From nobody Tue Mar 3 04:53:02 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=reject dis=none) header.from=lists.libvirt.org ARC-Seal: i=1; a=rsa-sha256; t=1771872071; cv=none; d=zohomail.com; s=zohoarc; b=Wn21ym+HG+iNMaMgy/rje5duGZgtxWFV3Ccad/+98vBWmG4JUbjfQpNNMn/AXLGz9qpc8r9dKhRjFBPnSQSs+/miNtqtRz+uFed2N9R3ebBWq7uX71pP+j20TXje5cskZozZk5ITLubc3fVGaeWhMt750MXF5I6VLorh0xp4+/Q= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1771872071; h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc; bh=68uRN2TGu4stNLup+dSLgULnAdD7X/w0Gx4Ip0qCeLk=; b=GytwIeIZsu70yTuJvaKQKru4VgBG2hhvpUlIA7QvxDivZV7R+WspqHxZOYLec8kn3x7AJBh/xhUpKdYU9TNNBJAlbAsUcqYL9vsA1fnIBO14R1ajI+rkXhqk8DjIMFmuUNf/ZfZIsJnf5QbBwEO7qoVbsJsPbxxuNlMC8imXCOo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1771872071416802.5524051570453; Mon, 23 Feb 2026 10:41:11 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 993) id 8494141BC1; Mon, 23 Feb 2026 13:41:10 -0500 (EST) Received: from [172.19.199.9] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id B78FA41D29; Mon, 23 Feb 2026 13:34:24 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 993) id 87626419DD; Mon, 23 Feb 2026 13:34:14 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 09BF8419CA for ; Mon, 23 Feb 2026 13:31:42 -0500 (EST) Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-624-GPGgBRRpOOaoLBBr3UqtiQ-1; Mon, 23 Feb 2026 13:31:40 -0500 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 4CBA019560A5 for ; Mon, 23 Feb 2026 18:31:39 +0000 (UTC) Received: from kinshicho.usersys.redhat.com (unknown [10.44.32.20]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A052F1955D71 for ; Mon, 23 Feb 2026 18:31:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1771871501; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=68uRN2TGu4stNLup+dSLgULnAdD7X/w0Gx4Ip0qCeLk=; b=DMKj+YBUhm8gA3oiWK31hvE+D5D4khAre6lN6Rqki0XRH19Bxs+JGkhuPrfLD2QvWILM+l Ocps/yLs/zHbEDzXCqaxbq6oxoq3no0ss7e/dgM/9NtdWf4p6qJJn3Fub3B2k4MsA7uplE HyB74Rs+LLsuO0hkHO5JKsOsYs3+yoQ= X-MC-Unique: GPGgBRRpOOaoLBBr3UqtiQ-1 X-Mimecast-MFC-AGG-ID: GPGgBRRpOOaoLBBr3UqtiQ_1771871499 To: devel@lists.libvirt.org Subject: [PATCH v4 07/36] conf: Parse and format varstore element Date: Mon, 23 Feb 2026 19:30:50 +0100 Message-ID: <20260223183119.501349-8-abologna@redhat.com> In-Reply-To: <20260223183119.501349-1-abologna@redhat.com> References: <20260223183119.501349-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: T9-kEIvHb8PlNiV4eoRWhz58O9BYaFWu018gtI_6Qpc_1771871499 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: 2VWXEJTGP3J3GXIZWBYER7EDR74JJWXN X-Message-ID-Hash: 2VWXEJTGP3J3GXIZWBYER7EDR74JJWXN X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Andrea Bolognani via Devel Reply-To: Andrea Bolognani X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1771872072036158500 Content-Type: text/plain; charset="utf-8"; x-default="true" This will be used to configure the backing storage used by the uefi-vars QEMU device. Dealing with the element itself is trivial, however we have to refactor the existing code which deals with the loader and nvram elements slightly: in particular, we can no longer perform an early exit if those elements are absent. Signed-off-by: Andrea Bolognani Reviewed-by: Daniel P. Berrang=C3=A9 --- docs/formatdomain.rst | 23 +++++++-- docs/kbase/secureboot.rst | 46 +++++++++++------- src/conf/domain_conf.c | 79 ++++++++++++++++++++++++++++--- src/conf/domain_conf.h | 9 ++++ src/conf/schemas/domaincommon.rng | 22 ++++++++- src/conf/virconftypes.h | 2 + src/libvirt_private.syms | 2 + 7 files changed, 156 insertions(+), 27 deletions(-) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index db664857af..7871613017 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -196,9 +196,9 @@ harddisk, cdrom, network) determining where to obtain/f= ind the boot image. =20 ``firmware`` The ``firmware`` attribute allows management applications to automatica= lly - fill ```` and ```` elements and possibly enable some - features required by selected firmware. Accepted values are ``bios`` and - ``efi``. + fill ```` and ```` or ```` elements and pos= sibly + enable some features required by selected firmware. Accepted values are + ``bios`` and ``efi``. The selection process scans for files describing installed firmware ima= ges in specified location and uses the most specific one which fulfills domain requirements. The locations in order of preference (from generic to most @@ -311,6 +311,23 @@ harddisk, cdrom, network) determining where to obtain/= find the boot image. It is not valid to provide this element if the loader is marked as stateless. =20 +``varstore`` + This works much the same way as the ```` element described abov= e, + except that variable storage is handled by the ``uefi-vars`` QEMU device + instead of being backed by a pflash device. :since:`Since 12.1.0 (QEMU = only)` + + The ``path`` attribute contains the path of the domain-specific file wh= ere + variables are stored, while the ``template`` attribute points to a temp= late + that the domain-specific file can be (re)generated from. Assuming that = the + necessary JSON firmware descriptor files are present, both attributes w= ill + be filled in automatically by libvirt. + + Using ```` instead of ```` is particularly useful on + non-x86 architectures such as aarch64, where it represent the only way = to + get Secure Boot working. It can be used on x86 too, and doing so will m= ake + it possible to keep UEFI authenticated variables safe from tampering wi= thout + requiring the use of SMM emulation. + ``boot`` The ``dev`` attribute takes one of the values "fd", "hd", "cdrom" or "network" and is used to specify the next boot device to consider. The diff --git a/docs/kbase/secureboot.rst b/docs/kbase/secureboot.rst index 6c22b08d22..b411b65f00 100644 --- a/docs/kbase/secureboot.rst +++ b/docs/kbase/secureboot.rst @@ -74,8 +74,8 @@ Changing an existing VM =20 When a VM is defined, libvirt will pick the firmware that best satisfies the provided criteria and record this information for use -on subsequent boots. The resulting XML configuration will look like -this: +on subsequent boots. The resulting XML configuration will look either +like this: =20 :: =20 @@ -88,14 +88,28 @@ this: /var/lib= /libvirt/qemu/nvram/vm_VARS.fd =20 +or like this: + +:: + + + + + + + /usr/share/edk2/aarch64/QEMU_EFI.q= emuvars.fd + + + In order to force libvirt to repeat the firmware autoselection -process, it's necessary to remove the ```` and ```` -elements. Failure to do so will likely result in an error. +process, it's necessary to remove the ```` as well as the +```` or ```` elements, depending on what's +applicable. Failure to do so will likely result in an error. =20 Note that updating the XML configuration as described above is -**not** enough to change the Secure Boot status: the NVRAM file -associated with the VM has to be regenerated from its template as -well. +**not** enough to change the Secure Boot status: the NVRAM/varstore +file associated with the VM has to be regenerated from its template +as well. =20 In order to do that, update the XML and then start the VM with =20 @@ -107,9 +121,9 @@ This option is only available starting with libvirt 8.1= .0, so if your version of libvirt is older than that you will have to delete the NVRAM file manually before starting the VM. =20 -Most guest operating systems will be able to cope with the NVRAM file -being reinitialized, but in some cases the VM will be unable to boot -after the change. +Most guest operating systems will be able to cope with the +NVRAM/varstore file being reinitialized, but in some cases the VM +will be unable to boot after the change. =20 =20 Additional information @@ -126,15 +140,15 @@ can be used to validate the operating system signatur= e need to be provided as well. =20 Asking for the ``enrolled-keys`` firmware feature to be enabled will -cause libvirt to initialize the NVRAM file associated with the VM -from a template that contains a suitable set of keys. These keys -being present will cause the firmware to enforce the Secure Boot +cause libvirt to initialize the NVRAM/varstore file associated with +the VM from a template that contains a suitable set of keys. These +keys being present will cause the firmware to enforce the Secure Boot signing requirements. =20 The opposite configuration, where the feature is explicitly disabled, -will result in no keys being present in the NVRAM file. Unable to -verify signatures, the firmware will allow even unsigned operating -systems to run. +will result in no keys being present in the NVRAM/varstore file. +Unable to verify signatures, the firmware will allow even unsigned +operating systems to run. =20 If running unsigned code is desired, it's also possible to ask for the ``secure-boot`` feature to be disabled, which will cause libvirt diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 453e301041..1384e9f3ab 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -3960,6 +3960,27 @@ virDomainLoaderDefFree(virDomainLoaderDef *loader) g_free(loader); } =20 +virDomainVarstoreDef * +virDomainVarstoreDefNew(void) +{ + virDomainVarstoreDef *def =3D NULL; + + def =3D g_new0(virDomainVarstoreDef, 1); + + return def; +} + +void +virDomainVarstoreDefFree(virDomainVarstoreDef *varstore) +{ + if (!varstore) + return; + + g_free(varstore->path); + g_free(varstore->template); + g_free(varstore); +} + =20 static void virDomainResctrlMonDefFree(virDomainResctrlMonDef *domresmon) @@ -4062,6 +4083,7 @@ virDomainOSDefClear(virDomainOSDef *os) virDomainOSACPITableDefFree(os->acpiTables[i]); g_free(os->acpiTables); virDomainLoaderDefFree(os->loader); + virDomainVarstoreDefFree(os->varstore); g_free(os->bootloader); g_free(os->bootloaderArgs); } @@ -18088,6 +18110,17 @@ virDomainLoaderDefParseXMLLoader(virDomainLoaderDe= f *loader, } =20 =20 +static int +virDomainVarstoreDefParseXML(virDomainVarstoreDef *varstore, + xmlNodePtr varstoreNode) +{ + varstore->path =3D virXMLPropString(varstoreNode, "path"); + varstore->template =3D virXMLPropString(varstoreNode, "template"); + + return 0; +} + + static int virDomainLoaderDefParseXML(virDomainLoaderDef *loader, xmlNodePtr loaderNode, @@ -18535,16 +18568,29 @@ virDomainDefParseBootLoaderOptions(virDomainDef *= def, xmlNodePtr loaderNode =3D virXPathNode("./os/loader[1]", ctxt); xmlNodePtr nvramNode =3D virXPathNode("./os/nvram[1]", ctxt); xmlNodePtr nvramSourceNode =3D virXPathNode("./os/nvram/source[1]", ct= xt); + xmlNodePtr varstoreNode =3D virXPathNode("./os/varstore[1]", ctxt); =20 - if (!loaderNode && !nvramNode) - return 0; + if (nvramNode && varstoreNode) { + virReportError(VIR_ERR_XML_ERROR, "%s", + _("Cannot have both and ")); + return -1; + } =20 - def->os.loader =3D virDomainLoaderDefNew(); + if (loaderNode || nvramNode) { + def->os.loader =3D virDomainLoaderDefNew(); =20 - if (virDomainLoaderDefParseXML(def->os.loader, - loaderNode, nvramNode, nvramSourceNode, - ctxt, xmlopt, flags) < 0) - return -1; + if (virDomainLoaderDefParseXML(def->os.loader, + loaderNode, nvramNode, nvramSourceN= ode, + ctxt, xmlopt, flags) < 0) + return -1; + } + + if (varstoreNode) { + def->os.varstore =3D virDomainVarstoreDefNew(); + + if (virDomainVarstoreDefParseXML(def->os.varstore, varstoreNode) <= 0) + return -1; + } =20 return 0; } @@ -28248,6 +28294,20 @@ virDomainLoaderDefFormat(virBuffer *buf, return 0; } =20 +static int +virDomainVarstoreDefFormat(virBuffer *buf, + virDomainVarstoreDef *varstore) +{ + g_auto(virBuffer) attrBuf =3D VIR_BUFFER_INITIALIZER; + + virBufferEscapeString(&attrBuf, " template=3D'%s'", varstore->template= ); + virBufferEscapeString(&attrBuf, " path=3D'%s'", varstore->path); + + virXMLFormatElementEmpty(buf, "varstore", &attrBuf, NULL); + + return 0; +} + static void virDomainKeyWrapDefFormat(virBuffer *buf, virDomainKeyWrapDef *keywrap) { @@ -29720,6 +29780,11 @@ virDomainDefFormatInternalSetRootName(virDomainDef= *def, if (def->os.loader && virDomainLoaderDefFormat(buf, def->os.loader, xmlopt, flags) < 0) return -1; + + if (def->os.varstore && + virDomainVarstoreDefFormat(buf, def->os.varstore) < 0) + return -1; + virBufferEscapeString(buf, "%s\n", def->os.kernel); virBufferEscapeString(buf, "%s\n", diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index a13f6d79e9..e63230beec 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2423,6 +2423,14 @@ struct _virDomainLoaderDef { virDomainLoaderDef *virDomainLoaderDefNew(void); void virDomainLoaderDefFree(virDomainLoaderDef *loader); =20 +struct _virDomainVarstoreDef { + char *path; + char *template; +}; + +virDomainVarstoreDef *virDomainVarstoreDefNew(void); +void virDomainVarstoreDefFree(virDomainVarstoreDef *varstore); + typedef enum { VIR_DOMAIN_IOAPIC_NONE =3D 0, VIR_DOMAIN_IOAPIC_QEMU, @@ -2576,6 +2584,7 @@ struct _virDomainOSDef { size_t nacpiTables; virDomainOSACPITableDef **acpiTables; virDomainLoaderDef *loader; + virDomainVarstoreDef *varstore; char *bootloader; char *bootloaderArgs; int smbios_mode; diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincom= mon.rng index e09f6e80f3..376218118d 100644 --- a/src/conf/schemas/domaincommon.rng +++ b/src/conf/schemas/domaincommon.rng @@ -349,7 +349,10 @@ - + + + + @@ -456,6 +459,23 @@ =20 + + + + + + + + + + + + + + + + + diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h index 6e2573035a..0596791a4d 100644 --- a/src/conf/virconftypes.h +++ b/src/conf/virconftypes.h @@ -164,6 +164,8 @@ typedef struct _virDomainLeaseDef virDomainLeaseDef; =20 typedef struct _virDomainLoaderDef virDomainLoaderDef; =20 +typedef struct _virDomainVarstoreDef virDomainVarstoreDef; + typedef struct _virDomainMemballoonDef virDomainMemballoonDef; =20 typedef struct _virDomainMemoryDef virDomainMemoryDef; diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index b200037189..19edf7eb12 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -719,6 +719,8 @@ virDomainTPMProfileRemoveDisabledTypeToString; virDomainTPMVersionTypeFromString; virDomainTPMVersionTypeToString; virDomainUSBDeviceDefForeach; +virDomainVarstoreDefFree; +virDomainVarstoreDefNew; virDomainVideoDefaultRAM; virDomainVideoDefClear; virDomainVideoDefFree; --=20 2.53.0