Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
---
src/qemu/qemu_firmware.c | 40 +++++++++++++++
...re-efi-no-enrolled-keys.x86_64-latest.args | 49 ++++++++++++++++++
.../os-firmware-efi-no-enrolled-keys.xml | 25 ++++++++++
tests/qemuxml2argvtest.c | 1 +
...are-efi-no-enrolled-keys.x86_64-latest.xml | 50 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
6 files changed, 166 insertions(+)
create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
create mode 100644 tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index d3198e2d45..f6f371f51f 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -930,6 +930,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
bool supportsS4 = false;
bool requiresSMM = false;
bool supportsSEV = false;
+ bool supportsSecureBoot = false;
+ bool hasEnrolledKeys = false;
+ int reqSecureBoot;
+ int reqEnrolledKeys;
want = qemuFirmwareOSInterfaceTypeFromOsDefFirmware(def->os.firmware);
@@ -979,7 +983,13 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
break;
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
+ supportsSecureBoot = true;
+ break;
+
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
+ hasEnrolledKeys = true;
+ break;
+
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1000,6 +1010,36 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
return false;
}
+ if (def->os.firmwareFeatures) {
+ reqSecureBoot = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT];
+ if (reqSecureBoot != VIR_TRISTATE_BOOL_ABSENT) {
+ if (reqSecureBoot == VIR_TRISTATE_BOOL_YES && !supportsSecureBoot) {
+ VIR_DEBUG("User requested Secure Boot, firmware '%s' doesn't support it",
+ path);
+ return false;
+ }
+
+ if (reqSecureBoot == VIR_TRISTATE_BOOL_NO && supportsSecureBoot) {
+ VIR_DEBUG("User refused Secure Boot, firmware '%s' supports it", path);
+ return false;
+ }
+ }
+
+ reqEnrolledKeys = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS];
+ if (reqEnrolledKeys != VIR_TRISTATE_BOOL_ABSENT) {
+ if (reqEnrolledKeys == VIR_TRISTATE_BOOL_YES && !hasEnrolledKeys) {
+ VIR_DEBUG("User requested Enrolled keys, firmware '%s' doesn't support it",
+ path);
+ return false;
+ }
+
+ if (reqEnrolledKeys == VIR_TRISTATE_BOOL_NO && hasEnrolledKeys) {
+ VIR_DEBUG("User refused Enrolled keys, firmware '%s' supports it", path);
+ return false;
+ }
+ }
+ }
+
if (def->os.loader &&
def->os.loader->secure == VIR_TRISTATE_BOOL_YES &&
!requiresSMM) {
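Review bot: The two new requirements are checked independently of each other, so a request with `enrolled-keys` enabled and `secure-boot` left absent will match a descriptor that advertises `enrolled-keys` but not `secure-boot`; as I understand the firmware descriptor schema, enrolled keys only make sense in a Secure Boot variable store, so such a descriptor is malformed and what it actually enforces is unknown. Domain XML validation may already reject the contradictory request side (`enrolled-keys` enabled with `secure-boot` disabled), but that cannot be seen from this hunk and it would not cover the descriptor side. A guard before the feature block keeps the matcher conservative: `if (hasEnrolledKeys && !supportsSecureBoot) { VIR_DEBUG("firmware '%s' lists enrolled-keys without secure-boot, ignoring it", path); return false; }`. qemuFirmwareMatchDomain starts and ends outside this hunk.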
diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
new file mode 100644
index 0000000000..561a905e78
--- /dev/null
+++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
@@ -0,0 +1,49 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-fedora \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-fedora/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-fedora/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=fedora,debug-threads=on \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-fedora/master-key.aes \
+-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.fd",\
+"node-name":"libvirt-pflash0-storage","auto-read-only":true,\
+"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,\
+"driver":"raw","file":"libvirt-pflash0-storage"}' \
+-blockdev '{"driver":"file",\
+"filename":"/var/lib/libvirt/qemu/nvram/fedora_VARS.fd",\
+"node-name":"libvirt-pflash1-storage","auto-read-only":true,\
+"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,\
+"driver":"raw","file":"libvirt-pflash1-storage"}' \
+-machine pc-q35-4.0,accel=kvm,usb=off,dump-guest-core=off,\
+pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,\
+memory-backend=pc.ram \
+-cpu qemu64 \
+-m 8 \
+-object memory-backend-ram,id=pc.ram,size=8388608 \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-device pcie-root-port,port=0x8,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,\
+addr=0x1 \
+-device pcie-root-port,port=0x9,chassis=2,id=pci.2,bus=pcie.0,addr=0x1.0x1 \
+-device qemu-xhci,id=usb,bus=pci.1,addr=0x0 \
+-audiodev id=audio1,driver=none \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
new file mode 100644
index 0000000000..6c0b323fd4
--- /dev/null
+++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
@@ -0,0 +1,25 @@
+<domain type='kvm'>
+ <name>fedora</name>
+ <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+ <memory unit='KiB'>8192</memory>
+ <currentMemory unit='KiB'>8192</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os firmware='efi'>
+ <firmware type='efi'>
+ <feature enabled='no' name='enrolled-keys'/>
+ </firmware>
+ <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <controller type='pci' index='0' model='pcie-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 2b32b7f303..44c2a316b0 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -3549,6 +3549,7 @@ mymain(void)
DO_TEST_CAPS_LATEST("os-firmware-bios");
DO_TEST_CAPS_LATEST("os-firmware-efi");
DO_TEST_CAPS_LATEST("os-firmware-efi-secboot");
+ DO_TEST_CAPS_LATEST("os-firmware-efi-no-enrolled-keys");
DO_TEST_CAPS_LATEST_PARSE_ERROR("os-firmware-invalid-type");
DO_TEST_CAPS_ARCH_LATEST("aarch64-os-firmware-efi", "aarch64");
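Review bot: Only the accepting path of the new matching logic is exercised: the added case requests `enrolled-keys` disabled and expects the non-Secure-Boot OVMF build, but none of the four new `return false` branches in qemuFirmwareMatchDomain is pinned by a test. A request that no installed descriptor satisfies (for example `secure-boot` enabled against a descriptor set with no Secure Boot build, or `enrolled-keys` enabled with `secure-boot` disabled) should fail firmware selection rather than silently pick an unmatched firmware, and a negative case registered with the failure-expecting variant of this macro, if the harness has one, would lock that in. mymain starts and ends outside this hunk.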
diff --git a/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
new file mode 100644
index 0000000000..3dbfbf0082
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
@@ -0,0 +1,50 @@
+<domain type='kvm'>
+ <name>fedora</name>
+ <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+ <memory unit='KiB'>8192</memory>
+ <currentMemory unit='KiB'>8192</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os firmware='efi'>
+ <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware type='efi'>
+ <feature enabled='no' name='enrolled-keys'/>
+ </firmware>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <cpu mode='custom' match='exact' check='none'>
+ <model fallback='forbid'>qemu64</model>
+ </cpu>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <controller type='pci' index='0' model='pcie-root'/>
+ <controller type='usb' index='0' model='qemu-xhci'>
+ <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+ </controller>
+ <controller type='sata' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+ </controller>
+ <controller type='pci' index='1' model='pcie-root-port'>
+ <model name='pcie-root-port'/>
+ <target chassis='1' port='0x8'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
+ </controller>
+ <controller type='pci' index='2' model='pcie-root-port'>
+ <model name='pcie-root-port'/>
+ <target chassis='2' port='0x9'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+ </controller>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <audio id='1' type='none'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index f25a0902c9..4e7cce21c6 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -1123,6 +1123,7 @@ mymain(void)
DO_TEST_CAPS_LATEST("os-firmware-bios");
DO_TEST_CAPS_LATEST("os-firmware-efi");
DO_TEST_CAPS_LATEST("os-firmware-efi-secboot");
+ DO_TEST_CAPS_LATEST("os-firmware-efi-no-enrolled-keys");
DO_TEST("aarch64-aavmf-virtio-mmio",
QEMU_CAPS_DEVICE_VIRTIO_MMIO,
--
2.30.2
On 3/18/21 1:26 PM, Pavel Hrdina wrote:
> Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
> ---
> src/qemu/qemu_firmware.c | 40 +++++++++++++++
> ...re-efi-no-enrolled-keys.x86_64-latest.args | 49 ++++++++++++++++++
> .../os-firmware-efi-no-enrolled-keys.xml | 25 ++++++++++
> tests/qemuxml2argvtest.c | 1 +
> ...are-efi-no-enrolled-keys.x86_64-latest.xml | 50 +++++++++++++++++++
> tests/qemuxml2xmltest.c | 1 +
> 6 files changed, 166 insertions(+)
> create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> create mode 100644 tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
>
> diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
> index d3198e2d45..f6f371f51f 100644
> --- a/src/qemu/qemu_firmware.c
> +++ b/src/qemu/qemu_firmware.c
> @@ -930,6 +930,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> bool supportsS4 = false;
> bool requiresSMM = false;
> bool supportsSEV = false;
> + bool supportsSecureBoot = false;
> + bool hasEnrolledKeys = false;
> + int reqSecureBoot;
> + int reqEnrolledKeys;
>
> want = qemuFirmwareOSInterfaceTypeFromOsDefFirmware(def->os.firmware);
>
> @@ -979,7 +983,13 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> break;
>
> case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
> + supportsSecureBoot = true;
> + break;
> +
> case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
> + hasEnrolledKeys = true;
> + break;
> +
> case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
> case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
> case QEMU_FIRMWARE_FEATURE_NONE:
> @@ -1000,6 +1010,36 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> return false;
> }
>
> + if (def->os.firmwareFeatures) {
> + reqSecureBoot = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT];
> + if (reqSecureBoot != VIR_TRISTATE_BOOL_ABSENT) {
> + if (reqSecureBoot == VIR_TRISTATE_BOOL_YES && !supportsSecureBoot) {
> + VIR_DEBUG("User requested Secure Boot, firmware '%s' doesn't support it",
> + path);
> + return false;
> + }
> +
> + if (reqSecureBoot == VIR_TRISTATE_BOOL_NO && supportsSecureBoot) {
> + VIR_DEBUG("User refused Secure Boot, firmware '%s' supports it", path);
> + return false;
> + }
> + }
> +
> + reqEnrolledKeys = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS];
> + if (reqEnrolledKeys != VIR_TRISTATE_BOOL_ABSENT) {
> + if (reqEnrolledKeys == VIR_TRISTATE_BOOL_YES && !hasEnrolledKeys) {
> + VIR_DEBUG("User requested Enrolled keys, firmware '%s' doesn't support it",
"doesn't have them" perhaps?
> + path);
> + return false;
> + }
> +
> + if (reqEnrolledKeys == VIR_TRISTATE_BOOL_NO && hasEnrolledKeys) {
> + VIR_DEBUG("User refused Enrolled keys, firmware '%s' supports it", path);
"has them" perhaps?
> + return false;
> + }
> + }
> + }
> +
> if (def->os.loader &&
> def->os.loader->secure == VIR_TRISTATE_BOOL_YES &&
> !requiresSMM) {
> diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> new file mode 100644
> index 0000000000..561a905e78
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> @@ -0,0 +1,49 @@
> +LC_ALL=C \
> +PATH=/bin \
> +HOME=/tmp/lib/domain--1-fedora \
> +USER=test \
> +LOGNAME=test \
> +XDG_DATA_HOME=/tmp/lib/domain--1-fedora/.local/share \
> +XDG_CACHE_HOME=/tmp/lib/domain--1-fedora/.cache \
> +XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
> +/usr/bin/qemu-system-x86_64 \
> +-name guest=fedora,debug-threads=on \
> +-S \
> +-object secret,id=masterKey0,format=raw,\
> +file=/tmp/lib/domain--1-fedora/master-key.aes \
> +-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.fd",\
> +"node-name":"libvirt-pflash0-storage","auto-read-only":true,\
> +"discard":"unmap"}' \
> +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,\
> +"driver":"raw","file":"libvirt-pflash0-storage"}' \
> +-blockdev '{"driver":"file",\
> +"filename":"/var/lib/libvirt/qemu/nvram/fedora_VARS.fd",\
> +"node-name":"libvirt-pflash1-storage","auto-read-only":true,\
> +"discard":"unmap"}' \
> +-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,\
> +"driver":"raw","file":"libvirt-pflash1-storage"}' \
> +-machine pc-q35-4.0,accel=kvm,usb=off,dump-guest-core=off,\
> +pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,\
> +memory-backend=pc.ram \
> +-cpu qemu64 \
> +-m 8 \
> +-object memory-backend-ram,id=pc.ram,size=8388608 \
> +-overcommit mem-lock=off \
> +-smp 1,sockets=1,cores=1,threads=1 \
> +-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
> +-display none \
> +-no-user-config \
> +-nodefaults \
> +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
> +-mon chardev=charmonitor,id=monitor,mode=control \
> +-rtc base=utc \
> +-no-shutdown \
> +-boot strict=on \
> +-device pcie-root-port,port=0x8,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,\
> +addr=0x1 \
> +-device pcie-root-port,port=0x9,chassis=2,id=pci.2,bus=pcie.0,addr=0x1.0x1 \
> +-device qemu-xhci,id=usb,bus=pci.1,addr=0x0 \
> +-audiodev id=audio1,driver=none \
> +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> +resourcecontrol=deny \
> +-msg timestamp=on
> diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> new file mode 100644
> index 0000000000..6c0b323fd4
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> @@ -0,0 +1,25 @@
> +<domain type='kvm'>
> + <name>fedora</name>
> + <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
> + <memory unit='KiB'>8192</memory>
> + <currentMemory unit='KiB'>8192</currentMemory>
> + <vcpu placement='static'>1</vcpu>
> + <os firmware='efi'>
> + <firmware type='efi'>
> + <feature enabled='no' name='enrolled-keys'/>
> + </firmware>
> + <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
> + </os>
> + <features>
> + <acpi/>
> + <apic/>
> + <pae/>
> + </features>
> + <devices>
> + <emulator>/usr/bin/qemu-system-x86_64</emulator>
> + <controller type='pci' index='0' model='pcie-root'/>
> + <input type='mouse' bus='ps2'/>
> + <input type='keyboard' bus='ps2'/>
> + <memballoon model='none'/>
> + </devices>
> +</domain>
> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
> index 2b32b7f303..44c2a316b0 100644
> --- a/tests/qemuxml2argvtest.c
> +++ b/tests/qemuxml2argvtest.c
> @@ -3549,6 +3549,7 @@ mymain(void)
> DO_TEST_CAPS_LATEST("os-firmware-bios");
> DO_TEST_CAPS_LATEST("os-firmware-efi");
> DO_TEST_CAPS_LATEST("os-firmware-efi-secboot");
> + DO_TEST_CAPS_LATEST("os-firmware-efi-no-enrolled-keys");
> DO_TEST_CAPS_LATEST_PARSE_ERROR("os-firmware-invalid-type");
> DO_TEST_CAPS_ARCH_LATEST("aarch64-os-firmware-efi", "aarch64");
>
> diff --git a/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
Alternatively, let this be a link to the input XML above, since the difference
between them is not in the area of interest of this feature.
Michal
On Thu, Mar 18, 2021 at 05:18:38PM +0100, Michal Privoznik wrote:
> On 3/18/21 1:26 PM, Pavel Hrdina wrote:
> > Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
> > ---
> > src/qemu/qemu_firmware.c | 40 +++++++++++++++
> > ...re-efi-no-enrolled-keys.x86_64-latest.args | 49 ++++++++++++++++++
> > .../os-firmware-efi-no-enrolled-keys.xml | 25 ++++++++++
> > tests/qemuxml2argvtest.c | 1 +
> > ...are-efi-no-enrolled-keys.x86_64-latest.xml | 50 +++++++++++++++++++
> > tests/qemuxml2xmltest.c | 1 +
> > 6 files changed, 166 insertions(+)
> > create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> > create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> > create mode 100644 tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
> >
> > diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
> > index d3198e2d45..f6f371f51f 100644
> > --- a/src/qemu/qemu_firmware.c
> > +++ b/src/qemu/qemu_firmware.c
> > @@ -930,6 +930,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> > bool supportsS4 = false;
> > bool requiresSMM = false;
> > bool supportsSEV = false;
> > + bool supportsSecureBoot = false;
> > + bool hasEnrolledKeys = false;
> > + int reqSecureBoot;
> > + int reqEnrolledKeys;
> > want = qemuFirmwareOSInterfaceTypeFromOsDefFirmware(def->os.firmware);
> > @@ -979,7 +983,13 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> > break;
> > case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
> > + supportsSecureBoot = true;
> > + break;
> > +
> > case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
> > + hasEnrolledKeys = true;
> > + break;
> > +
> > case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
> > case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
> > case QEMU_FIRMWARE_FEATURE_NONE:
> > @@ -1000,6 +1010,36 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
> > return false;
> > }
> > + if (def->os.firmwareFeatures) {
> > + reqSecureBoot = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT];
> > + if (reqSecureBoot != VIR_TRISTATE_BOOL_ABSENT) {
> > + if (reqSecureBoot == VIR_TRISTATE_BOOL_YES && !supportsSecureBoot) {
> > + VIR_DEBUG("User requested Secure Boot, firmware '%s' doesn't support it",
> > + path);
> > + return false;
> > + }
> > +
> > + if (reqSecureBoot == VIR_TRISTATE_BOOL_NO && supportsSecureBoot) {
> > + VIR_DEBUG("User refused Secure Boot, firmware '%s' supports it", path);
> > + return false;
> > + }
> > + }
> > +
> > + reqEnrolledKeys = def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS];
> > + if (reqEnrolledKeys != VIR_TRISTATE_BOOL_ABSENT) {
> > + if (reqEnrolledKeys == VIR_TRISTATE_BOOL_YES && !hasEnrolledKeys) {
> > + VIR_DEBUG("User requested Enrolled keys, firmware '%s' doesn't support it",
>
> "doesn't have them" perhaps?
>
> > + path);
> > + return false;
> > + }
> > +
> > + if (reqEnrolledKeys == VIR_TRISTATE_BOOL_NO && hasEnrolledKeys) {
> > + VIR_DEBUG("User refused Enrolled keys, firmware '%s' supports it", path);
>
> "has them" perhaps?
Sounds better, I wanted to change it after copy&paste of the secureBoot
part, but as we can see it did not happen. :)
> > + return false;
> > + }
> > + }
> > + }
> > +
> > if (def->os.loader &&
> > def->os.loader->secure == VIR_TRISTATE_BOOL_YES &&
> > !requiresSMM) {
> > diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> > new file mode 100644
> > index 0000000000..561a905e78
> > --- /dev/null
> > +++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.args
> > @@ -0,0 +1,49 @@
> > +LC_ALL=C \
> > +PATH=/bin \
> > +HOME=/tmp/lib/domain--1-fedora \
> > +USER=test \
> > +LOGNAME=test \
> > +XDG_DATA_HOME=/tmp/lib/domain--1-fedora/.local/share \
> > +XDG_CACHE_HOME=/tmp/lib/domain--1-fedora/.cache \
> > +XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
> > +/usr/bin/qemu-system-x86_64 \
> > +-name guest=fedora,debug-threads=on \
> > +-S \
> > +-object secret,id=masterKey0,format=raw,\
> > +file=/tmp/lib/domain--1-fedora/master-key.aes \
> > +-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.fd",\
> > +"node-name":"libvirt-pflash0-storage","auto-read-only":true,\
> > +"discard":"unmap"}' \
> > +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,\
> > +"driver":"raw","file":"libvirt-pflash0-storage"}' \
> > +-blockdev '{"driver":"file",\
> > +"filename":"/var/lib/libvirt/qemu/nvram/fedora_VARS.fd",\
> > +"node-name":"libvirt-pflash1-storage","auto-read-only":true,\
> > +"discard":"unmap"}' \
> > +-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,\
> > +"driver":"raw","file":"libvirt-pflash1-storage"}' \
> > +-machine pc-q35-4.0,accel=kvm,usb=off,dump-guest-core=off,\
> > +pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,\
> > +memory-backend=pc.ram \
> > +-cpu qemu64 \
> > +-m 8 \
> > +-object memory-backend-ram,id=pc.ram,size=8388608 \
> > +-overcommit mem-lock=off \
> > +-smp 1,sockets=1,cores=1,threads=1 \
> > +-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
> > +-display none \
> > +-no-user-config \
> > +-nodefaults \
> > +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
> > +-mon chardev=charmonitor,id=monitor,mode=control \
> > +-rtc base=utc \
> > +-no-shutdown \
> > +-boot strict=on \
> > +-device pcie-root-port,port=0x8,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,\
> > +addr=0x1 \
> > +-device pcie-root-port,port=0x9,chassis=2,id=pci.2,bus=pcie.0,addr=0x1.0x1 \
> > +-device qemu-xhci,id=usb,bus=pci.1,addr=0x0 \
> > +-audiodev id=audio1,driver=none \
> > +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> > +resourcecontrol=deny \
> > +-msg timestamp=on
> > diff --git a/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> > new file mode 100644
> > index 0000000000..6c0b323fd4
> > --- /dev/null
> > +++ b/tests/qemuxml2argvdata/os-firmware-efi-no-enrolled-keys.xml
> > @@ -0,0 +1,25 @@
> > +<domain type='kvm'>
> > + <name>fedora</name>
> > + <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
> > + <memory unit='KiB'>8192</memory>
> > + <currentMemory unit='KiB'>8192</currentMemory>
> > + <vcpu placement='static'>1</vcpu>
> > + <os firmware='efi'>
> > + <firmware type='efi'>
> > + <feature enabled='no' name='enrolled-keys'/>
> > + </firmware>
> > + <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
> > + </os>
> > + <features>
> > + <acpi/>
> > + <apic/>
> > + <pae/>
> > + </features>
> > + <devices>
> > + <emulator>/usr/bin/qemu-system-x86_64</emulator>
> > + <controller type='pci' index='0' model='pcie-root'/>
> > + <input type='mouse' bus='ps2'/>
> > + <input type='keyboard' bus='ps2'/>
> > + <memballoon model='none'/>
> > + </devices>
> > +</domain>
> > diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
> > index 2b32b7f303..44c2a316b0 100644
> > --- a/tests/qemuxml2argvtest.c
> > +++ b/tests/qemuxml2argvtest.c
> > @@ -3549,6 +3549,7 @@ mymain(void)
> > DO_TEST_CAPS_LATEST("os-firmware-bios");
> > DO_TEST_CAPS_LATEST("os-firmware-efi");
> > DO_TEST_CAPS_LATEST("os-firmware-efi-secboot");
> > + DO_TEST_CAPS_LATEST("os-firmware-efi-no-enrolled-keys");
> > DO_TEST_CAPS_LATEST_PARSE_ERROR("os-firmware-invalid-type");
> > DO_TEST_CAPS_ARCH_LATEST("aarch64-os-firmware-efi", "aarch64");
> > diff --git a/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/os-firmware-efi-no-enrolled-keys.x86_64-latest.xml
>
> Alternatively, let this be a link to the input XML above, since the difference
> between them is not in the area of interest of this feature.
Will do. I usually try to create the input XML as minimal as possible so
it can be used as an example of the feature but I don't have a strong
preference.
Thanks,
Pavel