From nobody Wed Mar 12 17:16:32 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1741250234480892.337773657492; Thu, 6 Mar 2025 00:37:14 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 5A27D17CE; Thu, 6 Mar 2025 03:37:13 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 4B5C917B9; Thu, 6 Mar 2025 03:36:29 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id DA72711D5; Thu, 6 Mar 2025 03:36:25 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 50F5B11D4 for ; Thu, 6 Mar 2025 03:36:25 -0500 (EST) Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-378-iippP3tRPp-ql9kKz4wOxg-1; Thu, 06 Mar 2025 03:36:23 -0500 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id AFCAF1801A00 for ; Thu, 6 Mar 2025 08:36:22 +0000 (UTC) Received: from moe.brq.redhat.com (unknown [10.43.3.236]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0B99D180AF7B for ; Thu, 6 Mar 2025 08:36:21 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741250185; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=csXaV4KCmQDGWd4B1GgKi9/HkDCSYvt2kyjIEFdSfJI=; b=VhEU1dcsVnUpUYIidSqnorDGIctozTWjbCN30WuD0J2Lsk80lTeaJmZmDAfWetiH+kayzF +TBYByk1HlPojvev6RfQ6wK0sD+KtWsW+0B/CphN5mfNMmAiuMXqkls/+dPYC82KJWExb9 NZGJC+1gRXkQqQn6nZRWS3z/4xbIcmg= X-MC-Unique: iippP3tRPp-ql9kKz4wOxg-1 X-Mimecast-MFC-AGG-ID: iippP3tRPp-ql9kKz4wOxg_1741250182 From: Michal Privoznik To: devel@lists.libvirt.org Subject: [PATCH 1/5] conf: Introduce os/shim element Date: Thu, 6 Mar 2025 09:36:14 +0100 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: 3mdcAkY2JpLPZmTxqRmf3thSI_bzvJ7EKwbL8YPc7-U_1741250182 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: NHNBVDXBXBQSV5ZKRGTVGH7BEPXG2MGZ X-Message-ID-Hash: NHNBVDXBXBQSV5ZKRGTVGH7BEPXG2MGZ X-MailFrom: mprivozn@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1741250237171019100 Content-Type: text/plain; charset="utf-8"; x-default="true" For secure boot environments where is signed, it may be unfeasible to keep the binary up to date (esp. when revoking certificates contained within). To address that, QEMU introduced '-shim' cmd line option which side loads another UEFI binary which can then contain new certification authorities or list of revocations. Expose it as element that's nested under , just like kernel and initrd are. Signed-off-by: Michal Privoznik --- docs/formatdomain.rst | 5 +++++ src/conf/domain_conf.c | 12 ++++++++---- src/conf/domain_conf.h | 1 + src/conf/domain_validate.c | 6 ++++++ src/conf/schemas/domaincommon.rng | 5 +++++ .../launch-security-sev-direct.x86_64-latest.xml | 1 + tests/qemuxmlconfdata/launch-security-sev-direct.xml | 1 + 7 files changed, 27 insertions(+), 4 deletions(-) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index cbe378e61d..087e77217e 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -397,6 +397,7 @@ and full virtualized guests. /root/f8-i386-vmlinuz /root/f8-i386-initrd console=3DttyS0 ks=3Dhttp://example.com/f8-i386/os/ + /path/to/shim.efi /root/ppc.dtb ... @@ -417,6 +418,10 @@ and full virtualized guests. The contents of this element specify arguments to be passed to the kern= el (or installer) at boot time. This is often used to specify an alternate pri= mary console (eg serial port), or the installation media source / kickstart = file +``shim`` + Use specified fully-qualified path to load an initial UEFI bootloader t= hat + handles chaining to a trusted full bootloader under secure boot + environments. ``dtb`` The contents of this element specify the fully-qualified path to the (optional) device tree binary (dtb) image in the host OS. diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index f42b7075ad..907e11cced 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -3922,6 +3922,7 @@ virDomainOSDefClear(virDomainOSDef *os) g_free(os->kernel); g_free(os->initrd); g_free(os->cmdline); + g_free(os->shim); g_free(os->dtb); g_free(os->root); g_free(os->slic_table); @@ -17732,6 +17733,7 @@ virDomainDefParseBootKernelOptions(virDomainDef *de= f, def->os.kernel =3D virXPathString("string(./os/kernel[1])", ctxt); def->os.initrd =3D virXPathString("string(./os/initrd[1])", ctxt); def->os.cmdline =3D virXPathString("string(./os/cmdline[1])", ctxt); + def->os.shim =3D virXPathString("string(./os/shim[1])", ctxt); def->os.dtb =3D virXPathString("string(./os/dtb[1])", ctxt); def->os.root =3D virXPathString("string(./os/root[1])", ctxt); } @@ -17904,10 +17906,10 @@ virDomainDefParseBootOptions(virDomainDef *def, /* * Booting options for different OS types.... * - * - A bootloader (and optional kernel+initrd) (xen) - * - A kernel + initrd (xen) - * - A boot device (and optional kernel+initrd) (hvm) - * - An init script (exe) + * - A bootloader (and optional kernel+initrd) (xen) + * - A kernel + initrd (xen) + * - A boot device (and optional kernel+initrd(+shim)) (hvm) + * - An init script (exe) */ =20 switch ((virDomainOSType) def->os.type) { @@ -28414,6 +28416,8 @@ virDomainDefFormatInternalSetRootName(virDomainDef = *def, def->os.initrd); virBufferEscapeString(buf, "%s\n", def->os.cmdline); + virBufferEscapeString(buf, "%s\n", + def->os.shim); virBufferEscapeString(buf, "%s\n", def->os.dtb); virBufferEscapeString(buf, "%s\n", diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index e7947741bd..32dabfeaa7 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2501,6 +2501,7 @@ struct _virDomainOSDef { char *kernel; char *initrd; char *cmdline; + char *shim; char *dtb; char *root; char *slic_table; diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c index ad3d17f0fd..6807d8e46a 100644 --- a/src/conf/domain_validate.c +++ b/src/conf/domain_validate.c @@ -1726,6 +1726,12 @@ virDomainDefOSValidate(const virDomainDef *def, } } =20 + if (def->os.shim && !def->os.kernel) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("shim only allowed with kernel option")); + return -1; + } + return 0; } =20 diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincom= mon.rng index 824da9d066..95196bee6e 100644 --- a/src/conf/schemas/domaincommon.rng +++ b/src/conf/schemas/domaincommon.rng @@ -1552,6 +1552,11 @@ + + + + + diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest= .xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml index e289b1e95e..dea8236540 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml @@ -9,6 +9,7 @@ /vmlinuz /initrd runme + /shim diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.xml b/tests/q= emuxmlconfdata/launch-security-sev-direct.xml index 80ce6412dd..76277b6278 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.xml @@ -9,6 +9,7 @@ /vmlinuz /initrd runme + /shim destroy --=20 2.45.3