Libvirt allows specifying firmware for domains for quite some time now.
However, problem for mgmt applications is that they do not know which
firmware to chose as all they see are their paths and from that it's
impossible to tell whether one of them supports say secure boot.

This problem was addressed by qemu where Lazslo and Daniel created a
document, specification which describes metadata for each individual
firmware image. In the description (which itself is a JSON file for easy
machine parsing) then it's specified whether the firmware it's
describing supports secureboot, s3/s4 states, it it's bios or efi, and
so on.

These patches take advantage of that, and even though the description
files are not picked up by that many distributions yet, it allows users
to not care about putting specific firmware path into their domain XML.
It's as easy as:

  <os firmware='efi'>
    <loader secure='yes'/>
  </os>

to have libvirt pick up OVMF image with secure enabled boot (and enabled
System Management Mode at the same time).

The metadata specification lives under
qemu.git/docs/interop/firmware.json and I highly recommend you go and
read it before reviewing (unless you're Laszlo or Daniel in which case
you already know what the document says).

As usual, you can find my patches at my github:

  https://github.com/zippy2/libvirt/commits/firmware_v1


Michal Prívozník (15):
  virmock: Initialize both symbols in VIR_MOCK_REAL_INIT_ALT
  qemu_domain: Separate NVRAM VAR store file name generation
  qemu_capabilities: Expose qemu <-> libvirt arch translators
  virDomainLoaderDefParseXML: Allow loader path to be NULL
  conf: Introduce VIR_DOMAIN_LOADER_TYPE_NONE
  conf: Introduce firmware attribute to <os/>
  qemu: Introduce basic skeleton for parsing firmware description
  test: Introduce qemufirmwaretest
  qemu_firmware: Introduce qemuFirmwareFetchConfigs
  qemufirmwaretest: Test qemuFirmwareFetchConfigs()
  qemu_firmware: Introduce qemuFirmwareFillDomain()
  qemu_process: Call qemuFirmwareFillDomain
  qemuDomainDefValidate: Don't require SMM if automatic firmware
    selection enabled
  qemu: Enable firmware autoselection
  qemuxml2argvtest: Test os.firmware autoselection

 docs/formatdomain.html.in                     |   22 +-
 docs/schemas/domaincommon.rng                 |   12 +-
 src/conf/domain_conf.c                        |  113 +-
 src/conf/domain_conf.h                        |   15 +-
 src/libvirt_private.syms                      |    2 +
 src/qemu/Makefile.inc.am                      |    2 +
 src/qemu/qemu_capabilities.c                  |    4 +-
 src/qemu/qemu_capabilities.h                  |    3 +
 src/qemu/qemu_command.c                       |    1 +
 src/qemu/qemu_domain.c                        |   34 +-
 src/qemu/qemu_domain.h                        |    4 +
 src/qemu/qemu_firmware.c                      | 1285 +++++++++++++++++
 src/qemu/qemu_firmware.h                      |   50 +
 src/qemu/qemu_process.c                       |    5 +
 tests/Makefile.am                             |   14 +-
 tests/domaincapsschemadata/full.xml           |    1 +
 .../etc/qemu/firmware/40-ovmf-sb.json         |    1 +
 .../etc/qemu/firmware/60-ovmf.json            |    0
 .../user/.config/qemu/firmware/10-bios.json   |    0
 .../usr/share/qemu/firmware/40-bios.json      |   35 +
 .../usr/share/qemu/firmware/50-ovmf-sb.json   |   36 +
 .../usr/share/qemu/firmware/60-ovmf.json      |   35 +
 .../usr/share/qemu/firmware/70-aavmf.json     |   35 +
 tests/qemufirmwaretest.c                      |  129 ++
 ...arch64-os-firmware-efi.aarch64-latest.args |   37 +
 .../aarch64-os-firmware-efi.xml               |   30 +
 .../os-firmware-bios.x86_64-latest.args       |   39 +
 tests/qemuxml2argvdata/os-firmware-bios.xml   |   68 +
 ...os-firmware-efi-secboot.x86_64-latest.args |   42 +
 .../os-firmware-efi-secboot.xml               |   68 +
 .../os-firmware-efi.x86_64-latest.args        |   42 +
 tests/qemuxml2argvdata/os-firmware-efi.xml    |   68 +
 tests/qemuxml2argvtest.c                      |   17 +
 .../aarch64-os-firmware-efi.xml               |    1 +
 tests/qemuxml2xmloutdata/os-firmware-bios.xml |    1 +
 .../os-firmware-efi-secboot.xml               |    1 +
 tests/qemuxml2xmloutdata/os-firmware-efi.xml  |    1 +
 tests/qemuxml2xmltest.c                       |   27 +
 tests/virmock.h                               |    5 +-
 39 files changed, 2255 insertions(+), 30 deletions(-)
 create mode 100644 src/qemu/qemu_firmware.c
 create mode 100644 src/qemu/qemu_firmware.h
 create mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/40-ovmf-sb.json
 create mode 100644 tests/qemufirmwaredata/etc/qemu/firmware/60-ovmf.json
 create mode 100644 tests/qemufirmwaredata/home/user/.config/qemu/firmware/10-bios.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/40-bios.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/50-ovmf-sb.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/60-ovmf.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/70-aavmf.json
 create mode 100644 tests/qemufirmwaretest.c
 create mode 100644 tests/qemuxml2argvdata/aarch64-os-firmware-efi.aarch64-latest.args
 create mode 100644 tests/qemuxml2argvdata/aarch64-os-firmware-efi.xml
 create mode 100644 tests/qemuxml2argvdata/os-firmware-bios.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/os-firmware-bios.xml
 create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-secboot.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-secboot.xml
 create mode 100644 tests/qemuxml2argvdata/os-firmware-efi.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/os-firmware-efi.xml
 create mode 120000 tests/qemuxml2xmloutdata/aarch64-os-firmware-efi.xml
 create mode 120000 tests/qemuxml2xmloutdata/os-firmware-bios.xml
 create mode 120000 tests/qemuxml2xmloutdata/os-firmware-efi-secboot.xml
 create mode 120000 tests/qemuxml2xmloutdata/os-firmware-efi.xml

-- 
2.19.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

On Wed, Feb 27, 2019 at 11:04:32AM +0100, Michal Privoznik wrote:
> Libvirt allows specifying firmware for domains for quite some time now.
> However, problem for mgmt applications is that they do not know which
> firmware to chose as all they see are their paths and from that it's
> impossible to tell whether one of them supports say secure boot.
> 
> This problem was addressed by qemu where Lazslo and Daniel created a
> document, specification which describes metadata for each individual
> firmware image. In the description (which itself is a JSON file for easy
> machine parsing) then it's specified whether the firmware it's
> describing supports secureboot, s3/s4 states, it it's bios or efi, and
> so on.
> 
> These patches take advantage of that, and even though the description
> files are not picked up by that many distributions yet, it allows users
> to not care about putting specific firmware path into their domain XML.
> It's as easy as:
> 
>   <os firmware='efi'>
>     <loader secure='yes'/>
>   </os>

Nice, _much_ better than how certain management tools hard-code the path
to firmware binaries :-)

Thanks for working on this patch series.  I'll give them a spin sometime
this or early next week. 

> to have libvirt pick up OVMF image with secure enabled boot (and enabled
> System Management Mode at the same time).
> 
> The metadata specification lives under
> qemu.git/docs/interop/firmware.json and I highly recommend you go and
> read it before reviewing (unless you're Laszlo or Daniel in which case
> you already know what the document says).
> 
> As usual, you can find my patches at my github:
> 
>   https://github.com/zippy2/libvirt/commits/firmware_v1

[...]

-- 
/kashyap

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list