H23M4WJQXVN5SJSNKH2PCOIAZMR
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/JNOF4H23M4WJQXVN5SJSNKH2PCOIAZMR/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872701349158500

The existing syntax can only describe stateless firmware builds,
while the extended one can additionally describe builds intended
for use with the uefi-vars device. This involves including the
path to the corresponding varstore template.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index f9cb9058ac..7af3f32b85 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -95,6 +95,7 @@ struct _qemuFirmwareMappingFlash {
 typedef struct _qemuFirmwareMappingMemory qemuFirmwareMappingMemory;
 struct _qemuFirmwareMappingMemory {
     char *filename;
+    char *template;
 };
=20
=20
@@ -219,6 +220,7 @@ static void
 qemuFirmwareMappingMemoryFreeContent(qemuFirmwareMappingMemory *memory)
 {
     g_free(memory->filename);
+    g_free(memory->template);
 }
=20
=20
@@ -406,7 +408,11 @@ qemuFirmwareMappingMemoryParse(const char *path,
                                virJSONValue *doc,
                                qemuFirmwareMappingMemory *memory)
 {
+    virJSONValue *uefi_vars;
     const char *filename;
+    const char *template;
+
+    uefi_vars =3D virJSONValueObjectGet(doc, "uefi-vars");
=20
     if (!(filename =3D virJSONValueObjectGetString(doc, "filename"))) {
         VIR_DEBUG("missing 'filename' in '%s'", path);
@@ -415,6 +421,15 @@ qemuFirmwareMappingMemoryParse(const char *path,
=20
     memory->filename =3D g_strdup(filename);
=20
+    if (uefi_vars) {
+        if (!(template =3D virJSONValueObjectGetString(uefi_vars, "templat=
e"))) {
+            VIR_DEBUG("missing 'template' for 'uefi-vars' in '%s'", path);
+            return -1;
+        }
+
+        memory->template =3D g_strdup(template);
+    }
+
     return 0;
 }
=20
@@ -702,6 +717,20 @@ qemuFirmwareMappingMemoryFormat(virJSONValue *mapping,
                                        memory->filename) < 0)
         return -1;
=20
+    if (memory->template) {
+        g_autoptr(virJSONValue) uefi_vars =3D virJSONValueNewObject();
+
+        if (virJSONValueObjectAppendString(uefi_vars,
+                                           "template",
+                                           memory->template) < 0)
+            return -1;
+
+        if (virJSONValueObjectAppend(mapping,
+                                     "uefi-vars",
+                                     &uefi_vars) < 0)
+            return -1;
+    }
+
     return 0;
 }
=20
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872733; cv=none;
	d=zohomail.com; s=zohoarc;
	b=YCXIEkTpK0KgHEmXrmXxXFCyUXmuq7axS7WkofmDSKRKF/9qmhZDw+SatFMLqxMhKAM6WTqsKf0y7+EJaSoUzOMQqFt9onPb76nGb8mMI6fukflbsOnc3oyKfovVCuFPv3xTPHLOuwLExN8cF/zarpSB6v3115jCKCOgoCzRSec=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872733;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=unZ8Zka7LBAHWSiQED94RGCqC24W/ZDTcw5cEJXV6Ig=;
	b=PFx5datjGmzKg/8bnksLQfeBB0kb2fYj5YQInQ1F1gbj3geInNJc0cBtecw/1IEWfy2ZkoCxsqymphKjjYaxfHVv00edEKlXZGmEbJ0XKqj3x/DJv8rjdQPweTjeyfHCkD7elsH4o/iH1gheihQNtvWSpfFeqMXceeNuFzBKg74=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 177187273337031.619200086748606;
 Mon, 23 Feb 2026 10:52:13 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 6609A41B53; Mon, 23 Feb 2026 13:52:12 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 8555A43FFD;
	Mon, 23 Feb 2026 13:36:32 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 21ED941A4F; Mon, 23 Feb 2026 13:36:22 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 0FE0041A0C
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:15 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-108-AUwLXQvsOLC8G0jwdXt-sw-1; Mon,
 23 Feb 2026 13:32:13 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 4A7CD1828A96
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:02 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id EA50F1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871534;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=unZ8Zka7LBAHWSiQED94RGCqC24W/ZDTcw5cEJXV6Ig=;
	b=NrJ3/0jH2/iy9WdUYwmEz3vQ1yqeumaWhSB6oULyRB1eGmPu6JorZv66sSLU6yynCVqEIi
	ymE2Lx5sVrIN9MDHnvMuxSsTgZ4BtaVVybVLw7p1zLzmpiCBzqrBPl7qpwlmNsP1kl3vnf
	SALyjOriNn5nJV3lYi2XylpVBLL+Cvs=
X-MC-Unique: AUwLXQvsOLC8G0jwdXt-sw-1
X-Mimecast-MFC-AGG-ID: AUwLXQvsOLC8G0jwdXt-sw_1771871532
To: devel@lists.libvirt.org
Subject: [PATCH v4 20/36] qemu_firmware: Report NVRAM template path for ROMs
Date: Mon, 23 Feb 2026 19:31:03 +0100
Message-ID: <20260223183119.501349-21-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: M4k9FYcCe5yKKkITtIerkX5Ht-1TbxJmFrm_5E13ZTY_1771871532
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: TSA6SPSLL6SOCM54WCQH3UV5WSTMQTHP
X-Message-ID-Hash: TSA6SPSLL6SOCM54WCQH3UV5WSTMQTHP
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/TSA6SPSLL6SOCM54WCQH3UV5WSTMQTHP/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872735448158500

This was not necessary until now since ROMs couldn't have an
associate NVRAM template, and technically speaking they still
can't; however, the varstore template serves essentialy the
same purpose.

The qemuFirmwareGetSupported() helper is used in two places:
one is the code that is responsible for filling in domaincaps,
where templates are ignored so this change has no impact on it;
the other is the qemufirmware test program, where this value
being reported is useful as it will allow us to confirm that
the JSON firmware descriptors for uefi-vars enabled builds are
parsed correctly.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 7af3f32b85..72aae73dcb 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -2161,6 +2161,7 @@ qemuFirmwareGetSupported(const char *machine,
=20
         case QEMU_FIRMWARE_DEVICE_MEMORY:
             fwpath =3D memory->filename;
+            nvrampath =3D memory->template;
             break;
=20
         case QEMU_FIRMWARE_DEVICE_NONE:
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872992; cv=none;
	d=zohomail.com; s=zohoarc;
	b=AdGmZlnzj//sD8U0J1X+vh1Fai/NMBDOB4G6pNVAf+75UwrrLTClx5CDUd9o6da7nvGlC55IgxIFyrNnmpKRTEHoLDn7/TvK1dbPaicGPX6Uw8MLweESGkwp9prO3eu2GdbDVgIlLTgPALNlFWaK6TSvYFUKhwExGZdexvZUP/g=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872992;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=OeWxj+wzUPDkcHvZ9gB89wiUBhT8Sm4DmuIzw3rAaYM=;
	b=SG8fX8J8t+yOOm4lJGNMcEygK9xbCRLLRpkVK3q1mzYt9aYJsXv4YGUF94u1QpGHYyPAvGLnXZhOZIXcHunhTXMRltRUFWJ1tdjIvWulyM+shjX4OEJ0nPpCFAclvR0F2NcQcOrTA6tArq7WMC+/n/WWsQHWkDPDXSkUdDNlt8U=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872992562414.8297796212918;
 Mon, 23 Feb 2026 10:56:32 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id B87F041C79; Mon, 23 Feb 2026 13:56:31 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id BF260441A5;
	Mon, 23 Feb 2026 13:36:45 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 6560441A8D; Mon, 23 Feb 2026 13:36:23 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 79B7441C2E
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:17 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-390-XxoUfP8wPOOUJTXX4fVyDA-1; Mon,
 23 Feb 2026 13:32:15 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 73EAA1828B5B
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:09 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id C042D1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:02 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871537;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=OeWxj+wzUPDkcHvZ9gB89wiUBhT8Sm4DmuIzw3rAaYM=;
	b=gi8G+PMFiOzqyseIhFZwXUkwBXohagUKFg4Qwuy5PtfP9JupqKsEGmVfqnwjXEcLhDI2PY
	mAcS4PP+yg1NCR3zGNeIEMrXQDARPiHx6HomcMXnzx2toHTKeIs0OBSp9EijHkrHlWeieu
	srP6ZWfxsp9wYU/y35s9DYdyY2lvmu4=
X-MC-Unique: XxoUfP8wPOOUJTXX4fVyDA-1
X-Mimecast-MFC-AGG-ID: XxoUfP8wPOOUJTXX4fVyDA_1771871534
To: devel@lists.libvirt.org
Subject: [PATCH v4 21/36] conf: Include varstore element in domcaps
Date: Mon, 23 Feb 2026 19:31:04 +0100
Message-ID: <20260223183119.501349-22-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: jqXNyR4-Q4MvYrxOHJRoltWEOcAEHzM18Dv0YygGkf4_1771871534
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: AFYMCPNRS47F7SGZ7LZJ3YMXNSABDTW5
X-Message-ID-Hash: AFYMCPNRS47F7SGZ7LZJ3YMXNSABDTW5
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/AFYMCPNRS47F7SGZ7LZJ3YMXNSABDTW5/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872992704158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

We want to advertise whether the element is usable when
defining new domains.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 docs/formatdomaincaps.rst       |  7 +++++++
 src/conf/domain_capabilities.c  | 10 ++++++++++
 src/conf/domain_capabilities.h  |  6 ++++++
 src/conf/schemas/domaincaps.rng |  9 +++++++++
 4 files changed, 32 insertions(+)

diff --git a/docs/formatdomaincaps.rst b/docs/formatdomaincaps.rst
index 3426b7c9cd..5a1d3f2670 100644
--- a/docs/formatdomaincaps.rst
+++ b/docs/formatdomaincaps.rst
@@ -141,6 +141,7 @@ domains.
            <value>no</value>
          </enum>
        </loader>
+       <varstore supported=3D'yes'/>
      </os>
      ...
    <domainCapabilities>
@@ -227,6 +228,12 @@ are the following:
    possible to enforce Secure Boot, look at the ``enrolledKeys`` enum insi=
de
    the ``<firmwareFeatures/>`` element instead.
=20
+The ``<varstore/>`` element :since:`(since 12.1.0)` indicates whether UEFI
+variable storage backed by the ``uefi-vars`` QEMU device can be used as an
+alternative to pflash-based NVRAM storage. This is the only type of variab=
le
+storage compatible with Secure Boot on non-x86 architectures, but it can be
+used on x86 too.
+
 CPU configuration
 ~~~~~~~~~~~~~~~~~
=20
diff --git a/src/conf/domain_capabilities.c b/src/conf/domain_capabilities.c
index 9b3577cd08..78b8e6e6e1 100644
--- a/src/conf/domain_capabilities.c
+++ b/src/conf/domain_capabilities.c
@@ -449,12 +449,21 @@ virDomainCapsLoaderFormat(virBuffer *buf,
     FORMAT_EPILOGUE(loader);
 }
=20
+static void
+virDomainCapsVarstoreFormat(virBuffer *buf,
+                            const virDomainCapsVarstore *varstore)
+{
+    FORMAT_PROLOGUE(varstore);
+    FORMAT_EPILOGUE(varstore);
+}
+
 static void
 virDomainCapsOSFormat(virBuffer *buf,
                       const virDomainCapsOS *os)
 {
     const virDomainCapsFirmwareFeatures *firmwareFeatures =3D &os->firmwar=
eFeatures;
     const virDomainCapsLoader *loader =3D &os->loader;
+    const virDomainCapsVarstore *varstore =3D &os->varstore;
=20
     FORMAT_PROLOGUE(os);
=20
@@ -462,6 +471,7 @@ virDomainCapsOSFormat(virBuffer *buf,
=20
     virDomainCapsFirmwareFeaturesFormat(&childBuf, firmwareFeatures);
     virDomainCapsLoaderFormat(&childBuf, loader);
+    virDomainCapsVarstoreFormat(&childBuf, varstore);
=20
     FORMAT_EPILOGUE(os);
 }
diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h
index a68fafe235..02344fd9b6 100644
--- a/src/conf/domain_capabilities.h
+++ b/src/conf/domain_capabilities.h
@@ -61,6 +61,11 @@ struct _virDomainCapsLoader {
     virDomainCapsEnum secure;   /* Info about secure:virTristateBool */
 };
=20
+typedef struct _virDomainCapsVarstore virDomainCapsVarstore;
+struct _virDomainCapsVarstore {
+    virTristateBool supported;
+};
+
 STATIC_ASSERT_ENUM(VIR_DOMAIN_OS_DEF_FIRMWARE_LAST);
 typedef struct _virDomainCapsOS virDomainCapsOS;
 struct _virDomainCapsOS {
@@ -68,6 +73,7 @@ struct _virDomainCapsOS {
     virDomainCapsEnum firmware;     /* Info about virDomainOsDefFirmware */
     virDomainCapsFirmwareFeatures firmwareFeatures;
     virDomainCapsLoader loader;     /* Info about virDomainLoaderDef */
+    virDomainCapsVarstore varstore;
 };
=20
 STATIC_ASSERT_ENUM(VIR_DOMAIN_MEMORY_SOURCE_LAST);
diff --git a/src/conf/schemas/domaincaps.rng b/src/conf/schemas/domaincaps.=
rng
index 3b24caeca6..4682abbf41 100644
--- a/src/conf/schemas/domaincaps.rng
+++ b/src/conf/schemas/domaincaps.rng
@@ -87,6 +87,12 @@
     </element>
   </define>
=20
+  <define name=3D"varstore">
+    <element name=3D"varstore">
+      <ref name=3D"supported"/>
+    </element>
+  </define>
+
   <define name=3D"os">
     <element name=3D"os">
       <interleave>
@@ -98,6 +104,9 @@
         <optional>
           <ref name=3D"loader"/>
         </optional>
+        <optional>
+          <ref name=3D"varstore"/>
+        </optional>
       </interleave>
     </element>
   </define>
--=20
2.53.0
From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873186; cv=none;
	d=zohomail.com; s=zohoarc;
	b=WXpFZ1ndQmijbRASpjzUeTW5T5BD3KqFZUkZ5HvvSIDAcL9oKNKCojrv2WrhaEUdnAhahE1xFEuuqFjrxRLBN+P0qBp1zJfq1w6PphiIlSJHlairNyDChrzE6lY5P/JwNUzCdqewIPrJH5v4Zw9yJTkmjc2qC8jxHw7JhiFWyv8=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873186;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=tqN6NBOaun0waZxyEINh/wWX5VyxBJEiNS32DgdlPvo=;
	b=PfxODhBZ6JT5pLqYjbvgRkNPw4y5T4AfkXXIOn7fMOF8kQfQ1HVi85m2/qz2YTJYEiVSJ2Xh51hkS/sJYKoEQXmUmn9tVDAd0cqmmclcrp468Akmv8EzWMXJGNOs6Kw0M3OebrPqBLkDtYo6HVUchcRBrBSgoxm3b3R8LLoNHe0=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771873186091275.47910719312415;
 Mon, 23 Feb 2026 10:59:46 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 16F7441A9A; Mon, 23 Feb 2026 13:59:45 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id E9AC044218;
	Mon, 23 Feb 2026 13:36:52 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id AF0F643F70; Mon, 23 Feb 2026 13:36:26 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 6839C41AC5
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:17 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-674-tMkc_inAMj2IDyBt_PzZZg-1; Mon,
 23 Feb 2026 13:32:15 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 73E9718608EB
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:09 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 5AB44195419A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871537;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=tqN6NBOaun0waZxyEINh/wWX5VyxBJEiNS32DgdlPvo=;
	b=JcvVS9pYQ3ZQw7yR+9+1s1QK9ioHNjE+rKimRNmQdtp1NrFEZjzdcLHEtO6EVyW23nEQWz
	g37M8mf0pk+3f8ehJjsKyv7bGsG6k4ZrQ5/2qJJm9RzCtRJ1WjPbdj4EJTjh1L2P3dVQU8
	F7TUCuJT1rNRUvtAQtb5T08xuQZWdqk=
X-MC-Unique: tMkc_inAMj2IDyBt_PzZZg-1
X-Mimecast-MFC-AGG-ID: tMkc_inAMj2IDyBt_PzZZg_1771871534
To: devel@lists.libvirt.org
Subject: [PATCH v4 22/36] qemu: Fill in varstore element in domcaps
Date: Mon, 23 Feb 2026 19:31:05 +0100
Message-ID: <20260223183119.501349-23-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: XvtC7yz5__J5_E3oBv9HoGsYUGzJkhGCCgzDXKta4co_1771871534
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: NL3E5XMDIKW5425WQCKFI2FIJSV62R6D
X-Message-ID-Hash: NL3E5XMDIKW5425WQCKFI2FIJSV62R6D
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/NL3E5XMDIKW5425WQCKFI2FIJSV62R6D/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873187646158500

The element should only be advertised as supported if the QEMU
binary contains the necessary device and a suitable JSON firmware
descriptor is found on the system. Right now the latter
requirement is not satisfied, so it's marked as not supported
across the board.

The qemufirmware test is extended to cover the new attribute.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_capabilities.c                  | 26 +++++++++++++++-
 src/qemu/qemu_firmware.c                      |  6 ++++
 src/qemu/qemu_firmware.h                      |  1 +
 .../qemu_10.0.0-q35.x86_64+amdsev.xml         |  1 +
 .../domaincapsdata/qemu_10.0.0-q35.x86_64.xml |  1 +
 .../qemu_10.0.0-tcg.x86_64+amdsev.xml         |  1 +
 .../domaincapsdata/qemu_10.0.0-tcg.x86_64.xml |  1 +
 .../qemu_10.0.0-virt.aarch64.xml              |  1 +
 tests/domaincapsdata/qemu_10.0.0.aarch64.xml  |  1 +
 tests/domaincapsdata/qemu_10.0.0.ppc64.xml    |  1 +
 tests/domaincapsdata/qemu_10.0.0.s390x.xml    |  1 +
 .../qemu_10.0.0.x86_64+amdsev.xml             |  1 +
 tests/domaincapsdata/qemu_10.0.0.x86_64.xml   |  1 +
 .../qemu_10.1.0-q35.x86_64+inteltdx.xml       |  1 +
 .../domaincapsdata/qemu_10.1.0-q35.x86_64.xml |  1 +
 .../qemu_10.1.0-tcg.x86_64+inteltdx.xml       |  1 +
 .../domaincapsdata/qemu_10.1.0-tcg.x86_64.xml |  1 +
 tests/domaincapsdata/qemu_10.1.0.s390x.xml    |  1 +
 .../qemu_10.1.0.x86_64+inteltdx.xml           |  1 +
 tests/domaincapsdata/qemu_10.1.0.x86_64.xml   |  1 +
 .../qemu_10.2.0-q35.x86_64+mshv.xml           |  1 +
 .../domaincapsdata/qemu_10.2.0-q35.x86_64.xml |  1 +
 .../qemu_10.2.0-tcg.x86_64+mshv.xml           |  1 +
 .../domaincapsdata/qemu_10.2.0-tcg.x86_64.xml |  1 +
 .../qemu_10.2.0-virt.aarch64.xml              |  1 +
 tests/domaincapsdata/qemu_10.2.0.aarch64.xml  |  1 +
 .../qemu_10.2.0.x86_64+mshv.xml               |  1 +
 tests/domaincapsdata/qemu_10.2.0.x86_64.xml   |  1 +
 .../domaincapsdata/qemu_11.0.0-q35.x86_64.xml |  1 +
 .../domaincapsdata/qemu_11.0.0-tcg.x86_64.xml |  1 +
 .../qemu_11.0.0-virt.aarch64.xml              |  1 +
 tests/domaincapsdata/qemu_11.0.0.aarch64.xml  |  1 +
 tests/domaincapsdata/qemu_11.0.0.x86_64.xml   |  1 +
 .../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |  1 +
 .../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |  1 +
 tests/domaincapsdata/qemu_6.2.0.ppc64.xml     |  1 +
 tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |  1 +
 .../domaincapsdata/qemu_7.0.0-q35.x86_64.xml  |  1 +
 .../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml  |  1 +
 tests/domaincapsdata/qemu_7.0.0.ppc64.xml     |  1 +
 tests/domaincapsdata/qemu_7.0.0.x86_64.xml    |  1 +
 .../domaincapsdata/qemu_7.1.0-q35.x86_64.xml  |  1 +
 .../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml  |  1 +
 tests/domaincapsdata/qemu_7.1.0.ppc64.xml     |  1 +
 tests/domaincapsdata/qemu_7.1.0.x86_64.xml    |  1 +
 .../qemu_7.2.0-hvf.x86_64+hvf.xml             |  1 +
 .../domaincapsdata/qemu_7.2.0-q35.x86_64.xml  |  1 +
 .../qemu_7.2.0-tcg.x86_64+hvf.xml             |  1 +
 .../domaincapsdata/qemu_7.2.0-tcg.x86_64.xml  |  1 +
 tests/domaincapsdata/qemu_7.2.0.ppc.xml       |  1 +
 tests/domaincapsdata/qemu_7.2.0.x86_64.xml    |  1 +
 .../domaincapsdata/qemu_8.0.0-q35.x86_64.xml  |  1 +
 .../domaincapsdata/qemu_8.0.0-tcg.x86_64.xml  |  1 +
 tests/domaincapsdata/qemu_8.0.0.x86_64.xml    |  1 +
 .../domaincapsdata/qemu_8.1.0-q35.x86_64.xml  |  1 +
 .../domaincapsdata/qemu_8.1.0-tcg.x86_64.xml  |  1 +
 tests/domaincapsdata/qemu_8.1.0.s390x.xml     |  1 +
 tests/domaincapsdata/qemu_8.1.0.x86_64.xml    |  1 +
 .../domaincapsdata/qemu_8.2.0-q35.x86_64.xml  |  1 +
 .../qemu_8.2.0-tcg-virt.loongarch64.xml       |  1 +
 .../domaincapsdata/qemu_8.2.0-tcg.x86_64.xml  |  1 +
 .../qemu_8.2.0-virt.aarch64.xml               |  1 +
 .../qemu_8.2.0-virt.loongarch64.xml           |  1 +
 tests/domaincapsdata/qemu_8.2.0.aarch64.xml   |  1 +
 tests/domaincapsdata/qemu_8.2.0.armv7l.xml    |  1 +
 tests/domaincapsdata/qemu_8.2.0.s390x.xml     |  1 +
 tests/domaincapsdata/qemu_8.2.0.x86_64.xml    |  1 +
 .../domaincapsdata/qemu_9.0.0-q35.x86_64.xml  |  1 +
 .../domaincapsdata/qemu_9.0.0-tcg.x86_64.xml  |  1 +
 tests/domaincapsdata/qemu_9.0.0.sparc.xml     |  1 +
 tests/domaincapsdata/qemu_9.0.0.x86_64.xml    |  1 +
 .../domaincapsdata/qemu_9.1.0-q35.x86_64.xml  |  1 +
 .../qemu_9.1.0-tcg-virt.riscv64.xml           |  1 +
 .../domaincapsdata/qemu_9.1.0-tcg.x86_64.xml  |  1 +
 .../qemu_9.1.0-virt.riscv64.xml               |  1 +
 tests/domaincapsdata/qemu_9.1.0.s390x.xml     |  1 +
 tests/domaincapsdata/qemu_9.1.0.x86_64.xml    |  1 +
 .../qemu_9.2.0-hvf.aarch64+hvf.xml            |  1 +
 .../qemu_9.2.0-q35.x86_64+amdsev.xml          |  1 +
 .../domaincapsdata/qemu_9.2.0-q35.x86_64.xml  |  1 +
 .../qemu_9.2.0-tcg.x86_64+amdsev.xml          |  1 +
 .../domaincapsdata/qemu_9.2.0-tcg.x86_64.xml  |  1 +
 tests/domaincapsdata/qemu_9.2.0.s390x.xml     |  1 +
 .../qemu_9.2.0.x86_64+amdsev.xml              |  1 +
 tests/domaincapsdata/qemu_9.2.0.x86_64.xml    |  1 +
 tests/qemufirmwaretest.c                      | 31 +++++++++++++------
 86 files changed, 135 insertions(+), 11 deletions(-)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 048ef66c12..5d75c23072 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -6518,8 +6518,26 @@ virQEMUCapsFillDomainLoaderCaps(virDomainCapsLoader =
*capsLoader,
 }
=20
=20
+static int
+virQEMUCapsFillDomainVarstoreCaps(virDomainCapsVarstore *capsVarstore,
+                                  bool varstore,
+                                  virQEMUCaps *qemuCaps)
+{
+    /* varstore is advertised as supported only if firmware
+     * descriptors that use it exist and the QEMU binary has the
+     * necessary device compiled in */
+    if (varstore && virQEMUCapsGet(qemuCaps, QEMU_CAPS_DEVICE_UEFI_VARS))
+        capsVarstore->supported =3D VIR_TRISTATE_BOOL_YES;
+    else
+        capsVarstore->supported =3D VIR_TRISTATE_BOOL_NO;
+
+    return 0;
+}
+
+
 static int
 virQEMUCapsFillDomainOSCaps(virDomainCapsOS *os,
+                            virQEMUCaps *qemuCaps,
                             const char *machine,
                             virArch arch,
                             bool privileged,
@@ -6528,10 +6546,12 @@ virQEMUCapsFillDomainOSCaps(virDomainCapsOS *os,
 {
     virDomainCapsFirmwareFeatures *firmwareFeatures =3D &os->firmwareFeatu=
res;
     virDomainCapsLoader *capsLoader =3D &os->loader;
+    virDomainCapsVarstore *capsVarstore =3D &os->varstore;
     uint64_t autoFirmwares =3D 0;
     uint64_t featureSecureBoot =3D 0;
     uint64_t featureEnrolledKeys =3D 0;
     bool secure =3D false;
+    bool varstore =3D false;
     virFirmware **firmwaresAlt =3D NULL;
     size_t nfirmwaresAlt =3D 0;
     int ret =3D -1;
@@ -6541,7 +6561,7 @@ virQEMUCapsFillDomainOSCaps(virDomainCapsOS *os,
=20
     if (qemuFirmwareGetSupported(machine, arch, privileged, &autoFirmwares,
                                  &featureSecureBoot, &featureEnrolledKeys,
-                                 &secure,
+                                 &secure, &varstore,
                                  &firmwaresAlt, &nfirmwaresAlt) < 0)
         return -1;
=20
@@ -6568,6 +6588,9 @@ virQEMUCapsFillDomainOSCaps(virDomainCapsOS *os,
                                         firmwaresAlt ? nfirmwaresAlt : nfi=
rmwares) < 0)
         goto cleanup;
=20
+    if (virQEMUCapsFillDomainVarstoreCaps(capsVarstore, varstore, qemuCaps=
) < 0)
+        goto cleanup;
+
     ret =3D 0;
  cleanup:
     virFirmwareFreeList(firmwaresAlt, nfirmwaresAlt);
@@ -7289,6 +7312,7 @@ virQEMUCapsFillDomainCaps(virQEMUDriverConfig *cfg,
     }
=20
     if (virQEMUCapsFillDomainOSCaps(os,
+                                    qemuCaps,
                                     domCaps->machine,
                                     domCaps->arch,
                                     privileged,
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 72aae73dcb..60cc92e46a 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -2033,6 +2033,7 @@ qemuFirmwareFillDomain(virQEMUDriver *driver,
  * @featureSecureBoot: bitmap of virTristateBool values for secure-boot fe=
ature
  * @featureEnrolledKeys: bitmap of virTristateBool values for enrolled-key=
s feature
  * @secure: true if at least one secure boot enabled FW was found
+ * @varstore: true if at least one FW using varstore was found
  * @fws: (optional) list of found firmwares
  * @nfws: (optional) number of members in @fws
  *
@@ -2064,6 +2065,7 @@ qemuFirmwareGetSupported(const char *machine,
                          uint64_t *featureSecureBoot,
                          uint64_t *featureEnrolledKeys,
                          bool *secure,
+                         bool *varstore,
                          virFirmware ***fws,
                          size_t *nfws)
 {
@@ -2075,6 +2077,7 @@ qemuFirmwareGetSupported(const char *machine,
     *featureSecureBoot =3D VIR_TRISTATE_BOOL_ABSENT;
     *featureEnrolledKeys =3D VIR_TRISTATE_BOOL_ABSENT;
     *secure =3D false;
+    *varstore =3D false;
=20
     if (fws) {
         *fws =3D NULL;
@@ -2162,6 +2165,9 @@ qemuFirmwareGetSupported(const char *machine,
         case QEMU_FIRMWARE_DEVICE_MEMORY:
             fwpath =3D memory->filename;
             nvrampath =3D memory->template;
+
+            if (memory->template)
+                *varstore =3D true;
             break;
=20
         case QEMU_FIRMWARE_DEVICE_NONE:
diff --git a/src/qemu/qemu_firmware.h b/src/qemu/qemu_firmware.h
index 6789ec83f7..bcd3801da8 100644
--- a/src/qemu/qemu_firmware.h
+++ b/src/qemu/qemu_firmware.h
@@ -55,6 +55,7 @@ qemuFirmwareGetSupported(const char *machine,
                          uint64_t *featureSecureBoot,
                          uint64_t *featureEnrolledKeys,
                          bool *secure,
+                         bool *varstore,
                          virFirmware ***fws,
                          size_t *nfws);
=20
diff --git a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml b/tests=
/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
index b68767d7b3..1fff8c7fc7 100644
--- a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml b/tests/domain=
capsdata/qemu_10.0.0-q35.x86_64.xml
index 70da32ccf1..6c26e5b422 100644
--- a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml b/tests=
/domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml
index 6d2723f950..fb031b916e 100644
--- a/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64.xml b/tests/domain=
capsdata/qemu_10.0.0-tcg.x86_64.xml
index cbddffef6b..8a5348d2a8 100644
--- a/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_10.0.0-virt.aarch64.xml b/tests/doma=
incapsdata/qemu_10.0.0-virt.aarch64.xml
index bacd5665ad..97064ea009 100644
--- a/tests/domaincapsdata/qemu_10.0.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-virt.aarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0.aarch64.xml b/tests/domaincap=
sdata/qemu_10.0.0.aarch64.xml
index bacd5665ad..97064ea009 100644
--- a/tests/domaincapsdata/qemu_10.0.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0.aarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0.ppc64.xml b/tests/domaincapsd=
ata/qemu_10.0.0.ppc64.xml
index a913d20b3e..8082fb9556 100644
--- a/tests/domaincapsdata/qemu_10.0.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0.ppc64.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0.s390x.xml b/tests/domaincapsd=
ata/qemu_10.0.0.s390x.xml
index 22a4bee3fd..ca741192ba 100644
--- a/tests/domaincapsdata/qemu_10.0.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_10.0.0.s390x.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0.x86_64+amdsev.xml b/tests/dom=
aincapsdata/qemu_10.0.0.x86_64+amdsev.xml
index 7227638020..6a4ea003f7 100644
--- a/tests/domaincapsdata/qemu_10.0.0.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_10.0.0.x86_64+amdsev.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0.x86_64.xml b/tests/domaincaps=
data/qemu_10.0.0.x86_64.xml
index 38edf287f4..f12dd845ba 100644
--- a/tests/domaincapsdata/qemu_10.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml b/tes=
ts/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
index 1bca29f971..3537dd01f6 100644
--- a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64.xml b/tests/domain=
capsdata/qemu_10.1.0-q35.x86_64.xml
index c48ba4e218..e55d7d8ba6 100644
--- a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml b/tes=
ts/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
index e75c2e2234..4afecf627f 100644
--- a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64.xml b/tests/domain=
capsdata/qemu_10.1.0-tcg.x86_64.xml
index 50087d531f..b3c7bc60b5 100644
--- a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_10.1.0.s390x.xml b/tests/domaincapsd=
ata/qemu_10.1.0.s390x.xml
index 1b4ff5c35d..976943491e 100644
--- a/tests/domaincapsdata/qemu_10.1.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_10.1.0.s390x.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml b/tests/d=
omaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
index 5e2b2b47c6..7d33362f0e 100644
--- a/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.1.0.x86_64.xml b/tests/domaincaps=
data/qemu_10.1.0.x86_64.xml
index 8f7bff70f3..9cb65712a4 100644
--- a/tests/domaincapsdata/qemu_10.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.1.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0-q35.x86_64+mshv.xml b/tests/d=
omaincapsdata/qemu_10.2.0-q35.x86_64+mshv.xml
index 313e7c24a4..43fe2bff93 100644
--- a/tests/domaincapsdata/qemu_10.2.0-q35.x86_64+mshv.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-q35.x86_64+mshv.xml
@@ -35,6 +35,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0-q35.x86_64.xml b/tests/domain=
capsdata/qemu_10.2.0-q35.x86_64.xml
index 4955ad7ac5..2c1b38b4ec 100644
--- a/tests/domaincapsdata/qemu_10.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64+mshv.xml b/tests/d=
omaincapsdata/qemu_10.2.0-tcg.x86_64+mshv.xml
index cc3427cef7..771ef3a0f6 100644
--- a/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64+mshv.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64+mshv.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64.xml b/tests/domain=
capsdata/qemu_10.2.0-tcg.x86_64.xml
index 4c90f1d7be..f0e08907ff 100644
--- a/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_10.2.0-virt.aarch64.xml b/tests/doma=
incapsdata/qemu_10.2.0-virt.aarch64.xml
index 808cf0226e..fa1d3c490b 100644
--- a/tests/domaincapsdata/qemu_10.2.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-virt.aarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0.aarch64.xml b/tests/domaincap=
sdata/qemu_10.2.0.aarch64.xml
index 808cf0226e..fa1d3c490b 100644
--- a/tests/domaincapsdata/qemu_10.2.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0.aarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0.x86_64+mshv.xml b/tests/domai=
ncapsdata/qemu_10.2.0.x86_64+mshv.xml
index 84be18497b..87c35d229c 100644
--- a/tests/domaincapsdata/qemu_10.2.0.x86_64+mshv.xml
+++ b/tests/domaincapsdata/qemu_10.2.0.x86_64+mshv.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0.x86_64.xml b/tests/domaincaps=
data/qemu_10.2.0.x86_64.xml
index 013317b4f2..a838126991 100644
--- a/tests/domaincapsdata/qemu_10.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_11.0.0-q35.x86_64.xml b/tests/domain=
capsdata/qemu_11.0.0-q35.x86_64.xml
index cd4e05cdca..109f3ae0ae 100644
--- a/tests/domaincapsdata/qemu_11.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_11.0.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_11.0.0-tcg.x86_64.xml b/tests/domain=
capsdata/qemu_11.0.0-tcg.x86_64.xml
index 3d4d62ca95..0bfe92db7d 100644
--- a/tests/domaincapsdata/qemu_11.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_11.0.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_11.0.0-virt.aarch64.xml b/tests/doma=
incapsdata/qemu_11.0.0-virt.aarch64.xml
index 6c10d43386..db47c5ee98 100644
--- a/tests/domaincapsdata/qemu_11.0.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_11.0.0-virt.aarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_11.0.0.aarch64.xml b/tests/domaincap=
sdata/qemu_11.0.0.aarch64.xml
index 6c10d43386..db47c5ee98 100644
--- a/tests/domaincapsdata/qemu_11.0.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_11.0.0.aarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_11.0.0.x86_64.xml b/tests/domaincaps=
data/qemu_11.0.0.x86_64.xml
index f44fc12f90..29e15817c8 100644
--- a/tests/domaincapsdata/qemu_11.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_11.0.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_6.2.0-q35.x86_64.xml
index 4465574814..96dcc32019 100644
--- a/tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_6.2.0-tcg.x86_64.xml
index ba9ad68ad2..a92050ad5b 100644
--- a/tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_6.2.0.ppc64.xml b/tests/domaincapsda=
ta/qemu_6.2.0.ppc64.xml
index 9f3e6a7f3f..958d20e74c 100644
--- a/tests/domaincapsdata/qemu_6.2.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_6.2.0.ppc64.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_6.2.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_6.2.0.x86_64.xml
index d804bd64ce..eb347adce9 100644
--- a/tests/domaincapsdata/qemu_6.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_6.2.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_7.0.0-q35.x86_64.xml
index 40170cea50..0c3d00865e 100644
--- a/tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_7.0.0-tcg.x86_64.xml
index 6f424760a8..6b5dff857b 100644
--- a/tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_7.0.0.ppc64.xml b/tests/domaincapsda=
ta/qemu_7.0.0.ppc64.xml
index 604aa5e0ad..d6a6e75bec 100644
--- a/tests/domaincapsdata/qemu_7.0.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_7.0.0.ppc64.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.0.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_7.0.0.x86_64.xml
index a67e929551..c568ae3d80 100644
--- a/tests/domaincapsdata/qemu_7.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.0.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_7.1.0-q35.x86_64.xml
index 71c48d74dc..5e13f1f7fb 100644
--- a/tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_7.1.0-tcg.x86_64.xml
index 682137ec8d..f9114422bd 100644
--- a/tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_7.1.0.ppc64.xml b/tests/domaincapsda=
ta/qemu_7.1.0.ppc64.xml
index 399eeb3b18..0b3518a5a8 100644
--- a/tests/domaincapsdata/qemu_7.1.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_7.1.0.ppc64.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.1.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_7.1.0.x86_64.xml
index 966abb1b0a..f574894ad0 100644
--- a/tests/domaincapsdata/qemu_7.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.1.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml b/tests/dom=
aincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml
index c8d889287c..1fdde871f8 100644
--- a/tests/domaincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml
+++ b/tests/domaincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_7.2.0-q35.x86_64.xml
index 995ad7f220..b4c4153953 100644
--- a/tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml b/tests/dom=
aincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml
index 1bbd737021..989c3e274c 100644
--- a/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml
+++ b/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_7.2.0-tcg.x86_64.xml
index 1bbd737021..989c3e274c 100644
--- a/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_7.2.0.ppc.xml b/tests/domaincapsdata=
/qemu_7.2.0.ppc.xml
index 223387444c..b4bdf3b651 100644
--- a/tests/domaincapsdata/qemu_7.2.0.ppc.xml
+++ b/tests/domaincapsdata/qemu_7.2.0.ppc.xml
@@ -25,6 +25,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_7.2.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_7.2.0.x86_64.xml
index be0ee62910..6efa244ffa 100644
--- a/tests/domaincapsdata/qemu_7.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.2.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.0.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_8.0.0-q35.x86_64.xml
index f225cf0a8e..70a3b9c7d7 100644
--- a/tests/domaincapsdata/qemu_8.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.0.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.0.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_8.0.0-tcg.x86_64.xml
index e770746f74..0010cfa60e 100644
--- a/tests/domaincapsdata/qemu_8.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.0.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_8.0.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_8.0.0.x86_64.xml
index 4c8a36eeb0..ac8c8980e7 100644
--- a/tests/domaincapsdata/qemu_8.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.0.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.1.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_8.1.0-q35.x86_64.xml
index 5d08abbe3b..e9d807828a 100644
--- a/tests/domaincapsdata/qemu_8.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.1.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.1.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_8.1.0-tcg.x86_64.xml
index ea506799bf..e834e3eb82 100644
--- a/tests/domaincapsdata/qemu_8.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.1.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_8.1.0.s390x.xml b/tests/domaincapsda=
ta/qemu_8.1.0.s390x.xml
index 4237262f31..37417ec648 100644
--- a/tests/domaincapsdata/qemu_8.1.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_8.1.0.s390x.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.1.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_8.1.0.x86_64.xml
index bab985379c..5de8bc1cd8 100644
--- a/tests/domaincapsdata/qemu_8.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.1.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_8.2.0-q35.x86_64.xml
index c5c08d8fd1..a2f9591382 100644
--- a/tests/domaincapsdata/qemu_8.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0-tcg-virt.loongarch64.xml b/tes=
ts/domaincapsdata/qemu_8.2.0-tcg-virt.loongarch64.xml
index 6228916208..1625ddf4e0 100644
--- a/tests/domaincapsdata/qemu_8.2.0-tcg-virt.loongarch64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0-tcg-virt.loongarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_8.2.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_8.2.0-tcg.x86_64.xml
index da3121b8de..ac1c1b840e 100644
--- a/tests/domaincapsdata/qemu_8.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_8.2.0-virt.aarch64.xml b/tests/domai=
ncapsdata/qemu_8.2.0-virt.aarch64.xml
index c1dceda12d..420fbedd72 100644
--- a/tests/domaincapsdata/qemu_8.2.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0-virt.aarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0-virt.loongarch64.xml b/tests/d=
omaincapsdata/qemu_8.2.0-virt.loongarch64.xml
index 8206dc0486..af75894ff1 100644
--- a/tests/domaincapsdata/qemu_8.2.0-virt.loongarch64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0-virt.loongarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0.aarch64.xml b/tests/domaincaps=
data/qemu_8.2.0.aarch64.xml
index c1dceda12d..420fbedd72 100644
--- a/tests/domaincapsdata/qemu_8.2.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0.aarch64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0.armv7l.xml b/tests/domaincapsd=
ata/qemu_8.2.0.armv7l.xml
index b64779c84a..a1ad0529e5 100644
--- a/tests/domaincapsdata/qemu_8.2.0.armv7l.xml
+++ b/tests/domaincapsdata/qemu_8.2.0.armv7l.xml
@@ -25,6 +25,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0.s390x.xml b/tests/domaincapsda=
ta/qemu_8.2.0.s390x.xml
index 9f92c3c192..84be7cd967 100644
--- a/tests/domaincapsdata/qemu_8.2.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_8.2.0.s390x.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_8.2.0.x86_64.xml
index 83ea8565d8..e423689076 100644
--- a/tests/domaincapsdata/qemu_8.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.0.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_9.0.0-q35.x86_64.xml
index a4521f150e..2851138ffe 100644
--- a/tests/domaincapsdata/qemu_9.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.0.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.0.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_9.0.0-tcg.x86_64.xml
index 00d3e1b8d1..253bed40ed 100644
--- a/tests/domaincapsdata/qemu_9.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.0.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_9.0.0.sparc.xml b/tests/domaincapsda=
ta/qemu_9.0.0.sparc.xml
index 7eb384d512..f999c8ed71 100644
--- a/tests/domaincapsdata/qemu_9.0.0.sparc.xml
+++ b/tests/domaincapsdata/qemu_9.0.0.sparc.xml
@@ -25,6 +25,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.0.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_9.0.0.x86_64.xml
index d61070b968..2316859d5b 100644
--- a/tests/domaincapsdata/qemu_9.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.0.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.1.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_9.1.0-q35.x86_64.xml
index 226aad41b2..1cf269504c 100644
--- a/tests/domaincapsdata/qemu_9.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.1.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.1.0-tcg-virt.riscv64.xml b/tests/d=
omaincapsdata/qemu_9.1.0-tcg-virt.riscv64.xml
index c32d4380aa..85dffd3455 100644
--- a/tests/domaincapsdata/qemu_9.1.0-tcg-virt.riscv64.xml
+++ b/tests/domaincapsdata/qemu_9.1.0-tcg-virt.riscv64.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_9.1.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_9.1.0-tcg.x86_64.xml
index d18c62d268..76b2707b9c 100644
--- a/tests/domaincapsdata/qemu_9.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.1.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_9.1.0-virt.riscv64.xml b/tests/domai=
ncapsdata/qemu_9.1.0-virt.riscv64.xml
index 7a013e77c4..c052b8329b 100644
--- a/tests/domaincapsdata/qemu_9.1.0-virt.riscv64.xml
+++ b/tests/domaincapsdata/qemu_9.1.0-virt.riscv64.xml
@@ -31,6 +31,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.1.0.s390x.xml b/tests/domaincapsda=
ta/qemu_9.1.0.s390x.xml
index e26cab26f3..bc62fdfaa4 100644
--- a/tests/domaincapsdata/qemu_9.1.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_9.1.0.s390x.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.1.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_9.1.0.x86_64.xml
index a27712673a..baaa17f68d 100644
--- a/tests/domaincapsdata/qemu_9.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.1.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0-hvf.aarch64+hvf.xml b/tests/do=
maincapsdata/qemu_9.2.0-hvf.aarch64+hvf.xml
index 06bb829a2a..f998177636 100644
--- a/tests/domaincapsdata/qemu_9.2.0-hvf.aarch64+hvf.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-hvf.aarch64+hvf.xml
@@ -32,6 +32,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml b/tests/=
domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml
index aac1d4d923..a21c69e416 100644
--- a/tests/domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0-q35.x86_64.xml b/tests/domainc=
apsdata/qemu_9.2.0-q35.x86_64.xml
index ef6ee01d00..df0d995276 100644
--- a/tests/domaincapsdata/qemu_9.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-q35.x86_64.xml
@@ -36,6 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml b/tests/=
domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml
index 0ec1a9900d..2b860a23ca 100644
--- a/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64.xml b/tests/domainc=
apsdata/qemu_9.2.0-tcg.x86_64.xml
index c8a0da3d22..24113a3514 100644
--- a/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'no'/>
diff --git a/tests/domaincapsdata/qemu_9.2.0.s390x.xml b/tests/domaincapsda=
ta/qemu_9.2.0.s390x.xml
index e00d7efd99..bba9ce7558 100644
--- a/tests/domaincapsdata/qemu_9.2.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_9.2.0.s390x.xml
@@ -26,6 +26,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0.x86_64+amdsev.xml b/tests/doma=
incapsdata/qemu_9.2.0.x86_64+amdsev.xml
index d6e3f8dc12..f12c89f40b 100644
--- a/tests/domaincapsdata/qemu_9.2.0.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_9.2.0.x86_64+amdsev.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0.x86_64.xml b/tests/domaincapsd=
ata/qemu_9.2.0.x86_64.xml
index 89e081a0e1..529415bcb4 100644
--- a/tests/domaincapsdata/qemu_9.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.2.0.x86_64.xml
@@ -33,6 +33,7 @@
         <value>no</value>
       </enum>
     </loader>
+    <varstore supported=3D'no'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c
index e09f50592b..ee585b67d2 100644
--- a/tests/qemufirmwaretest.c
+++ b/tests/qemufirmwaretest.c
@@ -143,6 +143,7 @@ struct supportedData {
     const char *machine;
     virArch arch;
     bool secure;
+    bool varstore;
     const char *fwlist;
     unsigned int *interfaces;
     size_t ninterfaces;
@@ -158,6 +159,7 @@ testSupportedFW(const void *opaque)
     uint64_t actualFeatureSecureBoot;
     uint64_t actualFeatureEnrolledKeys;
     bool actualSecure;
+    bool actualVarstore;
     virFirmware **expFWs =3D NULL;
     size_t nexpFWs =3D 0;
     virFirmware **actFWs =3D NULL;
@@ -187,7 +189,8 @@ testSupportedFW(const void *opaque)
                                  &actualInterfaces,
                                  &actualFeatureSecureBoot,
                                  &actualFeatureEnrolledKeys,
-                                 &actualSecure, &actFWs, &nactFWs) < 0) {
+                                 &actualSecure, &actualVarstore,
+                                 &actFWs, &nactFWs) < 0) {
         fprintf(stderr, "Unable to get list of supported interfaces\n");
         goto cleanup;
     }
@@ -208,6 +211,14 @@ testSupportedFW(const void *opaque)
         goto cleanup;
     }
=20
+    if (actualVarstore !=3D data->varstore) {
+        fprintf(stderr,
+                "Mismatch in varstore support. "
+                "Expected %d got %d\n",
+                data->varstore, actualVarstore);
+        goto cleanup;
+    }
+
     for (i =3D 0; i < nactFWs; i++) {
         virFirmware *actFW =3D actFWs[i];
         virFirmware *expFW =3D NULL;
@@ -295,26 +306,26 @@ mymain(void)
     /* The @fwlist contains pairs of ${FW}:${NVRAM}. If there's
      * no NVRAM expected pass literal "NULL" and test fixes that
      * later. */
-#define DO_SUPPORTED_TEST(machine, arch, secure, fwlist, ...) \
+#define DO_SUPPORTED_TEST(machine, arch, secure, varstore, fwlist, ...) \
     do { \
         unsigned int interfaces[] =3D {__VA_ARGS__}; \
-        struct supportedData data =3D {machine, arch, secure, fwlist, \
+        struct supportedData data =3D {machine, arch, secure, varstore, fw=
list, \
                                      interfaces, G_N_ELEMENTS(interfaces)}=
; \
         if (virTestRun("QEMU FW SUPPORTED " machine " " #arch, \
                        testSupportedFW, &data) < 0) \
             ret =3D -1; \
     } while (0)
=20
-    DO_SUPPORTED_TEST("pc-i440fx-3.1", VIR_ARCH_X86_64, false,
+    DO_SUPPORTED_TEST("pc-i440fx-3.1", VIR_ARCH_X86_64, false, false,
                       "/usr/share/seabios/bios-256k.bin:NULL:"
                       "/usr/share/edk2/ovmf/OVMF_CODE_4M.qcow2:/usr/share/=
edk2/ovmf/OVMF_VARS_4M.qcow2:"
                       "/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/o=
vmf/OVMF_VARS.fd",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS,
                       VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
-    DO_SUPPORTED_TEST("pc-i440fx-3.1", VIR_ARCH_I686, false,
+    DO_SUPPORTED_TEST("pc-i440fx-3.1", VIR_ARCH_I686, false, false,
                       "/usr/share/seabios/bios-256k.bin:NULL",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS);
-    DO_SUPPORTED_TEST("pc-q35-3.1", VIR_ARCH_X86_64, true,
+    DO_SUPPORTED_TEST("pc-q35-3.1", VIR_ARCH_X86_64, true, false,
                       "/usr/share/seabios/bios-256k.bin:NULL:"
                       "/usr/share/edk2/ovmf/OVMF_CODE_4M.secboot.qcow2:/us=
r/share/edk2/ovmf/OVMF_VARS_4M.secboot.qcow2:"
                       "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd:/usr/shar=
e/edk2/ovmf/OVMF_VARS.secboot.fd:"
@@ -327,19 +338,19 @@ mymain(void)
                       "/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd:NULL",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS,
                       VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
-    DO_SUPPORTED_TEST("pc-q35-3.1", VIR_ARCH_I686, false,
+    DO_SUPPORTED_TEST("pc-q35-3.1", VIR_ARCH_I686, false, false,
                       "/usr/share/seabios/bios-256k.bin:NULL",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS);
-    DO_SUPPORTED_TEST("microvm", VIR_ARCH_X86_64, false,
+    DO_SUPPORTED_TEST("microvm", VIR_ARCH_X86_64, false, false,
                       "/usr/share/edk2/ovmf/MICROVM.fd:NULL",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
-    DO_SUPPORTED_TEST("virt-3.1", VIR_ARCH_AARCH64, false,
+    DO_SUPPORTED_TEST("virt-3.1", VIR_ARCH_AARCH64, false, false,
                       "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow=
2:/usr/share/edk2/aarch64/vars-template-pflash.qcow2:"
                       "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw:=
/usr/share/edk2/aarch64/vars-template-pflash.raw:"
                       "/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2:/usr/=
share/edk2/aarch64/vars-template-pflash.qcow2:"
                       "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw:/usr/sh=
are/edk2/aarch64/vars-template-pflash.raw",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
-    DO_SUPPORTED_TEST("virt", VIR_ARCH_RISCV64, false,
+    DO_SUPPORTED_TEST("virt", VIR_ARCH_RISCV64, false, false,
                       "/usr/share/edk2/riscv/RISCV_VIRT_CODE.qcow2:/usr/sh=
are/edk2/riscv/RISCV_VIRT_VARS.qcow2",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
=20
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872767; cv=none;
	d=zohomail.com; s=zohoarc;
	b=V+sONmaC3FrrHzhwwctZBZ2MtkCCB4/FUeW7gYW6RX4AxhdyFR7kVwAukBu34W4ZbRZdOPYzq5HOltxC7d4VGiFWA7i3b6sYDOaOrt6n6LNSTHc56oooRbjs1Trhp9Q61oYTbCJBSQ6tEBDe+Ls7hIzu20BheHZ/nchOf95MlAU=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872767;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=2XCv1LcfWJe0MrDkKYMDkOVwhpxPmGYQzNYUBNapJCw=;
	b=jKphEqxLtojJS53tyelaaCDfXBfmZzOkhVq92LxLfgnt6l+cFxclE5Rfmqzlo7T/wZzvlU1pFoqDQYjSnN4HAeR7AGEqxxHeUD/fIBpigT0D7WA+cGQvcEHKcFS4y8CnaJS8DBx0kaDBZ0qYaOhr8JpsO4bQvjuChVlThe6oKl8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872767282124.48409246840879;
 Mon, 23 Feb 2026 10:52:47 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 69A2B419C0; Mon, 23 Feb 2026 13:52:46 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 18E3A44042;
	Mon, 23 Feb 2026 13:36:34 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 5367241A4F; Mon, 23 Feb 2026 13:36:22 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 98897419FE
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:12 -0500 (EST)
Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-79-NIrALWpGM9aOC4n7jUbCIA-1; Mon,
 23 Feb 2026 13:32:11 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 73E5E1955E7E
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:09 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 4D79E195419E
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:06 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871532;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=2XCv1LcfWJe0MrDkKYMDkOVwhpxPmGYQzNYUBNapJCw=;
	b=A7E6qIwxCLNKGL8zD5NOAU3+DPU3mm6nBZJTdhXdn+hYllegCZ7tfwSBgl8vVXEFrxaNj0
	dBi4tdAQfygNTTef4cxO8Bt6RR/oevKD4fxQEKJvZd+E4G/asWr22LTEg0+Fjs5na9yb/o
	ecBNXhDlhdOYSX8HFxkZXgfIsfBwffI=
X-MC-Unique: NIrALWpGM9aOC4n7jUbCIA-1
X-Mimecast-MFC-AGG-ID: NIrALWpGM9aOC4n7jUbCIA_1771871530
To: devel@lists.libvirt.org
Subject: [PATCH v4 23/36] qemu_firmware: Use of NVRAM implies stateful
 firmware
Date: Mon, 23 Feb 2026 19:31:06 +0100
Message-ID: <20260223183119.501349-24-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: nY1qrDMakdPr283bda6VJd9agsu0P2NrZ148TsuEQB4_1771871530
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 2LEGZMGNQL7PDNNMUU3VR3OYSDZCN2PZ
X-Message-ID-Hash: 2LEGZMGNQL7PDNNMUU3VR3OYSDZCN2PZ
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/2LEGZMGNQL7PDNNMUU3VR3OYSDZCN2PZ/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872767600158500

Currently we only look at the value for the stateless attribute
itself when matching, but the <nvram> element being included in
the input XML is likewise a clear sign that a stateless firmware
build will not satisfy the user's requirements.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 60cc92e46a..1851ed4a80 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1288,13 +1288,19 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
         /* Explicit requests for either a stateless or stateful
          * firmware should be fulfilled, but if no preference is
          * provided either one is fine as long as the other match
-         * criteria are satisfied */
+         * criteria are satisfied. NVRAM implies stateful */
         if (loader &&
             loader->stateless =3D=3D VIR_TRISTATE_BOOL_NO &&
             flash->mode =3D=3D QEMU_FIRMWARE_FLASH_MODE_STATELESS) {
             VIR_DEBUG("Discarding stateless loader");
             return false;
         }
+        if (loader &&
+            loader->nvram &&
+            flash->mode =3D=3D QEMU_FIRMWARE_FLASH_MODE_STATELESS) {
+            VIR_DEBUG("Discarding stateless loader");
+            return false;
+        }
         if (loader &&
             loader->stateless =3D=3D VIR_TRISTATE_BOOL_YES &&
             flash->mode !=3D QEMU_FIRMWARE_FLASH_MODE_STATELESS) {
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872914; cv=none;
	d=zohomail.com; s=zohoarc;
	b=WErs/O/ZDteAwcc9ReRuSze0z5tvQwBpfMMFrGzNuJm+qxRkut56T5FZCA4Rk0VHMI/Augpjjx2VTaKbSPrKnWsDxBgMUUeu6ES8MW2jFIP5g/gs/fw04DH1px0PRb6/niGysxWZxDJKo2HXuqgTTbhm0XPkyUs4ojLtP3Kinvw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872914;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=3NTK+Kyww/LUlrGj2YaBSOhSkwWlyJkCz0H/5X7jxls=;
	b=ZCCTlVSbPt8SyKLcZ9VcTEU4MR91CZCw+feKbZHiP2NpKd/3un4OzjMbvMzubVyvPgMlQqbagUHAQHtatSopFvzqPGanYKPGyvxILOq+ZjoIGe5riIQG524TrhR2GIFocasujHuWkffRGG0GLHB3Kw7JNmh2oKTaydCpbsnwbiU=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872914011198.8444695462864;
 Mon, 23 Feb 2026 10:55:14 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 33CE141C69; Mon, 23 Feb 2026 13:55:13 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id B364C4411C;
	Mon, 23 Feb 2026 13:36:40 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 36FE441A9D; Mon, 23 Feb 2026 13:36:23 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 2CA6241BDA
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:17 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-75-EZ3e8w_QPly0zVp-vcVgdA-1; Mon,
 23 Feb 2026 13:32:15 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 73CED1828AC6
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:09 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 0E55519541AA
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:07 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871536;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=3NTK+Kyww/LUlrGj2YaBSOhSkwWlyJkCz0H/5X7jxls=;
	b=TQx6EDHJiVhgyxO7ZbikFIldQxI7Qypek1IRD5v9gq6J2wGBdKmtH+g6Mo4HQtgIc/CVDE
	9aDElUODh/pjKpZf0ySD7FDQm6ExyCL0819V9IOczYJMxqIynnFffsydY4bSPNjUsqaFTX
	MoBZEvsrPs25fks0ylykGMIpNC3NEvo=
X-MC-Unique: EZ3e8w_QPly0zVp-vcVgdA-1
X-Mimecast-MFC-AGG-ID: EZ3e8w_QPly0zVp-vcVgdA_1771871534
To: devel@lists.libvirt.org
Subject: [PATCH v4 24/36] qemu_firmware: Allow matching stateful ROMs
Date: Mon, 23 Feb 2026 19:31:07 +0100
Message-ID: <20260223183119.501349-25-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: dvrusUFNvT5EZA46pHv4Ha2H0ohEJXofkUaWQrByfCI_1771871534
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: FRQ7NJ3PDW4C3BTZCH4EXGPINCSRQ7KK
X-Message-ID-Hash: FRQ7NJ3PDW4C3BTZCH4EXGPINCSRQ7KK
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/FRQ7NJ3PDW4C3BTZCH4EXGPINCSRQ7KK/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872914569158500

Stateful ROMs are those that use the uefi-vars QEMU device to
implement access to UEFI variable storage.

Matching works much the same as it does for pflash-based
firmware images. Notably, the <varstore> element is only
allowed for ROM and the <nvram> element is only allowed for
pflash.

The firmware-auto-efi-varstore-q35 and
firmware-auto-efi-varstore-aarch64 fail in a different way
after this change: the input XML is now considered valid, and
the only remaining issue is that the firmware autoselection
process is unable to find a match.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c                      | 40 +++++++++++++++++--
 ...to-efi-varstore-aarch64.aarch64-latest.err |  2 +-
 ...to-efi-varstore-aarch64.aarch64-latest.xml | 28 +++++++++++++
 ...re-auto-efi-varstore-q35.x86_64-latest.err |  2 +-
 ...re-auto-efi-varstore-q35.x86_64-latest.xml | 36 +++++++++++++++++
 tests/qemuxmlconftest.c                       |  4 +-
 6 files changed, 104 insertions(+), 8 deletions(-)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch6=
4.aarch64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x8=
6_64-latest.xml

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 1851ed4a80..60635b559f 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -893,15 +893,18 @@ qemuFirmwareMatchesMachineArch(const qemuFirmware *fw,
  * qemuFirmwareMatchesPaths:
  * @fw: firmware definition
  * @loader: loader definition
+ * @varstore: varstore definition
  *
  * Checks whether @fw is compatible with the information provided as
  * part of the domain definition.
  *
- * Returns: true if @fw is compatible with @loader, false otherwise
+ * Returns: true if @fw is compatible with @loader and @varstore,
+ *          false otherwise
  */
 static bool
 qemuFirmwareMatchesPaths(const qemuFirmware *fw,
-                         const virDomainLoaderDef *loader)
+                         const virDomainLoaderDef *loader,
+                         const virDomainVarstoreDef *varstore)
 {
     const qemuFirmwareMappingFlash *flash =3D &fw->mapping.data.flash;
     const qemuFirmwareMappingMemory *memory =3D &fw->mapping.data.memory;
@@ -922,6 +925,9 @@ qemuFirmwareMatchesPaths(const qemuFirmware *fw,
         if (loader && loader->path &&
             !virFileComparePaths(loader->path, memory->filename))
             return false;
+        if (varstore && varstore->template &&
+            !virFileComparePaths(varstore->template, memory->template))
+            return false;
         break;
     case QEMU_FIRMWARE_DEVICE_NONE:
     case QEMU_FIRMWARE_DEVICE_LAST:
@@ -1112,6 +1118,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
                         const char *path)
 {
     const virDomainLoaderDef *loader =3D def->os.loader;
+    const virDomainVarstoreDef *varstore =3D def->os.varstore;
     size_t i;
     qemuFirmwareOSInterface want;
     bool wantUEFI =3D false;
@@ -1166,7 +1173,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
         return false;
     }
=20
-    if (!qemuFirmwareMatchesPaths(fw, def->os.loader)) {
+    if (!qemuFirmwareMatchesPaths(fw, def->os.loader, def->os.varstore)) {
         VIR_DEBUG("No matching path in '%s'", path);
         return false;
     }
@@ -1279,6 +1286,9 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
     if (fw->mapping.device =3D=3D QEMU_FIRMWARE_DEVICE_FLASH) {
         const qemuFirmwareMappingFlash *flash =3D &fw->mapping.data.flash;
=20
+        if (varstore)
+            return false;
+
         if (loader && loader->type &&
             loader->type !=3D VIR_DOMAIN_LOADER_TYPE_PFLASH) {
             VIR_DEBUG("Discarding flash loader");
@@ -1377,16 +1387,38 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
             }
         }
     } else if (fw->mapping.device =3D=3D QEMU_FIRMWARE_DEVICE_MEMORY) {
+        const qemuFirmwareMappingMemory *memory =3D &fw->mapping.data.memo=
ry;
+
+        if (loader && loader->nvram)
+            return false;
+
         if (loader && loader->type &&
             loader->type !=3D VIR_DOMAIN_LOADER_TYPE_ROM) {
             VIR_DEBUG("Discarding rom loader");
             return false;
         }
=20
-        if (loader && loader->stateless =3D=3D VIR_TRISTATE_BOOL_NO) {
+        /* Explicit requests for either a stateless or stateful
+         * firmware should be fulfilled, but if no preference is
+         * provided either one is fine as long as the other match
+         * criteria are satisfied. varstore implies stateful */
+        if (loader &&
+            loader->stateless =3D=3D VIR_TRISTATE_BOOL_NO &&
+            !memory->template) {
+            VIR_DEBUG("Discarding stateless loader");
+            return false;
+        }
+        if (varstore &&
+            !memory->template) {
             VIR_DEBUG("Discarding stateless loader");
             return false;
         }
+        if (loader &&
+            loader->stateless =3D=3D VIR_TRISTATE_BOOL_YES &&
+            memory->template) {
+            VIR_DEBUG("Discarding non-stateless loader");
+            return false;
+        }
=20
         if (loader && loader->readonly =3D=3D VIR_TRISTATE_BOOL_NO) {
             VIR_DEBUG("Discarding readonly loader");
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch=
64-latest.err b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aa=
rch64-latest.err
index b45d304221..3edb2b3451 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.err
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.err
@@ -1 +1 @@
-Only one of NVRAM/varstore can be used
+operation failed: Unable to find 'efi' firmware that is compatible with th=
e current configuration
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch=
64-latest.xml b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aa=
rch64-latest.xml
new file mode 100644
index 0000000000..b0fa092509
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.xml
@@ -0,0 +1,28 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <currentMemory unit=3D'KiB'>1048576</currentMemory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os firmware=3D'efi'>
+    <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
+    <loader format=3D'raw'/>
+    <varstore/>
+    <boot dev=3D'hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <gic version=3D'2'/>
+  </features>
+  <clock offset=3D'utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-aarch64</emulator>
+    <controller type=3D'usb' index=3D'0' model=3D'none'/>
+    <controller type=3D'pci' index=3D'0' model=3D'pcie-root'/>
+    <audio id=3D'1' type=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-la=
test.err b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-late=
st.err
index b45d304221..3edb2b3451 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.err
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.err
@@ -1 +1 @@
-Only one of NVRAM/varstore can be used
+operation failed: Unable to find 'efi' firmware that is compatible with th=
e current configuration
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-la=
test.xml b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-late=
st.xml
new file mode 100644
index 0000000000..c4d70c9fc5
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.xml
@@ -0,0 +1,36 @@
+<domain type=3D'kvm'>
+  <name>guest</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit=3D'KiB'>1048576</memory>
+  <currentMemory unit=3D'KiB'>1048576</currentMemory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os firmware=3D'efi'>
+    <type arch=3D'x86_64' machine=3D'pc-q35-8.2'>hvm</type>
+    <loader format=3D'raw'/>
+    <varstore/>
+    <boot dev=3D'hd'/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <cpu mode=3D'custom' match=3D'exact' check=3D'none'>
+    <model fallback=3D'forbid'>qemu64</model>
+  </cpu>
+  <clock offset=3D'utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <controller type=3D'usb' index=3D'0' model=3D'none'/>
+    <controller type=3D'sata' index=3D'0'>
+      <address type=3D'pci' domain=3D'0x0000' bus=3D'0x00' slot=3D'0x1f' f=
unction=3D'0x2'/>
+    </controller>
+    <controller type=3D'pci' index=3D'0' model=3D'pcie-root'/>
+    <input type=3D'mouse' bus=3D'ps2'/>
+    <input type=3D'keyboard' bus=3D'ps2'/>
+    <audio id=3D'1' type=3D'none'/>
+    <watchdog model=3D'itco' action=3D'reset'/>
+    <memballoon model=3D'none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index ca00dc96f0..43e994fc93 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1673,8 +1673,8 @@ mymain(void)
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-file");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-network-nbd");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-network-iscsi");
-    DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-varstore-q35");
-    DO_TEST_CAPS_ARCH_LATEST_PARSE_ERROR("firmware-auto-efi-varstore-aarch=
64", "aarch64");
+    DO_TEST_CAPS_LATEST_FAILURE("firmware-auto-efi-varstore-q35");
+    DO_TEST_CAPS_ARCH_LATEST_FAILURE("firmware-auto-efi-varstore-aarch64",=
 "aarch64");
=20
     DO_TEST_CAPS_LATEST("firmware-auto-efi-format-loader-qcow2");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-format-loader-qcow2=
-rom");
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872802; cv=none;
	d=zohomail.com; s=zohoarc;
	b=RKEsPdtCSTJvCg0se0Dc6OyCvhWRy9PJJFN09ni4XWGumc+ZXFr0u3Ajaozh7ohv9guNk+Qyp2fPycLFlnXPIg2Obu6xAPwQ2iEmtFpKhreY+ih1pJUFd82td/qKaa6D3wmYSPSDfaSQfmMsnF19Rbd4humRbU3SDC3tNU/87K0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872802;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=xJy8f6tZV4a2dqxHUpkVgECenTwiyfPioFiRq9NVo/0=;
	b=CuUNBTPnel1GNp0fn+DZuMuLBc9tz3heWEPI0Nvt2sRvKsbgVtNwRvyW4qXLXdn3xPgcaIGAfxfTx3po03/3Ps4sCf4U0dFEVRSKm1Rl5xuT4pFASYxf53lybkT0oMUvDwq7a4aZSmpkTOoNj3ZvNp31O2VosIRuve6jQK3tHC4=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 17718728024542.210815371012359;
 Mon, 23 Feb 2026 10:53:22 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 9164941B65; Mon, 23 Feb 2026 13:53:21 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 7349644022;
	Mon, 23 Feb 2026 13:36:36 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id C1FB041A9D; Mon, 23 Feb 2026 13:36:22 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 7857041A0A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:15 -0500 (EST)
Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-203-JqmxQ3puP7uJIt6irAyPag-1; Mon,
 23 Feb 2026 13:32:13 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id AF38A195609E
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:10 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 90BC81955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:09 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871535;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=xJy8f6tZV4a2dqxHUpkVgECenTwiyfPioFiRq9NVo/0=;
	b=U19B3TVHuUE9FVlMrVcuzE41s8eBaxFghWfqRZCGtxjr62mTd8QFry921ZlkYoeIKHbrNT
	V67E8tkTDgdC7Ln9iHrb1rZZW0GWUyPLupK0VcK4FVHaOBLVyPG6ZPAapAitVJL3PcCu7h
	7m4FEciZr2utFRYVc8MxdrNNjUk36yI=
X-MC-Unique: JqmxQ3puP7uJIt6irAyPag-1
X-Mimecast-MFC-AGG-ID: JqmxQ3puP7uJIt6irAyPag_1771871533
To: devel@lists.libvirt.org
Subject: [PATCH v4 25/36] qemu_firmware: Fill in varstore information
Date: Mon, 23 Feb 2026 19:31:08 +0100
Message-ID: <20260223183119.501349-26-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: XCgnKA_qa8hlKwmEOu-z8ZxTeQ2UGKECue-L0DN9hI0_1771871533
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: HTSA3YSLCFLMZAHKIWBPSJNM2OGEM3XO
X-Message-ID-Hash: HTSA3YSLCFLMZAHKIWBPSJNM2OGEM3XO
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/HTSA3YSLCFLMZAHKIWBPSJNM2OGEM3XO/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872803768158500

If the matching firmware requires the use of varstore, we
have to bubble up information about it, namely the path to
the template. If the struct member doesn't exist yet, we need
to allocate it.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 60635b559f..5a07e3181f 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1492,6 +1492,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
     const qemuFirmwareMappingFlash *flash =3D &fw->mapping.data.flash;
     const qemuFirmwareMappingMemory *memory =3D &fw->mapping.data.memory;
     virDomainLoaderDef *loader =3D NULL;
+    virDomainVarstoreDef *varstore =3D NULL;
     virStorageFileFormat format;
     bool hasSecureBoot =3D false;
     bool hasEnrolledKeys =3D false;
@@ -1552,8 +1553,17 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
         VIR_FREE(loader->path);
         loader->path =3D g_strdup(memory->filename);
=20
-        VIR_DEBUG("decided on loader '%s'",
-                  loader->path);
+        if (memory->template) {
+            if (!def->os.varstore)
+                def->os.varstore =3D virDomainVarstoreDefNew();
+            varstore =3D def->os.varstore;
+
+            VIR_FREE(varstore->template);
+            varstore->template =3D g_strdup(memory->template);
+        }
+
+        VIR_DEBUG("decided on loader '%s' template '%s'",
+                  loader->path, NULLSTR(varstore ? varstore->template : NU=
LL));
         break;
=20
     case QEMU_FIRMWARE_DEVICE_NONE:
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872851; cv=none;
	d=zohomail.com; s=zohoarc;
	b=U5yqawl7uczvoPHkjqdO3IzdDVHKRtBXJABQRGHKkYGxPXA1UfIxtnU3rRulrwE/1rq4GanN3nkhbIyxyB+XqTQLwXmapIJxFboQ6cgoF90eQVakic/tn6B/Uc2Jzvg41r7QVJOyHxlry9V0Kk4U9pEIfUgDHKQRNFCTltp06Yo=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872851;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=aWGBSi56k4EZYsiqFJUVEqVFYzkPYmLt+/dzf3hH/bc=;
	b=KvyKPLcIzUahN7QWsd/rik57SP2TLghK/wi3HYU1kuHIXZL1nJwR498jYfwt2PfQFTZZI9B48j4sdy14WvZMxCrYALVjQy/I7/FktnMX940141E7+YW8g5lU2oDAdaeU6jYD6ZhKLccetYZlRrsKuVp6WFt8Kk4avGMvSwmzTmQ=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872851206823.5287275168017;
 Mon, 23 Feb 2026 10:54:11 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 5F43341BA0; Mon, 23 Feb 2026 13:54:10 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 7A910440C5;
	Mon, 23 Feb 2026 13:36:38 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 0509A41B54; Mon, 23 Feb 2026 13:36:23 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 2C8ED41A7F
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:16 -0500 (EST)
Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-217-OWVyJyOhO-id93AZhl6m-g-1; Mon,
 23 Feb 2026 13:32:14 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id B1E401956069
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:12 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 7C2AC1920D5C
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:10 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871535;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=aWGBSi56k4EZYsiqFJUVEqVFYzkPYmLt+/dzf3hH/bc=;
	b=AEBJL6AJFbM24hELiQiCejzybnN2sF35EAXUJZG+Hty4MRxIDhrXi+NujVmx/y311nDMvL
	liWZvqOjcrAxhh6Mp2qgupqVjxg42PeSeTj6xNwPqCVXrSkhxTVfgMlgDea2EtAHaQb/ar
	LrlzcbgX4g1WLj+KfTSRwFd9hy4oCu4=
X-MC-Unique: OWVyJyOhO-id93AZhl6m-g-1
X-Mimecast-MFC-AGG-ID: OWVyJyOhO-id93AZhl6m-g_1771871533
To: devel@lists.libvirt.org
Subject: [PATCH v4 26/36] qemu: Introduce varstoreDir
Date: Mon, 23 Feb 2026 19:31:09 +0100
Message-ID: <20260223183119.501349-27-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 6u6DMnXOHM6FVw81CvOw2kVWwm5hniAoTEi9Ja3kLmo_1771871533
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: O6UNACGMTS7JJK76VDQEQAUNHEV5ZA5C
X-Message-ID-Hash: O6UNACGMTS7JJK76VDQEQAUNHEV5ZA5C
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/O6UNACGMTS7JJK76VDQEQAUNHEV5ZA5C/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872852053158500

This is the same as the existing nvramDir, except it will be
used to store the files used with the uefi-vars QEMU device.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 libvirt.spec.in        |  1 +
 src/qemu/meson.build   |  1 +
 src/qemu/qemu_conf.c   |  4 ++++
 src/qemu/qemu_conf.h   |  1 +
 src/qemu/qemu_driver.c | 12 ++++++++++++
 tests/testutilsqemu.c  |  2 ++
 6 files changed, 21 insertions(+)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 0ba7bf4197..00316a03f2 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -2349,6 +2349,7 @@ exit 0
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvir=
t/qemu/ram/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvir=
t/qemu/save/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvir=
t/qemu/snapshot/
+%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvir=
t/qemu/varstore/
 %dir %attr(0750, root, root) %{_localstatedir}/cache/libvirt/qemu/
 %{_datadir}/augeas/lenses/libvirtd_qemu.aug
 %{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
diff --git a/src/qemu/meson.build b/src/qemu/meson.build
index ff9a904277..b4fb62f14f 100644
--- a/src/qemu/meson.build
+++ b/src/qemu/meson.build
@@ -223,6 +223,7 @@ if conf.has('WITH_QEMU')
     localstatedir / 'lib' / 'libvirt' / 'qemu' / 'ram',
     localstatedir / 'lib' / 'libvirt' / 'qemu' / 'save',
     localstatedir / 'lib' / 'libvirt' / 'qemu' / 'snapshot',
+    localstatedir / 'lib' / 'libvirt' / 'qemu' / 'varstore',
     localstatedir / 'lib' / 'libvirt' / 'swtpm',
     localstatedir / 'log' / 'libvirt' / 'qemu',
     localstatedir / 'log' / 'swtpm' / 'libvirt' / 'qemu',
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index de6e51177a..3ea42da502 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -167,6 +167,7 @@ virQEMUDriverConfig *virQEMUDriverConfigNew(bool privil=
eged,
         cfg->checkpointDir =3D g_strdup_printf("%s/checkpoint", cfg->libDi=
r);
         cfg->autoDumpPath =3D g_strdup_printf("%s/dump", cfg->libDir);
         cfg->nvramDir =3D g_strdup_printf("%s/nvram", cfg->libDir);
+        cfg->varstoreDir =3D g_strdup_printf("%s/varstore", cfg->libDir);
         cfg->memoryBackingDir =3D g_strdup_printf("%s/ram", cfg->libDir);
     } else if (privileged) {
         cfg->logDir =3D g_strdup_printf("%s/log/libvirt/qemu", LOCALSTATED=
IR);
@@ -188,6 +189,7 @@ virQEMUDriverConfig *virQEMUDriverConfigNew(bool privil=
eged,
         cfg->checkpointDir =3D g_strdup_printf("%s/checkpoint", cfg->libDi=
r);
         cfg->autoDumpPath =3D g_strdup_printf("%s/dump", cfg->libDir);
         cfg->nvramDir =3D g_strdup_printf("%s/nvram", cfg->libDir);
+        cfg->varstoreDir =3D g_strdup_printf("%s/varstore", cfg->libDir);
         cfg->memoryBackingDir =3D g_strdup_printf("%s/ram", cfg->libDir);
         cfg->swtpmStorageDir =3D g_strdup_printf("%s/lib/libvirt/swtpm",
                                                LOCALSTATEDIR);
@@ -215,6 +217,7 @@ virQEMUDriverConfig *virQEMUDriverConfigNew(bool privil=
eged,
                                              cfg->configBaseDir);
         cfg->autoDumpPath =3D g_strdup_printf("%s/qemu/dump", cfg->configB=
aseDir);
         cfg->nvramDir =3D g_strdup_printf("%s/qemu/nvram", cfg->configBase=
Dir);
+        cfg->varstoreDir =3D g_strdup_printf("%s/qemu/varstore", cfg->conf=
igBaseDir);
         cfg->memoryBackingDir =3D g_strdup_printf("%s/qemu/ram", cfg->conf=
igBaseDir);
         cfg->swtpmStorageDir =3D g_strdup_printf("%s/qemu/swtpm",
                                                cfg->configBaseDir);
@@ -367,6 +370,7 @@ static void virQEMUDriverConfigDispose(void *obj)
     g_free(cfg->checkpointDir);
     g_free(cfg->channelTargetDir);
     g_free(cfg->nvramDir);
+    g_free(cfg->varstoreDir);
=20
     g_free(cfg->defaultTLSx509certdir);
     g_free(cfg->defaultTLSx509secretUUID);
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index c284e108a1..aa2bac6891 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -121,6 +121,7 @@ struct _virQEMUDriverConfig {
     char *checkpointDir;
     char *channelTargetDir;
     char *nvramDir;
+    char *varstoreDir;
     char *swtpmStorageDir;
=20
     char *defaultTLSx509certdir;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 3126d997de..8a4947b60b 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -626,6 +626,11 @@ qemuStateInitialize(bool privileged,
                              cfg->nvramDir);
         goto error;
     }
+    if (g_mkdir_with_parents(cfg->varstoreDir, 0777) < 0) {
+        virReportSystemError(errno, _("Failed to create varstore dir %1$s"=
),
+                             cfg->varstoreDir);
+        goto error;
+    }
     if (g_mkdir_with_parents(cfg->memoryBackingDir, 0777) < 0) {
         virReportSystemError(errno, _("Failed to create memory backing dir=
 %1$s"),
                              cfg->memoryBackingDir);
@@ -784,6 +789,13 @@ qemuStateInitialize(bool privileged,
                                  (int)cfg->group);
             goto error;
         }
+        if (chown(cfg->varstoreDir, cfg->user, cfg->group) < 0) {
+            virReportSystemError(errno,
+                                 _("unable to set ownership of '%1$s' to %=
2$d:%3$d"),
+                                 cfg->varstoreDir, (int)cfg->user,
+                                 (int)cfg->group);
+            goto error;
+        }
         if (chown(cfg->memoryBackingDir, cfg->user, cfg->group) < 0) {
             virReportSystemError(errno,
                                  _("unable to set ownership of '%1$s' to %=
2$d:%3$d"),
diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c
index 78ec521266..21dfd3141d 100644
--- a/tests/testutilsqemu.c
+++ b/tests/testutilsqemu.c
@@ -336,6 +336,8 @@ int qemuTestDriverInit(virQEMUDriver *driver)
     cfg->memoryBackingDir =3D g_strdup("/var/lib/libvirt/qemu/ram");
     VIR_FREE(cfg->nvramDir);
     cfg->nvramDir =3D g_strdup("/var/lib/libvirt/qemu/nvram");
+    VIR_FREE(cfg->varstoreDir);
+    cfg->varstoreDir =3D g_strdup("/var/lib/libvirt/qemu/varstore");
     VIR_FREE(cfg->passtStateDir);
     cfg->passtStateDir =3D g_strdup("/var/run/libvirt/qemu/passt");
     VIR_FREE(cfg->dbusStateDir);
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771872951; cv=none;
	d=zohomail.com; s=zohoarc;
	b=dumNK2IUmhijmtm2ZHI/0HFqpsxaH2G8nns3MPfVgh0Tgy2QixdroH+JwDHvAUhVv7LOzNulcP61ngJfA0wa9XoyZYb44+81FKRGxMZbQh0Mng/LNQo53cNgjV7fWoZbhGMUJPh/8uYF5z1Ck5Ge+9bpI+aq7U5d6AUP+XDVnRk=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771872951;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=DNGRxvU/30pYG/EaSY8RjjK/O3Gnja3bue56AYIRLY0=;
	b=fNJDkb/xDzLBQWaZgxJunb5iwKewRRKP1TBHgWQwEmI/dS1aCxdHSaLRwD0edgkUhsomszwknF6R+6Ay2SHektGYDKBRscP0U/PwtvHNC9AQzvhHwgeTlop2cBTn83LC/GuauM+BNVqUWN90lM+sw9zWcc/yrG8HMmWgQskU+D4=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771872951374165.36432547325956;
 Mon, 23 Feb 2026 10:55:51 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 9675E419A0; Mon, 23 Feb 2026 13:55:50 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 534C14415E;
	Mon, 23 Feb 2026 13:36:44 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 6095B41A0A; Mon, 23 Feb 2026 13:36:23 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id EB00C41A8D
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:17 -0500 (EST)
Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-500-rfayWCpyP626swPP5Segxw-1; Mon,
 23 Feb 2026 13:32:16 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 7D03E1954B17
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:14 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 304D0195419A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:12 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871537;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=DNGRxvU/30pYG/EaSY8RjjK/O3Gnja3bue56AYIRLY0=;
	b=SnKtNbfGTuNn27D9JTbUPI7j20aw6v7d313Rh69RdTo/Egs/f/ufHWlW4rA2yMdBukuTOD
	oYl332367CbuP1XUxztjpyHjENY6jovb+Nkc/lSgwWvzMExd2fGwAAyRefjESTwqTFt4yO
	zuJdMvavJhIhby3AiH8dlF2tfs71GtE=
X-MC-Unique: rfayWCpyP626swPP5Segxw-1
X-Mimecast-MFC-AGG-ID: rfayWCpyP626swPP5Segxw_1771871535
To: devel@lists.libvirt.org
Subject: [PATCH v4 27/36] qemu_firmware: Generate varstore path when necessary
Date: Mon, 23 Feb 2026 19:31:10 +0100
Message-ID: <20260223183119.501349-28-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: cQAmfGcS3kJfAgHQfZqEmLQ-iW5yu-flejIM-EanYfI_1771871535
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: LIINELLAD26PKUA4MMF4HB2O3XF2D25E
X-Message-ID-Hash: LIINELLAD26PKUA4MMF4HB2O3XF2D25E
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/LIINELLAD26PKUA4MMF4HB2O3XF2D25E/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771872952502158500

Introduce qemuFirmwareEnsureVarstore(), which performs the same
task as the existing qemuFirmwareEnsureNVRAM() but for the
varstore element.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_firmware.c | 39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 5a07e3181f..d8633c6b28 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1069,6 +1069,38 @@ qemuFirmwareEnsureNVRAM(virDomainDef *def,
 }
=20
=20
+/**
+ * qemuFirmwareEnsureVarstore:
+ * @def: domain definition
+ * @driver: QEMU driver
+ *
+ * Make sure that information for the varstore is present. This might
+ * involve automatically generating the corresponding path.
+ */
+static void
+qemuFirmwareEnsureVarstore(virDomainDef *def,
+                           virQEMUDriver *driver)
+{
+    g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver);
+    virDomainLoaderDef *loader =3D def->os.loader;
+    virDomainVarstoreDef *varstore =3D def->os.varstore;
+
+    if (!loader)
+        return;
+
+    if (loader->type !=3D VIR_DOMAIN_LOADER_TYPE_ROM)
+        return;
+
+    if (!varstore)
+        return;
+
+    if (varstore->path)
+        return;
+
+    varstore->path =3D g_strdup_printf("%s/%s.json",
+                                     cfg->varstoreDir, def->name);
+}
+
=20
 /**
  * qemuFirmwareSetOsFeatures:
@@ -2063,10 +2095,11 @@ qemuFirmwareFillDomain(virQEMUDriver *driver,
         }
     }
=20
-    /* Always ensure that the NVRAM path is present, even if we
-     * haven't found a match: the configuration might simply be
-     * referring to a custom firmware build */
+    /* Always ensure that the NVRAM/varstore is configured where
+     * appropriate, even if we haven't found a match: the configuration
+     * might simply be referring to a custom firmware build */
     qemuFirmwareEnsureNVRAM(def, driver, abiUpdate);
+    qemuFirmwareEnsureVarstore(def, driver);
=20
     return 0;
 }
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873289; cv=none;
	d=zohomail.com; s=zohoarc;
	b=Nra0zRdWhbq2J+a1CQ+gO4BN78JZt2C0EP4im3TaL1uYUTHRmEcLk8srtvh/dmNsqNbFwk/+ColgMairh9Sh2VfbTGG2GRe01quw3AQIsUSwpT2xOBmjVrmnZoRi4XLMPDhfgy33y4LT8p9UDq7YMu3bXk+17oTboPGYcwtLEQk=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873289;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=K22trZUg4euBemqjE1DN3UH3tld3+y9/yEt1WAI47sQ=;
	b=GZLFRuf/hcvOLO6Es5rFFoo+EemQEo90Vc8xLAJMywT+eoE3qKm9soy1+w00g2KYE5zQsDjPy1j4XFz/DX43oGQ1Vh8bqLzrRbAMaSBNhsnvBUfd1ygthe23QCC/SSMlUIx9JrnxyvkABc3BJ0roV8Xv1TxKNYmhYF3rHeusNgI=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771873289790820.1229048341188;
 Mon, 23 Feb 2026 11:01:29 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 07BA341B83; Mon, 23 Feb 2026 14:01:29 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 86C5B442B9;
	Mon, 23 Feb 2026 13:36:57 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 3625B44192; Mon, 23 Feb 2026 13:36:47 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id D4B2841C6F
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:21 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-302-aLF-GLPuNfuKktFpy77jvg-1; Mon,
 23 Feb 2026 13:32:18 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 282C318011CC
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:16 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id EF76F1944CC4
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:14 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871541;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=K22trZUg4euBemqjE1DN3UH3tld3+y9/yEt1WAI47sQ=;
	b=QFt9JVjU3dmJ5TP9w9CDjBtbYraA8T1Yd2iLE2qlEqjK+Oo9GAlin6GcH0S9sRMysXu2XA
	Kaayd6bMQrW4VsVMJuGWKyOk76viObgAss2C1G9l7IHDNWQat6EZj82SjTYAvYlJQ2Q4Hk
	cAy609Lwxi6Rx6sWe3eUFSIY6SXEE0k=
X-MC-Unique: aLF-GLPuNfuKktFpy77jvg-1
X-Mimecast-MFC-AGG-ID: aLF-GLPuNfuKktFpy77jvg_1771871538
To: devel@lists.libvirt.org
Subject: [PATCH v4 28/36] qemu: Introduce qemuPrepareNVRAMFileCommon()
Date: Mon, 23 Feb 2026 19:31:11 +0100
Message-ID: <20260223183119.501349-29-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: Vga9zIUiccvnRrkL-wdOretNYyhGmkMDfNyDVXUH2eE_1771871538
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: JZW5K62V2SQ54GHPD6IFSXDVHP3UO6CV
X-Message-ID-Hash: JZW5K62V2SQ54GHPD6IFSXDVHP3UO6CV
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/JZW5K62V2SQ54GHPD6IFSXDVHP3UO6CV/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873290514158500

Most of the code in the qemuPrepareNVRAMFile() function can
be reused to create a varstore file from template. Move the
common parts to a generic helper, leaving only the parts
that are NVRAM-specific in the original function.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_process.c | 56 +++++++++++++++++++++++++++--------------
 1 file changed, 37 insertions(+), 19 deletions(-)

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 371b64faac..db43b035c1 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4918,45 +4918,40 @@ qemuPrepareNVRAMBlock(virDomainLoaderDef *loader,
=20
=20
 static int
-qemuPrepareNVRAMFile(virQEMUDriver *driver,
-                     virDomainLoaderDef *loader,
-                     bool reset_nvram)
+qemuPrepareNVRAMFileCommon(virQEMUDriver *driver,
+                           const char *path,
+                           const char *template,
+                           bool reset_nvram)
 {
     g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver);
     VIR_AUTOCLOSE srcFD =3D -1;
     struct qemuPrepareNVRAMHelperData data;
=20
-    if (virFileExists(loader->nvram->path) && !reset_nvram)
+    if (!path)
         return 0;
=20
-    if (!loader->nvramTemplate) {
+    if (virFileExists(path) && !reset_nvram)
+        return 0;
+
+    if (!template) {
         virReportError(VIR_ERR_OPERATION_FAILED,
                        _("unable to find any master var store for loader: =
%1$s"),
-                       loader->path);
+                       path);
         return -1;
     }
=20
-    /* If 'nvramTemplateFormat' is empty it means that it's a user-provided
-     * template which we couldn't verify. Assume the user knows what they'=
re doing */
-    if (loader->nvramTemplateFormat !=3D VIR_STORAGE_FILE_NONE &&
-        loader->nvram->format !=3D loader->nvramTemplateFormat) {
-        virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
-                       _("conversion of the nvram template to another targ=
et format is not supported"));
-        return -1;
-    }
-
-    if ((srcFD =3D virFileOpenAs(loader->nvramTemplate, O_RDONLY,
+    if ((srcFD =3D virFileOpenAs(template, O_RDONLY,
                                0, -1, -1, 0)) < 0) {
         virReportSystemError(-srcFD,
                              _("Failed to open file '%1$s'"),
-                             loader->nvramTemplate);
+                             template);
         return -1;
     }
=20
     data.srcFD =3D srcFD;
-    data.srcPath =3D loader->nvramTemplate;
+    data.srcPath =3D template;
=20
-    if (virFileRewrite(loader->nvram->path,
+    if (virFileRewrite(path,
                        S_IRUSR | S_IWUSR,
                        cfg->user, cfg->group,
                        qemuPrepareNVRAMHelper,
@@ -4968,6 +4963,29 @@ qemuPrepareNVRAMFile(virQEMUDriver *driver,
 }
=20
=20
+static int
+qemuPrepareNVRAMFile(virQEMUDriver *driver,
+                     virDomainLoaderDef *loader,
+                     bool reset_nvram)
+{
+    /* If 'nvramTemplateFormat' is empty it means that it's a user-provided
+     * template which we couldn't verify. Assume the user knows what they'=
re doing */
+    if (loader && loader->nvram &&
+        loader->nvramTemplateFormat !=3D VIR_STORAGE_FILE_NONE &&
+        loader->nvram->format !=3D loader->nvramTemplateFormat) {
+        virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+                       _("conversion of the nvram template to another targ=
et format is not supported"));
+        return -1;
+    }
+
+    if (qemuPrepareNVRAMFileCommon(driver, loader->nvram->path,
+                                   loader->nvramTemplate, reset_nvram) < 0)
+        return -1;
+
+    return 0;
+}
+
+
 int
 qemuPrepareNVRAM(virQEMUDriver *driver,
                  virDomainDef *def,
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873043; cv=none;
	d=zohomail.com; s=zohoarc;
	b=I5irYDFdGPjmdULCjg3nV/xq8yAxGpsjmlFC5SBsY30M8X90c9QMLxo4rqCwAbsDnIkZHhHsj/+wotP8HrEqW25074foPk9RxyfdpW2L72O39C5prth68qiz9GvAP8H5AWZkurMfn7sqfZvrZwsEZ58nB2ZVHZ1WYfyBEy9o9Gk=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873043;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=z4RvON2IVYeyooFzrKoqVLd71+gWzRDpTC+QwmXnToU=;
	b=EVLLGtHGn10Wyv1h8LytuI871FaKFUQnd/Fu25wcFOsk1PQ4fOFQJExSDOny6ONQV88khCpG+3jHuLC1BYsS5oSmurvTExT61BoHlJAc3Jo9DyjRPToJi12d47bCvFHzcwVERBmH0ZS6lZK5WMLTiWYCOIeACtgNI6Qirzf55KY=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771873043136209.83884458002035;
 Mon, 23 Feb 2026 10:57:23 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 15A7041A24; Mon, 23 Feb 2026 13:57:22 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 0D2B3441F5;
	Mon, 23 Feb 2026 13:36:50 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 19C8441A0A; Mon, 23 Feb 2026 13:36:24 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 6AD4941A82
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:20 -0500 (EST)
Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-147-RXLaja61MpCH626CrOs_EQ-1; Mon,
 23 Feb 2026 13:32:18 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id E0E3319560A5
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:17 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id C62F719541AA
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:16 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871540;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=z4RvON2IVYeyooFzrKoqVLd71+gWzRDpTC+QwmXnToU=;
	b=I+l1tiIx9+y9k8IHFzdFVfM7wa5g9o1Lij1A9be1qQcyH0GrN+3/f+lxV4jGRDuRL7sbf/
	VmjHnd/mlMt4K5btXp75WrRaUqtkwMg/mSXfbzn4sxEEalGKgKtcq45tD4MY18JdI1zXO6
	LeWwupbsI6l3vJzW8Rjr2ntQ+5j7JVE=
X-MC-Unique: RXLaja61MpCH626CrOs_EQ-1
X-Mimecast-MFC-AGG-ID: RXLaja61MpCH626CrOs_EQ_1771871538
To: devel@lists.libvirt.org
Subject: [PATCH v4 29/36] qemu: Create and delete varstore file
Date: Mon, 23 Feb 2026 19:31:12 +0100
Message-ID: <20260223183119.501349-30-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: TPR1ZD7UG_H75HtJGq_bokk7-oQUBFSwDKXFUr1twyQ_1771871538
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: TYMNBIPQJADDDCZU6J6EAJJBPNFU4SUY
X-Message-ID-Hash: TYMNBIPQJADDDCZU6J6EAJJBPNFU4SUY
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/TYMNBIPQJADDDCZU6J6EAJJBPNFU4SUY/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873045417158500

Simply mimicking what is currently done for NVRAM files does
the trick. A few user-visible messages are updated to reflect
the fact that they apply both to NVRAM and varstore.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/qemu/qemu_driver.c  | 14 +++++++++-----
 src/qemu/qemu_process.c | 28 ++++++++++++++++++++++++++--
 2 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 8a4947b60b..9e4d0f8640 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6644,22 +6644,26 @@ qemuDomainUndefineFlags(virDomainPtr dom,
         }
     }
=20
-    if (vm->def->os.loader && vm->def->os.loader->nvram &&
-        virStorageSourceIsLocalStorage(vm->def->os.loader->nvram)) {
-        nvram_path =3D g_strdup(vm->def->os.loader->nvram->path);
+    if (vm->def->os.loader) {
+        if (vm->def->os.loader->nvram &&
+            virStorageSourceIsLocalStorage(vm->def->os.loader->nvram)) {
+            nvram_path =3D g_strdup(vm->def->os.loader->nvram->path);
+        } else if (vm->def->os.varstore && vm->def->os.varstore->path) {
+            nvram_path =3D g_strdup(vm->def->os.varstore->path);
+        }
     }
=20
     if (nvram_path && virFileExists(nvram_path)) {
         if ((flags & VIR_DOMAIN_UNDEFINE_NVRAM)) {
             if (unlink(nvram_path) < 0) {
                 virReportSystemError(errno,
-                                     _("failed to remove nvram: %1$s"),
+                                     _("Failed to remove NVRAM/varstore: %=
1$s"),
                                      nvram_path);
                 goto endjob;
             }
         } else if (!(flags & VIR_DOMAIN_UNDEFINE_KEEP_NVRAM)) {
             virReportError(VIR_ERR_OPERATION_INVALID, "%s",
-                           _("cannot undefine domain with nvram"));
+                           _("Cannot undefine domain with NVRAM/varstore")=
);
             goto endjob;
         }
     }
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index db43b035c1..a82ee4b15e 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -5029,6 +5029,27 @@ qemuPrepareNVRAM(virQEMUDriver *driver,
 }
=20
=20
+static int
+qemuPrepareVarstore(virQEMUDriver *driver,
+                    virDomainDef *def,
+                    bool reset_nvram)
+{
+    virDomainLoaderDef *loader =3D def->os.loader;
+    virDomainVarstoreDef *varstore =3D def->os.varstore;
+
+    if (!loader || !varstore)
+        return 0;
+
+    VIR_DEBUG("varstore=3D'%s'", NULLSTR(varstore->path));
+
+    if (qemuPrepareNVRAMFileCommon(driver, varstore->path,
+                                   varstore->template, reset_nvram) < 0)
+        return -1;
+
+    return 0;
+}
+
+
 static void
 qemuLogOperation(virDomainObj *vm,
                  const char *msg,
@@ -7799,6 +7820,7 @@ qemuProcessPrepareHost(virQEMUDriver *driver,
     unsigned int hostdev_flags =3D 0;
     qemuDomainObjPrivate *priv =3D vm->privateData;
     g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver);
+    bool reset_nvram =3D !!(flags & VIR_QEMU_PROCESS_START_RESET_NVRAM);
=20
     /*
      * Create all per-domain directories in order to make sure domain
@@ -7808,8 +7830,10 @@ qemuProcessPrepareHost(virQEMUDriver *driver,
         qemuProcessMakeDir(driver, vm, priv->channelTargetDir) < 0)
         return -1;
=20
-    if (qemuPrepareNVRAM(driver, vm->def,
-                         !!(flags & VIR_QEMU_PROCESS_START_RESET_NVRAM)) <=
 0)
+    if (qemuPrepareNVRAM(driver, vm->def, reset_nvram) < 0)
+        return -1;
+
+    if (qemuPrepareVarstore(driver, vm->def, reset_nvram) < 0)
         return -1;
=20
     if (vm->def->vsock) {
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873226; cv=none;
	d=zohomail.com; s=zohoarc;
	b=DXYCaCyvD5rKMTgKRYsRSKZnsZq5p1gOiw2rUSUj3HK/+xUvvcBl5XGp1NlCxhqkiIRzmrt2XP6GDxbD9p9yShrGLq8fmXXfHLXyict1t1HbQqXFW+4EbinPOiTtjqoZksieob+gJZwJJg0Vj1iJZKyXB4YSsja3TINBpm+kZ8Y=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873226;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=sPKeJGeOveuvFVDhAlQ0G8LhiBL3xVYV5GxaEHx7+F4=;
	b=TgFHsZgs7ZlZr6U0JX8u+onX34af8xbuHenctohvBQAWE0M2+sEJXsYI8a2koPftSQp7MKsu4riZgH54VJL7myHAN4nT+Pei6+FIbphLsi0YoRoItfeZJarfwf8ArOYy2PWuoz+MVcEoEXpjWt06Sg34qAkzG8Hm3gBzd6YJQw4=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771873226628941.7491878756506;
 Mon, 23 Feb 2026 11:00:26 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id A28363F97A; Mon, 23 Feb 2026 14:00:25 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 6B6A24426B;
	Mon, 23 Feb 2026 13:36:55 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id E37A141C27; Mon, 23 Feb 2026 13:36:46 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 4A4FC41C05
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:24 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-322-cjr4vJ_ENwK98HTEAZRh5w-1; Mon,
 23 Feb 2026 13:32:21 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id D18EE18002E2
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:19 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id ADAEF195419A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:18 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871544;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=sPKeJGeOveuvFVDhAlQ0G8LhiBL3xVYV5GxaEHx7+F4=;
	b=gbMSpW8XsTOBvhJKfxiJWjCjvZF8Wlau0N0YKT+dR1EDXnvKo5jt72K82pEMY5ypVOUPAs
	VmNASrtoKHZqZOdSfVv5QpSkK5+CNZVu4RaNUWOqH76Mh8mVvNjekO5YwiEJvEJUkVk6VG
	PQi8j3PlN1WJ5Qek2pRq+H4cPDVFGMA=
X-MC-Unique: cjr4vJ_ENwK98HTEAZRh5w-1
X-Mimecast-MFC-AGG-ID: cjr4vJ_ENwK98HTEAZRh5w_1771871540
To: devel@lists.libvirt.org
Subject: [PATCH v4 30/36] security: Mark ROMs as read only when using AppArmor
Date: Mon, 23 Feb 2026 19:31:13 +0100
Message-ID: <20260223183119.501349-31-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: lJR8rfRKTH_QGW6tu43OTobmUrNJj_30NGu8fuSC4p0_1771871540
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: VI6RVVTGSEKGIEWUKY6RR7I7LK56OMWS
X-Message-ID-Hash: VI6RVVTGSEKGIEWUKY6RR7I7LK56OMWS
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/VI6RVVTGSEKGIEWUKY6RR7I7LK56OMWS/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873228088158501

Before this, attempting to use a ROM that was not explictly
marked at read only resulted in an error at startup time.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/security/virt-aa-helper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f4ec6b7826..3ac4740fb5 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1021,7 +1021,15 @@ get_files(vahControl * ctl)
=20
     if (ctl->def->os.loader && ctl->def->os.loader->path) {
         bool readonly =3D false;
+
+        /* Look at the readonly attribute, but also keep in mind that ROMs
+         * are always loaded read-only regardless of whether the attribute
+         * is present. Validation ensures that nonsensical configurations
+         * (type=3Drom readonly=3Dno) are rejected long before we get here=
 */
         virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
+        if (ctl->def->os.loader->type =3D=3D VIR_DOMAIN_LOADER_TYPE_ROM)
+            readonly =3D true;
+
         if (vah_add_file(&buf,
                          ctl->def->os.loader->path,
                          readonly ? "rk" : "rwk") !=3D 0) {
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873336; cv=none;
	d=zohomail.com; s=zohoarc;
	b=e1lG1d9toU2F0DahIpf8FPwgxZ/zapJw5o0DsFmz33WDquvCbqnmCfKFgBZcdHTlCdxevMJq8Y6wL0+xJiJN1M2RZR1nasUgnSxGj/HQcVKfHEy+MrG2XMZS3mSfoM3eWJ8HaNgY/iXfBtlPm6Jglrn2LwwM+rCo6Jg0RKYsVXU=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873336;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=/bwlfCuqFqHTc5GqkTKTgLey9LDJ9ROHyUCxksS6bmk=;
	b=fy6A33HGOoiZbdXt5+Yxygd0zcwQPVYJgsS8jAQvRTK82G8bih8Llju31/Z+tGQiNEnCsbPcUYzcL4Tqg2Ct94ujRhJMm8e2fi770eXfeYZdn9bPmcCAAR3wn+77xzaoS9P7lxCdBcEDoMdu7OlJVxyUG911V4ujJ26qzPMtBwI=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 17718733365741014.4275507161396;
 Mon, 23 Feb 2026 11:02:16 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id B565841C87; Mon, 23 Feb 2026 14:02:15 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 7FC55442FF;
	Mon, 23 Feb 2026 13:36:59 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 3885841A9D; Mon, 23 Feb 2026 13:36:48 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 6DAFD41C86
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:24 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-569-hLX78XEyOfWHq-Lauv4MXw-1; Mon,
 23 Feb 2026 13:32:22 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id C42AF18004A9
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:21 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 9FA7A1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:20 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871544;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=/bwlfCuqFqHTc5GqkTKTgLey9LDJ9ROHyUCxksS6bmk=;
	b=RHkKM8PM/pwILyVv7ek2s/OnPEWoYtpQB7GsmVC9uPBgVTPw8FucPxLQK4fMPn+OrpiWOf
	NpCw0IDewVyhayqoUo6n7QClYtgpncs1kp43SCIuSOGa0dr0/bSd/tT5Aw6lwTLyBlMWzG
	1DQYe80LVEkULjQP7Fb76DhzdmFipkE=
X-MC-Unique: hLX78XEyOfWHq-Lauv4MXw-1
X-Mimecast-MFC-AGG-ID: hLX78XEyOfWHq-Lauv4MXw_1771871541
To: devel@lists.libvirt.org
Subject: [PATCH v4 31/36] security: Handle varstore file
Date: Mon, 23 Feb 2026 19:31:14 +0100
Message-ID: <20260223183119.501349-32-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: gTH672sSUCa4MKMd4LoEYjaQR-3JJuqy_2kJkZVlFi4_1771871541
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 3HUPY2LC72GJLM5JJONCYJS6IVQZXDHE
X-Message-ID-Hash: 3HUPY2LC72GJLM5JJONCYJS6IVQZXDHE
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/3HUPY2LC72GJLM5JJONCYJS6IVQZXDHE/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873336871158502

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 src/security/security_dac.c     | 22 +++++++++++---
 src/security/security_selinux.c | 53 +++++++++++++++++++++------------
 src/security/virt-aa-helper.c   | 44 ++++++++++++++++-----------
 3 files changed, 78 insertions(+), 41 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 704c8dbfec..390dfc7578 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2061,11 +2061,17 @@ virSecurityDACRestoreAllLabel(virSecurityManager *m=
gr,
             rc =3D -1;
     }
=20
-    if (def->os.loader && def->os.loader->nvram) {
-        if (virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
+    if (def->os.loader) {
+        if (def->os.loader->nvram &&
+            virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
                                                def, def->os.loader->nvram,
                                                migrated) < 0)
             rc =3D -1;
+
+        if (def->os.varstore &&
+            def->os.varstore->path &&
+            virSecurityDACRestoreFileLabel(mgr, def->os.varstore->path) < =
0)
+            rc =3D -1;
     }
=20
     if (def->os.kernel &&
@@ -2310,12 +2316,20 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
             return -1;
     }
=20
-    if (def->os.loader && def->os.loader->nvram) {
-        if (virSecurityDACSetImageLabel(mgr, sharedFilesystems,
+    if (def->os.loader) {
+        if (def->os.loader->nvram &&
+            virSecurityDACSetImageLabel(mgr, sharedFilesystems,
                                         def, def->os.loader->nvram,
                                         VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA=
CKING_CHAIN |
                                         VIR_SECURITY_DOMAIN_IMAGE_PARENT_C=
HAIN_TOP) < 0)
             return -1;
+
+        if (def->os.varstore &&
+            def->os.varstore->path &&
+            virSecurityDACSetOwnership(mgr, NULL,
+                                       def->os.varstore->path,
+                                       user, group, true) < 0)
+            return -1;
     }
=20
     if (def->os.kernel &&
diff --git a/src/security/security_selinux.c b/src/security/security_selinu=
x.c
index 4a5f61d16b..9c498ab5f8 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2993,11 +2993,18 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManage=
r *mgr,
             rc =3D -1;
     }
=20
-    if (def->os.loader && def->os.loader->nvram) {
-        if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+    if (def->os.loader) {
+        if (def->os.loader->nvram &&
+            virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
                                                    def, def->os.loader->nv=
ram,
                                                    migrated) < 0)
             rc =3D -1;
+
+        if (def->os.varstore &&
+            def->os.varstore->path &&
+            virSecuritySELinuxRestoreFileLabel(mgr, def->os.varstore->path,
+                                               true, false) < 0)
+            rc =3D -1;
     }
=20
     if (def->os.kernel &&
@@ -3341,6 +3348,22 @@ virSecuritySELinuxSetSysinfoLabel(virSecurityManager=
 *mgr,
 }
=20
=20
+static int
+virSecuritySELinuxDomainSetPathLabel(virSecurityManager *mgr,
+                                     virDomainDef *def,
+                                     const char *path,
+                                     bool allowSubtree G_GNUC_UNUSED)
+{
+    virSecurityLabelDef *seclabel;
+
+    seclabel =3D virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAM=
E);
+    if (!seclabel || !seclabel->relabel)
+        return 0;
+
+    return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, t=
rue);
+}
+
+
 static int
 virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
                               char *const *sharedFilesystems,
@@ -3421,12 +3444,19 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *m=
gr,
             return -1;
     }
=20
-    if (def->os.loader && def->os.loader->nvram) {
-        if (virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems,
+    if (def->os.loader) {
+        if (def->os.loader->nvram &&
+            virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems,
                                             def, def->os.loader->nvram,
                                             VIR_SECURITY_DOMAIN_IMAGE_LABE=
L_BACKING_CHAIN |
                                             VIR_SECURITY_DOMAIN_IMAGE_PARE=
NT_CHAIN_TOP) < 0)
             return -1;
+
+        if (def->os.varstore &&
+            def->os.varstore->path &&
+            virSecuritySELinuxDomainSetPathLabel(mgr, def,
+                                                 def->os.varstore->path, t=
rue) < 0)
+            return -1;
     }
=20
     if (def->os.kernel &&
@@ -3593,21 +3623,6 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurit=
yManager *mgr,
     return opts;
 }
=20
-static int
-virSecuritySELinuxDomainSetPathLabel(virSecurityManager *mgr,
-                                     virDomainDef *def,
-                                     const char *path,
-                                     bool allowSubtree G_GNUC_UNUSED)
-{
-    virSecurityLabelDef *seclabel;
-
-    seclabel =3D virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAM=
E);
-    if (!seclabel || !seclabel->relabel)
-        return 0;
-
-    return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, t=
rue);
-}
-
 static int
 virSecuritySELinuxDomainSetPathLabelRO(virSecurityManager *mgr,
                                        virDomainDef *def,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 3ac4740fb5..e932e79dab 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1019,27 +1019,35 @@ get_files(vahControl * ctl)
         return -1;
     }
=20
-    if (ctl->def->os.loader && ctl->def->os.loader->path) {
-        bool readonly =3D false;
-
-        /* Look at the readonly attribute, but also keep in mind that ROMs
-         * are always loaded read-only regardless of whether the attribute
-         * is present. Validation ensures that nonsensical configurations
-         * (type=3Drom readonly=3Dno) are rejected long before we get here=
 */
-        virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
-        if (ctl->def->os.loader->type =3D=3D VIR_DOMAIN_LOADER_TYPE_ROM)
-            readonly =3D true;
-
-        if (vah_add_file(&buf,
-                         ctl->def->os.loader->path,
-                         readonly ? "rk" : "rwk") !=3D 0) {
+    if (ctl->def->os.loader) {
+        if (ctl->def->os.loader->path) {
+            bool readonly =3D false;
+
+            /* Look at the readonly attribute, but also keep in mind that =
ROMs
+             * are always loaded read-only regardless of whether the attri=
bute
+             * is present. Validation ensures that nonsensical configurati=
ons
+             * (type=3Drom readonly=3Dno) are rejected long before we get =
here */
+            virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly=
);
+            if (ctl->def->os.loader->type =3D=3D VIR_DOMAIN_LOADER_TYPE_RO=
M)
+                readonly =3D true;
+
+            if (vah_add_file(&buf,
+                             ctl->def->os.loader->path,
+                             readonly ? "rk" : "rwk") !=3D 0) {
+                return -1;
+            }
+        }
+
+        if (ctl->def->os.loader->nvram &&
+            storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) =
< 0) {
             return -1;
         }
-    }
=20
-    if (ctl->def->os.loader && ctl->def->os.loader->nvram &&
-        storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0)=
 {
-        return -1;
+        if (ctl->def->os.varstore &&
+            ctl->def->os.varstore->path &&
+            vah_add_file(&buf, ctl->def->os.varstore->path, "rw") !=3D 0) {
+            return -1;
+        }
     }
=20
     for (i =3D 0; i < ctl->def->ngraphics; i++) {
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873637; cv=none;
	d=zohomail.com; s=zohoarc;
	b=ZXNiJZoMHU7HzhGesGknC0hee5LMxTkt6kEJf11MSTPJGJ2BeKXxcPnWmmP/zv0J7vZtm6n7lqLc3wlBWirjlTQyymPyi/kBmX0kz6/7Vuog/MQYf9DXY7JOQi8U+8VD3EztFjolW/MbqNh2qOAPUf4I3S62HJyCF+WPMHweqr8=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873637;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=A0jU8/WgGbquXN13EYzRiNCDcmhuVPAitbrpKLZi1II=;
	b=ZTO/1elhigdiZGXpR3tsH9TcamSD9KeVW8t1xewmwGuGIwJjitbg5yepfR9bzh5P/c8XBrWuXPGRiT7JYmHrSF4LKKPopobjwhNgSwpWTMP7tHomMayeRKt0wBbObKSHSr0IJNyR8nkmtojouur0xjPcn7BK2zFv4fk6+slXqXg=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771873637932844.8759045124295;
 Mon, 23 Feb 2026 11:07:17 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 0F6143F93E; Mon, 23 Feb 2026 14:07:17 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 12B6A44534;
	Mon, 23 Feb 2026 13:37:10 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 9EBB64422B; Mon, 23 Feb 2026 13:36:52 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 9745641C69
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:26 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-168-Vt7jPdy2MWmcB1N8CWjHCg-1; Mon,
 23 Feb 2026 13:32:24 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id B6F841800365
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:23 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 7974D1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:22 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871546;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=A0jU8/WgGbquXN13EYzRiNCDcmhuVPAitbrpKLZi1II=;
	b=a0V1IvW9lg5vn7hP+r9PBzsfEqGXUzjAhS5FhZ74qxwqtGWQx7oneb8idRdfhEOjRroC3H
	MRtyLjxPCFxgnowMrIgcqhruttGvL4hLPX2dFgLYje/+uzxqO0/iErQTb8Xlhrr+XVaupO
	ExoOSkwKPIVNAlufvG585O8ueE0xsEI=
X-MC-Unique: Vt7jPdy2MWmcB1N8CWjHCg-1
X-Mimecast-MFC-AGG-ID: Vt7jPdy2MWmcB1N8CWjHCg_1771871543
To: devel@lists.libvirt.org
Subject: [PATCH v4 32/36] tests: Add firmware descriptors for uefi-vars builds
Date: Mon, 23 Feb 2026 19:31:15 +0100
Message-ID: <20260223183119.501349-33-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 5rTSt1eM_yJu_4lpc430SaROVZ6lLnfGnmxmQeyGqNE_1771871543
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: OCDMA6SC44KE4CIW7QL6BAY4ZKEQYD2K
X-Message-ID-Hash: OCDMA6SC44KE4CIW7QL6BAY4ZKEQYD2K
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/OCDMA6SC44KE4CIW7QL6BAY4ZKEQYD2K/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873638993158500

Now that everything else is in place, we can finally add the
firmware descriptors for the edk2 builds that use the uefi-vars
QEMU device.

Several existing test cases that were failing up until this
point can pass now. This includes firmware-auto-efi-varstore-q35,
firmware-auto-efi-varstore-aarch64 and
firmware-auto-efi-enrolled-keys-aarch64, which were only failing
because a matching firmware descriptor could not be found.

firmware-manual-efi-varstore-aarch64 also passes now, because
with the firmware descriptor in place libvirt is able to figure
out that the manually-provided path corresponds to a UEFI
firmware build, which means that the use of ACPI is fine.

The test cases using older version of QEMU still fail, as is
expected, though the error message is now slightly different and
reflect the actual reason why that is.

The qemufirmware and domaincaps tests are updated in the
expected ways. In particular, versions QEMU 10.0 and newer now
advertise varstore support as available.

https://issues.redhat.com/browse/RHEL-82645

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 .../qemu_10.0.0-q35.x86_64+amdsev.xml         |  2 +-
 .../domaincapsdata/qemu_10.0.0-q35.x86_64.xml |  2 +-
 .../qemu_10.0.0-virt.aarch64.xml              |  4 ++-
 tests/domaincapsdata/qemu_10.0.0.aarch64.xml  |  4 ++-
 .../qemu_10.1.0-q35.x86_64+inteltdx.xml       |  2 +-
 .../domaincapsdata/qemu_10.1.0-q35.x86_64.xml |  2 +-
 .../qemu_10.2.0-q35.x86_64+mshv.xml           |  2 +-
 .../domaincapsdata/qemu_10.2.0-q35.x86_64.xml |  2 +-
 .../qemu_10.2.0-virt.aarch64.xml              |  4 ++-
 tests/domaincapsdata/qemu_10.2.0.aarch64.xml  |  4 ++-
 .../domaincapsdata/qemu_11.0.0-q35.x86_64.xml |  2 +-
 .../qemu_11.0.0-virt.aarch64.xml              |  4 ++-
 tests/domaincapsdata/qemu_11.0.0.aarch64.xml  |  4 ++-
 .../qemu_8.2.0-virt.aarch64.xml               |  2 ++
 tests/domaincapsdata/qemu_8.2.0.aarch64.xml   |  2 ++
 .../qemu_9.2.0-hvf.aarch64+hvf.xml            |  2 ++
 .../90-edk2-aarch64-qemuvars-sb-enrolled.json | 29 ++++++++++++++++
 ...90-edk2-ovmf-qemuvars-x64-sb-enrolled.json | 31 +++++++++++++++++
 .../firmware/91-edk2-aarch64-qemuvars-sb.json | 28 +++++++++++++++
 .../91-edk2-ovmf-qemuvars-x64-sb.json         | 30 ++++++++++++++++
 tests/qemufirmwaretest.c                      | 20 ++++++++---
 ...fi-enrolled-keys-aarch64.aarch64-8.2.0.err |  2 +-
 ...-enrolled-keys-aarch64.aarch64-latest.args | 31 +++++++++++++++++
 ...i-enrolled-keys-aarch64.aarch64-latest.err |  1 -
 ...i-enrolled-keys-aarch64.aarch64-latest.xml |  4 ++-
 ...o-efi-varstore-aarch64.aarch64-latest.args | 31 +++++++++++++++++
 ...to-efi-varstore-aarch64.aarch64-latest.err |  1 -
 ...to-efi-varstore-aarch64.aarch64-latest.xml |  8 +++--
 ...e-auto-efi-varstore-q35.x86_64-latest.args | 34 +++++++++++++++++++
 ...re-auto-efi-varstore-q35.x86_64-latest.err |  1 -
 ...re-auto-efi-varstore-q35.x86_64-latest.xml |  8 +++--
 ...ual-efi-varstore-aarch64.aarch64-8.2.0.err |  2 +-
 ...l-efi-varstore-aarch64.aarch64-latest.args | 31 +++++++++++++++++
 ...al-efi-varstore-aarch64.aarch64-latest.err |  1 -
 ...l-efi-varstore-aarch64.aarch64-latest.xml} |  6 ++--
 ...-manual-efi-varstore-q35.x86_64-latest.xml |  8 +++--
 tests/qemuxmlconftest.c                       | 10 +++---
 37 files changed, 324 insertions(+), 37 deletions(-)
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/90-edk2-=
aarch64-qemuvars-sb-enrolled.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/90-edk2-=
ovmf-qemuvars-x64-sb-enrolled.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/91-edk2-=
aarch64-qemuvars-sb.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/91-edk2-=
ovmf-qemuvars-x64-sb.json
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-latest.args
 delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch6=
4.aarch64-latest.args
 delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch6=
4.aarch64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x8=
6_64-latest.args
 delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x8=
6_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarc=
h64.aarch64-latest.args
 delete mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarc=
h64.aarch64-latest.err
 rename tests/qemuxmlconfdata/{firmware-auto-efi-enrolled-keys-aarch64.aarc=
h64-8.2.0.xml =3D> firmware-manual-efi-varstore-aarch64.aarch64-latest.xml}=
 (76%)

diff --git a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml b/tests=
/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
index 1fff8c7fc7..bf6393dc03 100644
--- a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
@@ -36,7 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml b/tests/domain=
capsdata/qemu_10.0.0-q35.x86_64.xml
index 6c26e5b422..d6f710e56e 100644
--- a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml
@@ -36,7 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0-virt.aarch64.xml b/tests/doma=
incapsdata/qemu_10.0.0-virt.aarch64.xml
index 97064ea009..334aa5e31f 100644
--- a/tests/domaincapsdata/qemu_10.0.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-virt.aarch64.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
@@ -32,7 +34,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0.aarch64.xml b/tests/domaincap=
sdata/qemu_10.0.0.aarch64.xml
index 97064ea009..334aa5e31f 100644
--- a/tests/domaincapsdata/qemu_10.0.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0.aarch64.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
@@ -32,7 +34,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml b/tes=
ts/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
index 3537dd01f6..6c370de5dd 100644
--- a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
@@ -36,7 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64.xml b/tests/domain=
capsdata/qemu_10.1.0-q35.x86_64.xml
index e55d7d8ba6..60cc9eee3d 100644
--- a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64.xml
@@ -36,7 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0-q35.x86_64+mshv.xml b/tests/d=
omaincapsdata/qemu_10.2.0-q35.x86_64+mshv.xml
index 43fe2bff93..e30b64e068 100644
--- a/tests/domaincapsdata/qemu_10.2.0-q35.x86_64+mshv.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-q35.x86_64+mshv.xml
@@ -35,7 +35,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0-q35.x86_64.xml b/tests/domain=
capsdata/qemu_10.2.0-q35.x86_64.xml
index 2c1b38b4ec..fde3055148 100644
--- a/tests/domaincapsdata/qemu_10.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-q35.x86_64.xml
@@ -36,7 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0-virt.aarch64.xml b/tests/doma=
incapsdata/qemu_10.2.0-virt.aarch64.xml
index fa1d3c490b..beb9a49ee3 100644
--- a/tests/domaincapsdata/qemu_10.2.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-virt.aarch64.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
@@ -32,7 +34,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0.aarch64.xml b/tests/domaincap=
sdata/qemu_10.2.0.aarch64.xml
index fa1d3c490b..beb9a49ee3 100644
--- a/tests/domaincapsdata/qemu_10.2.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0.aarch64.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
@@ -32,7 +34,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_11.0.0-q35.x86_64.xml b/tests/domain=
capsdata/qemu_11.0.0-q35.x86_64.xml
index 109f3ae0ae..aa62aa1502 100644
--- a/tests/domaincapsdata/qemu_11.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_11.0.0-q35.x86_64.xml
@@ -36,7 +36,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_11.0.0-virt.aarch64.xml b/tests/doma=
incapsdata/qemu_11.0.0-virt.aarch64.xml
index db47c5ee98..4d41b6427d 100644
--- a/tests/domaincapsdata/qemu_11.0.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_11.0.0-virt.aarch64.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
@@ -32,7 +34,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_11.0.0.aarch64.xml b/tests/domaincap=
sdata/qemu_11.0.0.aarch64.xml
index db47c5ee98..4d41b6427d 100644
--- a/tests/domaincapsdata/qemu_11.0.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_11.0.0.aarch64.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
@@ -32,7 +34,7 @@
         <value>no</value>
       </enum>
     </loader>
-    <varstore supported=3D'no'/>
+    <varstore supported=3D'yes'/>
   </os>
   <cpu>
     <mode name=3D'host-passthrough' supported=3D'yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0-virt.aarch64.xml b/tests/domai=
ncapsdata/qemu_8.2.0-virt.aarch64.xml
index 420fbedd72..83fc9e37a7 100644
--- a/tests/domaincapsdata/qemu_8.2.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0-virt.aarch64.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
diff --git a/tests/domaincapsdata/qemu_8.2.0.aarch64.xml b/tests/domaincaps=
data/qemu_8.2.0.aarch64.xml
index 420fbedd72..83fc9e37a7 100644
--- a/tests/domaincapsdata/qemu_8.2.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0.aarch64.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
diff --git a/tests/domaincapsdata/qemu_9.2.0-hvf.aarch64+hvf.xml b/tests/do=
maincapsdata/qemu_9.2.0-hvf.aarch64+hvf.xml
index f998177636..65bb9dc9bd 100644
--- a/tests/domaincapsdata/qemu_9.2.0-hvf.aarch64+hvf.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-hvf.aarch64+hvf.xml
@@ -11,9 +11,11 @@
     </enum>
     <firmwareFeatures supported=3D'yes'>
       <enum name=3D'secureBoot'>
+        <value>yes</value>
         <value>no</value>
       </enum>
       <enum name=3D'enrolledKeys'>
+        <value>yes</value>
         <value>no</value>
       </enum>
     </firmwareFeatures>
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-edk2-aarch64=
-qemuvars-sb-enrolled.json b/tests/qemufirmwaredata/usr/share/qemu/firmware=
/90-edk2-aarch64-qemuvars-sb-enrolled.json
new file mode 100644
index 0000000000..9142d8fecd
--- /dev/null
+++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-edk2-aarch64-qemuva=
rs-sb-enrolled.json
@@ -0,0 +1,29 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines, SB enabled, =
MS certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd",
+        "uefi-vars": {
+            "template": "/usr/share/edk2/aarch64/vars.secboot.json"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "enrolled-keys",
+        "secure-boot",
+        "host-uefi-vars"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-edk2-ovmf-qe=
muvars-x64-sb-enrolled.json b/tests/qemufirmwaredata/usr/share/qemu/firmwar=
e/90-edk2-ovmf-qemuvars-x64-sb-enrolled.json
new file mode 100644
index 0000000000..5b1b483c1c
--- /dev/null
+++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-edk2-ovmf-qemuvars-=
x64-sb-enrolled.json
@@ -0,0 +1,31 @@
+{
+    "description": "OVMF for qemu uefi-vars, SB enabled, MS certs enrolled=
",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/ovmf/OVMF.qemuvars.fd",
+        "uefi-vars": {
+            "template": "/usr/share/edk2/ovmf/vars.secboot.json"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "enrolled-keys",
+        "secure-boot",
+        "host-uefi-vars",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/91-edk2-aarch64=
-qemuvars-sb.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/91-edk2-=
aarch64-qemuvars-sb.json
new file mode 100644
index 0000000000..95c25981dd
--- /dev/null
+++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/91-edk2-aarch64-qemuva=
rs-sb.json
@@ -0,0 +1,28 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines, SB disabled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd",
+        "uefi-vars": {
+            "template": "/usr/share/edk2/aarch64/vars.blank.json"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "secure-boot",
+        "host-uefi-vars"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/91-edk2-ovmf-qe=
muvars-x64-sb.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/91-edk2=
-ovmf-qemuvars-x64-sb.json
new file mode 100644
index 0000000000..b3fb98cbce
--- /dev/null
+++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/91-edk2-ovmf-qemuvars-=
x64-sb.json
@@ -0,0 +1,30 @@
+{
+    "description": "OVMF for qemu uefi-vars, SB disabled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/ovmf/OVMF.qemuvars.fd",
+        "uefi-vars": {
+            "template": "/usr/share/edk2/ovmf/vars.blank.json"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "secure-boot",
+        "host-uefi-vars",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c
index ee585b67d2..075e3e1d4c 100644
--- a/tests/qemufirmwaretest.c
+++ b/tests/qemufirmwaretest.c
@@ -101,7 +101,11 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED)
         SYSCONFDIR "/qemu/firmware/59-libvirt-combined.json",
         PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json",
         PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json",
+        PREFIX "/share/qemu/firmware/90-edk2-aarch64-qemuvars-sb-enrolled.=
json",
+        PREFIX "/share/qemu/firmware/90-edk2-ovmf-qemuvars-x64-sb-enrolled=
.json",
         PREFIX "/share/qemu/firmware/90-libvirt-combined.json",
+        PREFIX "/share/qemu/firmware/91-edk2-aarch64-qemuvars-sb.json",
+        PREFIX "/share/qemu/firmware/91-edk2-ovmf-qemuvars-x64-sb.json",
         PREFIX "/share/qemu/firmware/91-libvirt-bios.json",
         PREFIX "/share/qemu/firmware/93-libvirt-invalid.json",
         NULL
@@ -296,7 +300,11 @@ mymain(void)
     DO_PARSE_TEST("usr/share/qemu/firmware/53-edk2-aarch64-verbose-raw.jso=
n");
     DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json");
     DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json"=
);
+    DO_PARSE_TEST("usr/share/qemu/firmware/90-edk2-ovmf-qemuvars-x64-sb-en=
rolled.json");
+    DO_PARSE_TEST("usr/share/qemu/firmware/90-edk2-aarch64-qemuvars-sb-enr=
olled.json");
     DO_PARSE_TEST("usr/share/qemu/firmware/90-libvirt-combined.json");
+    DO_PARSE_TEST("usr/share/qemu/firmware/91-edk2-ovmf-qemuvars-x64-sb.js=
on");
+    DO_PARSE_TEST("usr/share/qemu/firmware/91-edk2-aarch64-qemuvars-sb.jso=
n");
     DO_PARSE_TEST("usr/share/qemu/firmware/91-libvirt-bios.json");
     DO_PARSE_FAILURE_TEST("usr/share/qemu/firmware/93-libvirt-invalid.json=
");
=20
@@ -325,7 +333,7 @@ mymain(void)
     DO_SUPPORTED_TEST("pc-i440fx-3.1", VIR_ARCH_I686, false, false,
                       "/usr/share/seabios/bios-256k.bin:NULL",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS);
-    DO_SUPPORTED_TEST("pc-q35-3.1", VIR_ARCH_X86_64, true, false,
+    DO_SUPPORTED_TEST("pc-q35-3.1", VIR_ARCH_X86_64, true, true,
                       "/usr/share/seabios/bios-256k.bin:NULL:"
                       "/usr/share/edk2/ovmf/OVMF_CODE_4M.secboot.qcow2:/us=
r/share/edk2/ovmf/OVMF_VARS_4M.secboot.qcow2:"
                       "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd:/usr/shar=
e/edk2/ovmf/OVMF_VARS.secboot.fd:"
@@ -335,7 +343,9 @@ mymain(void)
                       "/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/o=
vmf/OVMF_VARS.fd:"
                       "/usr/share/edk2/ovmf/OVMF.combined.fd:NULL:"
                       "/usr/share/edk2/ovmf/OVMF.amdsev.fd:NULL:"
-                      "/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd:NULL",
+                      "/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd:NULL:"
+                      "/usr/share/edk2/ovmf/OVMF.qemuvars.fd:/usr/share/ed=
k2/ovmf/vars.secboot.json:"
+                      "/usr/share/edk2/ovmf/OVMF.qemuvars.fd:/usr/share/ed=
k2/ovmf/vars.blank.json",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS,
                       VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
     DO_SUPPORTED_TEST("pc-q35-3.1", VIR_ARCH_I686, false, false,
@@ -344,11 +354,13 @@ mymain(void)
     DO_SUPPORTED_TEST("microvm", VIR_ARCH_X86_64, false, false,
                       "/usr/share/edk2/ovmf/MICROVM.fd:NULL",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
-    DO_SUPPORTED_TEST("virt-3.1", VIR_ARCH_AARCH64, false, false,
+    DO_SUPPORTED_TEST("virt-3.1", VIR_ARCH_AARCH64, false, true,
                       "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow=
2:/usr/share/edk2/aarch64/vars-template-pflash.qcow2:"
                       "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw:=
/usr/share/edk2/aarch64/vars-template-pflash.raw:"
                       "/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2:/usr/=
share/edk2/aarch64/vars-template-pflash.qcow2:"
-                      "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw:/usr/sh=
are/edk2/aarch64/vars-template-pflash.raw",
+                      "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw:/usr/sh=
are/edk2/aarch64/vars-template-pflash.raw:"
+                      "/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd:/usr/s=
hare/edk2/aarch64/vars.secboot.json:"
+                      "/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd:/usr/s=
hare/edk2/aarch64/vars.blank.json",
                       VIR_DOMAIN_OS_DEF_FIRMWARE_EFI);
     DO_SUPPORTED_TEST("virt", VIR_ARCH_RISCV64, false, false,
                       "/usr/share/edk2/riscv/RISCV_VIRT_CODE.qcow2:/usr/sh=
are/edk2/riscv/RISCV_VIRT_VARS.qcow2",
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-8.2.0.err b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-a=
arch64.aarch64-8.2.0.err
index 3edb2b3451..e64c2b21aa 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-8.2.0.err
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-8.2.0.err
@@ -1 +1 @@
-operation failed: Unable to find 'efi' firmware that is compatible with th=
e current configuration
+unsupported configuration: The uefi-vars device is not supported by this Q=
EMU binary
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-latest.args b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys=
-aarch64.aarch64-latest.args
new file mode 100644
index 0000000000..abc934692a
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-latest.args
@@ -0,0 +1,31 @@
+LC_ALL=3DC \
+PATH=3D/bin \
+HOME=3D/var/lib/libvirt/qemu/domain--1-guest \
+USER=3Dtest \
+LOGNAME=3Dtest \
+XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.local/share \
+XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.cache \
+XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.config \
+/usr/bin/qemu-system-aarch64 \
+-name guest=3Dguest,debug-threads=3Don \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va=
r/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
+-machine virt-8.2,usb=3Doff,gic-version=3D2,dump-guest-core=3Doff,memory-b=
ackend=3Dmach-virt.ram,acpi=3Don \
+-accel kvm \
+-bios /usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd \
+-m size=3D1048576k \
+-object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":1073=
741824}' \
+-overcommit mem-lock=3Doff \
+-smp 1,sockets=3D1,cores=3D1,threads=3D1 \
+-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \
+-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \
+-rtc base=3Dutc \
+-no-shutdown \
+-boot strict=3Don \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource=
control=3Ddeny \
+-msg timestamp=3Don
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-latest.err b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-=
aarch64.aarch64-latest.err
deleted file mode 100644
index 3edb2b3451..0000000000
--- a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-latest.err
+++ /dev/null
@@ -1 +0,0 @@
-operation failed: Unable to find 'efi' firmware that is compatible with th=
e current configuration
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-latest.xml b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-=
aarch64.aarch64-latest.xml
index 908a8435f9..8c288d7d0c 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-latest.xml
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-latest.xml
@@ -8,8 +8,10 @@
     <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
     <firmware>
       <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+      <feature enabled=3D'yes' name=3D'secure-boot'/>
     </firmware>
-    <loader format=3D'raw'/>
+    <loader type=3D'rom' format=3D'raw'>/usr/share/edk2/aarch64/QEMU_EFI.q=
emuvars.fd</loader>
+    <varstore template=3D'/usr/share/edk2/aarch64/vars.secboot.json' path=
=3D'/var/lib/libvirt/qemu/varstore/guest.json'/>
     <boot dev=3D'hd'/>
   </os>
   <features>
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch=
64-latest.args b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.a=
arch64-latest.args
new file mode 100644
index 0000000000..abc934692a
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.args
@@ -0,0 +1,31 @@
+LC_ALL=3DC \
+PATH=3D/bin \
+HOME=3D/var/lib/libvirt/qemu/domain--1-guest \
+USER=3Dtest \
+LOGNAME=3Dtest \
+XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.local/share \
+XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.cache \
+XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.config \
+/usr/bin/qemu-system-aarch64 \
+-name guest=3Dguest,debug-threads=3Don \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va=
r/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
+-machine virt-8.2,usb=3Doff,gic-version=3D2,dump-guest-core=3Doff,memory-b=
ackend=3Dmach-virt.ram,acpi=3Don \
+-accel kvm \
+-bios /usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd \
+-m size=3D1048576k \
+-object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":1073=
741824}' \
+-overcommit mem-lock=3Doff \
+-smp 1,sockets=3D1,cores=3D1,threads=3D1 \
+-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \
+-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \
+-rtc base=3Dutc \
+-no-shutdown \
+-boot strict=3Don \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource=
control=3Ddeny \
+-msg timestamp=3Don
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch=
64-latest.err b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aa=
rch64-latest.err
deleted file mode 100644
index 3edb2b3451..0000000000
--- a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.err
+++ /dev/null
@@ -1 +0,0 @@
-operation failed: Unable to find 'efi' firmware that is compatible with th=
e current configuration
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch=
64-latest.xml b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aa=
rch64-latest.xml
index b0fa092509..8c288d7d0c 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.xml
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.xml
@@ -6,8 +6,12 @@
   <vcpu placement=3D'static'>1</vcpu>
   <os firmware=3D'efi'>
     <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
-    <loader format=3D'raw'/>
-    <varstore/>
+    <firmware>
+      <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+      <feature enabled=3D'yes' name=3D'secure-boot'/>
+    </firmware>
+    <loader type=3D'rom' format=3D'raw'>/usr/share/edk2/aarch64/QEMU_EFI.q=
emuvars.fd</loader>
+    <varstore template=3D'/usr/share/edk2/aarch64/vars.secboot.json' path=
=3D'/var/lib/libvirt/qemu/varstore/guest.json'/>
     <boot dev=3D'hd'/>
   </os>
   <features>
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-la=
test.args b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-lat=
est.args
new file mode 100644
index 0000000000..9a899c2a65
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.ar=
gs
@@ -0,0 +1,34 @@
+LC_ALL=3DC \
+PATH=3D/bin \
+HOME=3D/var/lib/libvirt/qemu/domain--1-guest \
+USER=3Dtest \
+LOGNAME=3Dtest \
+XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.local/share \
+XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.cache \
+XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=3Dguest,debug-threads=3Don \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va=
r/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
+-machine pc-q35-8.2,usb=3Doff,dump-guest-core=3Doff,memory-backend=3Dpc.ra=
m,acpi=3Don \
+-accel kvm \
+-cpu qemu64 \
+-bios /usr/share/edk2/ovmf/OVMF.qemuvars.fd \
+-m size=3D1048576k \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}=
' \
+-overcommit mem-lock=3Doff \
+-smp 1,sockets=3D1,cores=3D1,threads=3D1 \
+-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \
+-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \
+-rtc base=3Dutc \
+-no-shutdown \
+-boot strict=3Don \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-global ICH9-LPC.noreboot=3Doff \
+-watchdog-action reset \
+-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource=
control=3Ddeny \
+-msg timestamp=3Don
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-la=
test.err b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-late=
st.err
deleted file mode 100644
index 3edb2b3451..0000000000
--- a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.err
+++ /dev/null
@@ -1 +0,0 @@
-operation failed: Unable to find 'efi' firmware that is compatible with th=
e current configuration
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-la=
test.xml b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-late=
st.xml
index c4d70c9fc5..cfce35de3f 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.xml
@@ -6,8 +6,12 @@
   <vcpu placement=3D'static'>1</vcpu>
   <os firmware=3D'efi'>
     <type arch=3D'x86_64' machine=3D'pc-q35-8.2'>hvm</type>
-    <loader format=3D'raw'/>
-    <varstore/>
+    <firmware>
+      <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+      <feature enabled=3D'yes' name=3D'secure-boot'/>
+    </firmware>
+    <loader type=3D'rom' format=3D'raw'>/usr/share/edk2/ovmf/OVMF.qemuvars=
.fd</loader>
+    <varstore template=3D'/usr/share/edk2/ovmf/vars.secboot.json' path=3D'=
/var/lib/libvirt/qemu/varstore/guest.json'/>
     <boot dev=3D'hd'/>
   </os>
   <features>
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aar=
ch64-8.2.0.err b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64=
.aarch64-8.2.0.err
index 4fe79bdacf..e64c2b21aa 100644
--- a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-8.=
2.0.err
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-8.=
2.0.err
@@ -1 +1 @@
-unsupported configuration: ACPI requires UEFI on this architecture
+unsupported configuration: The uefi-vars device is not supported by this Q=
EMU binary
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aar=
ch64-latest.args b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch=
64.aarch64-latest.args
new file mode 100644
index 0000000000..abc934692a
--- /dev/null
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-la=
test.args
@@ -0,0 +1,31 @@
+LC_ALL=3DC \
+PATH=3D/bin \
+HOME=3D/var/lib/libvirt/qemu/domain--1-guest \
+USER=3Dtest \
+LOGNAME=3Dtest \
+XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.local/share \
+XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.cache \
+XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.config \
+/usr/bin/qemu-system-aarch64 \
+-name guest=3Dguest,debug-threads=3Don \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va=
r/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
+-machine virt-8.2,usb=3Doff,gic-version=3D2,dump-guest-core=3Doff,memory-b=
ackend=3Dmach-virt.ram,acpi=3Don \
+-accel kvm \
+-bios /usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd \
+-m size=3D1048576k \
+-object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":1073=
741824}' \
+-overcommit mem-lock=3Doff \
+-smp 1,sockets=3D1,cores=3D1,threads=3D1 \
+-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \
+-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \
+-rtc base=3Dutc \
+-no-shutdown \
+-boot strict=3Don \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource=
control=3Ddeny \
+-msg timestamp=3Don
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aar=
ch64-latest.err b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch6=
4.aarch64-latest.err
deleted file mode 100644
index 4fe79bdacf..0000000000
--- a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-la=
test.err
+++ /dev/null
@@ -1 +0,0 @@
-unsupported configuration: ACPI requires UEFI on this architecture
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-8.2.0.xml b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarc=
h64.aarch64-latest.xml
similarity index 76%
rename from tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.a=
arch64-8.2.0.xml
rename to tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch6=
4-latest.xml
index 5213a41b90..83faf68426 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-8.2.0.xml
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-la=
test.xml
@@ -8,13 +8,15 @@
     <type arch=3D'aarch64' machine=3D'virt-8.2'>hvm</type>
     <firmware>
       <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+      <feature enabled=3D'yes' name=3D'secure-boot'/>
     </firmware>
-    <loader format=3D'raw'/>
+    <loader type=3D'rom' format=3D'raw'>/usr/share/edk2/aarch64/QEMU_EFI.q=
emuvars.fd</loader>
+    <varstore template=3D'/usr/share/edk2/aarch64/vars.secboot.json' path=
=3D'/path/to/guest.json'/>
     <boot dev=3D'hd'/>
   </os>
   <features>
     <acpi/>
-    <gic version=3D'3'/>
+    <gic version=3D'2'/>
   </features>
   <clock offset=3D'utc'/>
   <on_poweroff>destroy</on_poweroff>
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-=
latest.xml b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-=
latest.xml
index 296c6e8f59..a7b54a3fac 100644
--- a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-latest.=
xml
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-latest.=
xml
@@ -4,10 +4,14 @@
   <memory unit=3D'KiB'>1048576</memory>
   <currentMemory unit=3D'KiB'>1048576</currentMemory>
   <vcpu placement=3D'static'>1</vcpu>
-  <os>
+  <os firmware=3D'efi'>
     <type arch=3D'x86_64' machine=3D'pc-q35-8.2'>hvm</type>
+    <firmware>
+      <feature enabled=3D'yes' name=3D'enrolled-keys'/>
+      <feature enabled=3D'yes' name=3D'secure-boot'/>
+    </firmware>
     <loader type=3D'rom' format=3D'raw'>/usr/share/edk2/ovmf/OVMF.qemuvars=
.fd</loader>
-    <varstore path=3D'/path/to/guest.json'/>
+    <varstore template=3D'/usr/share/edk2/ovmf/vars.secboot.json' path=3D'=
/path/to/guest.json'/>
     <boot dev=3D'hd'/>
   </os>
   <features>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 43e994fc93..187f90c9dc 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1620,7 +1620,7 @@ mymain(void)
=20
     DO_TEST_CAPS_LATEST("firmware-manual-efi-varstore-q35");
     DO_TEST_CAPS_VER_PARSE_ERROR("firmware-manual-efi-varstore-q35", "8.2.=
0");
-    DO_TEST_CAPS_ARCH_LATEST_PARSE_ERROR("firmware-manual-efi-varstore-aar=
ch64", "aarch64");
+    DO_TEST_CAPS_ARCH_LATEST("firmware-manual-efi-varstore-aarch64", "aarc=
h64");
     DO_TEST_CAPS_ARCH_VER_PARSE_ERROR("firmware-manual-efi-varstore-aarch6=
4", "aarch64", "8.2.0");
=20
     /* Make sure all combinations of ACPI and UEFI behave as expected */
@@ -1657,8 +1657,8 @@ mymain(void)
     DO_TEST_CAPS_LATEST("firmware-auto-efi-secboot");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-no-secboot");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-enrolled-keys");
-    DO_TEST_CAPS_ARCH_LATEST_FAILURE("firmware-auto-efi-enrolled-keys-aarc=
h64", "aarch64");
-    DO_TEST_CAPS_ARCH_VER_FAILURE("firmware-auto-efi-enrolled-keys-aarch64=
", "aarch64", "8.2.0");
+    DO_TEST_CAPS_ARCH_LATEST("firmware-auto-efi-enrolled-keys-aarch64", "a=
arch64");
+    DO_TEST_CAPS_ARCH_VER_PARSE_ERROR("firmware-auto-efi-enrolled-keys-aar=
ch64", "aarch64", "8.2.0");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-no-enrolled-keys");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-enrolled-keys-no-se=
cboot");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-smm-off");
@@ -1673,8 +1673,8 @@ mymain(void)
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-file");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-network-nbd");
     DO_TEST_CAPS_LATEST("firmware-auto-efi-nvram-network-iscsi");
-    DO_TEST_CAPS_LATEST_FAILURE("firmware-auto-efi-varstore-q35");
-    DO_TEST_CAPS_ARCH_LATEST_FAILURE("firmware-auto-efi-varstore-aarch64",=
 "aarch64");
+    DO_TEST_CAPS_LATEST("firmware-auto-efi-varstore-q35");
+    DO_TEST_CAPS_ARCH_LATEST("firmware-auto-efi-varstore-aarch64", "aarch6=
4");
=20
     DO_TEST_CAPS_LATEST("firmware-auto-efi-format-loader-qcow2");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-format-loader-qcow2=
-rom");
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873475; cv=none;
	d=zohomail.com; s=zohoarc;
	b=UGihwfNZlwhjdTzs6IaU4g/scZHYPTsxlOW04IPZ+WhHjSMRadYO+yD6edsFoexo/oQ6KtuxXZctegS94hVMERXGug4i6P9UW3RxVW29P8rxnUjQbFcQUOTzcpRObG0rVTlOXxOwaScA62dt0pKHWFRE1y9DmXsznxi94NI1dlQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873475;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=O44+SD5xtRzWtPbNOQUbC8aWHZDpqMN8+jozhPfXl9o=;
	b=IcZZf3kNHlkaf9RD1WplCPesu61g899ElI8O4uQSvXjT1dA033zcrfu0KQWJalpWQugEqy6NbQOVQ2GnVCTcyd3PzB2LQ/u5WjxvS+0sloF8b6aAPtOzPIJwDNkJIupavdnFX3j1ct79YhKcysNGgNfe2sK8K47PNCsi7ZRDK1o=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771873475142213.48785677866124;
 Mon, 23 Feb 2026 11:04:35 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 70AD141CC3; Mon, 23 Feb 2026 14:04:35 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id D31FD4449A;
	Mon, 23 Feb 2026 13:37:05 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id B11E041C74; Mon, 23 Feb 2026 13:36:49 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id AA2CE41C74
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:28 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-623-FiJd-SVZOVq2TSjqv_G6Iw-1; Mon,
 23 Feb 2026 13:32:26 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id A30671800267
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:25 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 857191955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:24 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871548;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=O44+SD5xtRzWtPbNOQUbC8aWHZDpqMN8+jozhPfXl9o=;
	b=UDZt9A02Yx6u++nNLVDB7QJwM2ls2g4Sv/s4XsT7kgm4iNJDhPxvIEMq2lVDnxwXbNt+3J
	qvBJPR9W20GzQqI7njT/TQmZmzV1RhxY5l5lKOCPvsNth1HvpkJhshpYDqGgg/qAE2n3SP
	EMXOu0IqIIaQDRJlt2i+tqRyrhVyA1o=
X-MC-Unique: FiJd-SVZOVq2TSjqv_G6Iw-1
X-Mimecast-MFC-AGG-ID: FiJd-SVZOVq2TSjqv_G6Iw_1771871545
To: devel@lists.libvirt.org
Subject: [PATCH v4 33/36] qemu_command: Use uefi-vars device where appropriate
Date: Mon, 23 Feb 2026 19:31:16 +0100
Message-ID: <20260223183119.501349-34-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: WpA940f6nHxfNqqlsUn90UEDk6EW-rltR2sQ2lbePE4_1771871545
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: NF4C7X2ER5IXRYGNPT5YARBD3CG2UIHK
X-Message-ID-Hash: NF4C7X2ER5IXRYGNPT5YARBD3CG2UIHK
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/NF4C7X2ER5IXRYGNPT5YARBD3CG2UIHK/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873490546158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

This makes guests actually functional.

https://issues.redhat.com/browse/RHEL-82645

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_command.c                       | 34 +++++++++++++++++++
 ...-enrolled-keys-aarch64.aarch64-latest.args |  1 +
 ...o-efi-varstore-aarch64.aarch64-latest.args |  1 +
 ...e-auto-efi-varstore-q35.x86_64-latest.args |  1 +
 ...l-efi-varstore-aarch64.aarch64-latest.args |  1 +
 ...manual-efi-varstore-q35.x86_64-latest.args |  1 +
 6 files changed, 39 insertions(+)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index a742998e4c..ba300f3551 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9815,6 +9815,37 @@ qemuBuildDomainLoaderCommandLine(virCommand *cmd,
 }
=20
=20
+static int
+qemuBuildUefiVarsCommandLine(virCommand *cmd,
+                             const virDomainDef *def,
+                             virQEMUCaps *qemuCaps)
+{
+    virDomainLoaderDef *loader =3D def->os.loader;
+    virDomainVarstoreDef *varstore =3D def->os.varstore;
+    g_autoptr(virJSONValue) props =3D NULL;
+    const char *model =3D NULL;
+
+    if (!loader || !varstore || !varstore->path)
+        return 0;
+
+    if (ARCH_IS_X86(def->os.arch))
+        model =3D "uefi-vars-x64";
+    else
+        model =3D "uefi-vars-sysbus";
+
+    if (virJSONValueObjectAdd(&props,
+                              "s:driver", model,
+                              "s:jsonfile", varstore->path,
+                              NULL) < 0)
+        return -1;
+
+    if (qemuBuildDeviceCommandlineFromJSON(cmd, props, def, qemuCaps) < 0)
+        return -1;
+
+    return 0;
+}
+
+
 static int
 qemuBuildTPMDevCmd(virCommand *cmd,
                    const virDomainDef *def,
@@ -10889,6 +10920,9 @@ qemuBuildCommandLine(virDomainObj *vm,
=20
     qemuBuildDomainLoaderCommandLine(cmd, def);
=20
+    if (qemuBuildUefiVarsCommandLine(cmd, def, qemuCaps) < 0)
+        return NULL;
+
     if (qemuBuildMemCommandLine(cmd, def, qemuCaps, priv) < 0)
         return NULL;
=20
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.=
aarch64-latest.args b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys=
-aarch64.aarch64-latest.args
index abc934692a..10f1a5a6a4 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-latest.args
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64=
-latest.args
@@ -13,6 +13,7 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.=
config \
 -machine virt-8.2,usb=3Doff,gic-version=3D2,dump-guest-core=3Doff,memory-b=
ackend=3Dmach-virt.ram,acpi=3Don \
 -accel kvm \
 -bios /usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd \
+-device '{"driver":"uefi-vars-sysbus","jsonfile":"/var/lib/libvirt/qemu/va=
rstore/guest.json"}' \
 -m size=3D1048576k \
 -object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":1073=
741824}' \
 -overcommit mem-lock=3Doff \
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch=
64-latest.args b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.a=
arch64-latest.args
index abc934692a..10f1a5a6a4 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.args
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-late=
st.args
@@ -13,6 +13,7 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.=
config \
 -machine virt-8.2,usb=3Doff,gic-version=3D2,dump-guest-core=3Doff,memory-b=
ackend=3Dmach-virt.ram,acpi=3Don \
 -accel kvm \
 -bios /usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd \
+-device '{"driver":"uefi-vars-sysbus","jsonfile":"/var/lib/libvirt/qemu/va=
rstore/guest.json"}' \
 -m size=3D1048576k \
 -object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":1073=
741824}' \
 -overcommit mem-lock=3Doff \
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-la=
test.args b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-lat=
est.args
index 9a899c2a65..392ea77c28 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.ar=
gs
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.x86_64-latest.ar=
gs
@@ -14,6 +14,7 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.=
config \
 -accel kvm \
 -cpu qemu64 \
 -bios /usr/share/edk2/ovmf/OVMF.qemuvars.fd \
+-device '{"driver":"uefi-vars-x64","jsonfile":"/var/lib/libvirt/qemu/varst=
ore/guest.json"}' \
 -m size=3D1048576k \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}=
' \
 -overcommit mem-lock=3Doff \
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aar=
ch64-latest.args b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch=
64.aarch64-latest.args
index abc934692a..894bab7ffe 100644
--- a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-la=
test.args
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-la=
test.args
@@ -13,6 +13,7 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.=
config \
 -machine virt-8.2,usb=3Doff,gic-version=3D2,dump-guest-core=3Doff,memory-b=
ackend=3Dmach-virt.ram,acpi=3Don \
 -accel kvm \
 -bios /usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd \
+-device '{"driver":"uefi-vars-sysbus","jsonfile":"/path/to/guest.json"}' \
 -m size=3D1048576k \
 -object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":1073=
741824}' \
 -overcommit mem-lock=3Doff \
diff --git a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-=
latest.args b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64=
-latest.args
index 9a899c2a65..6c04c8c39f 100644
--- a/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-latest.=
args
+++ b/tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-latest.=
args
@@ -14,6 +14,7 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-guest/.=
config \
 -accel kvm \
 -cpu qemu64 \
 -bios /usr/share/edk2/ovmf/OVMF.qemuvars.fd \
+-device '{"driver":"uefi-vars-x64","jsonfile":"/path/to/guest.json"}' \
 -m size=3D1048576k \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}=
' \
 -overcommit mem-lock=3Doff \
--=20
2.53.0
From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873418; cv=none;
	d=zohomail.com; s=zohoarc;
	b=MfvrNrno5EUZTVK8b67VJq/Z+UiKBCq7bbcbWTd1ohnpalwHj75Sm4iFjNFXQvIlrW5XZbR98eKNxIz/eE4SZdGHwSRqlwfnEQcbrdJDgZpw96H0Zg3pJ3P5OLNQTu+qxmjybwdxTOi8DcwYWwc5k92y7iEGlnrhshukddK5kKg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873418;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=V/zY/MsnGOlxdswLV3d6yHl3XORLv5cVCWXQpCIMXdg=;
	b=TNrfQah5Td3Y+1eQjbzAj2Vj7DO/t9P27ksA8fXsoZ/t2vEZhx1MyGpBiEy1EZSjmU/WFh9eDB4OuFZJt8XvZXPx9Ocd9X9eVKExZoXDiOTIAB98Os218gRVHbAnEyHfDzGy1vYOEHdzYcny/+EZ17v1vH/mkVJMz36dVLQ9oMo=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771873418507401.3736379939121;
 Mon, 23 Feb 2026 11:03:38 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id A669341B88; Mon, 23 Feb 2026 14:03:37 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 3C4F14440F;
	Mon, 23 Feb 2026 13:37:03 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 8ED52441D6; Mon, 23 Feb 2026 13:36:48 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 035E641C8C
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:29 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-693-cvu6APOxOt2yRAB3QEvDeg-1; Mon,
 23 Feb 2026 13:32:28 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 69E881800464
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:27 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 7772A1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:26 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871549;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=V/zY/MsnGOlxdswLV3d6yHl3XORLv5cVCWXQpCIMXdg=;
	b=JDRsSze4skRRYnlJ6omU9mjDeX4ND6BiFz+YTN9WFGGrg1MuPQXL2EzYg1a5/aXdke6bHS
	c4kMecg8vp60zswV3AL30JaUJvRobwRwKyw4saWuyn67hArRsuOBBX8bY4LDn1Geb+TJzj
	1IMjXLOOw+0vYuEZW1BLdnqqMFPApjo=
X-MC-Unique: cvu6APOxOt2yRAB3QEvDeg-1
X-Mimecast-MFC-AGG-ID: cvu6APOxOt2yRAB3QEvDeg_1771871547
To: devel@lists.libvirt.org
Subject: [PATCH v4 34/36] include: Mention varstore where applicable
Date: Mon, 23 Feb 2026 19:31:17 +0100
Message-ID: <20260223183119.501349-35-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: x8n6zIFaNCPnnT9vShatMvHWN5aDmu3urwm1qQ6IX4U_1771871547
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 2L56YVXRMSNMBMDDGWYX4RSCLWQCNKAN
X-Message-ID-Hash: 2L56YVXRMSNMBMDDGWYX4RSCLWQCNKAN
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/2L56YVXRMSNMBMDDGWYX4RSCLWQCNKAN/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873419396158500

We are not introducing additional API flags for varstore
handling since that would require unnecessary churn in all
libvirt-based apps, and the intent is the same: recreate
the UEFI variable storage, be it NVRAM or varstore, from its
template.

In order to clarify that the existing flags affect varstore
too, update their documentation.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 include/libvirt/libvirt-domain-snapshot.h | 2 +-
 include/libvirt/libvirt-domain.h          | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/libvirt/libvirt-domain-snapshot.h b/include/libvirt/li=
bvirt-domain-snapshot.h
index a11cd3f823..e14b661e37 100644
--- a/include/libvirt/libvirt-domain-snapshot.h
+++ b/include/libvirt/libvirt-domain-snapshot.h
@@ -217,7 +217,7 @@ typedef enum {
     VIR_DOMAIN_SNAPSHOT_REVERT_RUNNING =3D 1 << 0, /* Run after revert (Si=
nce: 0.9.5) */
     VIR_DOMAIN_SNAPSHOT_REVERT_PAUSED  =3D 1 << 1, /* Pause after revert (=
Since: 0.9.5) */
     VIR_DOMAIN_SNAPSHOT_REVERT_FORCE   =3D 1 << 2, /* Allow risky reverts =
(Since: 0.9.7) */
-    VIR_DOMAIN_SNAPSHOT_REVERT_RESET_NVRAM =3D 1 << 3, /* Re-initialize NV=
RAM from template (Since: 8.1.0) */
+    VIR_DOMAIN_SNAPSHOT_REVERT_RESET_NVRAM =3D 1 << 3, /* Re-initialize NV=
RAM/varstore from template (Since: 8.1.0) */
 } virDomainSnapshotRevertFlags;
=20
 /* Revert the domain to a point-in-time snapshot.  The
diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom=
ain.h
index 56c21dcf25..d82406fe05 100644
--- a/include/libvirt/libvirt-domain.h
+++ b/include/libvirt/libvirt-domain.h
@@ -371,7 +371,7 @@ typedef enum {
     VIR_DOMAIN_START_BYPASS_CACHE =3D 1 << 2, /* Avoid file system cache p=
ollution (Since: 0.9.4) */
     VIR_DOMAIN_START_FORCE_BOOT   =3D 1 << 3, /* Boot, discarding any mana=
ged save (Since: 0.9.5) */
     VIR_DOMAIN_START_VALIDATE     =3D 1 << 4, /* Validate the XML document=
 against schema (Since: 1.2.12) */
-    VIR_DOMAIN_START_RESET_NVRAM  =3D 1 << 5, /* Re-initialize NVRAM from =
template (Since: 8.1.0) */
+    VIR_DOMAIN_START_RESET_NVRAM  =3D 1 << 5, /* Re-initialize NVRAM/varst=
ore from template (Since: 8.1.0) */
 } virDomainCreateFlags;
=20
=20
@@ -1652,7 +1652,7 @@ typedef enum {
     VIR_DOMAIN_SAVE_BYPASS_CACHE =3D 1 << 0, /* Avoid file system cache po=
llution (Since: 0.9.4) */
     VIR_DOMAIN_SAVE_RUNNING      =3D 1 << 1, /* Favor running over paused =
(Since: 0.9.5) */
     VIR_DOMAIN_SAVE_PAUSED       =3D 1 << 2, /* Favor paused over running =
(Since: 0.9.5) */
-    VIR_DOMAIN_SAVE_RESET_NVRAM  =3D 1 << 3, /* Re-initialize NVRAM from t=
emplate (Since: 8.1.0) */
+    VIR_DOMAIN_SAVE_RESET_NVRAM  =3D 1 << 3, /* Re-initialize NVRAM/varsto=
re from template (Since: 8.1.0) */
 } virDomainSaveRestoreFlags;
=20
 int                     virDomainSave           (virDomainPtr domain,
--=20
2.53.0

From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873379; cv=none;
	d=zohomail.com; s=zohoarc;
	b=U802HhvUZ0CkGWGoesR4dbf0jviCLFyOMXN7I4bybrv2r/RrkFz+mq4eWq3b6uKn1jA5o0GwgkRErsSQDNUP/V8Jg24aLmF1nvKTn60RPkZG3EhnZZe4meYvnufDhgot8tfmJ6UkGRnAC5zzgU5lwlZzaM6ac8QUV3gLR7zH8+4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873379;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=fsgCBp9J69BBzTat90ZPWTXk1UHOss3VRS8CzSC4FZw=;
	b=hDpBuGNgKVKVBR1HKZCuJCidYYIdwCfo9/6Zk6zyGGQknJ14GgLRoLkkgDYpOqZlXSBsjFlafO8cpORRvD3X8ARfZpL5RfpnVs1f+maI73lRM/HEUU6pMlCPjXgY5hOHkaRO7tRE9THkMOj897WTs6gydXYn72HruiY/XqAmli8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1771873379315386.4615561154003;
 Mon, 23 Feb 2026 11:02:59 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 567CA418F3; Mon, 23 Feb 2026 14:02:58 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 54EBC41B74;
	Mon, 23 Feb 2026 13:37:02 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 365DD41C86; Mon, 23 Feb 2026 13:36:48 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id A8E0441B28
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:31 -0500 (EST)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-68-OaB1rj6wNI6uSwFFccdIDw-1; Mon,
 23 Feb 2026 13:32:29 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 2B72F180034A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:29 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 1F58C1955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:27 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871551;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=fsgCBp9J69BBzTat90ZPWTXk1UHOss3VRS8CzSC4FZw=;
	b=Eu1cYlyc/nKwrUTJBMvZ/cbVsVJsmO/22BjKOyQjH8oD/D7qbc3R7MHqEmyCvATxcXx1He
	vriGBytVjmuXiV7TT6cw12y5QZ6zg996/oZInaiO2Pu62qDoW3CIwNmL6N+yIbtEDqnV6F
	IyT71eFkWUflZTmlOp52/ENLqYtvDQM=
X-MC-Unique: OaB1rj6wNI6uSwFFccdIDw-1
X-Mimecast-MFC-AGG-ID: OaB1rj6wNI6uSwFFccdIDw_1771871549
To: devel@lists.libvirt.org
Subject: [PATCH v4 35/36] virsh: Update for varstore handling
Date: Mon, 23 Feb 2026 19:31:18 +0100
Message-ID: <20260223183119.501349-36-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: N_YcQeNkxVa9WYwVsBYwnRYuBj22DM6fxwu-dPeaqvs_1771871549
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 77R4IOQE4SZVDJHVHML6VUYF42H2QTUU
X-Message-ID-Hash: 77R4IOQE4SZVDJHVHML6VUYF42H2QTUU
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/77R4IOQE4SZVDJHVHML6VUYF42H2QTUU/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873381178158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

Document the fact that the existing flags which apply to
NVRAM files also do the right thing when varstore files are
used instead.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 docs/manpages/virsh.rst | 23 ++++++++++++-----------
 tools/virsh-domain.c    | 10 +++++-----
 tools/virsh-snapshot.c  |  2 +-
 3 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index ff0cf1a715..b3e9289894 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -1722,8 +1722,8 @@ of open file descriptors which should be pass on into=
 the guest. The
 file descriptors will be re-numbered in the guest, starting from 3. This
 is only supported with container based virtualization.
=20
-If *--reset-nvram* is specified, any existing NVRAM file will be deleted
-and re-initialized from its pristine template.
+If *--reset-nvram* is specified, any existing NVRAM/varstore file will be
+deleted and re-initialized from its pristine template.
=20
 **Example:**
=20
@@ -4281,8 +4281,8 @@ save image to decide between running or paused; passi=
ng either the
 *--running* or *--paused* flag will allow overriding which state the
 domain should be started in.
=20
-If *--reset-nvram* is specified, any existing NVRAM file will be deleted
-and re-initialized from its pristine template.
+If *--reset-nvram* is specified, any existing NVRAM/varstore file will be
+deleted and re-initialized from its pristine template.
=20
 *--parallel-channels* option can specify number of parallel IO channels
 to be used when loading memory from file. Parallel save may significantly
@@ -4925,8 +4925,8 @@ of open file descriptors which should be pass on into=
 the guest. The
 file descriptors will be re-numbered in the guest, starting from 3. This
 is only supported with container based virtualization.
=20
-If *--reset-nvram* is specified, any existing NVRAM file will be deleted
-and re-initialized from its pristine template.
+If *--reset-nvram* is specified, any existing NVRAM/varstore file will be
+deleted and re-initialized from its pristine template.
=20
=20
 suspend
@@ -4988,9 +4988,10 @@ domain.  Without the flag, attempts to undefine an i=
nactive domain with
 checkpoint metadata will fail.  If the domain is active, this flag is
 ignored.
=20
-*--nvram* and *--keep-nvram* specify accordingly to delete or keep nvram
-(/domain/os/nvram/) file. If the domain has an nvram file and the flags are
-omitted, the undefine will fail.
+The *--nvram* and *--keep-nvram* flags specify whether to delete or keep t=
he
+NVRAM (/domain/os/nvram/) or varstore (/domain/os/varstore) file respectiv=
ely.
+If the domain has an NVRAM/varstore file and the flags are omitted, the
+undefine operation will fail.
=20
 The *--storage* flag takes a parameter ``volumes``, which is a comma separ=
ated
 list of volume target names or source paths of storage volumes to be remov=
ed
@@ -8174,8 +8175,8 @@ requires the use of *--force* to proceed:
     likely cause extensive filesystem corruption or crashes due to swap co=
ntent
     mismatches when run.
=20
-If *--reset-nvram* is specified, any existing NVRAM file will be deleted
-and re-initialized from its pristine template.
+If *--reset-nvram* is specified, any existing NVRAM/varstore file will be
+deleted and re-initialized from its pristine template.
=20
=20
 snapshot-delete
diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
index a7f6a97dd7..5a2ae75379 100644
--- a/tools/virsh-domain.c
+++ b/tools/virsh-domain.c
@@ -3981,11 +3981,11 @@ static const vshCmdOptDef opts_undefine[] =3D {
     },
     {.name =3D "nvram",
      .type =3D VSH_OT_BOOL,
-     .help =3D N_("remove nvram file")
+     .help =3D N_("remove NVRAM/varstore file")
     },
     {.name =3D "keep-nvram",
      .type =3D VSH_OT_BOOL,
-     .help =3D N_("keep nvram file")
+     .help =3D N_("keep NVRAM/varstore file")
     },
     {.name =3D "tpm",
      .type =3D VSH_OT_BOOL,
@@ -4401,7 +4401,7 @@ static const vshCmdOptDef opts_start[] =3D {
     },
     {.name =3D "reset-nvram",
      .type =3D VSH_OT_BOOL,
-     .help =3D N_("re-initialize NVRAM from its pristine template")
+     .help =3D N_("re-initialize NVRAM/varstore from its pristine template=
")
     },
     {.name =3D NULL}
 };
@@ -5728,7 +5728,7 @@ static const vshCmdOptDef opts_restore[] =3D {
     },
     {.name =3D "reset-nvram",
      .type =3D VSH_OT_BOOL,
-     .help =3D N_("re-initialize NVRAM from its pristine template")
+     .help =3D N_("re-initialize NVRAM/varstore from its pristine template=
")
     },
     {.name =3D NULL}
 };
@@ -8520,7 +8520,7 @@ static const vshCmdOptDef opts_create[] =3D {
     },
     {.name =3D "reset-nvram",
      .type =3D VSH_OT_BOOL,
-     .help =3D N_("re-initialize NVRAM from its pristine template")
+     .help =3D N_("re-initialize NVRAM/varstore from its pristine template=
")
     },
     {.name =3D NULL}
 };
diff --git a/tools/virsh-snapshot.c b/tools/virsh-snapshot.c
index 8e5b9d635c..08184576a7 100644
--- a/tools/virsh-snapshot.c
+++ b/tools/virsh-snapshot.c
@@ -1714,7 +1714,7 @@ static const vshCmdOptDef opts_snapshot_revert[] =3D {
     },
     {.name =3D "reset-nvram",
      .type =3D VSH_OT_BOOL,
-     .help =3D N_("re-initialize NVRAM from its pristine template")
+     .help =3D N_("re-initialize NVRAM/varstore from its pristine template=
")
     },
     {.name =3D NULL}
 };
--=20
2.53.0
From nobody Tue Mar  3 03:06:30 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1771873513; cv=none;
	d=zohomail.com; s=zohoarc;
	b=PqSswN3N0uUIa0/1R9ItTu8CJM8QWUgwxlQlr5qS7pmOuYlNu1XEv3Smgl5L8Jfk9F8JuQT9LaRzYXbq73miysU+1xM7AUO9kSdsYgplTDtj+ncGniUXdAl6Dbjkqy0rPdiWPpnHzcRepvv/4oo1+IssSmV/tuTE4CdXLuL4jUo=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1771873513;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc;
	bh=OHK5AEn9pqP+bjNqxLBJbxlEXh4gGArn/2oSAsHgDLg=;
	b=NX5C4QT2kdLBHJnhJYvW0346MAevX7tGyGbIEoDJTcxT1QbIgsUe/28ZRqPVAO5bQzZ/iMrmEWwIeNoml2Lky1Tq3o57Pibo0bTUHznvErH7bVmhDmZ9JRlxHc54kFQSpJYiOkWzla0RhhtKSnjK7hSuiYGgx1ZP4tYIEjRdG/k=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 177187351331415.246969440129305;
 Mon, 23 Feb 2026 11:05:13 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 4E59441CCC; Mon, 23 Feb 2026 14:05:12 -0500 (EST)
Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id B28E2444E9;
	Mon, 23 Feb 2026 13:37:07 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 0034441C80; Mon, 23 Feb 2026 13:36:49 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 7177D41B6A
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 13:32:33 -0500 (EST)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-441-xn7IKb1BMmyhIT0bPc3iSw-1; Mon,
 23 Feb 2026 13:32:31 -0500
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 052441800630
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:31 +0000 (UTC)
Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id D3D341955D71
	for <devel@lists.libvirt.org>; Mon, 23 Feb 2026 18:32:29 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1771871553;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=OHK5AEn9pqP+bjNqxLBJbxlEXh4gGArn/2oSAsHgDLg=;
	b=URR3Xk7m8j+hfkzvdgy7InMswQ//rMOPR4qS+PXy1Wg1VSs4s4en1rsRmFcQPPqpvCMFQi
	oO9wUiBOljMdjMCEp472URpK4QyWFjeShBRupBWR9GpSqJC05031K1Cy3yuARsCbc5c4Su
	Gcr1cLGY6n9BwZmlP1MtqS3U5vAsaSc=
X-MC-Unique: xn7IKb1BMmyhIT0bPc3iSw-1
X-Mimecast-MFC-AGG-ID: xn7IKb1BMmyhIT0bPc3iSw_1771871551
To: devel@lists.libvirt.org
Subject: [PATCH v4 36/36] news: Document support for uefi-vars device and
 firmwares
Date: Mon, 23 Feb 2026 19:31:19 +0100
Message-ID: <20260223183119.501349-37-abologna@redhat.com>
In-Reply-To: <20260223183119.501349-1-abologna@redhat.com>
References: <20260223183119.501349-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: VuJy2sEn1EonGRWA-jX9RmGu0-ivWYnJ9VK6KkASzdE_1771871551
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: IQEXKMECTYK2RAJHERIRRXL3I4ZOAIGW
X-Message-ID-Hash: IQEXKMECTYK2RAJHERIRRXL3I4ZOAIGW
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/IQEXKMECTYK2RAJHERIRRXL3I4ZOAIGW/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Andrea Bolognani via Devel <devel@lists.libvirt.org>
Reply-To: Andrea Bolognani <abologna@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1771873513937158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 NEWS.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index 7a80116de3..71f1f21472 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -24,6 +24,23 @@ v12.1.0 (unreleased)
     example Secure Boot support, is available for the selected architectur=
e and
     machine type.
=20
+  * qemu: Add support for uefi-vars device and firmware builds using it
+
+    This is particularly noteworthy for people running aarch64 VMs with the
+    'virt' machine type, as it makes it finally possible to use Secure Boot
+    with that combination.
+
+    In most cases, no special steps are needed to take advantage of this:
+    assuming that you have installed a recent version of QEMU, as well as a
+    build of edk2 that includes the necessary binaries, you can just `enab=
le
+    Secure Boot <kbase/secureboot.html>`__ as you normally would.
+
+    To explicitly request that the uefi-vars device is used even for scena=
rios
+    where that would normally not be the case, it's enough to add an empty
+    ``<varstore/>`` element in the domain XML. More details are available =
in
+    the `guest firmware configuration <formatdomain.html#guest-firmware>`__
+    section of the documentation.
+
 * **Improvements**
=20
 * **Bug fixes**
--=20
2.53.0