From nobody Sun May 11 18:31:55 2025
Delivered-To: importer@patchew.org
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1736264093; cv=none;
	d=zohomail.com; s=zohoarc;
	b=nWETgsId29McBg80moW9FgeDpjcru01U+eOvtFUIimPp0MQxtHApeIyi0+JQwWLSiNAeQfxCjtay6kyD0Be+jhzZOwJu4Hie7u7MCGohVxNdUDRJA4FW8wQ1nTZhJEoDnbRD7ugHGHINvZxGoJI1Sqcth25+oSxlfRxNKbf+UFE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1736264093;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=UVhloq3ti9EHIyiQV/uSapzfpupxQNhfhuCF+psO+Wc=;
	b=aGK73SDHCxSHuImWbhZaNDIT6XCDImAGBdUpbgVwk2yj4bVsio3Ia8Gk52t+bE3IzpsEs4i9arrrrHxeMACRY/UkSLeycCKIINLY4fTh8LnVU7PwhHAt4xHhoKtDxgh22khhGQeU0ghPXkUpxQ6GIli5NwRyVOdylWMyNsXsBNg=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=pass header.from=<kraxel@redhat.com> (p=none dis=none)
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1736264093544855.5227572653223;
 Tue, 7 Jan 2025 07:34:53 -0800 (PST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces@nongnu.org>)
	id 1tVBap-00034k-DP; Tue, 07 Jan 2025 10:34:07 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1tVBan-00034L-P2
 for qemu-devel@nongnu.org; Tue, 07 Jan 2025 10:34:05 -0500
Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1tVBam-000524-CG
 for qemu-devel@nongnu.org; Tue, 07 Jan 2025 10:34:05 -0500
Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-637-TR7RHDnjPZifxcD4rOp4IA-1; Tue,
 07 Jan 2025 10:33:59 -0500
Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 929181955E9C; Tue,  7 Jan 2025 15:33:57 +0000 (UTC)
Received: from sirius.home.kraxel.org (unknown [10.39.192.66])
 by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS
 id AF7E5195606B; Tue,  7 Jan 2025 15:33:55 +0000 (UTC)
Received: by sirius.home.kraxel.org (Postfix, from userid 1000)
 id 77425180039D; Tue, 07 Jan 2025 16:33:53 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1736264041;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=UVhloq3ti9EHIyiQV/uSapzfpupxQNhfhuCF+psO+Wc=;
 b=O5Mrc5rHYed7e+k3t5MIH67oIr5IXhFicBCuI4d1cUvg1Fs3/zLqW2999VfvqCXDs7FZfF
 28aChYVetJApCcY83Z3yi5p2PAgysh2toLQOghVP9zNFrpCJBCdYg9wKg0BCIYHimnos6D
 9BWnavu1xZ5uQ3xi6Z0EAu1LISw+EmU=
X-MC-Unique: TR7RHDnjPZifxcD4rOp4IA-1
X-Mimecast-MFC-AGG-ID: TR7RHDnjPZifxcD4rOp4IA
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>,
 =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>,
 Laszlo Ersek <lersek@redhat.com>
Subject: [PATCH v2 01/21] hw/uefi: add include/hw/uefi/var-service-api.h
Date: Tue,  7 Jan 2025 16:33:28 +0100
Message-ID: <20250107153353.1144978-2-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -24
X-Spam_score: -2.5
X-Spam_bar: --
X-Spam_report: (-2.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.437,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
 RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1736264093954116600
Content-Type: text/plain; charset="utf-8"

This file defines the register interface of the uefi-vars device.
It's only a handful of registers: magic value, command and status
registers, location and size of the communication buffer.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
 include/hw/uefi/var-service-api.h | 40 +++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 include/hw/uefi/var-service-api.h

diff --git a/include/hw/uefi/var-service-api.h b/include/hw/uefi/var-service-api.h
new file mode 100644
index 000000000000..37fdab32741f
--- /dev/null
+++ b/include/hw/uefi/var-service-api.h
@@ -0,0 +1,40 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi-vars device - API of the virtual device for guest/host communication.
+ */
+#ifndef QEMU_UEFI_VAR_SERVICE_API_H
+#define QEMU_UEFI_VAR_SERVICE_API_H
+
+
+/* isa: io range */
+#define UEFI_VARS_IO_BASE                   0x520
+
+/* sysbus: fdt node path */
+#define UEFI_VARS_FDT_NODE       "qemu-uefi-vars"
+#define UEFI_VARS_FDT_COMPAT     "qemu,uefi-vars"
+
+/* registers */
+#define UEFI_VARS_REG_MAGIC                  0x00  /* 16 bit */
+#define UEFI_VARS_REG_CMD_STS                0x02  /* 16 bit */
+#define UEFI_VARS_REG_BUFFER_SIZE            0x04  /* 32 bit */
+#define UEFI_VARS_REG_BUFFER_ADDR_LO         0x08  /* 32 bit */
+#define UEFI_VARS_REG_BUFFER_ADDR_HI         0x0c  /* 32 bit */
+#define UEFI_VARS_REGS_SIZE                  0x10
+
+/* magic value */
+#define UEFI_VARS_MAGIC_VALUE               0xef1
+
+/* command values */
+#define UEFI_VARS_CMD_RESET                  0x01
+#define UEFI_VARS_CMD_MM                     0x02
+
+/* status values */
+#define UEFI_VARS_STS_SUCCESS                0x00
+#define UEFI_VARS_STS_BUSY                   0x01
+#define UEFI_VARS_STS_ERR_UNKNOWN            0x10
+#define UEFI_VARS_STS_ERR_NOT_SUPPORTED      0x11
+#define UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE    0x12
+
+
+#endif /* QEMU_UEFI_VAR_SERVICE_API_H */
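Review bot: the register protocol itself is left undocumented. UEFI_VARS_REG_CMD_STS is a single 16-bit register that the commit message calls "command and status registers", but nothing in the file says that the guest writes a UEFI_VARS_CMD_* value there and reads a UEFI_VARS_STS_* value back, in what order UEFI_VARS_REG_BUFFER_SIZE / BUFFER_ADDR_LO / BUFFER_ADDR_HI have to be programmed relative to the command, or what the largest accepted buffer size is, so firmware cannot tell from this header alone when to expect UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE. Since this is the file guest firmware will be written against, a short comment block above the register table would close that gap, e.g. `/* CMD_STS: write UEFI_VARS_CMD_*, read UEFI_VARS_STS_*; poll while UEFI_VARS_STS_BUSY */` plus the buffer-size limit.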
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>,
 =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Subject: [PATCH v2 02/21] hw/uefi: add include/hw/uefi/var-service-edk2.h
Date: Tue,  7 Jan 2025 16:33:29 +0100
Message-ID: <20250107153353.1144978-3-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

A bunch of #defines and structs copied over from edk2,
mostly needed to decode and encode the messages in the
communication buffer.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 include/hw/uefi/var-service-edk2.h | 227 +++++++++++++++++++++++++++++
 1 file changed, 227 insertions(+)
 create mode 100644 include/hw/uefi/var-service-edk2.h

diff --git a/include/hw/uefi/var-service-edk2.h b/include/hw/uefi/var-service-edk2.h
new file mode 100644
index 000000000000..c743a8df948d
--- /dev/null
+++ b/include/hw/uefi/var-service-edk2.h
@@ -0,0 +1,227 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi-vars device - structs and defines from edk2
+ *
+ * Note: The edk2 UINTN type has been mapped to uint64_t,
+ *       so the structs are compatible with 64bit edk2 builds.
+ */
+#ifndef QEMU_UEFI_VAR_SERVICE_EDK2_H
+#define QEMU_UEFI_VAR_SERVICE_EDK2_H
+
+#include "qemu/uuid.h"
+
+#define MAX_BIT                   0x8000000000000000ULL
+#define ENCODE_ERROR(StatusCode)  (MAX_BIT | (StatusCode))
+#define EFI_SUCCESS               0
+#define EFI_INVALID_PARAMETER     ENCODE_ERROR(2)
+#define EFI_UNSUPPORTED           ENCODE_ERROR(3)
+#define EFI_BAD_BUFFER_SIZE       ENCODE_ERROR(4)
+#define EFI_BUFFER_TOO_SMALL      ENCODE_ERROR(5)
+#define EFI_WRITE_PROTECTED       ENCODE_ERROR(8)
+#define EFI_OUT_OF_RESOURCES      ENCODE_ERROR(9)
+#define EFI_NOT_FOUND             ENCODE_ERROR(14)
+#define EFI_ACCESS_DENIED         ENCODE_ERROR(15)
+#define EFI_ALREADY_STARTED       ENCODE_ERROR(20)
+#define EFI_SECURITY_VIOLATION    ENCODE_ERROR(26)
+
+#define EFI_VARIABLE_NON_VOLATILE                           0x01
+#define EFI_VARIABLE_BOOTSERVICE_ACCESS                     0x02
+#define EFI_VARIABLE_RUNTIME_ACCESS                         0x04
+#define EFI_VARIABLE_HARDWARE_ERROR_RECORD                  0x08
+#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS             0x10  /* deprecated */
+#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS  0x20
+#define EFI_VARIABLE_APPEND_WRITE                           0x40
+
+/* SecureBootEnable */
+#define SECURE_BOOT_ENABLE         1
+#define SECURE_BOOT_DISABLE        0
+
+/* SecureBoot */
+#define SECURE_BOOT_MODE_ENABLE    1
+#define SECURE_BOOT_MODE_DISABLE   0
+
+/* CustomMode */
+#define CUSTOM_SECURE_BOOT_MODE    1
+#define STANDARD_SECURE_BOOT_MODE  0
+
+/* SetupMode */
+#define SETUP_MODE                 1
+#define USER_MODE                  0
+
+typedef uint64_t efi_status;
+typedef struct mm_header mm_header;
+
+/* EFI_MM_COMMUNICATE_HEADER */
+struct mm_header {
+    QemuUUID  guid;
+    uint64_t  length;
+};
+
+/* --- EfiSmmVariableProtocol ---------------------------------------- */
+
+#define SMM_VARIABLE_FUNCTION_GET_VARIABLE            1
+#define SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME  2
+#define SMM_VARIABLE_FUNCTION_SET_VARIABLE            3
+#define SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO     4
+#define SMM_VARIABLE_FUNCTION_READY_TO_BOOT           5
+#define SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE       6
+#define SMM_VARIABLE_FUNCTION_LOCK_VARIABLE           8
+#define SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE       11
+
+typedef struct mm_variable mm_variable;
+typedef struct mm_variable_access mm_variable_access;
+typedef struct mm_next_variable mm_next_variable;
+typedef struct mm_next_variable mm_lock_variable;
+typedef struct mm_variable_info mm_variable_info;
+typedef struct mm_get_payload_size mm_get_payload_size;
+
+/* SMM_VARIABLE_COMMUNICATE_HEADER */
+struct mm_variable {
+    uint64_t  function;
+    uint64_t  status;
+};
+
+/* SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE */
+struct QEMU_PACKED mm_variable_access {
+    QemuUUID  guid;
+    uint64_t  data_size;
+    uint64_t  name_size;
+    uint32_t  attributes;
+    /* Name */
+    /* Data */
+};
+
+/* SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME */
+struct mm_next_variable {
+    QemuUUID  guid;
+    uint64_t  name_size;
+    /* Name */
+};
+
+/* SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO */
+struct QEMU_PACKED mm_variable_info {
+    uint64_t max_storage_size;
+    uint64_t free_storage_size;
+    uint64_t max_variable_size;
+    uint32_t attributes;
+};
+
+/* SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE */
+struct mm_get_payload_size {
+    uint64_t  payload_size;
+};
+
+/* --- VarCheckPolicyLibMmiHandler ----------------------------------- */
+
+#define VAR_CHECK_POLICY_COMMAND_DISABLE     0x01
+#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED  0x02
+#define VAR_CHECK_POLICY_COMMAND_REGISTER    0x03
+#define VAR_CHECK_POLICY_COMMAND_DUMP        0x04
+#define VAR_CHECK_POLICY_COMMAND_LOCK        0x05
+
+typedef struct mm_check_policy mm_check_policy;
+typedef struct mm_check_policy_is_enabled mm_check_policy_is_enabled;
+typedef struct mm_check_policy_dump_params mm_check_policy_dump_params;
+
+/* VAR_CHECK_POLICY_COMM_HEADER */
+struct QEMU_PACKED mm_check_policy {
+    uint32_t  signature;
+    uint32_t  revision;
+    uint32_t  command;
+    uint64_t  result;
+};
+
+/* VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS */
+struct QEMU_PACKED mm_check_policy_is_enabled {
+    uint8_t   state;
+};
+
+/* VAR_CHECK_POLICY_COMM_DUMP_PARAMS */
+struct QEMU_PACKED mm_check_policy_dump_params {
+    uint32_t  page_requested;
+    uint32_t  total_size;
+    uint32_t  page_size;
+    uint8_t   has_more;
+};
+
+/* --- Edk2VariablePolicyProtocol ------------------------------------ */
+
+#define VARIABLE_POLICY_ENTRY_REVISION  0x00010000
+
+#define VARIABLE_POLICY_TYPE_NO_LOCK            0
+#define VARIABLE_POLICY_TYPE_LOCK_NOW           1
+#define VARIABLE_POLICY_TYPE_LOCK_ON_CREATE     2
+#define VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE  3
+
+typedef struct variable_policy_entry variable_policy_entry;
+typedef struct variable_lock_on_var_state variable_lock_on_var_state;
+
+/* VARIABLE_POLICY_ENTRY */
+struct variable_policy_entry {
+    uint32_t      version;
+    uint16_t      size;
+    uint16_t      offset_to_name;
+    QemuUUID      namespace;
+    uint32_t      min_size;
+    uint32_t      max_size;
+    uint32_t      attributes_must_have;
+    uint32_t      attributes_cant_have;
+    uint8_t       lock_policy_type;
+    uint8_t       padding[3];
+    /* LockPolicy */
+    /* Name */
+};
+
+/* VARIABLE_LOCK_ON_VAR_STATE_POLICY */
+struct variable_lock_on_var_state {
+    QemuUUID      namespace;
+    uint8_t       value;
+    uint8_t       padding;
+    /* Name */
+};
+
+/* --- variable authentication --------------------------------------- */
+
+#define WIN_CERT_TYPE_EFI_GUID  0x0EF1
+
+typedef struct efi_time efi_time;
+typedef struct efi_siglist efi_siglist;
+typedef struct variable_auth_2 variable_auth_2;
+
+/* EFI_TIME */
+struct efi_time {
+    uint16_t  year;
+    uint8_t   month;
+    uint8_t   day;
+    uint8_t   hour;
+    uint8_t   minute;
+    uint8_t   second;
+    uint8_t   pad1;
+    uint32_t  nanosecond;
+    int16_t   timezone;
+    uint8_t   daylight;
+    uint8_t   pad2;
+};
+
+/* EFI_SIGNATURE_LIST */
+struct efi_siglist {
+    QemuUUID  guid_type;
+    uint32_t  siglist_size;
+    uint32_t  header_size;
+    uint32_t  sig_size;
+};
+
+/* EFI_VARIABLE_AUTHENTICATION_2 */
+struct variable_auth_2 {
+    struct efi_time timestamp;
+
+    /* WIN_CERTIFICATE_UEFI_GUID */
+    uint32_t  hdr_length;
+    uint16_t  hdr_revision;
+    uint16_t  hdr_cert_type;
+    QemuUUID  guid_cert_type;
+    uint8_t   cert_data[];
+};
+
+#endif /* QEMU_UEFI_VAR_SERVICE_EDK2_H */
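Review bot: QEMU_PACKED is applied to mm_variable_access, mm_variable_info and the three mm_check_policy* structs but not to mm_header, mm_next_variable, variable_policy_entry or variable_auth_2, and the file does not say why the split is correct. These layouts are what the host will use to parse guest-controlled buffers, so a one-line comment on each packed struct naming the offset it preserves (for mm_variable_access: the trailing Name starts right after the 32-bit attributes at byte 36, where natural alignment would pad the struct to 40) would make later decoders much easier to audit. Two smaller points: `typedef struct mm_next_variable mm_lock_variable;` deserves a note that SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE shares the guid/name_size/Name layout, and `MAX_BIT` / `ENCODE_ERROR` are unprefixed macro names in a header other QEMU code will include; an EFI_ prefix would avoid collisions.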
-- 
2.47.1
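The structs in this patch are the wire format the host must decode from a buffer the guest fills in, which makes every length field in them untrusted input. The following is an added example, not code from this series or from QEMU, showing one way to encode a SET_VARIABLE request on the guest side and to decode it on the host side with every size checked before use. It mirrors the page's mm_header, mm_variable and mm_variable_access layouts and its EFI_* status values; `guid16` is a hypothetical 16-byte stand-in for QemuUUID, `__attribute__((packed))` stands in for QEMU_PACKED, the two GUIDs are constructed placeholders, and `encode_set_variable`, `decode_set_variable`, `build_demo` and `demo_status` are names chosen here, not device functions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values mirrored from the series' var-service*.h headers (same numbers). */
#define MAX_BUFFER_SIZE                     (64 * 1024)
#define MAX_BIT                             0x8000000000000000ULL
#define ENCODE_ERROR(StatusCode)            (MAX_BIT | (StatusCode))
#define EFI_SUCCESS                         0
#define EFI_INVALID_PARAMETER               ENCODE_ERROR(2)
#define EFI_BAD_BUFFER_SIZE                 ENCODE_ERROR(4)
#define SMM_VARIABLE_FUNCTION_SET_VARIABLE  3

typedef uint64_t efi_status;
/* Hypothetical 16-byte stand-in for QemuUUID so this builds outside QEMU. */
typedef struct { uint8_t data[16]; } guid16;

/* Same layouts as mm_header, mm_variable and mm_variable_access in the patch
 * (UINTN mapped to uint64_t; packed so Name follows attributes at byte 36). */
struct mm_header   { guid16 guid; uint64_t length; };
struct mm_variable { uint64_t function; uint64_t status; };
struct __attribute__((packed)) mm_variable_access {
    guid16 guid; uint64_t data_size; uint64_t name_size; uint32_t attributes;
};

/* Decoded SET_VARIABLE request; name/data point into the caller's buffer. */
struct set_variable_req {
    guid16 guid; uint32_t attributes;
    const uint8_t *name; uint64_t name_size;   /* UTF-16LE, NUL terminated */
    const uint8_t *data; uint64_t data_size;
};

/* Host side: parse a guest-written buffer without trusting any length in it.
 * Each size is checked against what remains before it is used, and name_size
 * and data_size are checked one at a time so their sum can never wrap. */
efi_status decode_set_variable(const uint8_t *buf, size_t buf_len,
                               struct set_variable_req *req)
{
    struct mm_header hdr; struct mm_variable var; struct mm_variable_access acc;
    size_t off = 0, end, avail, i;

    if (buf_len > MAX_BUFFER_SIZE || buf_len < sizeof(hdr)) return EFI_BAD_BUFFER_SIZE;
    memcpy(&hdr, buf, sizeof(hdr)); off += sizeof(hdr);
    if (hdr.length > buf_len - off) return EFI_BAD_BUFFER_SIZE;   /* claims more than given */
    if (hdr.length < sizeof(var) + sizeof(acc)) return EFI_BAD_BUFFER_SIZE;
    end = off + (size_t)hdr.length;
    memcpy(&var, buf + off, sizeof(var)); off += sizeof(var);
    if (var.function != SMM_VARIABLE_FUNCTION_SET_VARIABLE) return EFI_INVALID_PARAMETER;
    memcpy(&acc, buf + off, sizeof(acc)); off += sizeof(acc);
    avail = end - off;
    if (acc.name_size > avail || acc.data_size > avail - acc.name_size) return EFI_BAD_BUFFER_SIZE;
    /* Name: whole UTF-16 units, exactly one NUL and it must be the last unit. */
    if (acc.name_size < 2 || (acc.name_size & 1)) return EFI_INVALID_PARAMETER;
    req->name = buf + off;
    for (i = 0; i < acc.name_size; i += 2) {
        int is_nul = req->name[i] == 0 && req->name[i + 1] == 0;
        if (is_nul != (i + 2 == acc.name_size)) return EFI_INVALID_PARAMETER;
    }
    req->guid = acc.guid; req->attributes = acc.attributes; req->name_size = acc.name_size;
    req->data = req->name + acc.name_size; req->data_size = acc.data_size;
    return EFI_SUCCESS;
}

/* Guest side: lay out the same request. Returns total bytes written, 0 if it
 * does not fit in cap. proto is the GUID placed in mm_header. */
size_t encode_set_variable(uint8_t *buf, size_t cap, const guid16 *proto,
                           const struct set_variable_req *req)
{
    struct mm_header hdr = { *proto, 0 };
    struct mm_variable var = { SMM_VARIABLE_FUNCTION_SET_VARIABLE, 0 };
    struct mm_variable_access acc = { req->guid, req->data_size, req->name_size, req->attributes };
    size_t off = 0, fixed = sizeof(hdr) + sizeof(var) + sizeof(acc);

    if (cap < fixed || req->name_size > cap - fixed ||
        req->data_size > cap - fixed - req->name_size) return 0;
    hdr.length = sizeof(var) + sizeof(acc) + req->name_size + req->data_size;
    memcpy(buf + off, &hdr, sizeof(hdr)); off += sizeof(hdr);
    memcpy(buf + off, &var, sizeof(var)); off += sizeof(var);
    memcpy(buf + off, &acc, sizeof(acc)); off += sizeof(acc);
    memcpy(buf + off, req->name, (size_t)req->name_size); off += (size_t)req->name_size;
    memcpy(buf + off, req->data, (size_t)req->data_size); off += (size_t)req->data_size;
    return off;
}

/* Constructed sample: variable "Boot0000" with a 4-byte value. Both GUIDs are
 * placeholders, not the real protocol or vendor GUIDs. */
static const guid16 DEMO_PROTO_GUID = {{ 0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,
                                         0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf,0xb0 }};
static const guid16 DEMO_VAR_GUID   = {{ 0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,0xc8,
                                         0xc9,0xca,0xcb,0xcc,0xcd,0xce,0xcf,0xd0 }};
static const uint8_t DEMO_NAME[] = { 'B',0,'o',0,'o',0,'t',0,'0',0,'0',0,'0',0,'0',0,0,0 };
static const uint8_t DEMO_DATA[] = { 0x01, 0x02, 0x03, 0x04 };

size_t build_demo(uint8_t *buf, size_t cap)
{
    struct set_variable_req req = { DEMO_VAR_GUID, 0x07, DEMO_NAME, sizeof(DEMO_NAME),
                                    DEMO_DATA, sizeof(DEMO_DATA) };
    return encode_set_variable(buf, cap, &DEMO_PROTO_GUID, &req);
}

/* Decoder verdict on the demo message, optionally damaged the way a buggy or
 * misbehaving guest could: 1 = buffer shorter than hdr.length claims,
 * 2 = data_size near UINT64_MAX (wraps if naively added to name_size),
 * 3 = the name's NUL terminator overwritten. */
efi_status demo_status(int tamper)
{
    uint8_t buf[256]; struct set_variable_req req;
    size_t n = build_demo(buf, sizeof(buf));
    size_t data_size_off = sizeof(struct mm_header) + sizeof(struct mm_variable) + sizeof(guid16);
    uint64_t huge = UINT64_MAX - 8;

    if (tamper == 1) n -= 1;
    if (tamper == 2) memcpy(buf + data_size_off, &huge, sizeof(huge));
    if (tamper == 3) buf[n - sizeof(DEMO_DATA) - 2] = 'X';
    return decode_set_variable(buf, n, &req);
}

int main(void)
{
    int t;
    for (t = 0; t <= 3; t++)
        printf("tamper %d: status 0x%016llx\n", t, (unsigned long long)demo_status(t));
    return 0;
}
```

The decoder rejects the three damaged messages with the page's own status codes while accepting the intact one; the point of checking `name_size` and `data_size` against `avail` separately is that a single `name_size + data_size <= avail` test would pass when the sum wraps around.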
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>,
 =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Subject: [PATCH v2 03/21] hw/uefi: add include/hw/uefi/var-service.h
Date: Tue,  7 Jan 2025 16:33:30 +0100
Message-ID: <20250107153353.1144978-4-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add state structs and function declarations for the uefi-vars device.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 include/hw/uefi/var-service.h | 186 ++++++++++++++++++++++++++++++++++
 1 file changed, 186 insertions(+)
 create mode 100644 include/hw/uefi/var-service.h

diff --git a/include/hw/uefi/var-service.h b/include/hw/uefi/var-service.h
new file mode 100644
index 000000000000..e078d2b0e68f
--- /dev/null
+++ b/include/hw/uefi/var-service.h
@@ -0,0 +1,186 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi-vars device - state struct and function prototypes
+ */
+#ifndef QEMU_UEFI_VAR_SERVICE_H
+#define QEMU_UEFI_VAR_SERVICE_H
+
+#include "qemu/uuid.h"
+#include "qemu/queue.h"
+
+#include "hw/uefi/var-service-edk2.h"
+
+#define MAX_BUFFER_SIZE (64 * 1024)
+
+typedef struct uefi_variable uefi_variable;
+typedef struct uefi_var_policy uefi_var_policy;
+typedef struct uefi_vars_state uefi_vars_state;
+
+typedef struct uefi_vars_cert uefi_vars_cert;
+typedef struct uefi_vars_hash uefi_vars_hash;
+typedef struct uefi_vars_siglist uefi_vars_siglist;
+
+struct uefi_variable {
+    QemuUUID                          guid;
+    uint16_t                          *name;
+    uint32_t                          name_size;
+    uint32_t                          attributes;
+    void                              *data;
+    uint32_t                          data_size;
+    efi_time                          time;
+    void                              *digest;
+    uint32_t                          digest_size;
+    QTAILQ_ENTRY(uefi_variable)       next;
+};
+
+struct uefi_var_policy {
+    variable_policy_entry             *entry;
+    uint32_t                          entry_size;
+    uint16_t                          *name;
+    uint32_t                          name_size;
+
+    /* number of hashmarks (wildcard character) in name */
+    uint32_t                          hashmarks;
+
+    QTAILQ_ENTRY(uefi_var_policy)     next;
+};
+
+struct uefi_vars_state {
+    MemoryRegion                      mr;
+    uint16_t                          sts;
+    uint32_t                          buf_size;
+    uint32_t                          buf_addr_lo;
+    uint32_t                          buf_addr_hi;
+    uint8_t                           *buffer;
+    QTAILQ_HEAD(, uefi_variable)      variables;
+    QTAILQ_HEAD(, uefi_var_policy)    var_policies;
+
+    /* boot phases */
+    bool                              end_of_dxe;
+    bool                              ready_to_boot;
+    bool                              exit_boot_service;
+    bool                              policy_locked;
+
+    /* storage accounting */
+    uint64_t                          max_storage;
+    uint64_t                          used_storage;
+
+    /* config options */
+    char                              *jsonfile;
+    int                               jsonfd;
+    bool                              force_secure_boot;
+    bool                              disable_custom_mode;
+};
+
+struct uefi_vars_cert {
+    QTAILQ_ENTRY(uefi_vars_cert)  next;
+    QemuUUID                      owner;
+    uint64_t                      size;
+    uint8_t                       data[];
+};
+
+struct uefi_vars_hash {
+    QTAILQ_ENTRY(uefi_vars_hash)  next;
+    QemuUUID                      owner;
+    uint8_t                       data[];
+};
+
+struct uefi_vars_siglist {
+    QTAILQ_HEAD(, uefi_vars_cert)  x509;
+    QTAILQ_HEAD(, uefi_vars_hash)  sha256;
+};
+
+/* vars-service-guid.c */
+extern const QemuUUID EfiGlobalVariable;
+extern const QemuUUID EfiImageSecurityDatabase;
+extern const QemuUUID EfiCustomModeEnable;
+extern const QemuUUID EfiSecureBootEnableDisable;
+
+extern const QemuUUID EfiCertSha256Guid;
+extern const QemuUUID EfiCertSha384Guid;
+extern const QemuUUID EfiCertSha512Guid;
+extern const QemuUUID EfiCertRsa2048Guid;
+extern const QemuUUID EfiCertX509Guid;
+extern const QemuUUID EfiCertTypePkcs7Guid;
+
+extern const QemuUUID EfiSmmVariableProtocolGuid;
+extern const QemuUUID VarCheckPolicyLibMmiHandlerGuid;
+
+extern const QemuUUID EfiEndOfDxeEventGroupGuid;
+extern const QemuUUID EfiEventReadyToBootGuid;
+extern const QemuUUID EfiEventExitBootServicesGuid;
+
+/* vars-service-utils.c */
+gboolean uefi_str_is_valid(const uint16_t *str, size_t len,
+                           gboolean must_be_null_terminated);
+size_t uefi_strlen(const uint16_t *str, size_t len);
+gboolean uefi_str_equal_ex(const uint16_t *a, size_t alen,
+                           const uint16_t *b, size_t blen,
+                           gboolean wildcards_in_a);
+gboolean uefi_str_equal(const uint16_t *a, size_t alen,
+                        const uint16_t *b, size_t blen);
+char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_size);
+int uefi_time_compare(efi_time *a, efi_time *b);
+void uefi_trace_variable(const char *action, QemuUUID guid,
+                         const uint16_t *name, uint64_t name_size);
+void uefi_trace_status(const char *action, efi_status status);
+
+/* vars-service-core.c */
+extern const VMStateDescription vmstate_uefi_vars;
+void uefi_vars_init(Object *obj, uefi_vars_state *uv);
+void uefi_vars_realize(uefi_vars_state *uv, Error **errp);
+void uefi_vars_hard_reset(uefi_vars_state *uv);
+
+/* vars-service-json.c */
+void uefi_vars_json_init(uefi_vars_state *uv, Error **errp);
+void uefi_vars_json_save(uefi_vars_state *uv);
+void uefi_vars_json_load(uefi_vars_state *uv, Error **errp);
+
+/* vars-service-vars.c */
+extern const VMStateDescription vmstate_uefi_variable;
+uefi_variable *uefi_vars_find_variable(uefi_vars_state *uv, QemuUUID guid,
+                                       const uint16_t *name,
+                                       uint64_t name_size);
+void uefi_vars_set_variable(uefi_vars_state *uv, QemuUUID guid,
+                            const uint16_t *name, uint64_t name_size,
+                            uint32_t attributes,
+                            void *data, uint64_t data_size);
+void uefi_vars_clear_volatile(uefi_vars_state *uv);
+void uefi_vars_clear_all(uefi_vars_state *uv);
+void uefi_vars_update_storage(uefi_vars_state *uv);
+uint32_t uefi_vars_mm_vars_proto(uefi_vars_state *uv);
+
+/* vars-service-auth.c */
+bool uefi_vars_is_sb_pk(uefi_variable *var);
+bool uefi_vars_is_sb_any(uefi_variable *var);
+efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var,
+                                  mm_variable_access *va, void *data);
+efi_status uefi_vars_check_secure_boot(uefi_vars_state *uv, uefi_variable =
*var);
+void uefi_vars_auth_init(uefi_vars_state *uv);
+
+/* vars-service-pkcs7.c */
+efi_status uefi_vars_check_pkcs7_2(uefi_variable *siglist,
+                                   void **digest, uint32_t *digest_size,
+                                   mm_variable_access *va, void *data);
+
+/* vars-service-siglist.c */
+void uefi_vars_siglist_init(uefi_vars_siglist *siglist);
+void uefi_vars_siglist_free(uefi_vars_siglist *siglist);
+void uefi_vars_siglist_parse(uefi_vars_siglist *siglist,
+                             void *data, uint64_t size);
+uint64_t uefi_vars_siglist_blob_size(uefi_vars_siglist *siglist);
+void uefi_vars_siglist_blob_generate(uefi_vars_siglist *siglist,
+                                     void *data, uint64_t size);
+
+/* vars-service-policy.c */
+extern const VMStateDescription vmstate_uefi_var_policy;
+efi_status uefi_vars_policy_check(uefi_vars_state *uv,
+                                  uefi_variable *var,
+                                  gboolean is_newvar);
+void uefi_vars_policies_clear(uefi_vars_state *uv);
+uefi_var_policy *uefi_vars_add_policy(uefi_vars_state *uv,
+                                      variable_policy_entry *pe);
+uint32_t uefi_vars_mm_check_policy_proto(uefi_vars_state *uv);
+
+#endif /* QEMU_UEFI_VAR_SERVICE_H */
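Review bot: uefi_vars_siglist_parse() in the vars-service-siglist.c block returns void, so a malformed or truncated signature list cannot be reported back to the caller; the blob it walks arrives from the guest through the MM buffer, so it would be safer for the parser to return an efi_status (or at least a gboolean) and let the SetVariable path fail with EFI_INVALID_PARAMETER instead of silently using whatever was parsed. Also missing is a comment stating the unit of name_size / data_size in struct uefi_variable and of the alen/blen parameters of the uefi_str_* helpers (byte count vs. UCS-2 character count); the utils file below divides alen and blen by 2, which implies bytes, and a one-line note on each field would keep callers from mixing the two.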
--=20
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>,
 =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Subject: [PATCH v2 04/21] hw/uefi: add var-service-guid.c
Date: Tue,  7 Jan 2025 16:33:31 +0100
Message-ID: <20250107153353.1144978-5-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add variables for a bunch of UEFI GUIDs we will need.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-guid.c | 99 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 hw/uefi/var-service-guid.c

diff --git a/hw/uefi/var-service-guid.c b/hw/uefi/var-service-guid.c
new file mode 100644
index 000000000000..eba3655c8d30
--- /dev/null
+++ b/hw/uefi/var-service-guid.c
@@ -0,0 +1,99 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - GUIDs
+ */
+
+#include "qemu/osdep.h"
+#include "system/dma.h"
+
+#include "hw/uefi/var-service.h"
+
+/* variable namespaces */
+
+const QemuUUID EfiGlobalVariable =3D {
+    .data =3D UUID_LE(0x8be4df61, 0x93ca, 0x11d2, 0xaa, 0x0d,
+                    0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c)
+};
+
+const QemuUUID EfiImageSecurityDatabase =3D {
+    .data =3D UUID_LE(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc,
+                    0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
+};
+
+const QemuUUID EfiCustomModeEnable =3D {
+    .data =3D UUID_LE(0xc076ec0c, 0x7028, 0x4399, 0xa0, 0x72,
+                    0x71, 0xee, 0x5c, 0x44, 0x8b, 0x9f)
+};
+
+const QemuUUID EfiSecureBootEnableDisable =3D {
+    .data =3D UUID_LE(0xf0a30bc7, 0xaf08, 0x4556, 0x99, 0xc4,
+                    0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44)
+};
+
+/* signatures */
+
+const QemuUUID EfiCertSha256Guid =3D {
+    .data =3D UUID_LE(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9,
+                    0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
+};
+
+const QemuUUID EfiCertSha384Guid =3D {
+    .data =3D UUID_LE(0xff3e5307, 0x9fd0, 0x48c9, 0x85, 0xf1,
+                    0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1)
+};
+
+const QemuUUID EfiCertSha512Guid =3D {
+    .data =3D UUID_LE(0x93e0fae, 0xa6c4, 0x4f50, 0x9f, 0x1b,
+                    0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a)
+};
+
+const QemuUUID EfiCertRsa2048Guid =3D {
+    .data =3D UUID_LE(0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14,
+                    0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6)
+};
+
+const QemuUUID EfiCertX509Guid =3D {
+    .data =3D UUID_LE(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5,
+                    0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
+};
+
+const QemuUUID EfiCertTypePkcs7Guid =3D {
+    .data =3D UUID_LE(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9,
+                    0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
+};
+
+/*
+ * mm_header.guid values that the guest DXE/BDS phases use for
+ * sending requests to management mode
+ */
+
+const QemuUUID EfiSmmVariableProtocolGuid =3D {
+    .data =3D UUID_LE(0xed32d533, 0x99e6, 0x4209, 0x9c, 0xc0,
+                    0x2d, 0x72, 0xcd, 0xd9, 0x98, 0xa7)
+};
+
+const QemuUUID VarCheckPolicyLibMmiHandlerGuid =3D {
+    .data =3D UUID_LE(0xda1b0d11, 0xd1a7, 0x46c4, 0x9d, 0xc9,
+                    0xf3, 0x71, 0x48, 0x75, 0xc6, 0xeb)
+};
+
+/*
+ * mm_header.guid values that the guest DXE/BDS phases use for
+ * reporting event groups being signaled to management mode
+ */
+
+const QemuUUID EfiEndOfDxeEventGroupGuid =3D {
+    .data =3D UUID_LE(0x02ce967a, 0xdd7e, 0x4FFc, 0x9e, 0xe7,
+                    0x81, 0x0c, 0xF0, 0x47, 0x08, 0x80)
+};
+
+const QemuUUID EfiEventReadyToBootGuid =3D {
+    .data =3D UUID_LE(0x7ce88Fb3, 0x4bd7, 0x4679, 0x87, 0xa8,
+                    0xa8, 0xd8, 0xde, 0xe5, 0x0d, 0x2b)
+};
+
+const QemuUUID EfiEventExitBootServicesGuid =3D {
+    .data =3D UUID_LE(0x27abF055, 0xb1b8, 0x4c26, 0x80, 0x48,
+                    0x74, 0x8F, 0x37, 0xba, 0xa2, 0xdF)
+};
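Review bot: the hex literals in the three event-group GUIDs at the end of the file mix upper and lower case (0x4FFc, 0xF0, 0x7ce88Fb3, 0x27abF055, 0x8F, 0xdF) while every other constant in the file is lowercase, and EfiSecureBootEnableDisable and EfiCertSha384Guid carry unpadded bytes (0x0, 0x10, 0x9, 0x1); the compiler does not care, but normalizing to two-digit lowercase makes a visual check against the edk2 .dec definitions much easier. The `#include "system/dma.h"` also looks unused in a file that only defines constants.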
--=20
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>,
 =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Subject: [PATCH v2 05/21] hw/uefi: add var-service-utils.c
Date: Tue,  7 Jan 2025 16:33:32 +0100
Message-ID: <20250107153353.1144978-6-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add utility functions.  Helpers for UEFI (ucs2) string handling.
Helpers for readable trace messages.  Compare UEFI time stamps.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-utils.c | 241 ++++++++++++++++++++++++++++++++++++
 1 file changed, 241 insertions(+)
 create mode 100644 hw/uefi/var-service-utils.c

diff --git a/hw/uefi/var-service-utils.c b/hw/uefi/var-service-utils.c
new file mode 100644
index 000000000000..c9ef46570f48
--- /dev/null
+++ b/hw/uefi/var-service-utils.c
@@ -0,0 +1,241 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - helper functions for ucs2 strings and tracing
+ */
+#include "qemu/osdep.h"
+#include "system/dma.h"
+
+#include "hw/uefi/var-service.h"
+
+#include "trace/trace-hw_uefi.h"
+
+/* ------------------------------------------------------------------ */
+
+/*
+ * string helper functions.
+ *
+ * Most of the time uefi ucs2 strings are NULL-terminated, except
+ * sometimes when they are not (for example in variable policies).
+ */
+
+gboolean uefi_str_is_valid(const uint16_t *str, size_t len,
+                           gboolean must_be_null_terminated)
+{
+    size_t pos =3D 0;
+
+    for (;;) {
+        if (pos =3D=3D len) {
+            if (must_be_null_terminated) {
+                return false;
+            } else {
+                return true;
+            }
+        }
+        switch (str[pos]) {
+        case 0:
+            /* end of string */
+            return true;
+        case 0xd800 ... 0xdfff:
+            /* reject surrogates */
+            return false;
+        default:
+            /* char is good, check next */
+            break;
+        }
+        pos++;
+    }
+}
+
+size_t uefi_strlen(const uint16_t *str, size_t len)
+{
+    size_t pos =3D 0;
+
+    for (;;) {
+        if (pos =3D=3D len) {
+            return pos;
+        }
+        if (str[pos] =3D=3D 0) {
+            return pos;
+        }
+        pos++;
+    }
+}
+
+gboolean uefi_str_equal_ex(const uint16_t *a, size_t alen,
+                           const uint16_t *b, size_t blen,
+                           gboolean wildcards_in_a)
+{
+    size_t pos =3D 0;
+
+    alen =3D alen / 2;
+    blen =3D blen / 2;
+    for (;;) {
+        if (pos =3D=3D alen && pos =3D=3D blen) {
+            return true;
+        }
+        if (pos =3D=3D alen && b[pos] =3D=3D 0) {
+            return true;
+        }
+        if (pos =3D=3D blen && a[pos] =3D=3D 0) {
+            return true;
+        }
+        if (pos =3D=3D alen || pos =3D=3D blen) {
+            return false;
+        }
+        if (a[pos] =3D=3D 0 && b[pos] =3D=3D 0) {
+            return true;
+        }
+
+        if (wildcards_in_a && a[pos] =3D=3D '#') {
+            if (!isxdigit(b[pos])) {
+                return false;
+            }
+        } else {
+            if (a[pos] !=3D b[pos]) {
+                return false;
+            }
+        }
+        pos++;
+    }
+}
+
+gboolean uefi_str_equal(const uint16_t *a, size_t alen,
+                        const uint16_t *b, size_t blen)
+{
+    return uefi_str_equal_ex(a, alen, b, blen, false);
+}
+
+char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_size)
+{
+    char *str =3D g_malloc0(ucs2_size / 2 + 1);
+    int i;
+
+    for (i =3D 0; i * 2 < ucs2_size; i++) {
+        if (ucs2[i] =3D=3D 0) {
+            break;
+        }
+        if (ucs2[i] < 128) {
+            str[i] =3D ucs2[i];
+        } else {
+            str[i] =3D '?';
+        }
+    }
+    str[i] =3D 0;
+    return str;
+}
+
+/* ------------------------------------------------------------------ */
+/* time helper functions                                              */
+
+int uefi_time_compare(efi_time *a, efi_time *b)
+{
+    if (a->year < b->year) {
+        return -1;
+    }
+    if (a->year > b->year) {
+        return 1;
+    }
+
+    if (a->month < b->month) {
+        return -1;
+    }
+    if (a->month > b->month) {
+        return 1;
+    }
+
+    if (a->day < b->day) {
+        return -1;
+    }
+    if (a->day > b->day) {
+        return 1;
+    }
+
+    if (a->hour < b->hour) {
+        return -1;
+    }
+    if (a->hour > b->hour) {
+        return 1;
+    }
+
+    if (a->minute < b->minute) {
+        return -1;
+    }
+    if (a->minute > b->minute) {
+        return 1;
+    }
+
+    if (a->second < b->second) {
+        return -1;
+    }
+    if (a->second > b->second) {
+        return 1;
+    }
+
+    if (a->nanosecond < b->nanosecond) {
+        return -1;
+    }
+    if (a->nanosecond > b->nanosecond) {
+        return 1;
+    }
+
+    return 0;
+}
+
+/* ------------------------------------------------------------------ */
+/* tracing helper functions                                           */
+
+void uefi_trace_variable(const char *action, QemuUUID guid,
+                         const uint16_t *name, uint64_t name_size)
+{
+    QemuUUID be =3D qemu_uuid_bswap(guid);
+    char *str_uuid =3D qemu_uuid_unparse_strdup(&be);
+    char *str_name =3D uefi_ucs2_to_ascii(name, name_size);
+
+    trace_uefi_variable(action, str_name, name_size, str_uuid);
+
+    g_free(str_name);
+    g_free(str_uuid);
+}
+
+void uefi_trace_status(const char *action, efi_status status)
+{
+    switch (status) {
+    case EFI_SUCCESS:
+        trace_uefi_status(action, "success");
+        break;
+    case EFI_INVALID_PARAMETER:
+        trace_uefi_status(action, "invalid parameter");
+        break;
+    case EFI_UNSUPPORTED:
+        trace_uefi_status(action, "unsupported");
+        break;
+    case EFI_BAD_BUFFER_SIZE:
+        trace_uefi_status(action, "bad buffer size");
+        break;
+    case EFI_BUFFER_TOO_SMALL:
+        trace_uefi_status(action, "buffer too small");
+        break;
+    case EFI_WRITE_PROTECTED:
+        trace_uefi_status(action, "write protected");
+        break;
+    case EFI_OUT_OF_RESOURCES:
+        trace_uefi_status(action, "out of resources");
+        break;
+    case EFI_NOT_FOUND:
+        trace_uefi_status(action, "not found");
+        break;
+    case EFI_ACCESS_DENIED:
+        trace_uefi_status(action, "access denied");
+        break;
+    case EFI_ALREADY_STARTED:
+        trace_uefi_status(action, "already started");
+        break;
+    case EFI_SECURITY_VIOLATION:
+        trace_uefi_status(action, "security violation");
+        break;
+    default:
+        trace_uefi_status(action, "unknown error");
+        break;
+    }
+}
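Review bot: uefi_ucs2_to_ascii() has an off-by-one for odd ucs2_size values: the buffer is `g_malloc0(ucs2_size / 2 + 1)` but the loop condition `i * 2 < ucs2_size` admits one extra iteration, so for ucs2_size = 3 the loop runs with i = 0 and i = 1 (reading two bytes past the end of the input on the second) and the trailing `str[i] = 0` then writes to str[2] in a 2-byte allocation. Since name_size is guest-supplied through mm_variable_access, the helper should either iterate `ucs2_size / 2` characters or callers must reject odd sizes before tracing. In uefi_str_equal_ex(), `isxdigit(b[pos])` is called with a uint16_t; the ctype functions are only defined for unsigned char values and EOF, so a name character above 0xff is undefined behaviour (glibc indexes a table with it), and g_ascii_isxdigit() is not a drop-in fix because it truncates to guchar and would accept 0x0130 as '0'; check `b[pos] < 0x80` first, or compare against '0'-'9' / 'a'-'f' / 'A'-'F' explicitly. Finally, uefi_strlen() and uefi_str_is_valid() take len in characters while uefi_str_equal_ex() takes alen/blen in bytes; a comment on each would prevent mismatched callers.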
--=20
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 06/21] hw/uefi: add var-service-vars.c
Date: Tue,  7 Jan 2025 16:33:33 +0100
Message-ID: <20250107153353.1144978-7-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

This is the uefi variable service (EfiSmmVariableProtocol), providing
functions for listing, reading and updating variables.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-vars.c | 725 +++++++++++++++++++++++++++++++++++++
 1 file changed, 725 insertions(+)
 create mode 100644 hw/uefi/var-service-vars.c

diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c
new file mode 100644
index 000000000000..7f98d77a38d1
--- /dev/null
+++ b/hw/uefi/var-service-vars.c
@@ -0,0 +1,725 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - EfiSmmVariableProtocol implementation
+ */
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "system/dma.h"
+#include "migration/vmstate.h"
+
+#include "hw/uefi/var-service.h"
+#include "hw/uefi/var-service-api.h"
+#include "hw/uefi/var-service-edk2.h"
+
+#include "trace/trace-hw_uefi.h"
+
+#define EFI_VARIABLE_ATTRIBUTE_SUPPORTED                                \
+    (EFI_VARIABLE_NON_VOLATILE |                                        \
+     EFI_VARIABLE_BOOTSERVICE_ACCESS |                                  \
+     EFI_VARIABLE_RUNTIME_ACCESS |                                      \
+     EFI_VARIABLE_HARDWARE_ERROR_RECORD |                               \
+     EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS |               \
+     EFI_VARIABLE_APPEND_WRITE)
+
+
+const VMStateDescription vmstate_uefi_time =3D {
+    .name =3D "uefi-time",
+    .fields =3D (VMStateField[]) {
+        VMSTATE_UINT16(year, efi_time),
+        VMSTATE_UINT8(month, efi_time),
+        VMSTATE_UINT8(day, efi_time),
+        VMSTATE_UINT8(hour, efi_time),
+        VMSTATE_UINT8(minute, efi_time),
+        VMSTATE_UINT8(second, efi_time),
+        VMSTATE_UINT32(nanosecond, efi_time),
+        VMSTATE_END_OF_LIST()
+    },
+};
+
+const VMStateDescription vmstate_uefi_variable =3D {
+    .name =3D "uefi-variable",
+    .fields =3D (VMStateField[]) {
+        VMSTATE_UINT8_ARRAY_V(guid.data, uefi_variable, sizeof(QemuUUID), =
0),
+        VMSTATE_UINT32(name_size, uefi_variable),
+        VMSTATE_UINT32(data_size, uefi_variable),
+        VMSTATE_UINT32(attributes, uefi_variable),
+        VMSTATE_VBUFFER_ALLOC_UINT32(name, uefi_variable, 0, NULL, name_si=
ze),
+        VMSTATE_VBUFFER_ALLOC_UINT32(data, uefi_variable, 0, NULL, data_si=
ze),
+        VMSTATE_STRUCT(time, uefi_variable, 0, vmstate_uefi_time, efi_time=
),
+        VMSTATE_END_OF_LIST()
+    },
+};
+
+uefi_variable *uefi_vars_find_variable(uefi_vars_state *uv, QemuUUID guid,
+                                       const uint16_t *name, uint64_t name=
_size)
+{
+    uefi_variable *var;
+
+    QTAILQ_FOREACH(var, &uv->variables, next) {
+        if (!uefi_str_equal(var->name, var->name_size,
+                            name, name_size)) {
+            continue;
+        }
+        if (!qemu_uuid_is_equal(&var->guid, &guid)) {
+            continue;
+        }
+        if (!var->data_size) {
+            /* in process of being created/updated */
+            continue;
+        }
+        return var;
+    }
+    return NULL;
+}
+
+static uefi_variable *add_variable(uefi_vars_state *uv, QemuUUID guid,
+                                   const uint16_t *name, uint64_t name_siz=
e,
+                                   uint32_t attributes)
+{
+    uefi_variable *var;
+
+    var =3D g_new0(uefi_variable, 1);
+    var->guid =3D guid;
+    var->name =3D g_malloc(name_size);
+    memcpy(var->name, name, name_size);
+    var->name_size =3D name_size;
+    var->attributes =3D attributes;
+
+    var->attributes &=3D ~EFI_VARIABLE_APPEND_WRITE;
+
+    QTAILQ_INSERT_TAIL(&uv->variables, var, next);
+    return var;
+}
+
+static void del_variable(uefi_vars_state *uv, uefi_variable *var)
+{
+    if (!var) {
+        return;
+    }
+
+    QTAILQ_REMOVE(&uv->variables, var, next);
+    g_free(var->data);
+    g_free(var->name);
+    g_free(var->digest);
+    g_free(var);
+}
+
+static size_t variable_size(uefi_variable *var)
+{
+    size_t size;
+
+    size  =3D sizeof(*var);
+    size +=3D var->name_size;
+    size +=3D var->data_size;
+    size +=3D var->digest_size;
+    return size;
+}
+
+void uefi_vars_set_variable(uefi_vars_state *uv, QemuUUID guid,
+                            const uint16_t *name, uint64_t name_size,
+                            uint32_t attributes,
+                            void *data, uint64_t data_size)
+{
+    uefi_variable *old_var, *new_var;
+
+    uefi_trace_variable(__func__, guid, name, name_size);
+
+    old_var =3D uefi_vars_find_variable(uv, guid, name, name_size);
+    if (old_var) {
+        uv->used_storage -=3D variable_size(old_var);
+        del_variable(uv, old_var);
+    }
+
+    new_var =3D add_variable(uv, guid, name, name_size, attributes);
+    new_var->data =3D g_malloc(data_size);
+    new_var->data_size =3D data_size;
+    memcpy(new_var->data, data, data_size);
+    uv->used_storage +=3D variable_size(new_var);
+}
+
+void uefi_vars_clear_volatile(uefi_vars_state *uv)
+{
+    uefi_variable *var, *n;
+
+    QTAILQ_FOREACH_SAFE(var, &uv->variables, next, n) {
+        if (var->attributes & EFI_VARIABLE_NON_VOLATILE) {
+            continue;
+        }
+        uv->used_storage -=3D variable_size(var);
+        del_variable(uv, var);
+    }
+}
+
+void uefi_vars_clear_all(uefi_vars_state *uv)
+{
+    uefi_variable *var, *n;
+
+    QTAILQ_FOREACH_SAFE(var, &uv->variables, next, n) {
+        del_variable(uv, var);
+    }
+    uv->used_storage =3D 0;
+}
+
+void uefi_vars_update_storage(uefi_vars_state *uv)
+{
+    uefi_variable *var;
+
+    uv->used_storage =3D 0;
+    QTAILQ_FOREACH(var, &uv->variables, next) {
+        uv->used_storage +=3D variable_size(var);
+    }
+}
+
+static gboolean check_access(uefi_vars_state *uv, uefi_variable *var)
+{
+    if (!uv->exit_boot_service) {
+        if (!(var->attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS)) {
+            return false;
+        }
+    } else {
+        if (!(var->attributes & EFI_VARIABLE_RUNTIME_ACCESS)) {
+            return false;
+        }
+    }
+    return true;
+}
+
+static efi_status check_update(uefi_vars_state *uv, uefi_variable *old_var,
+                               uefi_variable *new_var)
+{
+    efi_status status;
+
+    if (old_var) {
+        if (!check_access(uv, old_var)) {
+            return EFI_ACCESS_DENIED;
+        }
+    }
+
+    if (new_var) {
+        if (new_var->attributes & ~EFI_VARIABLE_ATTRIBUTE_SUPPORTED) {
+            return EFI_UNSUPPORTED;
+        }
+        if (!check_access(uv, new_var)) {
+            return EFI_ACCESS_DENIED;
+        }
+    }
+
+    if (old_var && new_var) {
+        if (old_var->attributes !=3D new_var->attributes) {
+            return EFI_INVALID_PARAMETER;
+        }
+    }
+
+    if (new_var) {
+        /* create + update */
+        status =3D uefi_vars_policy_check(uv, new_var, old_var =3D=3D NULL=
);
+    } else {
+        /* delete */
+        g_assert(old_var);
+        status =3D uefi_vars_policy_check(uv, old_var, false);
+    }
+    if (status !=3D EFI_SUCCESS) {
+        return status;
+    }
+
+    status =3D uefi_vars_check_secure_boot(uv, new_var ?: old_var);
+    if (status !=3D EFI_SUCCESS) {
+        return status;
+    }
+
+    return EFI_SUCCESS;
+}
+
+static void append_write(uefi_variable *old_var,
+                         uefi_variable *new_var)
+{
+    uefi_vars_siglist siglist;
+    uint64_t size;
+    void *data;
+
+    uefi_vars_siglist_init(&siglist);
+    uefi_vars_siglist_parse(&siglist, old_var->data, old_var->data_size);
+    uefi_vars_siglist_parse(&siglist, new_var->data, new_var->data_size);
+
+    size =3D uefi_vars_siglist_blob_size(&siglist);
+    data =3D g_malloc(size);
+    uefi_vars_siglist_blob_generate(&siglist, data, size);
+
+    g_free(new_var->data);
+    new_var->data =3D data;
+    new_var->data_size =3D size;
+
+    uefi_vars_siglist_free(&siglist);
+}
+
+static size_t uefi_vars_mm_error(mm_header *mhdr, mm_variable *mvar,
+                                 uint64_t status)
+{
+    mvar->status =3D status;
+    return sizeof(*mvar);
+}
+
+static size_t uefi_vars_mm_get_variable(uefi_vars_state *uv, mm_header *mh=
dr,
+                                        mm_variable *mvar, void *func)
+{
+    mm_variable_access *va =3D func;
+    uint16_t *name;
+    void *data;
+    uefi_variable *var;
+    uint64_t length;
+
+    length =3D sizeof(*mvar) + sizeof(*va);
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    if (va->name_size > uv->max_storage ||
+        va->data_size > uv->max_storage) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_OUT_OF_RESOURCES);
+    }
+
+    name =3D func + sizeof(*va);
+    if (uadd64_overflow(length, va->name_size, &length)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    if (!uefi_str_is_valid(name, va->name_size, true)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_INVALID_PARAMETER);
+    }
+
+    uefi_trace_variable(__func__, va->guid, name, va->name_size);
+
+    var =3D uefi_vars_find_variable(uv, va->guid, name, va->name_size);
+    if (!var) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_NOT_FOUND);
+    }
+
+    /* check permissions etc. */
+    if (!check_access(uv, var)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_ACCESS_DENIED);
+    }
+
+    data =3D func + sizeof(*va) + va->name_size;
+    if (uadd64_overflow(length, va->data_size, &length)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+    if (uv->buf_size < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    va->attributes =3D var->attributes;
+    if (va->data_size < var->data_size) {
+        va->data_size =3D var->data_size;
+        length -=3D va->data_size;
+        mvar->status =3D EFI_BUFFER_TOO_SMALL;
+    } else {
+        va->data_size =3D var->data_size;
+        memcpy(data, var->data, var->data_size);
+        mvar->status =3D EFI_SUCCESS;
+    }
+    return length;
+}
+
+static size_t
+uefi_vars_mm_get_next_variable(uefi_vars_state *uv, mm_header *mhdr,
+                               mm_variable *mvar, void *func)
+{
+    mm_next_variable *nv =3D func;
+    uefi_variable *var;
+    uint16_t *name;
+    uint64_t length;
+
+    length =3D sizeof(*mvar) + sizeof(*nv);
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    if (nv->name_size > uv->max_storage) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_OUT_OF_RESOURCES);
+    }
+
+    name =3D func + sizeof(*nv);
+    if (uadd64_overflow(length, nv->name_size, &length)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    if (!uefi_str_is_valid(name, nv->name_size, true)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_INVALID_PARAMETER);
+    }
+
+    if (uefi_strlen(name, nv->name_size) =3D=3D 0) {
+        /* empty string -> first */
+        var =3D QTAILQ_FIRST(&uv->variables);
+        if (!var) {
+            return uefi_vars_mm_error(mhdr, mvar, EFI_NOT_FOUND);
+        }
+    } else {
+        var =3D uefi_vars_find_variable(uv, nv->guid, name, nv->name_size);
+        if (!var) {
+            return uefi_vars_mm_error(mhdr, mvar, EFI_INVALID_PARAMETER);
+        }
+        do {
+            var =3D QTAILQ_NEXT(var, next);
+        } while (var && !check_access(uv, var));
+        if (!var) {
+            return uefi_vars_mm_error(mhdr, mvar, EFI_NOT_FOUND);
+        }
+    }
+
+    length =3D sizeof(*mvar) + sizeof(*nv) + var->name_size;
+    if (uv->buf_size < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    nv->guid =3D var->guid;
+    nv->name_size =3D var->name_size;
+    memcpy(name, var->name, var->name_size);
+    mvar->status =3D EFI_SUCCESS;
+    return length;
+}
+
+static bool uefi_vars_mm_digest_compare(uefi_variable *old_var,
+                                        uefi_variable *new_var)
+{
+    if (!old_var->digest ||
+        !new_var->digest ||
+        !old_var->digest_size ||
+        !new_var->digest_size) {
+        /* should not happen */
+        trace_uefi_vars_security_violation("inconsistent authvar digest st=
ate");
+        return false;
+    }
+    if (old_var->digest_size !=3D new_var->digest_size) {
+        trace_uefi_vars_security_violation("authvar digest size mismatch");
+        return false;
+    }
+    if (memcmp(old_var->digest, new_var->digest,
+               old_var->digest_size) !=3D 0) {
+        trace_uefi_vars_security_violation("authvar digest data mismatch");
+        return false;
+    }
+    return true;
+}
+
+static size_t uefi_vars_mm_set_variable(uefi_vars_state *uv, mm_header *mh=
dr,
+                                        mm_variable *mvar, void *func)
+{
+    mm_variable_access *va =3D func;
+    uint32_t attributes =3D 0;
+    uint16_t *name;
+    void *data;
+    uefi_variable *old_var, *new_var;
+    uint64_t length;
+    size_t new_storage;
+    efi_status status;
+
+    length =3D sizeof(*mvar) + sizeof(*va);
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    if (va->name_size > uv->max_storage ||
+        va->data_size > uv->max_storage) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_OUT_OF_RESOURCES);
+    }
+
+    name =3D func + sizeof(*va);
+    if (uadd64_overflow(length, va->name_size, &length)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    data =3D func + sizeof(*va) + va->name_size;
+    if (uadd64_overflow(length, va->data_size, &length)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    g_assert(va->name_size < G_MAXUINT32);
+    g_assert(va->data_size < G_MAXUINT32);
+
+    if (!uefi_str_is_valid(name, va->name_size, true)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_INVALID_PARAMETER);
+    }
+
+    uefi_trace_variable(__func__, va->guid, name, va->name_size);
+
+    old_var =3D uefi_vars_find_variable(uv, va->guid, name, va->name_size);
+    if (va->data_size) {
+        new_var =3D add_variable(uv, va->guid, name, va->name_size,
+                               va->attributes);
+        if (va->attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) {
+            /* not implemented (deprecated in uefi spec) */
+            warn_report("%s: AUTHENTICATED_WRITE_ACCESS", __func__);
+            mvar->status =3D EFI_UNSUPPORTED;
+            goto rollback;
+        } else if (va->attributes &
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
+            status =3D uefi_vars_check_auth_2(uv, new_var, va, data);
+            if (status !=3D EFI_SUCCESS) {
+                mvar->status =3D status;
+                goto rollback;
+            }
+            if (old_var && new_var) {
+                if (uefi_time_compare(&old_var->time, &new_var->time) > 0)=
 {
+                    trace_uefi_vars_security_violation("time check failed"=
);
+                    mvar->status =3D EFI_SECURITY_VIOLATION;
+                    goto rollback;
+                }
+                if (old_var->digest_size || new_var->digest_size) {
+                    if (!uefi_vars_mm_digest_compare(old_var, new_var)) {
+                        mvar->status =3D EFI_SECURITY_VIOLATION;
+                        goto rollback;
+                    }
+                }
+            }
+        } else {
+            new_var->data =3D g_malloc(va->data_size);
+            memcpy(new_var->data, data, va->data_size);
+            new_var->data_size =3D va->data_size;
+        }
+        if (!new_var->data) {
+            /* we land here when deleting authenticated variables */
+            del_variable(uv, new_var);
+            new_var =3D NULL;
+        }
+    } else {
+        new_var =3D NULL;
+    }
+
+    if (!old_var && !new_var) {
+        /* delete non-existing variable -> nothing to do */
+        mvar->status =3D EFI_SUCCESS;
+        return sizeof(*mvar);
+    }
+
+    /* check permissions etc. */
+    status =3D check_update(uv, old_var, new_var);
+    if (status !=3D EFI_SUCCESS) {
+        mvar->status =3D status;
+        goto rollback;
+    }
+
+    if (va->attributes & EFI_VARIABLE_APPEND_WRITE && old_var && new_var) {
+        /* merge signature databases */
+        if (!uefi_vars_is_sb_any(new_var)) {
+            mvar->status =3D EFI_UNSUPPORTED;
+            goto rollback;
+        }
+        append_write(old_var, new_var);
+    }
+
+    /* check storage space */
+    new_storage =3D uv->used_storage;
+    if (old_var) {
+        new_storage -=3D variable_size(old_var);
+    }
+    if (new_var) {
+        new_storage +=3D variable_size(new_var);
+    }
+    if (new_storage > uv->max_storage) {
+        mvar->status =3D EFI_OUT_OF_RESOURCES;
+        goto rollback;
+    }
+
+    attributes =3D new_var
+        ? new_var->attributes
+        : old_var->attributes;
+
+    /* all good, commit */
+    del_variable(uv, old_var);
+    uv->used_storage =3D new_storage;
+
+    if (attributes & EFI_VARIABLE_NON_VOLATILE) {
+        uefi_vars_json_save(uv);
+    }
+
+    if (new_var && uefi_vars_is_sb_pk(new_var)) {
+        uefi_vars_auth_init(uv);
+    }
+
+    mvar->status =3D EFI_SUCCESS;
+    return sizeof(*mvar);
+
+rollback:
+    del_variable(uv, new_var);
+    return sizeof(*mvar);
+}
+
+static size_t uefi_vars_mm_variable_info(uefi_vars_state *uv, mm_header *m=
hdr,
+                                         mm_variable *mvar, void *func)
+{
+    mm_variable_info *vi =3D func;
+    uint64_t length;
+
+    length =3D sizeof(*mvar) + sizeof(*vi);
+    if (uv->buf_size < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    vi->max_storage_size  =3D uv->max_storage;
+    vi->free_storage_size =3D uv->max_storage - uv->used_storage;
+    vi->max_variable_size =3D uv->max_storage >> 2;
+    vi->attributes        =3D 0;
+
+    mvar->status =3D EFI_SUCCESS;
+    return length;
+}
+
+static size_t
+uefi_vars_mm_get_payload_size(uefi_vars_state *uv, mm_header *mhdr,
+                              mm_variable *mvar, void *func)
+{
+    mm_get_payload_size *ps =3D func;
+    uint64_t length;
+
+    length =3D sizeof(*mvar) + sizeof(*ps);
+    if (uv->buf_size < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    ps->payload_size =3D uv->buf_size;
+    mvar->status =3D EFI_SUCCESS;
+    return length;
+}
+
+static size_t
+uefi_vars_mm_lock_variable(uefi_vars_state *uv, mm_header *mhdr,
+                           mm_variable *mvar, void *func)
+{
+    mm_lock_variable *lv =3D func;
+    variable_policy_entry *pe;
+    uint16_t *name, *dest;
+    uint64_t length;
+
+    length =3D sizeof(*mvar) + sizeof(*lv);
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    name =3D func + sizeof(*lv);
+    if (uadd64_overflow(length, lv->name_size, &length)) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+    if (mhdr->length < length) {
+        return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+    }
+
+    uefi_trace_variable(__func__, lv->guid, name, lv->name_size);
+
+    pe =3D g_malloc0(sizeof(*pe) + lv->name_size);
+    pe->version               =3D VARIABLE_POLICY_ENTRY_REVISION;
+    pe->size                  =3D sizeof(*pe) + lv->name_size;
+    pe->offset_to_name        =3D sizeof(*pe);
+    pe->namespace             =3D lv->guid;
+    pe->min_size              =3D 0;
+    pe->max_size              =3D UINT32_MAX;
+    pe->attributes_must_have  =3D 0;
+    pe->attributes_cant_have  =3D 0;
+    pe->lock_policy_type      =3D VARIABLE_POLICY_TYPE_LOCK_NOW;
+
+    dest =3D (void *)pe + pe->offset_to_name;
+    memcpy(dest, name, lv->name_size);
+
+    uefi_vars_add_policy(uv, pe);
+    g_free(pe);
+
+    mvar->status =3D EFI_SUCCESS;
+    return length;
+}
+
+uint32_t uefi_vars_mm_vars_proto(uefi_vars_state *uv)
+{
+    static const char *fnames[] =3D {
+        "zero",
+        "get-variable",
+        "get-next-variable-name",
+        "set-variable",
+        "query-variable-info",
+        "ready-to-boot",
+        "exit-boot-service",
+        "get-statistics",
+        "lock-variable",
+        "var-check-prop-set",
+        "var-check-prop-get",
+        "get-payload-size",
+        "init-runtime-cache-contect",
+        "sync-runtime-cache",
+        "get-runtime-cache-info",
+    };
+    const char  *fname;
+    uint64_t    length;
+
+    mm_header   *mhdr =3D (mm_header *) uv->buffer;
+    mm_variable *mvar =3D (mm_variable *) (uv->buffer + sizeof(*mhdr));
+    void        *func =3D (uv->buffer + sizeof(*mhdr) + sizeof(*mvar));
+
+    if (mhdr->length < sizeof(*mvar)) {
+        return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE;
+    }
+
+    fname =3D mvar->function < ARRAY_SIZE(fnames)
+        ? fnames[mvar->function]
+        : "unknown";
+    trace_uefi_vars_proto_cmd(fname);
+
+    switch (mvar->function) {
+    case SMM_VARIABLE_FUNCTION_GET_VARIABLE:
+        length =3D uefi_vars_mm_get_variable(uv, mhdr, mvar, func);
+        break;
+
+    case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:
+        length =3D uefi_vars_mm_get_next_variable(uv, mhdr, mvar, func);
+        break;
+
+    case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
+        length =3D uefi_vars_mm_set_variable(uv, mhdr, mvar, func);
+        break;
+
+    case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:
+        length =3D uefi_vars_mm_variable_info(uv, mhdr, mvar, func);
+        break;
+
+    case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
+        length =3D uefi_vars_mm_lock_variable(uv, mhdr, mvar, func);
+        break;
+
+    case SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE:
+        length =3D uefi_vars_mm_get_payload_size(uv, mhdr, mvar, func);
+        break;
+
+    case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
+        trace_uefi_event("ready-to-boot");
+        uv->ready_to_boot =3D true;
+        length =3D 0;
+        break;
+
+    case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
+        trace_uefi_event("exit-boot-service");
+        uv->exit_boot_service =3D true;
+        length =3D 0;
+        break;
+
+    default:
+        length =3D uefi_vars_mm_error(mhdr, mvar, EFI_UNSUPPORTED);
+        break;
+    }
+
+    if (mhdr->length < length) {
+        mvar->status =3D EFI_BUFFER_TOO_SMALL;
+    }
+
+    uefi_trace_status(__func__, mvar->status);
+    return UEFI_VARS_STS_SUCCESS;
+}
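Review bot: in uefi_vars_mm_get_variable(), the EFI_BUFFER_TOO_SMALL branch subtracts the wrong value: `va->data_size = var->data_size;` is followed by `length -= va->data_size;`, so what is removed is the stored var->data_size rather than the caller's original va->data_size that was added to length a few lines earlier; when the stored data is larger than header-plus-name-plus-requested bytes, the uint64_t length wraps. It is harmless today because mvar->status is already EFI_BUFFER_TOO_SMALL when uefi_vars_mm_vars_proto() compares mhdr->length against the returned length, but the intent (response length without the data payload) is clearer as `length = sizeof(*mvar) + sizeof(*va) + va->name_size;` computed before va->data_size is overwritten. Two smaller points in the same hunk: uefi_vars_mm_get_next_variable() returns QTAILQ_FIRST(&uv->variables) for an empty name without the check_access() filter that the do/while loop applies to every subsequent entry, so the first variable's name is enumerable regardless of its BOOTSERVICE/RUNTIME access bits; and uefi_vars_mm_lock_variable() copies the name into the policy entry without the uefi_str_is_valid() check and the max_storage bound on name_size that the get/set handlers apply.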
--=20
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 07/21] hw/uefi: add var-service-auth.c
Date: Tue,  7 Jan 2025 16:33:34 +0100
Message-ID: <20250107153353.1144978-8-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

This implements authenticated variable handling (see AuthVariableLib in
edk2).

By far the most common use case for auth variables is secure boot.  The
secure boot certificate databases ('PK', 'KEK', 'db' and 'dbx') are
authenticated variables, with update rules being specified in the UEFI
specification.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-auth.c | 361 +++++++++++++++++++++++++++++++++++++
 1 file changed, 361 insertions(+)
 create mode 100644 hw/uefi/var-service-auth.c

diff --git a/hw/uefi/var-service-auth.c b/hw/uefi/var-service-auth.c
new file mode 100644
index 000000000000..fba5a0956a57
--- /dev/null
+++ b/hw/uefi/var-service-auth.c
@@ -0,0 +1,361 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - AuthVariableLib
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "system/dma.h"
+
+#include "hw/uefi/var-service.h"
+
+static const uint16_t name_pk[]           =3D u"PK";
+static const uint16_t name_kek[]          =3D u"KEK";
+static const uint16_t name_db[]           =3D u"db";
+static const uint16_t name_dbx[]          =3D u"dbx";
+static const uint16_t name_setup_mode[]   =3D u"SetupMode";
+static const uint16_t name_sigs_support[] =3D u"SignatureSupport";
+static const uint16_t name_sb[]           =3D u"SecureBoot";
+static const uint16_t name_sb_enable[]    =3D u"SecureBootEnable";
+static const uint16_t name_custom_mode[]  =3D u"CustomMode";
+static const uint16_t name_vk[]           =3D u"VendorKeys";
+static const uint16_t name_vk_nv[]        =3D u"VendorKeysNv";
+
+static const uint32_t sigdb_attrs =3D
+    EFI_VARIABLE_NON_VOLATILE |
+    EFI_VARIABLE_BOOTSERVICE_ACCESS |
+    EFI_VARIABLE_RUNTIME_ACCESS |
+    EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+static void set_secure_boot(uefi_vars_state *uv, uint8_t sb)
+{
+    uefi_vars_set_variable(uv, EfiGlobalVariable,
+                           name_sb, sizeof(name_sb),
+                           EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                           EFI_VARIABLE_RUNTIME_ACCESS,
+                           &sb, sizeof(sb));
+}
+
+static void set_secure_boot_enable(uefi_vars_state *uv, uint8_t sbe)
+{
+    uefi_vars_set_variable(uv, EfiSecureBootEnableDisable,
+                           name_sb_enable, sizeof(name_sb_enable),
+                           EFI_VARIABLE_NON_VOLATILE |
+                           EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                           &sbe, sizeof(sbe));
+}
+
+static void set_setup_mode(uefi_vars_state *uv, uint8_t sm)
+{
+    uefi_vars_set_variable(uv, EfiGlobalVariable,
+                           name_setup_mode, sizeof(name_setup_mode),
+                           EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                           EFI_VARIABLE_RUNTIME_ACCESS,
+                           &sm, sizeof(sm));
+}
+
+static void set_custom_mode(uefi_vars_state *uv, uint8_t cm)
+{
+    uefi_vars_set_variable(uv, EfiCustomModeEnable,
+                           name_custom_mode, sizeof(name_custom_mode),
+                           EFI_VARIABLE_NON_VOLATILE |
+                           EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                           &cm, sizeof(cm));
+}
+
+static void set_signature_support(uefi_vars_state *uv)
+{
+    QemuUUID sigs_support[5];
+
+    sigs_support[0] =3D EfiCertSha256Guid;
+    sigs_support[1] =3D EfiCertSha384Guid;
+    sigs_support[2] =3D EfiCertSha512Guid;
+    sigs_support[3] =3D EfiCertRsa2048Guid;
+    sigs_support[4] =3D EfiCertX509Guid;
+
+    uefi_vars_set_variable(uv, EfiGlobalVariable,
+                           name_sigs_support, sizeof(name_sigs_support),
+                           EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                           EFI_VARIABLE_RUNTIME_ACCESS,
+                           sigs_support, sizeof(sigs_support));
+}
+
+static bool setup_mode_is_active(uefi_vars_state *uv)
+{
+    uefi_variable *var;
+    uint8_t *value;
+
+    var =3D uefi_vars_find_variable(uv, EfiGlobalVariable,
+                                  name_setup_mode, sizeof(name_setup_mode)=
);
+    if (var) {
+        value =3D var->data;
+        if (value[0] =3D=3D SETUP_MODE) {
+            return true;
+        }
+    }
+    return false;
+}
+
+static bool custom_mode_is_active(uefi_vars_state *uv)
+{
+    uefi_variable *var;
+    uint8_t *value;
+
+    var =3D uefi_vars_find_variable(uv, EfiCustomModeEnable,
+                                  name_custom_mode, sizeof(name_custom_mod=
e));
+    if (var) {
+        value =3D var->data;
+        if (value[0] =3D=3D CUSTOM_SECURE_BOOT_MODE) {
+            return true;
+        }
+    }
+    return false;
+}
+
+bool uefi_vars_is_sb_pk(uefi_variable *var)
+{
+    if (qemu_uuid_is_equal(&var->guid, &EfiGlobalVariable) &&
+        uefi_str_equal(var->name, var->name_size, name_pk, sizeof(name_pk)=
)) {
+        return true;
+    }
+    return false;
+}
+
+static bool uefi_vars_is_sb_kek(uefi_variable *var)
+{
+    if (qemu_uuid_is_equal(&var->guid, &EfiGlobalVariable) &&
+        uefi_str_equal(var->name, var->name_size, name_kek, sizeof(name_ke=
k))) {
+        return true;
+    }
+    return false;
+}
+
+static bool uefi_vars_is_sb_db(uefi_variable *var)
+{
+    if (!qemu_uuid_is_equal(&var->guid, &EfiImageSecurityDatabase)) {
+        return false;
+    }
+    if (uefi_str_equal(var->name, var->name_size, name_db, sizeof(name_db)=
)) {
+        return true;
+    }
+    if (uefi_str_equal(var->name, var->name_size, name_dbx, sizeof(name_db=
x))) {
+        return true;
+    }
+    return false;
+}
+
+bool uefi_vars_is_sb_any(uefi_variable *var)
+{
+    if (uefi_vars_is_sb_pk(var) ||
+        uefi_vars_is_sb_kek(var) ||
+        uefi_vars_is_sb_db(var)) {
+        return true;
+    }
+    return false;
+}
+
+static uefi_variable *uefi_vars_find_siglist(uefi_vars_state *uv,
+                                             uefi_variable *var)
+{
+    if (uefi_vars_is_sb_pk(var)) {
+        return uefi_vars_find_variable(uv, EfiGlobalVariable,
+                                       name_pk, sizeof(name_pk));
+    }
+    if (uefi_vars_is_sb_kek(var)) {
+        return uefi_vars_find_variable(uv, EfiGlobalVariable,
+                                       name_pk, sizeof(name_pk));
+    }
+    if (uefi_vars_is_sb_db(var)) {
+        return uefi_vars_find_variable(uv, EfiGlobalVariable,
+                                       name_kek, sizeof(name_kek));
+    }
+
+    return NULL;
+}
+
+static efi_status uefi_vars_check_auth_2_sb(uefi_vars_state *uv,
+                                            uefi_variable *var,
+                                            mm_variable_access *va,
+                                            void *data,
+                                            uint64_t data_offset)
+{
+    variable_auth_2 *auth =3D data;
+    uefi_variable *siglist;
+
+    if (custom_mode_is_active(uv)) {
+        /* no authentication in custom mode */
+        return EFI_SUCCESS;
+    }
+
+    if (setup_mode_is_active(uv) && !uefi_vars_is_sb_pk(var)) {
+        /* no authentication in setup mode (except PK) */
+        return EFI_SUCCESS;
+    }
+
+    if (auth->hdr_length =3D=3D 24) {
+        /* no signature (auth->cert_data is empty) */
+        return EFI_SECURITY_VIOLATION;
+    }
+
+    siglist =3D uefi_vars_find_siglist(uv, var);
+    if (!siglist && setup_mode_is_active(uv) && uefi_vars_is_sb_pk(var)) {
+        /* check PK is self-signed */
+        uefi_variable tmp =3D {
+            .guid       =3D EfiGlobalVariable,
+            .name       =3D (uint16_t *)name_pk,
+            .name_size  =3D sizeof(name_pk),
+            .attributes =3D sigdb_attrs,
+            .data       =3D data + data_offset,
+            .data_size  =3D va->data_size - data_offset,
+        };
+        return uefi_vars_check_pkcs7_2(&tmp, NULL, NULL, va, data);
+    }
+
+    return uefi_vars_check_pkcs7_2(siglist, NULL, NULL, va, data);
+}
+
+efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var,
+                                  mm_variable_access *va, void *data)
+{
+    variable_auth_2 *auth =3D data;
+    uint64_t data_offset;
+    efi_status status;
+
+    if (va->data_size < sizeof(*auth)) {
+        return EFI_SECURITY_VIOLATION;
+    }
+    if (uadd64_overflow(sizeof(efi_time), auth->hdr_length, &data_offset))=
 {
+        return EFI_SECURITY_VIOLATION;
+    }
+    if (va->data_size < data_offset) {
+        return EFI_SECURITY_VIOLATION;
+    }
+
+    if (auth->hdr_revision !=3D 0x0200 ||
+        auth->hdr_cert_type !=3D WIN_CERT_TYPE_EFI_GUID ||
+        !qemu_uuid_is_equal(&auth->guid_cert_type, &EfiCertTypePkcs7Guid))=
 {
+        return EFI_UNSUPPORTED;
+    }
+
+    if (uefi_vars_is_sb_any(var)) {
+        /* secure boot variables */
+        status =3D uefi_vars_check_auth_2_sb(uv, var, va, data, data_offse=
t);
+        if (status !=3D EFI_SUCCESS) {
+            return status;
+        }
+    } else {
+        /* other authenticated variables */
+        status =3D uefi_vars_check_pkcs7_2(NULL,
+                                         &var->digest, &var->digest_size,
+                                         va, data);
+        if (status !=3D EFI_SUCCESS) {
+            return status;
+        }
+    }
+
+    /* checks passed, set variable data */
+    var->time =3D auth->timestamp;
+    if (va->data_size - data_offset > 0) {
+        var->data =3D g_malloc(va->data_size - data_offset);
+        memcpy(var->data, data + data_offset, va->data_size - data_offset);
+        var->data_size =3D va->data_size - data_offset;
+    }
+
+    return EFI_SUCCESS;
+}
+
+efi_status uefi_vars_check_secure_boot(uefi_vars_state *uv, uefi_variable =
*var)
+{
+    uint8_t *value =3D var->data;
+
+    if (uefi_vars_is_sb_any(var)) {
+        if (var->attributes !=3D sigdb_attrs) {
+            return EFI_INVALID_PARAMETER;
+        }
+    }
+
+    /* reject SecureBootEnable updates if force_secure_boot is set */
+    if (qemu_uuid_is_equal(&var->guid, &EfiSecureBootEnableDisable) &&
+        uefi_str_equal(var->name, var->name_size,
+                       name_sb_enable, sizeof(name_sb_enable)) &&
+        uv->force_secure_boot &&
+        value[0] !=3D SECURE_BOOT_ENABLE) {
+        return EFI_WRITE_PROTECTED;
+    }
+
+    /* reject CustomMode updates if disable_custom_mode is set */
+    if (qemu_uuid_is_equal(&var->guid, &EfiCustomModeEnable) &&
+        uefi_str_equal(var->name, var->name_size,
+                       name_custom_mode, sizeof(name_custom_mode)) &&
+        uv->disable_custom_mode) {
+        return EFI_WRITE_PROTECTED;
+    }
+
+    return EFI_SUCCESS;
+}
+
+/* AuthVariableLibInitialize */
+void uefi_vars_auth_init(uefi_vars_state *uv)
+{
+    uefi_variable *pk_var, *sbe_var;
+    uint8_t platform_mode, sb, sbe, vk;
+
+    /* SetupMode */
+    pk_var =3D uefi_vars_find_variable(uv, EfiGlobalVariable,
+                                     name_pk, sizeof(name_pk));
+    if (!pk_var) {
+        platform_mode =3D SETUP_MODE;
+    } else {
+        platform_mode =3D USER_MODE;
+    }
+    set_setup_mode(uv, platform_mode);
+
+    /* SignatureSupport */
+    set_signature_support(uv);
+
+    /* SecureBootEnable */
+    sbe =3D SECURE_BOOT_DISABLE;
+    sbe_var =3D uefi_vars_find_variable(uv, EfiSecureBootEnableDisable,
+                                      name_sb_enable, sizeof(name_sb_enabl=
e));
+    if (sbe_var) {
+        if (platform_mode =3D=3D USER_MODE) {
+            sbe =3D ((uint8_t *)sbe_var->data)[0];
+        }
+    } else if (platform_mode =3D=3D USER_MODE) {
+        sbe =3D SECURE_BOOT_ENABLE;
+        set_secure_boot_enable(uv, sbe);
+    }
+
+    if (uv->force_secure_boot && sbe !=3D SECURE_BOOT_ENABLE) {
+        sbe =3D SECURE_BOOT_ENABLE;
+        set_secure_boot_enable(uv, sbe);
+    }
+
+    /* SecureBoot */
+    if ((sbe =3D=3D SECURE_BOOT_ENABLE) && (platform_mode =3D=3D USER_MODE=
)) {
+        sb =3D SECURE_BOOT_MODE_ENABLE;
+    } else {
+        sb =3D SECURE_BOOT_MODE_DISABLE;
+    }
+    set_secure_boot(uv, sb);
+
+    /* CustomMode */
+    set_custom_mode(uv, STANDARD_SECURE_BOOT_MODE);
+
+    vk =3D 0;
+    uefi_vars_set_variable(uv, EfiGlobalVariable,
+                           name_vk_nv, sizeof(name_vk_nv),
+                           EFI_VARIABLE_NON_VOLATILE |
+                           EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                           EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACC=
ESS,
+                           &vk, sizeof(vk));
+    uefi_vars_set_variable(uv, EfiGlobalVariable,
+                           name_vk, sizeof(name_vk),
+                           EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                           EFI_VARIABLE_RUNTIME_ACCESS,
+                           &vk, sizeof(vk));
+
+    /* flush to disk */
+    uefi_vars_json_save(uv);
+}
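Review bot: In uefi_vars_check_secure_boot(), `value[0]` is read without any check of `var->data_size`; in the SecureBootEnable branch `value` is `var->data` of a guest-supplied variable, so a zero-length payload (a delete) would read from an empty or NULL buffer. The condition should carry a `var->data_size >= 1 &&` term ahead of `value[0] != SECURE_BOOT_ENABLE`, or the function should return early when data_size is 0. In uefi_vars_check_auth_2(), `data_offset` is bounded against `va->data_size` but `auth->hdr_length` has no lower bound: the `_sb` path rejects exactly `hdr_length == 24` as an empty signature, while smaller values pass straight into uefi_vars_check_pkcs7_2() with a header shorter than the 24 fixed bytes the comment assumes; a `hdr_length < 24` check returning EFI_SECURITY_VIOLATION next to the overflow test would close that. Finally, `var->time = auth->timestamp` is assigned without comparing against the variable's existing time; if the monotonic-timestamp rule for time-based authenticated writes is enforced by the caller, a comment here saying so would help the next reader.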
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>,
 =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Subject: [PATCH v2 08/21] hw/uefi: add var-service-policy.c
Date: Tue,  7 Jan 2025 16:33:35 +0100
Message-ID: <20250107153353.1144978-9-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>

Implement variable policies (Edk2VariablePolicyProtocol).

This EFI protocol allows defining restrictions for variables.
It also allows locking down variables (disallowing write access).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-policy.c | 370 +++++++++++++++++++++++++++++++++++
 1 file changed, 370 insertions(+)
 create mode 100644 hw/uefi/var-service-policy.c

diff --git a/hw/uefi/var-service-policy.c b/hw/uefi/var-service-policy.c
new file mode 100644
index 000000000000..3b1155fe4ea1
--- /dev/null
+++ b/hw/uefi/var-service-policy.c
@@ -0,0 +1,370 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - VarCheckPolicyLibMmiHandler implementation
+ *
+ * variable policy specs:
+ * https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Library/Vari=
ablePolicyLib/ReadMe.md
+ */
+#include "qemu/osdep.h"
+#include "system/dma.h"
+#include "migration/vmstate.h"
+
+#include "hw/uefi/var-service.h"
+#include "hw/uefi/var-service-api.h"
+#include "hw/uefi/var-service-edk2.h"
+
+#include "trace/trace-hw_uefi.h"
+
+static void calc_policy(uefi_var_policy *pol);
+
+static int uefi_var_policy_post_load(void *opaque, int version_id)
+{
+    uefi_var_policy *pol =3D opaque;
+
+    calc_policy(pol);
+    return 0;
+}
+
+const VMStateDescription vmstate_uefi_var_policy =3D {
+    .name =3D "uefi-var-policy",
+    .post_load =3D uefi_var_policy_post_load,
+    .fields =3D (VMStateField[]) {
+        VMSTATE_UINT32(entry_size, uefi_var_policy),
+        VMSTATE_VBUFFER_ALLOC_UINT32(entry, uefi_var_policy,
+                                     0, NULL, entry_size),
+        VMSTATE_END_OF_LIST()
+    },
+};
+
+static void print_policy_entry(variable_policy_entry *pe)
+{
+    uint16_t *name =3D (void *)pe + pe->offset_to_name;
+
+    fprintf(stderr, "%s:\n", __func__);
+
+    fprintf(stderr, "    name =C2=B4");
+    while (*name) {
+        fprintf(stderr, "%c", *name);
+        name++;
+    }
+    fprintf(stderr, "', version=3D%d.%d, size=3D%d\n",
+            pe->version >> 16, pe->version & 0xffff, pe->size);
+
+    if (pe->min_size) {
+        fprintf(stderr, "    size min=3D%d\n", pe->min_size);
+    }
+    if (pe->max_size !=3D UINT32_MAX) {
+        fprintf(stderr, "    size max=3D%u\n", pe->max_size);
+    }
+    if (pe->attributes_must_have) {
+        fprintf(stderr, "    attr must=3D0x%x\n", pe->attributes_must_have=
);
+    }
+    if (pe->attributes_cant_have) {
+        fprintf(stderr, "    attr cant=3D0x%x\n", pe->attributes_cant_have=
);
+    }
+    if (pe->lock_policy_type) {
+        fprintf(stderr, "    lock policy type %d\n", pe->lock_policy_type);
+    }
+}
+
+static gboolean wildcard_str_equal(uefi_var_policy *pol,
+                                   uefi_variable *var)
+{
+    return uefi_str_equal_ex(pol->name, pol->name_size,
+                             var->name, var->name_size,
+                             true);
+}
+
+static uefi_var_policy *find_policy(uefi_vars_state *uv, QemuUUID guid,
+                                    uint16_t *name, uint64_t name_size)
+{
+    uefi_var_policy *pol;
+
+    QTAILQ_FOREACH(pol, &uv->var_policies, next) {
+        if (!qemu_uuid_is_equal(&pol->entry->namespace, &guid)) {
+            continue;
+        }
+        if (!uefi_str_equal(pol->name, pol->name_size,
+                            name, name_size)) {
+            continue;
+        }
+        return pol;
+    }
+    return NULL;
+}
+
+static uefi_var_policy *wildcard_find_policy(uefi_vars_state *uv,
+                                             uefi_variable *var)
+{
+    uefi_var_policy *pol;
+
+    QTAILQ_FOREACH(pol, &uv->var_policies, next) {
+        if (!qemu_uuid_is_equal(&pol->entry->namespace, &var->guid)) {
+            continue;
+        }
+        if (!wildcard_str_equal(pol, var)) {
+            continue;
+        }
+        return pol;
+    }
+    return NULL;
+}
+
+static void calc_policy(uefi_var_policy *pol)
+{
+    variable_policy_entry *pe =3D pol->entry;
+    unsigned int i;
+
+    pol->name =3D (void *)pol->entry + pe->offset_to_name;
+    pol->name_size =3D pe->size - pe->offset_to_name;
+
+    for (i =3D 0; i < pol->name_size / 2; i++) {
+        if (pol->name[i] =3D=3D '#') {
+            pol->hashmarks++;
+        }
+    }
+}
+
+uefi_var_policy *uefi_vars_add_policy(uefi_vars_state *uv,
+                                      variable_policy_entry *pe)
+{
+    uefi_var_policy *pol, *p;
+
+    pol =3D g_new0(uefi_var_policy, 1);
+    pol->entry =3D g_malloc(pe->size);
+    memcpy(pol->entry, pe, pe->size);
+    pol->entry_size =3D pe->size;
+
+    calc_policy(pol);
+
+    /* keep list sorted by priority, add to tail of priority group */
+    QTAILQ_FOREACH(p, &uv->var_policies, next) {
+        if ((p->hashmarks > pol->hashmarks) ||
+            (!p->name_size && pol->name_size)) {
+            QTAILQ_INSERT_BEFORE(p, pol, next);
+            return pol;
+        }
+    }
+
+    QTAILQ_INSERT_TAIL(&uv->var_policies, pol, next);
+    return pol;
+}
+
+efi_status uefi_vars_policy_check(uefi_vars_state *uv,
+                                  uefi_variable *var,
+                                  gboolean is_newvar)
+{
+    uefi_var_policy *pol;
+    variable_policy_entry *pe;
+    variable_lock_on_var_state *lvarstate;
+    uint16_t *lvarname;
+    size_t lvarnamesize;
+    uefi_variable *lvar;
+
+    if (!uv->end_of_dxe) {
+        return EFI_SUCCESS;
+    }
+
+    pol =3D wildcard_find_policy(uv, var);
+    if (!pol) {
+        return EFI_SUCCESS;
+    }
+    pe =3D pol->entry;
+
+    uefi_trace_variable(__func__, var->guid, var->name, var->name_size);
+    print_policy_entry(pe);
+
+    if ((var->attributes & pe->attributes_must_have) !=3D pe->attributes_m=
ust_have) {
+        trace_uefi_vars_policy_deny("must-have-attr");
+        return EFI_INVALID_PARAMETER;
+    }
+    if ((var->attributes & pe->attributes_cant_have) !=3D 0) {
+        trace_uefi_vars_policy_deny("cant-have-attr");
+        return EFI_INVALID_PARAMETER;
+    }
+
+    if (var->data_size < pe->min_size) {
+        trace_uefi_vars_policy_deny("min-size");
+        return EFI_INVALID_PARAMETER;
+    }
+    if (var->data_size > pe->max_size) {
+        trace_uefi_vars_policy_deny("max-size");
+        return EFI_INVALID_PARAMETER;
+    }
+
+    switch (pe->lock_policy_type) {
+    case VARIABLE_POLICY_TYPE_NO_LOCK:
+        break;
+
+    case VARIABLE_POLICY_TYPE_LOCK_NOW:
+        trace_uefi_vars_policy_deny("lock-now");
+        return EFI_WRITE_PROTECTED;
+
+    case VARIABLE_POLICY_TYPE_LOCK_ON_CREATE:
+        if (!is_newvar) {
+            trace_uefi_vars_policy_deny("lock-on-create");
+            return EFI_WRITE_PROTECTED;
+        }
+        break;
+
+    case VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE:
+        lvarstate    =3D (void *)pol->entry + sizeof(*pe);
+        lvarname     =3D (void *)pol->entry + sizeof(*pe) + sizeof(*lvarst=
ate);
+        lvarnamesize =3D pe->offset_to_name - sizeof(*pe) - sizeof(*lvarst=
ate);
+
+        uefi_trace_variable(__func__, lvarstate->namespace,
+                            lvarname, lvarnamesize);
+        lvar =3D uefi_vars_find_variable(uv, lvarstate->namespace,
+                                          lvarname, lvarnamesize);
+        if (lvar && lvar->data_size =3D=3D 1) {
+            uint8_t *value =3D lvar->data;
+            if (lvarstate->value =3D=3D *value) {
+                return EFI_WRITE_PROTECTED;
+            }
+        }
+        break;
+    }
+
+    return EFI_SUCCESS;
+}
+
+void uefi_vars_policies_clear(uefi_vars_state *uv)
+{
+    uefi_var_policy *pol;
+
+    while (!QTAILQ_EMPTY(&uv->var_policies)) {
+        pol =3D QTAILQ_FIRST(&uv->var_policies);
+        QTAILQ_REMOVE(&uv->var_policies, pol, next);
+        g_free(pol->entry);
+        g_free(pol);
+    }
+}
+
+static size_t uefi_vars_mm_policy_error(mm_header *mhdr,
+                                        mm_check_policy *mchk,
+                                        uint64_t status)
+{
+    mchk->result =3D status;
+    return sizeof(*mchk);
+}
+
+static uint32_t uefi_vars_mm_check_policy_is_enabled(uefi_vars_state *uv,
+                                                     mm_header       *mhdr,
+                                                     mm_check_policy *mchk,
+                                                     void            *func)
+{
+    mm_check_policy_is_enabled *mpar =3D func;
+    size_t length;
+
+    length =3D sizeof(*mchk) + sizeof(*mpar);
+    if (mhdr->length < length) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE);
+    }
+
+    mpar->state  =3D TRUE;
+    mchk->result =3D EFI_SUCCESS;
+    return sizeof(*mchk);
+}
+
+static uint32_t uefi_vars_mm_check_policy_register(uefi_vars_state *uv,
+                                                   mm_header       *mhdr,
+                                                   mm_check_policy *mchk,
+                                                   void            *func)
+{
+    variable_policy_entry *pe =3D func;
+    uefi_var_policy *pol;
+    uint64_t length;
+
+    if (uadd64_overflow(sizeof(*mchk), pe->size, &length)) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE);
+    }
+    if (mhdr->length < length) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE);
+    }
+    if (pe->size < sizeof(*pe)) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE);
+    }
+    if (pe->offset_to_name < sizeof(*pe)) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE);
+    }
+
+    if (pe->lock_policy_type =3D=3D VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=
 &&
+        pe->offset_to_name < sizeof(*pe) + sizeof(variable_lock_on_var_sta=
te)) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE);
+    }
+
+    /* check space for minimum string length */
+    if (pe->size < (size_t)pe->offset_to_name) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE);
+    }
+
+    if (!uefi_str_is_valid((void *)pe + pe->offset_to_name,
+                           pe->size - pe->offset_to_name,
+                           false)) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_INVALID_PARAMETER=
);
+    }
+
+    pol =3D find_policy(uv, pe->namespace,
+                      (void *)pe + pe->offset_to_name,
+                      pe->size - pe->offset_to_name);
+    if (pol) {
+        return uefi_vars_mm_policy_error(mhdr, mchk, EFI_ALREADY_STARTED);
+    }
+
+    uefi_vars_add_policy(uv, pe);
+
+    mchk->result =3D EFI_SUCCESS;
+    return sizeof(*mchk);
+}
+
+uint32_t uefi_vars_mm_check_policy_proto(uefi_vars_state *uv)
+{
+    static const char *fnames[] =3D {
+        "zero",
+        "disable",
+        "is-enabled",
+        "register",
+        "dump",
+        "lock",
+    };
+    const char      *fname;
+    mm_header       *mhdr =3D (mm_header *) uv->buffer;
+    mm_check_policy *mchk =3D (mm_check_policy *) (uv->buffer + sizeof(*mh=
dr));
+    void            *func =3D (uv->buffer + sizeof(*mhdr) + sizeof(*mchk));
+
+    if (mhdr->length < sizeof(*mchk)) {
+        return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE;
+    }
+
+    fname =3D mchk->command < ARRAY_SIZE(fnames)
+        ? fnames[mchk->command]
+        : "unknown";
+    trace_uefi_vars_policy_cmd(fname);
+
+    switch (mchk->command) {
+    case VAR_CHECK_POLICY_COMMAND_DISABLE:
+        mchk->result =3D EFI_UNSUPPORTED;
+        break;
+    case VAR_CHECK_POLICY_COMMAND_IS_ENABLED:
+        uefi_vars_mm_check_policy_is_enabled(uv, mhdr, mchk, func);
+        break;
+    case VAR_CHECK_POLICY_COMMAND_REGISTER:
+        if (uv->policy_locked) {
+            mchk->result =3D EFI_WRITE_PROTECTED;
+        } else {
+            uefi_vars_mm_check_policy_register(uv, mhdr, mchk, func);
+        }
+        break;
+    case VAR_CHECK_POLICY_COMMAND_LOCK:
+        uv->policy_locked =3D true;
+        mchk->result =3D EFI_SUCCESS;
+        break;
+    default:
+        mchk->result =3D EFI_UNSUPPORTED;
+        break;
+    }
+
+    uefi_trace_status(__func__, mchk->result);
+    return UEFI_VARS_STS_SUCCESS;
+}
-- 
2.47.1


From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 09/21] hw/uefi: add var-service-core.c
Date: Tue,  7 Jan 2025 16:33:36 +0100
Message-ID: <20250107153353.1144978-10-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

This is the core code for guest <-> host communication.  This accepts
request messages from the guest, dispatches them to the service called,
and sends back the response message.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-core.c | 237 +++++++++++++++++++++++++++++++++++++
 1 file changed, 237 insertions(+)
 create mode 100644 hw/uefi/var-service-core.c

diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
new file mode 100644
index 000000000000..78a668e68fa2
--- /dev/null
+++ b/hw/uefi/var-service-core.c
@@ -0,0 +1,237 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device
+ */
+#include "qemu/osdep.h"
+#include "system/dma.h"
+#include "migration/vmstate.h"
+
+#include "hw/uefi/var-service.h"
+#include "hw/uefi/var-service-api.h"
+#include "hw/uefi/var-service-edk2.h"
+
+#include "trace/trace-hw_uefi.h"
+
+static int uefi_vars_pre_load(void *opaque)
+{
+    uefi_vars_state *uv =3D opaque;
+
+    uefi_vars_clear_all(uv);
+    uefi_vars_policies_clear(uv);
+    g_free(uv->buffer);
+    return 0;
+}
+
+static int uefi_vars_post_load(void *opaque, int version_id)
+{
+    uefi_vars_state *uv =3D opaque;
+
+    uefi_vars_update_storage(uv);
+    uv->buffer =3D g_malloc(uv->buf_size);
+    return 0;
+}
+
+const VMStateDescription vmstate_uefi_vars =3D {
+    .name =3D "uefi-vars",
+    .pre_load =3D uefi_vars_pre_load,
+    .post_load =3D uefi_vars_post_load,
+    .fields =3D (VMStateField[]) {
+        VMSTATE_UINT16(sts, uefi_vars_state),
+        VMSTATE_UINT32(buf_size, uefi_vars_state),
+        VMSTATE_UINT32(buf_addr_lo, uefi_vars_state),
+        VMSTATE_UINT32(buf_addr_hi, uefi_vars_state),
+        VMSTATE_BOOL(end_of_dxe, uefi_vars_state),
+        VMSTATE_BOOL(ready_to_boot, uefi_vars_state),
+        VMSTATE_BOOL(exit_boot_service, uefi_vars_state),
+        VMSTATE_BOOL(policy_locked, uefi_vars_state),
+        VMSTATE_UINT64(used_storage, uefi_vars_state),
+        VMSTATE_QTAILQ_V(variables, uefi_vars_state, 0,
+                         vmstate_uefi_variable, uefi_variable, next),
+        VMSTATE_QTAILQ_V(var_policies, uefi_vars_state, 0,
+                         vmstate_uefi_var_policy, uefi_var_policy, next),
+        VMSTATE_END_OF_LIST()
+    },
+};
+
+static uint32_t uefi_vars_cmd_mm(uefi_vars_state *uv)
+{
+    hwaddr    dma;
+    mm_header *mhdr;
+    uint64_t  size;
+    uint32_t  retval;
+
+    dma =3D uv->buf_addr_lo | ((hwaddr)uv->buf_addr_hi << 32);
+    mhdr =3D (mm_header *) uv->buffer;
+
+    if (!uv->buffer || uv->buf_size < sizeof(*mhdr)) {
+        return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE;
+    }
+
+    /* read header */
+    dma_memory_read(&address_space_memory, dma,
+                    uv->buffer, sizeof(*mhdr),
+                    MEMTXATTRS_UNSPECIFIED);
+
+    if (uadd64_overflow(sizeof(*mhdr), mhdr->length, &size)) {
+        return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE;
+    }
+    if (uv->buf_size < size) {
+        return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE;
+    }
+
+    /* read buffer (excl header) */
+    dma_memory_read(&address_space_memory, dma + sizeof(*mhdr),
+                    uv->buffer + sizeof(*mhdr), mhdr->length,
+                    MEMTXATTRS_UNSPECIFIED);
+    memset(uv->buffer + size, 0, uv->buf_size - size);
+
+    /* dispatch */
+    if (qemu_uuid_is_equal(&mhdr->guid, &EfiSmmVariableProtocolGuid)) {
+        retval =3D uefi_vars_mm_vars_proto(uv);
+
+    } else if (qemu_uuid_is_equal(&mhdr->guid, &VarCheckPolicyLibMmiHandle=
rGuid)) {
+        retval =3D uefi_vars_mm_check_policy_proto(uv);
+
+    } else if (qemu_uuid_is_equal(&mhdr->guid, &EfiEndOfDxeEventGroupGuid)=
) {
+        trace_uefi_event("end-of-dxe");
+        uv->end_of_dxe =3D true;
+        retval =3D UEFI_VARS_STS_SUCCESS;
+
+    } else if (qemu_uuid_is_equal(&mhdr->guid, &EfiEventReadyToBootGuid)) {
+        trace_uefi_event("ready-to-boot");
+        uv->ready_to_boot =3D true;
+        retval =3D UEFI_VARS_STS_SUCCESS;
+
+    } else if (qemu_uuid_is_equal(&mhdr->guid, &EfiEventExitBootServicesGu=
id)) {
+        trace_uefi_event("exit-boot-service");
+        uv->exit_boot_service =3D true;
+        retval =3D UEFI_VARS_STS_SUCCESS;
+
+    } else {
+        retval =3D UEFI_VARS_STS_ERR_NOT_SUPPORTED;
+    }
+
+    /* write buffer */
+    dma_memory_write(&address_space_memory, dma,
+                     uv->buffer, sizeof(*mhdr) + mhdr->length,
+                     MEMTXATTRS_UNSPECIFIED);
+
+    return retval;
+}
+
+static void uefi_vars_soft_reset(uefi_vars_state *uv)
+{
+    g_free(uv->buffer);
+    uv->buffer =3D NULL;
+    uv->buf_size =3D 0;
+    uv->buf_addr_lo =3D 0;
+    uv->buf_addr_hi =3D 0;
+}
+
+void uefi_vars_hard_reset(uefi_vars_state *uv)
+{
+    trace_uefi_hard_reset();
+    uefi_vars_soft_reset(uv);
+
+    uv->end_of_dxe        =3D false;
+    uv->ready_to_boot     =3D false;
+    uv->exit_boot_service =3D false;
+    uv->policy_locked     =3D false;
+
+    uefi_vars_clear_volatile(uv);
+    uefi_vars_policies_clear(uv);
+    uefi_vars_auth_init(uv);
+}
+
+static uint32_t uefi_vars_cmd(uefi_vars_state *uv, uint32_t cmd)
+{
+    switch (cmd) {
+    case UEFI_VARS_CMD_RESET:
+        uefi_vars_soft_reset(uv);
+        return UEFI_VARS_STS_SUCCESS;
+    case UEFI_VARS_CMD_MM:
+        return uefi_vars_cmd_mm(uv);
+    default:
+        return UEFI_VARS_STS_ERR_NOT_SUPPORTED;
+    }
+}
+
+static uint64_t uefi_vars_read(void *opaque, hwaddr addr, unsigned size)
+{
+    uefi_vars_state *uv =3D opaque;
+    uint64_t retval =3D -1;
+
+    trace_uefi_reg_read(addr, size);
+
+    switch (addr) {
+    case UEFI_VARS_REG_MAGIC:
+        retval =3D UEFI_VARS_MAGIC_VALUE;
+        break;
+    case UEFI_VARS_REG_CMD_STS:
+        retval =3D uv->sts;
+        break;
+    case UEFI_VARS_REG_BUFFER_SIZE:
+        retval =3D uv->buf_size;
+        break;
+    case UEFI_VARS_REG_BUFFER_ADDR_LO:
+        retval =3D uv->buf_addr_lo;
+        break;
+    case UEFI_VARS_REG_BUFFER_ADDR_HI:
+        retval =3D uv->buf_addr_hi;
+        break;
+    }
+    return retval;
+}
+
+static void uefi_vars_write(void *opaque, hwaddr addr, uint64_t val, unsig=
ned size)
+{
+    uefi_vars_state *uv =3D opaque;
+
+    trace_uefi_reg_write(addr, val, size);
+
+    switch (addr) {
+    case UEFI_VARS_REG_CMD_STS:
+        uv->sts =3D uefi_vars_cmd(uv, val);
+        break;
+    case UEFI_VARS_REG_BUFFER_SIZE:
+        if (val > MAX_BUFFER_SIZE) {
+            val =3D MAX_BUFFER_SIZE;
+        }
+        uv->buf_size =3D val;
+        g_free(uv->buffer);
+        uv->buffer =3D g_malloc(uv->buf_size);
+        break;
+    case UEFI_VARS_REG_BUFFER_ADDR_LO:
+        uv->buf_addr_lo =3D val;
+        break;
+    case UEFI_VARS_REG_BUFFER_ADDR_HI:
+        uv->buf_addr_hi =3D val;
+        break;
+    }
+}
+
+static const MemoryRegionOps uefi_vars_ops =3D {
+    .read =3D uefi_vars_read,
+    .write =3D uefi_vars_write,
+    .endianness =3D DEVICE_LITTLE_ENDIAN,
+    .impl =3D {
+        .min_access_size =3D 2,
+        .max_access_size =3D 4,
+    },
+};
+
+void uefi_vars_init(Object *obj, uefi_vars_state *uv)
+{
+    QTAILQ_INIT(&uv->variables);
+    QTAILQ_INIT(&uv->var_policies);
+    uv->jsonfd =3D -1;
+    memory_region_init_io(&uv->mr, obj, &uefi_vars_ops, uv,
+                          "uefi-vars", UEFI_VARS_REGS_SIZE);
+}
+
+void uefi_vars_realize(uefi_vars_state *uv, Error **errp)
+{
+    uefi_vars_json_init(uv, errp);
+    uefi_vars_json_load(uv, errp);
+}
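Review bot: in uefi_vars_cmd_mm() the final dma_memory_write() sizes the copy from mhdr->length after the dispatch, but the bounds check (`uv->buf_size < size`) was done on the value read before it; if any protocol handler updates mhdr->length to describe its reply, an oversized value would copy host heap past uv->buffer into guest memory. Either reuse the validated `size` for the write-back or re-check `sizeof(*mhdr) + mhdr->length <= uv->buf_size` after dispatch. The MemTxResult of both dma_memory_read() calls and of dma_memory_write() is also ignored: a guest that points buf_addr_lo/hi at unmapped space gets the handlers run on whatever uv->buffer held before, so a failed read should return an error status before dispatch. Two smaller points: uefi_vars_post_load() allocates uv->buffer from the migrated buf_size without the MAX_BUFFER_SIZE clamp that uefi_vars_write() applies, so it should validate it (and fail the load) the same way; and uefi_vars_pre_load() frees uv->buffer without setting it to NULL, so if the load aborts before post_load a later uefi_vars_soft_reset() frees it a second time.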
-- 
2.47.1
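The request path the commit message describes (guest fills a shared buffer, host reads the header, validates it, dispatches by protocol GUID, writes the reply back), as an added example that is not part of the patch or of QEMU: a self-contained C model whose names (mm_hdr, sim_cmd_mm, sim_run, the svc_* services, the STS_* codes and the GUIDs) are constructed for illustration. It keeps the two checks the patch makes on the guest-supplied length (no wrap in sizeof(header) + length, total within the host buffer), treats a failed guest access as an error instead of running on stale buffer contents, and re-validates the length after the handler ran before copying back, since a handler may have rewritten it.

```c
/*
 * Added example, not QEMU code: a stand-alone model of a host-side
 * shared-buffer request handler in the style of uefi_vars_cmd_mm().
 * The guest controls buffer address, buffer size and the header's
 * length field, so each is validated before it drives a copy.  All
 * names (mm_hdr, sim_*, svc_*, STS_*, the GUIDs) are constructed here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define STS_SUCCESS             0
#define STS_ERR_BAD_BUFFER_SIZE 1
#define STS_ERR_NOT_SUPPORTED   2
#define STS_ERR_DMA             3   /* assumed code: guest access failed */

typedef struct {
    uint8_t  guid[16];   /* protocol selector */
    uint64_t length;     /* payload bytes following the header */
} mm_hdr;

/* Simulated guest RAM standing in for address_space_memory. */
typedef struct { uint8_t *mem; uint64_t size; } sim_guest;

/* Bounds-checked guest copy; false plays the role of a failed MemTxResult. */
static bool sim_dma(sim_guest *g, uint64_t addr, void *host, uint64_t len, bool to_guest)
{
    uint64_t end;
    if (__builtin_add_overflow(addr, len, &end) || end > g->size) return false;
    if (to_guest) memcpy(g->mem + addr, host, len);
    else          memcpy(host, g->mem + addr, len);
    return true;
}

static const uint8_t GUID_UPPER[16] = { 0x11 };   /* well-behaved service */
static const uint8_t GUID_GROW[16]  = { 0x22 };   /* buggy service */
static const uint8_t GUID_NONE[16]  = { 0x33 };   /* nothing registered */

/* Service: upper-case the payload in place; reply length unchanged. */
static uint32_t svc_upper(uint8_t *buf, mm_hdr *h)
{
    uint8_t *p = buf + sizeof(*h);
    for (uint64_t i = 0; i < h->length; i++)
        if (p[i] >= 'a' && p[i] <= 'z') p[i] -= 0x20;
    return STS_SUCCESS;
}

/* Buggy service: claims a reply larger than the host buffer. */
static uint32_t svc_grow(uint8_t *buf, mm_hdr *h)
{
    (void)buf; h->length = UINT32_MAX; return STS_SUCCESS;
}

/* Host side of the MM command; buf/buf_size is the host bounce buffer. */
uint32_t sim_cmd_mm(sim_guest *g, uint64_t dma, uint8_t *buf, uint32_t buf_size)
{
    mm_hdr *h = (mm_hdr *)buf;
    uint64_t size;
    uint32_t ret;

    if (!buf || buf_size < sizeof(*h)) return STS_ERR_BAD_BUFFER_SIZE;
    if (!sim_dma(g, dma, buf, sizeof(*h), false)) return STS_ERR_DMA;
    /* header + payload must neither wrap nor exceed the host buffer */
    if (__builtin_add_overflow((uint64_t)sizeof(*h), h->length, &size) || size > buf_size)
        return STS_ERR_BAD_BUFFER_SIZE;
    if (!sim_dma(g, dma + sizeof(*h), buf + sizeof(*h), h->length, false)) return STS_ERR_DMA;
    memset(buf + size, 0, buf_size - size);   /* no stale host bytes reach a handler */

    if (memcmp(h->guid, GUID_UPPER, 16) == 0)     ret = svc_upper(buf, h);
    else if (memcmp(h->guid, GUID_GROW, 16) == 0) ret = svc_grow(buf, h);
    else                                          ret = STS_ERR_NOT_SUPPORTED;

    /* A handler may rewrite h->length: re-check before copying back. */
    if (h->length > buf_size - sizeof(*h)) return STS_ERR_BAD_BUFFER_SIZE;
    if (!sim_dma(g, dma, buf, sizeof(*h) + h->length, true)) return STS_ERR_DMA;
    return ret;
}

/* Driver: 4 KiB of constructed guest RAM with one request at `at`; on return
 * copies reply_len bytes of the (possibly updated) payload into `reply`. */
uint32_t sim_run(const uint8_t *guid, uint64_t hdr_len, const char *payload,
                 uint32_t host_size, uint64_t at, char *reply, size_t reply_len)
{
    static uint8_t ram[4096], host[256];
    sim_guest g = { ram, sizeof(ram) };
    mm_hdr h = { .length = hdr_len };
    uint32_t sts;

    memset(ram, 0, sizeof(ram));
    memcpy(h.guid, guid, 16);
    if (at <= sizeof(ram) - sizeof(h) - strlen(payload)) {
        memcpy(ram + at, &h, sizeof(h));
        memcpy(ram + at + sizeof(h), payload, strlen(payload));
    }
    if (host_size > sizeof(host)) host_size = sizeof(host);   /* MAX_BUFFER_SIZE clamp */
    sts = sim_cmd_mm(&g, at, host, host_size);
    if (reply && at <= sizeof(ram) - sizeof(h) - reply_len)
        memcpy(reply, ram + at + sizeof(h), reply_len);
    return sts;
}
```

sim_run(GUID_UPPER, 5, "hello", 64, 0, reply, 5) returns STS_SUCCESS and leaves "HELLO" in guest RAM; a length of UINT64_MAX, a length that does not fit the 64-byte host buffer, a buffer address near the end of guest RAM, and a handler that inflates its reply are all refused before any copy touches memory outside the validated range.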
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 10/21] hw/uefi: add var-service-pkcs7.c
Date: Tue,  7 Jan 2025 16:33:37 +0100
Message-ID: <20250107153353.1144978-11-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

This implements pkcs7 signature verification using gnutls.
Needed to check authenticated variable updates.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-pkcs7.c | 436 ++++++++++++++++++++++++++++++++++++
 1 file changed, 436 insertions(+)
 create mode 100644 hw/uefi/var-service-pkcs7.c

diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c
new file mode 100644
index 000000000000..32accf4e44e0
--- /dev/null
+++ b/hw/uefi/var-service-pkcs7.c
@@ -0,0 +1,436 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - pkcs7 verification
+ */
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "system/dma.h"
+
+#include <gnutls/gnutls.h>
+#include <gnutls/pkcs7.h>
+#include <gnutls/crypto.h>
+
+#include "hw/uefi/var-service.h"
+
+#define AUTHVAR_DIGEST_ALGO GNUTLS_DIG_SHA256
+#define AUTHVAR_DIGEST_SIZE 32
+
+/*
+ * Replicate the signed data for signature verification.
+ */
+static gnutls_datum_t *build_signed_data(mm_variable_access *va, void *dat=
a)
+{
+    variable_auth_2 *auth =3D data;
+    uint64_t data_offset =3D sizeof(efi_time) + auth->hdr_length;
+    uint16_t *name =3D (void *)va + sizeof(mm_variable_access);
+    gnutls_datum_t *sdata;
+    uint64_t pos =3D 0;
+
+    sdata =3D g_new(gnutls_datum_t, 1);
+    sdata->size =3D (va->name_size - 2
+                   + sizeof(QemuUUID)
+                   + sizeof(va->attributes)
+                   + sizeof(auth->timestamp)
+                   + va->data_size - data_offset);
+    sdata->data =3D g_malloc(sdata->size);
+
+    /* Variable Name (without terminating \0) */
+    memcpy(sdata->data + pos, name, va->name_size - 2);
+    pos +=3D va->name_size - 2;
+
+    /* Variable Namespace Guid */
+    memcpy(sdata->data + pos, &va->guid, sizeof(va->guid));
+    pos +=3D sizeof(va->guid);
+
+    /* Attributes */
+    memcpy(sdata->data + pos, &va->attributes, sizeof(va->attributes));
+    pos +=3D sizeof(va->attributes);
+
+    /* TimeStamp */
+    memcpy(sdata->data + pos, &auth->timestamp, sizeof(auth->timestamp));
+    pos +=3D sizeof(auth->timestamp);
+
+    /* Variable Content */
+    memcpy(sdata->data + pos, data + data_offset, va->data_size - data_off=
set);
+    pos +=3D va->data_size - data_offset;
+
+    assert(pos =3D=3D sdata->size);
+    return sdata;
+}
+
+/*
+ * See WrapPkcs7Data() in edk2.
+ *
+ * UEFI spec allows pkcs7 signatures being used without the envelope which
+ * identifies them as pkcs7 signatures.  openssl and gnutls will not parse=
 them
+ * without the envelope though.  So add it if needed.
+ */
+static void wrap_pkcs7(gnutls_datum_t *pkcs7)
+{
+    static uint8_t signed_data_oid[9] =3D {
+        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02
+    };
+    gnutls_datum_t wrap;
+
+    if (pkcs7->data[4] =3D=3D 0x06 &&
+        pkcs7->data[5] =3D=3D 0x09 &&
+        memcmp(pkcs7->data + 6, signed_data_oid, sizeof(signed_data_oid)) =
=3D=3D 0 &&
+        pkcs7->data[15] =3D=3D 0x0a &&
+        pkcs7->data[16] =3D=3D 0x82) {
+        return;
+    }
+
+    wrap.size =3D pkcs7->size + 19;
+    wrap.data =3D g_malloc(wrap.size);
+
+    wrap.data[0] =3D 0x30;
+    wrap.data[1] =3D 0x82;
+    wrap.data[2] =3D (wrap.size - 4) >> 8;
+    wrap.data[3] =3D (wrap.size - 4) & 0xff;
+    wrap.data[4] =3D 0x06;
+    wrap.data[5] =3D 0x09;
+    memcpy(wrap.data + 6, signed_data_oid, sizeof(signed_data_oid));
+
+    wrap.data[15] =3D 0xa0;
+    wrap.data[16] =3D 0x82;
+    wrap.data[17] =3D pkcs7->size >> 8;
+    wrap.data[18] =3D pkcs7->size & 0xff;
+    memcpy(wrap.data + 19, pkcs7->data, pkcs7->size);
+
+    g_free(pkcs7->data);
+    *pkcs7 =3D wrap;
+}
+
+static gnutls_datum_t *build_pkcs7(void *data)
+{
+    variable_auth_2 *auth =3D data;
+    gnutls_datum_t *pkcs7;
+
+    pkcs7 =3D g_new(gnutls_datum_t, 1);
+    pkcs7->size =3D auth->hdr_length - 24;
+    pkcs7->data =3D g_malloc(pkcs7->size);
+    memcpy(pkcs7->data, data + 16 + 24, pkcs7->size);
+
+    wrap_pkcs7(pkcs7);
+
+    return pkcs7;
+}
+
+/*
+ * Read UEFI signature database, store x509 all certificates found in
+ * gnutls_x509_trust_list_t.
+ */
+static gnutls_x509_trust_list_t build_trust_list_sb(uefi_variable *var)
+{
+    gnutls_x509_trust_list_t tlist;
+    gnutls_datum_t cert_data;
+    gnutls_x509_crt_t cert;
+    uefi_vars_siglist siglist;
+    uefi_vars_cert *c;
+    int rc;
+
+    rc =3D gnutls_x509_trust_list_init(&tlist, 0);
+    if (rc < 0) {
+        warn_report("gnutls_x509_trust_list_init error: %s",
+                     gnutls_strerror(rc));
+        return NULL;
+    }
+
+    uefi_vars_siglist_init(&siglist);
+    uefi_vars_siglist_parse(&siglist, var->data, var->data_size);
+
+    QTAILQ_FOREACH(c, &siglist.x509, next) {
+        cert_data.size =3D c->size;
+        cert_data.data =3D c->data;
+
+        rc =3D gnutls_x509_crt_init(&cert);
+        if (rc < 0) {
+            warn_report("gnutls_x509_crt_init error: %s", gnutls_strerror(=
rc));
+            break;
+        }
+        rc =3D gnutls_x509_crt_import(cert, &cert_data, GNUTLS_X509_FMT_DE=
R);
+        if (rc < 0) {
+            warn_report("gnutls_x509_crt_import error: %s",
+                        gnutls_strerror(rc));
+            gnutls_x509_crt_deinit(cert);
+            break;
+        }
+        rc =3D gnutls_x509_trust_list_add_cas(tlist, &cert, 1, 0);
+        if (rc < 0) {
+            warn_report("gnutls_x509_crt_import error: %s",
+                        gnutls_strerror(rc));
+            gnutls_x509_crt_deinit(cert);
+            break;
+        }
+    }
+
+    uefi_vars_siglist_free(&siglist);
+
+    return tlist;
+}
+
+static int build_digest_authvar(gnutls_x509_crt_t signer,
+                                gnutls_x509_crt_t root,
+                                uint8_t *hash_digest)
+{
+    char *cn;
+    size_t cn_size =3D 0;
+    uint8_t fp[AUTHVAR_DIGEST_SIZE];
+    size_t fp_size =3D sizeof(fp);
+    gnutls_hash_hd_t hash;
+    int rc;
+
+    /* get signer CN */
+    rc =3D gnutls_x509_crt_get_dn_by_oid(signer, GNUTLS_OID_X520_COMMON_NA=
ME,
+                                       0, 0, NULL, &cn_size);
+    if (rc !=3D GNUTLS_E_SHORT_MEMORY_BUFFER) {
+        warn_report("gnutls_x509_crt_get_dn_by_oid error #1: %s",
+                    gnutls_strerror(rc));
+        return rc;
+    }
+
+    cn =3D g_malloc(cn_size);
+    rc =3D gnutls_x509_crt_get_dn_by_oid(signer, GNUTLS_OID_X520_COMMON_NA=
ME,
+                                       0, 0, cn, &cn_size);
+    if (rc < 0) {
+        warn_report("gnutls_x509_crt_get_dn_by_oid error #2: %s",
+                    gnutls_strerror(rc));
+        goto err;
+    }
+
+    /* get root certificate fingerprint */
+    rc =3D gnutls_x509_crt_get_fingerprint(root, AUTHVAR_DIGEST_ALGO,
+                                         fp, &fp_size);
+    if (rc < 0) {
+        warn_report("gnutls_x509_crt_get_fingerprint error: %s",
+                    gnutls_strerror(rc));
+        goto err;
+    }
+
+    /* digest both items */
+    rc =3D gnutls_hash_init(&hash, AUTHVAR_DIGEST_ALGO);
+    if (rc < 0) {
+        warn_report("gnutls_hash_init error: %s",
+                    gnutls_strerror(rc));
+        goto err;
+    }
+    rc =3D gnutls_hash(hash, cn, cn_size);
+    if (rc < 0) {
+        warn_report("gnutls_hash error: %s",
+                    gnutls_strerror(rc));
+        goto err;
+    }
+    rc =3D gnutls_hash(hash, fp, fp_size);
+    if (rc < 0) {
+        warn_report("gnutls_hash error: %s",
+                    gnutls_strerror(rc));
+        goto err;
+    }
+    gnutls_hash_deinit(hash, hash_digest);
+
+    return 0;
+
+err:
+    g_free(cn);
+    return rc;
+}
+
+/*
+ * uefi spec 2.9, section 8.2.2
+ *
+ * For EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS variables which =
are
+ * NOT secure boot variables we should track the root certificate of the t=
rust
+ * chain, and the subject CN of the signer certificate.
+ *
+ * So we'll go store a digest of these two items so we can verify this.  A=
lso
+ * create a gnutls_x509_trust_list_t with the root certificate, so
+ * gnutls_pkcs7_verify() will pass (assuming the signature is otherwise
+ * correct).
+ */
+static gnutls_x509_trust_list_t build_trust_list_authvar(gnutls_pkcs7_t pk=
cs7,
+                                                         uint8_t *hash_dig=
est)
+{
+    gnutls_datum_t signer_data =3D { 0 };
+    gnutls_datum_t root_data =3D { 0 };
+    gnutls_x509_crt_t signer =3D NULL;
+    gnutls_x509_crt_t root =3D NULL;
+    gnutls_x509_trust_list_t tlist =3D NULL;
+    int n, rc;
+
+    n =3D gnutls_pkcs7_get_crt_count(pkcs7);
+
+    /* first is signer certificate */
+    rc =3D gnutls_pkcs7_get_crt_raw2(pkcs7, 0, &signer_data);
+    if (rc < 0) {
+        warn_report("gnutls_pkcs7_get_crt_raw2(0) error: %s",
+                    gnutls_strerror(rc));
+        goto done;
+    }
+    rc =3D gnutls_x509_crt_init(&signer);
+    if (rc < 0) {
+        warn_report("gnutls_x509_crt_init error: %s", gnutls_strerror(rc));
+        goto done;
+    }
+    rc =3D gnutls_x509_crt_import(signer, &signer_data, GNUTLS_X509_FMT_DE=
R);
+    if (rc < 0) {
+        warn_report("gnutls_x509_crt_import error: %s",
+                    gnutls_strerror(rc));
+        gnutls_x509_crt_deinit(signer);
+        goto done;
+    }
+
+    /* last is root-of-trust certificate (can be identical to signer) */
+    rc =3D gnutls_pkcs7_get_crt_raw2(pkcs7, n - 1, &root_data);
+    if (rc < 0) {
+        warn_report("gnutls_pkcs7_get_crt_raw2(%d) error: %s",
+                    n - 1, gnutls_strerror(rc));
+        goto done;
+    }
+    rc =3D gnutls_x509_crt_init(&root);
+    if (rc < 0) {
+        warn_report("gnutls_x509_crt_init error: %s", gnutls_strerror(rc));
+        goto done;
+    }
+    rc =3D gnutls_x509_crt_import(root, &root_data, GNUTLS_X509_FMT_DER);
+    if (rc < 0) {
+        warn_report("gnutls_x509_crt_import error: %s",
+                    gnutls_strerror(rc));
+        goto done;
+    }
+
+    /* calc digest for signer CN + root cert */
+    rc =3D build_digest_authvar(signer, root, hash_digest);
+    if (rc < 0) {
+        goto done;
+    }
+
+    /* add root to trust list */
+    rc =3D gnutls_x509_trust_list_init(&tlist, 0);
+    if (rc < 0) {
+        warn_report("gnutls_x509_trust_list_init error: %s",
+                    gnutls_strerror(rc));
+        goto done;
+    }
+    rc =3D gnutls_x509_trust_list_add_cas(tlist, &root, 1, 0);
+    if (rc < 0) {
+        warn_report("gnutls_x509_crt_import error: %s",
+                    gnutls_strerror(rc));
+        gnutls_x509_trust_list_deinit(tlist, 1);
+        tlist =3D NULL;
+        goto done;
+    } else {
+        /* ownership passed to tlist */
+        root =3D NULL;
+    }
+
+done:
+    if (signer_data.data) {
+        gnutls_free(signer_data.data);
+    }
+    if (root_data.data) {
+        gnutls_free(root_data.data);
+    }
+    if (signer) {
+        gnutls_x509_crt_deinit(signer);
+    }
+    if (root) {
+        gnutls_x509_crt_deinit(root);
+    }
+    return tlist;
+}
+
+static void free_datum(gnutls_datum_t *ptr)
+{
+    if (!ptr) {
+        return;
+    }
+    g_free(ptr->data);
+    g_free(ptr);
+}
+
+static void gnutls_log_stderr(int level, const char *msg)
+{
+    if (strncmp(msg, "ASSERT:", 7) =3D=3D 0) {
+        return;
+    }
+    fprintf(stderr, "    %d: %s", level, msg);
+}
+
+/*
+ * pkcs7 signature verification (EFI_VARIABLE_AUTHENTICATION_2).
+ */
+efi_status uefi_vars_check_pkcs7_2(uefi_variable *siglist,
+                                   void **digest, uint32_t *digest_size,
+                                   mm_variable_access *va, void *data)
+{
+    gnutls_x509_trust_list_t tlist =3D NULL;
+    gnutls_datum_t *signed_data =3D NULL;
+    gnutls_datum_t *pkcs7_data =3D NULL;
+    gnutls_pkcs7_t pkcs7 =3D NULL;
+    efi_status status =3D EFI_SECURITY_VIOLATION;
+    int rc;
+
+    if (0) {
+        /* gnutls debug logging */
+        static bool first =3D true;
+
+        if (first) {
+            first =3D false;
+            gnutls_global_set_log_function(gnutls_log_stderr);
+            gnutls_global_set_log_level(99);
+        }
+    }
+
+    signed_data =3D build_signed_data(va, data);
+    pkcs7_data =3D build_pkcs7(data);
+
+    rc =3D gnutls_pkcs7_init(&pkcs7);
+    if (rc < 0) {
+        warn_report("gnutls_pkcs7_init error: %s", gnutls_strerror(rc));
+        goto out;
+    }
+
+    rc =3D gnutls_pkcs7_import(pkcs7, pkcs7_data, GNUTLS_X509_FMT_DER);
+    if (rc < 0) {
+        warn_report("gnutls_pkcs7_import error: %s", gnutls_strerror(rc));
+        goto out;
+    }
+
+    if (siglist) {
+        /* secure boot variables */
+        tlist =3D build_trust_list_sb(siglist);
+    } else if (digest && digest_size) {
+        /* other authenticated variables */
+        *digest_size =3D AUTHVAR_DIGEST_SIZE;
+        *digest =3D g_malloc(*digest_size);
+        tlist =3D build_trust_list_authvar(pkcs7, *digest);
+    } else {
+        /* should not happen */
+        goto out;
+    }
+
+    rc =3D gnutls_pkcs7_verify(pkcs7, tlist,
+                             NULL, 0,
+                             0, signed_data,
+                             GNUTLS_VERIFY_DISABLE_TIME_CHECKS |
+                             GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS);
+    if (rc < 0) {
+        warn_report("gnutls_pkcs7_verify error: %s", gnutls_strerror(rc));
+        goto out;
+    }
+
+    /* check passed */
+    status =3D EFI_SUCCESS;
+
+out:
+    free_datum(signed_data);
+    free_datum(pkcs7_data);
+    if (tlist) {
+        gnutls_x509_trust_list_deinit(tlist, 1);
+    }
+    if (pkcs7) {
+        gnutls_pkcs7_deinit(pkcs7);
+    }
+    return status;
+}
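Review bot: on the `gnutls_x509_crt_import` failure path for `signer` (the first block of the hunk) the code calls `gnutls_x509_crt_deinit(signer)` and then jumps to `done:`, where `if (signer) { gnutls_x509_crt_deinit(signer); }` runs a second time because `signer` was never reset to NULL, so the certificate is deinitialised twice. The `root` import failure a few lines later just does `goto done`; do the same for `signer`, or set `signer = NULL` after the explicit deinit. Smaller points in the same hunk: the error message after `gnutls_x509_trust_list_add_cas` still says "gnutls_x509_crt_import error", which will mislead whoever reads the log; the `if (0) { ... }` block that installs `gnutls_log_stderr` is dead code and should go behind a build-time macro or be dropped before merge; `signed_data` and `pkcs7_data` from `build_signed_data()` / `build_pkcs7()` are handed to `gnutls_pkcs7_import` and `gnutls_pkcs7_verify` with no NULL check, so if either builder can fail on malformed guest input, bail out to `out:` first; and when `build_trust_list_sb()` / `build_trust_list_authvar()` return NULL, `gnutls_pkcs7_verify` is still called with a NULL trust list, where an explicit `if (!tlist) { goto out; }` states the intent instead of relying on gnutls to reject the call. Finally, a one-line comment on why both `GNUTLS_VERIFY_DISABLE_TIME_CHECKS` and `GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS` are set (the variable store has no trusted clock, and the timestamp in EFI_VARIABLE_AUTHENTICATION_2 provides replay protection rather than certificate validity) would keep a future reader from "fixing" it.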
--=20
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 11/21] hw/uefi: add var-service-pkcs7-stub.c
Date: Tue,  7 Jan 2025 16:33:38 +0100
Message-ID: <20250107153353.1144978-12-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

pkcs7 stub which is used in case gnutls is not available.

It throws EFI_WRITE_PROTECTED errors unconditionally, so all
authenticated variables are readonly for the guest.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-pkcs7-stub.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 hw/uefi/var-service-pkcs7-stub.c

diff --git a/hw/uefi/var-service-pkcs7-stub.c b/hw/uefi/var-service-pkcs7-s=
tub.c
new file mode 100644
index 000000000000..118cba446d4b
--- /dev/null
+++ b/hw/uefi/var-service-pkcs7-stub.c
@@ -0,0 +1,16 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - pkcs7 stubs
+ */
+#include "qemu/osdep.h"
+#include "system/dma.h"
+
+#include "hw/uefi/var-service.h"
+
+efi_status uefi_vars_check_pkcs7_2(uefi_variable *siglist,
+                                   void **digest, uint32_t *digest_size,
+                                   mm_variable_access *va, void *data)
+{
+    return EFI_WRITE_PROTECTED;
+}
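Review bot: the file comment only says "pkcs7 stubs"; document in the header comment itself, not just the commit message, that this build has no gnutls, that every time-based authenticated write therefore fails with EFI_WRITE_PROTECTED (authenticated variables are read-only for the guest), and that `*digest` / `*digest_size` are deliberately left untouched so callers on the authenticated-variable path must not rely on them being set. The `#include "system/dma.h"` looks unnecessary for a body that is a single `return`; drop it if `hw/uefi/var-service.h` does not depend on it. Since this stub and the gnutls implementation must keep identical prototypes, a comment pointing at the declaration in var-service.h as the single source of truth helps the next person who changes the signature.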
--=20
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 12/21] hw/uefi: add var-service-siglist.c
Date: Tue,  7 Jan 2025 16:33:39 +0100
Message-ID: <20250107153353.1144978-13-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Functions to serialize and de-serialize EFI signature databases.  This
is needed to merge signature databases (happens in practice when
appending dbx updates) and also to extract the certificates for
pkcs7 signature verification.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-siglist.c | 212 ++++++++++++++++++++++++++++++++++
 1 file changed, 212 insertions(+)
 create mode 100644 hw/uefi/var-service-siglist.c

diff --git a/hw/uefi/var-service-siglist.c b/hw/uefi/var-service-siglist.c
new file mode 100644
index 000000000000..8948f1b78471
--- /dev/null
+++ b/hw/uefi/var-service-siglist.c
@@ -0,0 +1,212 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - parse and generate efi signature databases
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "system/dma.h"
+
+#include "hw/uefi/var-service.h"
+
+/*
+ * Add x509 certificate to list (with duplicate check).
+ */
+static void uefi_vars_siglist_add_x509(uefi_vars_siglist *siglist,
+                                       QemuUUID *owner,
+                                       void *data, uint64_t size)
+{
+    uefi_vars_cert *c;
+
+    QTAILQ_FOREACH(c, &siglist->x509, next) {
+        if (c->size !=3D size) {
+            continue;
+        }
+        if (memcmp(c->data, data, size) !=3D 0) {
+            continue;
+        }
+        return;
+    }
+
+    c =3D g_malloc(sizeof(*c) + size);
+    c->owner =3D *owner;
+    c->size =3D size;
+    memcpy(c->data, data, size);
+    QTAILQ_INSERT_TAIL(&siglist->x509, c, next);
+}
+
+/*
+ * Add sha256 hash to list (with duplicate check).
+ */
+static void uefi_vars_siglist_add_sha256(uefi_vars_siglist *siglist,
+                                         QemuUUID *owner,
+                                         void *data)
+{
+    uefi_vars_hash *h;
+
+    QTAILQ_FOREACH(h, &siglist->sha256, next) {
+        if (memcmp(h->data, data, 32) !=3D 0) {
+            continue;
+        }
+        return;
+    }
+
+    h =3D g_malloc(sizeof(*h) + 32);
+    h->owner =3D *owner;
+    memcpy(h->data, data, 32);
+    QTAILQ_INSERT_TAIL(&siglist->sha256, h, next);
+}
+
+void uefi_vars_siglist_init(uefi_vars_siglist *siglist)
+{
+    memset(siglist, 0, sizeof(*siglist));
+    QTAILQ_INIT(&siglist->x509);
+    QTAILQ_INIT(&siglist->sha256);
+}
+
+void uefi_vars_siglist_free(uefi_vars_siglist *siglist)
+{
+    uefi_vars_cert *c, *cs;
+    uefi_vars_hash *h, *hs;
+
+    QTAILQ_FOREACH_SAFE(c, &siglist->x509, next, cs) {
+        QTAILQ_REMOVE(&siglist->x509, c, next);
+        g_free(c);
+    }
+    QTAILQ_FOREACH_SAFE(h, &siglist->sha256, next, hs) {
+        QTAILQ_REMOVE(&siglist->sha256, h, next);
+        g_free(h);
+    }
+}
+
+/*
+ * Parse UEFI signature list.
+ */
+void uefi_vars_siglist_parse(uefi_vars_siglist *siglist,
+                             void *data, uint64_t size)
+{
+    efi_siglist *efilist;
+    uint64_t start;
+
+    while (size) {
+        if (size < sizeof(*efilist)) {
+            break;
+        }
+        efilist =3D data;
+        if (size < efilist->siglist_size) {
+            break;
+        }
+
+        if (uadd64_overflow(sizeof(*efilist), efilist->header_size, &start=
)) {
+            break;
+        }
+        if (efilist->sig_size <=3D sizeof(QemuUUID)) {
+            break;
+        }
+
+        if (qemu_uuid_is_equal(&efilist->guid_type, &EfiCertX509Guid)) {
+            if (start + efilist->sig_size !=3D efilist->siglist_size) {
+                break;
+            }
+            uefi_vars_siglist_add_x509(siglist,
+                                       (QemuUUID *)(data + start),
+                                       data + start + sizeof(QemuUUID),
+                                       efilist->sig_size - sizeof(QemuUUID=
));
+
+        } else if (qemu_uuid_is_equal(&efilist->guid_type, &EfiCertSha256G=
uid)) {
+            if (efilist->sig_size !=3D sizeof(QemuUUID) + 32) {
+                break;
+            }
+            if (start + efilist->sig_size > efilist->siglist_size) {
+                break;
+            }
+            while (start <=3D efilist->siglist_size - efilist->sig_size) {
+                uefi_vars_siglist_add_sha256(siglist,
+                                             (QemuUUID *)(data + start),
+                                             data + start + sizeof(QemuUUI=
D));
+                start +=3D efilist->sig_size;
+            }
+
+        } else {
+            QemuUUID be =3D qemu_uuid_bswap(efilist->guid_type);
+            char *str_uuid =3D qemu_uuid_unparse_strdup(&be);
+            warn_report("%s: unknown type (%s)", __func__, str_uuid);
+            g_free(str_uuid);
+        }
+
+        data +=3D efilist->siglist_size;
+        size -=3D efilist->siglist_size;
+    }
+}
+
+uint64_t uefi_vars_siglist_blob_size(uefi_vars_siglist *siglist)
+{
+    uefi_vars_cert *c;
+    uefi_vars_hash *h;
+    uint64_t size =3D 0;
+
+    QTAILQ_FOREACH(c, &siglist->x509, next) {
+        size +=3D sizeof(efi_siglist) + sizeof(QemuUUID) + c->size;
+    }
+
+    if (!QTAILQ_EMPTY(&siglist->sha256)) {
+        size +=3D sizeof(efi_siglist);
+        QTAILQ_FOREACH(h, &siglist->sha256, next) {
+            size +=3D sizeof(QemuUUID) + 32;
+        }
+    }
+
+    return size;
+}
+
+/*
+ * Generate UEFI signature list.
+ */
+void uefi_vars_siglist_blob_generate(uefi_vars_siglist *siglist,
+                                     void *data, uint64_t size)
+{
+    uefi_vars_cert *c;
+    uefi_vars_hash *h;
+    efi_siglist *efilist;
+    uint64_t pos =3D 0, start;
+    uint32_t i;
+
+    QTAILQ_FOREACH(c, &siglist->x509, next) {
+        efilist =3D data + pos;
+        efilist->guid_type =3D EfiCertX509Guid;
+        efilist->sig_size =3D sizeof(QemuUUID) + c->size;
+        efilist->header_size =3D 0;
+
+        start =3D pos + sizeof(efi_siglist);
+        memcpy(data + start,
+               &c->owner, sizeof(QemuUUID));
+        memcpy(data + start + sizeof(QemuUUID),
+               c->data, c->size);
+
+        efilist->siglist_size =3D sizeof(efi_siglist) + efilist->sig_size;
+        pos +=3D efilist->siglist_size;
+    }
+
+    if (!QTAILQ_EMPTY(&siglist->sha256)) {
+        efilist =3D data + pos;
+        efilist->guid_type =3D EfiCertSha256Guid;
+        efilist->sig_size =3D sizeof(QemuUUID) + 32;
+        efilist->header_size =3D 0;
+
+        i =3D 0;
+        start =3D pos + sizeof(efi_siglist);
+        QTAILQ_FOREACH(h, &siglist->sha256, next) {
+            memcpy(data + start + efilist->sig_size * i,
+                   &h->owner, sizeof(QemuUUID));
+            memcpy(data + start + efilist->sig_size * i + sizeof(QemuUUID),
+                   h->data, 32);
+            i++;
+        }
+
+        efilist->siglist_size =3D sizeof(efi_siglist) + efilist->sig_size =
* i;
+        pos +=3D efilist->siglist_size;
+    }
+
+    assert(pos =3D=3D size);
+}
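Review bot: `uefi_vars_siglist_parse()` can loop forever on guest-supplied data: the checks only require `size >= sizeof(*efilist)` and `size >= efilist->siglist_size`, so an entry with `siglist_size == 0`, `sig_size > sizeof(QemuUUID)` and an unrecognised `guid_type` reaches the `else` branch, emits the "unknown type" warning, then executes `data += 0; size -= 0;` and parses the same entry again without end. Add `if (efilist->siglist_size < sizeof(*efilist)) { break; }` right after the `size < efilist->siglist_size` check; that guarantees forward progress and also stops the next header from being read out of the previous entry's body when `siglist_size` is non-zero but shorter than the header. Related: the `warn_report()` in that branch is driven entirely by guest input, so a guest can fill the host log with updates carrying unknown GUID types; `warn_report_once()` or a trace event is the usual choice. In the EfiCertSha256Guid arm, bytes left after the last full `sig_size` entry are silently ignored, which is fine if intended, but the comment above the loop should say so. `uefi_vars_siglist_add_x509()` and `uefi_vars_siglist_add_sha256()` deduplicate by payload only and keep the owner GUID of the first copy seen, so their comments should state that a later duplicate with a different owner is dropped rather than merged.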
--=20
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 13/21] hw/uefi: add var-service-json.c + qapi for NV vars.
Date: Tue,  7 Jan 2025 16:33:40 +0100
Message-ID: <20250107153353.1144978-14-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Define qapi schema for the uefi variable store state.

Use it and the generated visitor helper functions to store persistent
(EFI_VARIABLE_NON_VOLATILE) variables in JSON format on disk.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-json.c | 242 +++++++++++++++++++++++++++++++++++++
 qapi/meson.build           |   1 +
 qapi/qapi-schema.json      |   1 +
 qapi/uefi.json             |  45 +++++++
 4 files changed, 289 insertions(+)
 create mode 100644 hw/uefi/var-service-json.c
 create mode 100644 qapi/uefi.json

diff --git a/hw/uefi/var-service-json.c b/hw/uefi/var-service-json.c
new file mode 100644
index 000000000000..e8fb37ad302e
--- /dev/null
+++ b/hw/uefi/var-service-json.c
@@ -0,0 +1,242 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - serialize non-volatile varstore from/to json,
+ *                    using qapi
+ *
+ * tools which can read/write these json files:
+ *  - https://gitlab.com/kraxel/virt-firmware
+ *  - https://github.com/awslabs/python-uefivars
+ */
+#include "qemu/osdep.h"
+#include "qemu/cutils.h"
+#include "qemu/error-report.h"
+#include "system/dma.h"
+
+#include "hw/uefi/var-service.h"
+
+#include "qapi/dealloc-visitor.h"
+#include "qapi/qobject-input-visitor.h"
+#include "qapi/qobject-output-visitor.h"
+#include "qapi/qmp/qobject.h"
+#include "qapi/qmp/qjson.h"
+#include "qapi/qapi-types-uefi.h"
+#include "qapi/qapi-visit-uefi.h"
+
+static char *generate_hexstr(void *data, size_t len)
+{
+    static const char hex[] =3D {
+        '0', '1', '2', '3', '4', '5', '6', '7',
+        '8', '9', 'a', 'b', 'c', 'd', 'e', 'f',
+    };
+    uint8_t *src =3D data;
+    char *dest;
+    size_t i;
+
+    dest =3D g_malloc(len * 2 + 1);
+    for (i =3D 0; i < len * 2;) {
+        dest[i++] =3D hex[*src >> 4];
+        dest[i++] =3D hex[*src & 15];
+        src++;
+    }
+    dest[i++] =3D 0;
+
+    return dest;
+}
+
+static UefiVarStore *uefi_vars_to_qapi(uefi_vars_state *uv)
+{
+    UefiVarStore *vs;
+    UefiVariableList **tail;
+    UefiVariable *v;
+    QemuUUID be;
+    uefi_variable *var;
+
+    vs =3D g_new0(UefiVarStore, 1);
+    vs->version =3D 2;
+    tail =3D &vs->variables;
+
+    QTAILQ_FOREACH(var, &uv->variables, next) {
+        if (!(var->attributes & EFI_VARIABLE_NON_VOLATILE)) {
+            continue;
+        }
+
+        v =3D g_new0(UefiVariable, 1);
+        be =3D qemu_uuid_bswap(var->guid);
+        v->guid =3D qemu_uuid_unparse_strdup(&be);
+        v->name =3D uefi_ucs2_to_ascii(var->name, var->name_size);
+        v->attr =3D var->attributes;
+
+        v->data =3D generate_hexstr(var->data, var->data_size);
+
+        if (var->attributes &
+            EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
+            v->time =3D generate_hexstr(&var->time, sizeof(var->time));
+            if (var->digest && var->digest_size) {
+                v->digest =3D generate_hexstr(var->digest, var->digest_siz=
e);
+            }
+        }
+
+        QAPI_LIST_APPEND(tail, v);
+    }
+    return vs;
+}
+
+static unsigned parse_hexchar(char c)
+{
+    switch (c) {
+    case '0' ... '9': return c - '0';
+    case 'a' ... 'f': return c - 'a' + 0xa;
+    case 'A' ... 'F': return c - 'A' + 0xA;
+    default: return 0;
+    }
+}
+
+static void parse_hexstr(void *dest, char *src, int len)
+{
+    uint8_t *data =3D dest;
+    size_t i;
+
+    for (i =3D 0; i < len; i +=3D 2) {
+        *(data++) =3D
+            parse_hexchar(src[i]) << 4 |
+            parse_hexchar(src[i + 1]);
+    }
+}
+
+static void uefi_vars_from_qapi(uefi_vars_state *uv, UefiVarStore *vs)
+{
+    UefiVariableList *item;
+    UefiVariable *v;
+    QemuUUID be;
+    uefi_variable *var;
+    uint8_t *data;
+    size_t i, len;
+
+    for (item =3D vs->variables; item !=3D NULL; item =3D item->next) {
+        v =3D item->value;
+
+        var =3D g_new0(uefi_variable, 1);
+        var->attributes =3D v->attr;
+        qemu_uuid_parse(v->guid, &be);
+        var->guid =3D qemu_uuid_bswap(be);
+
+        len =3D strlen(v->name);
+        var->name_size =3D len * 2 + 2;
+        var->name =3D g_malloc(var->name_size);
+        for (i =3D 0; i <=3D len; i++) {
+            var->name[i] =3D v->name[i];
+        }
+
+        len =3D strlen(v->data);
+        var->data_size =3D len / 2;
+        var->data =3D data =3D g_malloc(var->data_size);
+        parse_hexstr(var->data, v->data, len);
+
+        if (v->time && strlen(v->time) =3D=3D 32) {
+            parse_hexstr(&var->time, v->time, 32);
+        }
+
+        if (v->digest) {
+            len =3D strlen(v->digest);
+            var->digest_size =3D len / 2;
+            var->digest =3D g_malloc(var->digest_size);
+            parse_hexstr(var->digest, v->digest, len);
+        }
+
+        QTAILQ_INSERT_TAIL(&uv->variables, var, next);
+    }
+}
+
+static GString *uefi_vars_to_json(uefi_vars_state *uv)
+{
+    UefiVarStore *vs =3D uefi_vars_to_qapi(uv);
+    QObject *qobj =3D NULL;
+    Visitor *v;
+    GString *gstr;
+
+    v =3D qobject_output_visitor_new(&qobj);
+    if (visit_type_UefiVarStore(v, NULL, &vs, NULL)) {
+        visit_complete(v, &qobj);
+    }
+    visit_free(v);
+    qapi_free_UefiVarStore(vs);
+
+    gstr =3D qobject_to_json_pretty(qobj, true);
+    qobject_unref(qobj);
+
+    return gstr;
+}
+
+void uefi_vars_json_init(uefi_vars_state *uv, Error **errp)
+{
+    if (uv->jsonfile) {
+        uv->jsonfd =3D qemu_create(uv->jsonfile, O_RDWR, 0666, errp);
+    }
+}
+
+void uefi_vars_json_save(uefi_vars_state *uv)
+{
+    GString *gstr;
+    int rc;
+
+    if (uv->jsonfd =3D=3D -1) {
+        return;
+    }
+
+    gstr =3D uefi_vars_to_json(uv);
+
+    lseek(uv->jsonfd, 0, SEEK_SET);
+    rc =3D write(uv->jsonfd, gstr->str, gstr->len);
+    if (rc !=3D gstr->len) {
+        warn_report("%s: write error", __func__);
+    }
+    rc =3D ftruncate(uv->jsonfd, gstr->len);
+    if (rc !=3D 0) {
+        warn_report("%s: ftruncate error", __func__);
+    }
+    fsync(uv->jsonfd);
+
+    g_string_free(gstr, true);
+}
+
+void uefi_vars_json_load(uefi_vars_state *uv, Error **errp)
+{
+    UefiVarStore *vs;
+    QObject *qobj;
+    Visitor *v;
+    char *str;
+    size_t len;
+    int rc;
+
+    if (uv->jsonfd =3D=3D -1) {
+        return;
+    }
+
+    len =3D lseek(uv->jsonfd, 0, SEEK_END);
+    if (len =3D=3D 0) {
+        return;
+    }
+
+    str =3D g_malloc(len + 1);
+    lseek(uv->jsonfd, 0, SEEK_SET);
+    rc =3D read(uv->jsonfd, str, len);
+    if (rc !=3D len) {
+        warn_report("%s: read error", __func__);
+    }
+    str[len] =3D 0;
+
+    qobj =3D qobject_from_json(str, errp);
+    v =3D qobject_input_visitor_new(qobj);
+    visit_type_UefiVarStore(v, NULL, &vs, errp);
+    visit_free(v);
+
+    if (!(*errp)) {
+        uefi_vars_from_qapi(uv, vs);
+        uefi_vars_update_storage(uv);
+    }
+
+    qapi_free_UefiVarStore(vs);
+    qobject_unref(qobj);
+    g_free(str);
+}
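Review bot: uefi_vars_from_qapi trusts the string lengths it reads from the on-disk JSON. For an odd-length `data` or `digest` string, `var->data_size = len / 2` allocates one byte fewer than the `parse_hexstr(..., len)` loop writes, because the loop advances `i += 2` while `i < len` and on the last pass reads `src[i + 1]` (the NUL terminator), so a malformed store file causes a one-byte heap overflow; non-hex characters are also silently decoded as 0 by parse_hexchar. Suggest rejecting odd-length or non-hex strings via errp before allocating (and bounding `digest_size` to the expected hash size) instead of decoding them. In uefi_vars_json_load, `if (!(*errp))` dereferences errp unconditionally, so callers can never pass NULL, and when `qobject_from_json()` fails `qobj` is NULL yet is still handed to `qobject_input_visitor_new()` and `visit_type_UefiVarStore()` with errp already set; returning right after a failed parse avoids both.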
diff --git a/qapi/meson.build b/qapi/meson.build
index e7bc54e5d047..eadde4db307f 100644
--- a/qapi/meson.build
+++ b/qapi/meson.build
@@ -65,6 +65,7 @@ if have_system
     'pci',
     'rocker',
     'tpm',
+    'uefi',
   ]
 endif
 if have_system or have_tools
diff --git a/qapi/qapi-schema.json b/qapi/qapi-schema.json
index b1581988e4eb..2877aff73d0c 100644
--- a/qapi/qapi-schema.json
+++ b/qapi/qapi-schema.json
@@ -81,3 +81,4 @@
 { 'include': 'vfio.json' }
 { 'include': 'cryptodev.json' }
 { 'include': 'cxl.json' }
+{ 'include': 'uefi.json' }
diff --git a/qapi/uefi.json b/qapi/uefi.json
new file mode 100644
index 000000000000..c268ed11b70c
--- /dev/null
+++ b/qapi/uefi.json
@@ -0,0 +1,45 @@
+# -*- Mode: Python -*-
+# vim: filetype=3Dpython
+#
+
+##
+# @UefiVariable:
+#
+# UEFI Variable
+#
+# @guid: variable namespace guid
+#
+# @name: variable name (utf-8)
+#
+# @attr: variable attributes
+#
+# @data: variable content (base64)
+#
+# @time: variable modification time (EFI_VARIABLE_TIME_BASED_AUTHENTICATED=
_WRITE_ACCESS).
+#
+# @digest: variable certificate digest (EFI_VARIABLE_TIME_BASED_AUTHENTICA=
TED_WRITE_ACCESS).
+#
+# Since: 10.0
+##
+{ 'struct' : 'UefiVariable',
+  'data' : { 'guid'  : 'str',
+             'name'  : 'str',
+             'attr'  : 'int',
+             'data'  : 'str',
+             '*time' : 'str',
+             '*digest' : 'str'}}
+
+##
+# @UefiVarStore:
+#
+# UEFI Variable Store
+#
+# @version: 2
+#
+# @variables: list of uefi variables
+#
+# Since: 10.0
+##
+{ 'struct' : 'UefiVarStore',
+  'data' : { 'version'   : 'int',
+             'variables' : [ 'UefiVariable' ] }}
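Review bot: the doc comment for `@data` says `variable content (base64)`, but var-service-json.c in this patch encodes it with generate_hexstr and decodes it with parse_hexstr, so the field is hex, as are `@time` and `@digest`; the comment should say hex and state the expected length for `@time` (the loader only accepts 32 hex digits), so the external tools named in the C file produce what the loader expects. `@version: 2` would read better as a description, e.g. `format version (currently 2)`.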
-- 
2.47.1
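As an added example, not QEMU code, here is a strict loader for the version-2 JSON varstore this patch defines: it decodes the hex fields the way var-service-json.c does but rejects odd-length or non-hex strings and field combinations the schema comments rule out. The attribute bit values are those of the UEFI specification; the sample documents are constructed.

```python
"""Strict loader for the uefi-vars JSON varstore format (version 2).
Added example, not QEMU code: same layout as qapi/uefi.json, but malformed
hex is rejected instead of decoded, the check the patch's C loader lacks.
"""
import json
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# Attribute bits as defined by the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x00000020
# EFI_TIME is 16 bytes; the patch's loader accepts only 32 hex digits for it.
EFI_TIME_BYTES = 16

_HEX_RE = re.compile(r"^[0-9a-fA-F]*$")


class VarStoreError(ValueError):
    """Raised when the document does not match the schema."""


@dataclass
class UefiVariable:
    guid: uuid.UUID
    name: str
    attr: int
    data: bytes
    time: Optional[bytes] = None
    digest: Optional[bytes] = None


def decode_hex(field: str, text, expect_len: Optional[int] = None) -> bytes:
    """Decode a hex string, refusing odd lengths and non-hex characters."""
    if not isinstance(text, str) or len(text) % 2 or not _HEX_RE.match(text):
        raise VarStoreError(f"{field}: not an even-length hex string")
    raw = bytes.fromhex(text)
    if expect_len is not None and len(raw) != expect_len:
        raise VarStoreError(f"{field}: expected {expect_len} bytes, got {len(raw)}")
    return raw


def parse_variable(obj) -> UefiVariable:
    """Validate one UefiVariable object and decode its hex fields."""
    required, optional = {"guid", "name", "attr", "data"}, {"time", "digest"}
    if not isinstance(obj, dict):
        raise VarStoreError("variable: expected object")
    keys = set(obj)
    if required - keys or keys - required - optional:
        raise VarStoreError(f"variable: unexpected key set {sorted(keys)}")
    try:
        guid = uuid.UUID(obj["guid"])
    except (ValueError, TypeError, AttributeError) as exc:
        raise VarStoreError(f"guid: {exc}") from exc
    if not isinstance(obj["name"], str) or not obj["name"]:
        raise VarStoreError("name: expected non-empty string")
    attr = obj["attr"]
    if isinstance(attr, bool) or not isinstance(attr, int) or not 0 <= attr <= 0xFFFFFFFF:
        raise VarStoreError("attr: expected 32-bit unsigned integer")
    if not attr & EFI_VARIABLE_NON_VOLATILE:
        raise VarStoreError("attr: only NON_VOLATILE variables belong in the store")
    var = UefiVariable(guid, obj["name"], attr, decode_hex("data", obj["data"]))
    # time/digest only make sense for time-based authenticated variables.
    if (optional & keys) and not attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
        raise VarStoreError("time/digest present without TIME_BASED_AUTHENTICATED_WRITE_ACCESS")
    if "time" in keys:
        var.time = decode_hex("time", obj["time"], EFI_TIME_BYTES)
    if "digest" in keys:
        var.digest = decode_hex("digest", obj["digest"])
    return var


def load_varstore(text: str) -> list:
    """Parse a varstore document; raises VarStoreError on any schema violation."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or doc.get("version") != 2:
        raise VarStoreError("unsupported varstore version")
    if not isinstance(doc.get("variables"), list):
        raise VarStoreError("variables: expected list")
    return [parse_variable(v) for v in doc["variables"]]


def check(text: str) -> str:
    """Return 'ok' or the rejection reason, for triaging a store file."""
    try:
        load_varstore(text)
        return "ok"
    except (VarStoreError, json.JSONDecodeError) as exc:
        return f"rejected: {exc}"


# Constructed sample documents in the patch's format (not real dumps).
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SAMPLE_OK = json.dumps({"version": 2, "variables": [
    {"guid": EFI_GLOBAL_VARIABLE, "name": "SecureBoot", "attr": 0x07, "data": "01"},
    {"guid": EFI_GLOBAL_VARIABLE, "name": "PK", "attr": 0x27, "data": "deadbeef",
     "time": "e9070101000000000000000000000000", "digest": "00" * 32},
]})
# Odd-length data: the C loader allocates len/2 bytes but writes one more.
SAMPLE_ODD = json.dumps({"version": 2, "variables": [
    {"guid": EFI_GLOBAL_VARIABLE, "name": "Boot0000", "attr": 0x07, "data": "abc"}]})
```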
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 14/21] hw/uefi: add trace-events
Date: Tue,  7 Jan 2025 16:33:41 +0100
Message-ID: <20250107153353.1144978-15-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>

Add trace events for debugging and troubleshooting.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/trace-events | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 hw/uefi/trace-events

diff --git a/hw/uefi/trace-events b/hw/uefi/trace-events
new file mode 100644
index 000000000000..3694712a946d
--- /dev/null
+++ b/hw/uefi/trace-events
@@ -0,0 +1,17 @@
+# device
+uefi_reg_read(uint64_t addr, unsigned size) "addr 0x%" PRIx64 ", size %u"
+uefi_reg_write(uint64_t addr, uint64_t val, unsigned size) "addr 0x%" PRIx=
64 ", val 0x%" PRIx64 ", size %d"
+uefi_hard_reset(void) ""
+
+# generic uefi
+uefi_variable(const char *context, const char *name, uint64_t size, const =
char *uuid) "context %s, name %s, size %" PRIu64 ", uuid %s"
+uefi_status(const char *context, const char *name) "context %s, status %s"
+uefi_event(const char *name) "event %s"
+
+# variable protocol
+uefi_vars_proto_cmd(const char *cmd) "cmd %s"
+uefi_vars_security_violation(const char *reason) "reason %s"
+
+# variable policy protocol
+uefi_vars_policy_cmd(const char *cmd) "cmd %s"
+uefi_vars_policy_deny(const char *reason) "reason %s"
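Review bot: `uefi_reg_write` prints its `unsigned size` argument with `%d`, while `uefi_reg_read` uses `%u` for the same parameter; use `%u` in both.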
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 15/21] hw/uefi: add UEFI_VARS to Kconfig
Date: Tue,  7 Jan 2025 16:33:42 +0100
Message-ID: <20250107153353.1144978-16-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>

Add UEFI_VARS config option, enable by default for x86_64 and aarch64.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/Kconfig      | 1 +
 hw/uefi/Kconfig | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 hw/uefi/Kconfig

diff --git a/hw/Kconfig b/hw/Kconfig
index 1b4e9bb07f7d..c4dfe2e7af7c 100644
--- a/hw/Kconfig
+++ b/hw/Kconfig
@@ -37,6 +37,7 @@ source smbios/Kconfig
 source ssi/Kconfig
 source timer/Kconfig
 source tpm/Kconfig
+source uefi/Kconfig
 source ufs/Kconfig
 source usb/Kconfig
 source virtio/Kconfig
diff --git a/hw/uefi/Kconfig b/hw/uefi/Kconfig
new file mode 100644
index 000000000000..ca6c2bc46a96
--- /dev/null
+++ b/hw/uefi/Kconfig
@@ -0,0 +1,3 @@
+config UEFI_VARS
+	bool
+        default y if X86_64 || AARCH64
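Review bot: the two lines under `config UEFI_VARS` are indented differently (a tab before `bool`, spaces before `default y ...`); use one style, matching the rest of hw/*/Kconfig.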
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 16/21] hw/uefi: add to meson
Date: Tue,  7 Jan 2025 16:33:43 +0100
Message-ID: <20250107153353.1144978-17-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>

Wire up uefi-vars in the build system.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/meson.build      |  1 +
 hw/uefi/meson.build | 18 ++++++++++++++++++
 meson.build         |  1 +
 3 files changed, 20 insertions(+)
 create mode 100644 hw/uefi/meson.build

diff --git a/hw/meson.build b/hw/meson.build
index b827c82c5d7b..138f5d59e178 100644
--- a/hw/meson.build
+++ b/hw/meson.build
@@ -35,6 +35,7 @@ subdir('smbios')
 subdir('ssi')
 subdir('timer')
 subdir('tpm')
+subdir('uefi')
 subdir('ufs')
 subdir('usb')
 subdir('vfio')
diff --git a/hw/uefi/meson.build b/hw/uefi/meson.build
new file mode 100644
index 000000000000..d280881f457a
--- /dev/null
+++ b/hw/uefi/meson.build
@@ -0,0 +1,18 @@
+uefi_vars_ss =3D ss.source_set()
+if (config_all_devices.has_key('CONFIG_UEFI_VARS'))
+  uefi_vars_ss.add(files('var-service-core.c',
+                         'var-service-json.c',
+                         'var-service-vars.c',
+                         'var-service-auth.c',
+                         'var-service-guid.c',
+                         'var-service-utils.c',
+                         'var-service-policy.c'))
+  uefi_vars_ss.add(when: gnutls,
+                   if_true: files('var-service-pkcs7.c'),
+                   if_false: files('var-service-pkcs7-stub.c'))
+  uefi_vars_ss.add(files('var-service-siglist.c'))
+endif
+
+modules +=3D { 'hw-uefi' : {
+    'vars'     : uefi_vars_ss,
+}}
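Review bot: when gnutls is absent, `var-service-pkcs7-stub.c` is built in place of `var-service-pkcs7.c`, so whatever PKCS7 verification the real file provides is presumably missing in that configuration; this deserves a line in the commit message or Kconfig help (or a configure-time summary entry) so users can tell whether authenticated-variable signature checks are active in their build. Also, `if (config_all_devices.has_key('CONFIG_UEFI_VARS'))` does not need the surrounding parentheses.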
diff --git a/meson.build b/meson.build
index d06f59095c67..741a61089ff4 100644
--- a/meson.build
+++ b/meson.build
@@ -3584,6 +3584,7 @@ if have_system
     'hw/ssi',
     'hw/timer',
     'hw/tpm',
+    'hw/uefi',
     'hw/ufs',
     'hw/usb',
     'hw/vfio',
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 17/21] hw/uefi: add uefi-vars-sysbus device
Date: Tue,  7 Jan 2025 16:33:44 +0100
Message-ID: <20250107153353.1144978-18-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>

This adds sysbus bindings for the variable service.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-sysbus.c | 90 ++++++++++++++++++++++++++++++++++++
 hw/uefi/meson.build          |  3 +-
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 hw/uefi/var-service-sysbus.c

diff --git a/hw/uefi/var-service-sysbus.c b/hw/uefi/var-service-sysbus.c
new file mode 100644
index 000000000000..de2f83e3e5ab
--- /dev/null
+++ b/hw/uefi/var-service-sysbus.c
@@ -0,0 +1,90 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - sysbus variant.
+ */
+#include "qemu/osdep.h"
+#include "migration/vmstate.h"
+
+#include "hw/qdev-properties.h"
+#include "hw/sysbus.h"
+
+#include "hw/uefi/var-service.h"
+#include "hw/uefi/var-service-api.h"
+
+#define TYPE_UEFI_VARS_SYSBUS "uefi-vars-sysbus"
+OBJECT_DECLARE_SIMPLE_TYPE(uefi_vars_sysbus_state, UEFI_VARS_SYSBUS)
+
+struct uefi_vars_sysbus_state {
+    SysBusDevice parent_obj;
+    struct uefi_vars_state state;
+};
+
+static const VMStateDescription vmstate_uefi_vars_sysbus = {
+    .name = "uefi-vars-sysbus",
+    .fields = (VMStateField[]) {
+        VMSTATE_STRUCT(state, uefi_vars_sysbus_state, 0,
+                       vmstate_uefi_vars, uefi_vars_state),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const Property uefi_vars_sysbus_properties[] = {
+    DEFINE_PROP_SIZE("size", uefi_vars_sysbus_state, state.max_storage,
+                     256 * 1024),
+    DEFINE_PROP_STRING("jsonfile", uefi_vars_sysbus_state, state.jsonfile),
+    DEFINE_PROP_BOOL("force-secure-boot", uefi_vars_sysbus_state,
+                     state.force_secure_boot, false),
+    DEFINE_PROP_BOOL("disable-custom-mode", uefi_vars_sysbus_state,
+                     state.disable_custom_mode, false),
+};
+
+static void uefi_vars_sysbus_init(Object *obj)
+{
+    uefi_vars_sysbus_state *uv = UEFI_VARS_SYSBUS(obj);
+
+    uefi_vars_init(obj, &uv->state);
+}
+
+static void uefi_vars_sysbus_reset(DeviceState *dev)
+{
+    uefi_vars_sysbus_state *uv = UEFI_VARS_SYSBUS(dev);
+
+    uefi_vars_hard_reset(&uv->state);
+}
+
+static void uefi_vars_sysbus_realize(DeviceState *dev, Error **errp)
+{
+    uefi_vars_sysbus_state *uv = UEFI_VARS_SYSBUS(dev);
+    SysBusDevice *sysbus = SYS_BUS_DEVICE(dev);
+
+    sysbus_init_mmio(sysbus, &uv->state.mr);
+    uefi_vars_realize(&uv->state, errp);
+}
+
+static void uefi_vars_sysbus_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = uefi_vars_sysbus_realize;
+    dc->vmsd = &vmstate_uefi_vars_sysbus;
+    device_class_set_legacy_reset(dc, uefi_vars_sysbus_reset);
+    device_class_set_props(dc, uefi_vars_sysbus_properties);
+    set_bit(DEVICE_CATEGORY_MISC, dc->categories);
+}
+
+static const TypeInfo uefi_vars_sysbus_info = {
+    .name          = TYPE_UEFI_VARS_SYSBUS,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(uefi_vars_sysbus_state),
+    .instance_init = uefi_vars_sysbus_init,
+    .class_init    = uefi_vars_sysbus_class_init,
+};
+module_obj(TYPE_UEFI_VARS_SYSBUS);
+
+static void uefi_vars_sysbus_register_types(void)
+{
+    type_register_static(&uefi_vars_sysbus_info);
+}
+
+type_init(uefi_vars_sysbus_register_types)
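Review bot: the property table registered in `uefi_vars_sysbus_class_init()` carries no descriptions, and two of its entries, `force-secure-boot` and `disable-custom-mode`, steer the secure boot policy of the variable store; add `object_class_property_set_description(klass, "force-secure-boot", "...")` (and likewise for `disable-custom-mode`, `size` and `jsonfile`) so that `-device uefi-vars-sysbus,help` tells a user what each switch does and that both policy switches default to `false`. The ISA variant in the next patch copies this table verbatim and needs the same treatment.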
diff --git a/hw/uefi/meson.build b/hw/uefi/meson.build
index d280881f457a..cf2d26e9bf9a 100644
--- a/hw/uefi/meson.build
+++ b/hw/uefi/meson.build
@@ -6,7 +6,8 @@ if (config_all_devices.has_key('CONFIG_UEFI_VARS'))
                          'var-service-auth.c',
                          'var-service-guid.c',
                          'var-service-utils.c',
-                         'var-service-policy.c'))
+                         'var-service-policy.c',
+                         'var-service-sysbus.c'))
   uefi_vars_ss.add(when: gnutls,
                    if_true: files('var-service-pkcs7.c'),
                    if_false: files('var-service-pkcs7-stub.c'))
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 18/21] hw/uefi: add uefi-vars-isa device
Date: Tue,  7 Jan 2025 16:33:45 +0100
Message-ID: <20250107153353.1144978-19-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>

This adds isa bindings for the variable service.

Usage: qemu-system-x86_64 -device uefi-vars-isa,jsonfile=/path/to/uefivars.json

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-isa.c | 91 +++++++++++++++++++++++++++++++++++++++
 hw/uefi/Kconfig           |  6 +++
 hw/uefi/meson.build       |  5 +++
 3 files changed, 102 insertions(+)
 create mode 100644 hw/uefi/var-service-isa.c

diff --git a/hw/uefi/var-service-isa.c b/hw/uefi/var-service-isa.c
new file mode 100644
index 000000000000..5d74395fe5f0
--- /dev/null
+++ b/hw/uefi/var-service-isa.c
@@ -0,0 +1,91 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * uefi vars device - ISA variant for x64.
+ */
+#include "qemu/osdep.h"
+#include "migration/vmstate.h"
+
+#include "hw/isa/isa.h"
+#include "hw/qdev-properties.h"
+
+#include "hw/uefi/var-service.h"
+#include "hw/uefi/var-service-api.h"
+
+#define TYPE_UEFI_VARS_ISA "uefi-vars-isa"
+OBJECT_DECLARE_SIMPLE_TYPE(uefi_vars_isa_state, UEFI_VARS_ISA)
+
+struct uefi_vars_isa_state {
+    ISADevice parent_obj;
+    struct uefi_vars_state state;
+};
+
+static const VMStateDescription vmstate_uefi_vars_isa = {
+    .name = "uefi-vars-isa",
+    .fields = (VMStateField[]) {
+        VMSTATE_STRUCT(state, uefi_vars_isa_state, 0,
+                       vmstate_uefi_vars, uefi_vars_state),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const Property uefi_vars_isa_properties[] = {
+    DEFINE_PROP_SIZE("size", uefi_vars_isa_state, state.max_storage,
+                     256 * 1024),
+    DEFINE_PROP_STRING("jsonfile", uefi_vars_isa_state, state.jsonfile),
+    DEFINE_PROP_BOOL("force-secure-boot", uefi_vars_isa_state,
+                     state.force_secure_boot, false),
+    DEFINE_PROP_BOOL("disable-custom-mode", uefi_vars_isa_state,
+                     state.disable_custom_mode, false),
+};
+
+static void uefi_vars_isa_init(Object *obj)
+{
+    uefi_vars_isa_state *uv = UEFI_VARS_ISA(obj);
+
+    uefi_vars_init(obj, &uv->state);
+}
+
+static void uefi_vars_isa_reset(DeviceState *dev)
+{
+    uefi_vars_isa_state *uv = UEFI_VARS_ISA(dev);
+
+    uefi_vars_hard_reset(&uv->state);
+}
+
+static void uefi_vars_isa_realize(DeviceState *dev, Error **errp)
+{
+    uefi_vars_isa_state *uv = UEFI_VARS_ISA(dev);
+    ISADevice *isa = ISA_DEVICE(dev);
+
+    isa_register_ioport(isa, &uv->state.mr, UEFI_VARS_IO_BASE);
+    uefi_vars_realize(&uv->state, errp);
+}
+
+static void uefi_vars_isa_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = uefi_vars_isa_realize;
+    dc->vmsd = &vmstate_uefi_vars_isa;
+    device_class_set_legacy_reset(dc, uefi_vars_isa_reset);
+    device_class_set_props(dc, uefi_vars_isa_properties);
+    set_bit(DEVICE_CATEGORY_MISC, dc->categories);
+}
+
+static const TypeInfo uefi_vars_isa_info = {
+    .name          = TYPE_UEFI_VARS_ISA,
+    .parent        = TYPE_ISA_DEVICE,
+    .instance_size = sizeof(uefi_vars_isa_state),
+    .instance_init = uefi_vars_isa_init,
+    .class_init    = uefi_vars_isa_class_init,
+};
+module_obj(TYPE_UEFI_VARS_ISA);
+module_dep("hw-uefi-vars");
+
+static void uefi_vars_isa_register_types(void)
+{
+    type_register_static(&uefi_vars_isa_info);
+}
+
+type_init(uefi_vars_isa_register_types)
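Review bot: `uefi_vars_isa_realize()` maps the register window at the constant `UEFI_VARS_IO_BASE` and nothing in this file rejects a second instance, yet the commit message documents the device as user-creatable with `-device uefi-vars-isa,...`; two instances would both call `isa_register_ioport()` for the same port range and silently shadow each other. Add a single-instance guard in realize that reports through `errp`, or at least state in the header comment (which currently only says "ISA variant for x64", while the Kconfig entry keys off `ISA_BUS` rather than `X86_64`) that exactly one instance is supported because the base comes from the shared var-service-api.h rather than from a property.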
diff --git a/hw/uefi/Kconfig b/hw/uefi/Kconfig
index ca6c2bc46a96..feb9f6de5e30 100644
--- a/hw/uefi/Kconfig
+++ b/hw/uefi/Kconfig
@@ -1,3 +1,9 @@
 config UEFI_VARS
 	bool
         default y if X86_64 || AARCH64
+
+config UEFI_VARS_ISA
+	bool
+        default y
+        depends on UEFI_VARS
+        depends on ISA_BUS
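Review bot: the new `UEFI_VARS_ISA` entry mixes a tab before `bool` with eight spaces before `default y` and the two `depends on` lines, copying the inconsistent indentation of the `UEFI_VARS` entry above it; since this patch touches the file anyway, indent all attribute lines of both entries the same way.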
diff --git a/hw/uefi/meson.build b/hw/uefi/meson.build
index cf2d26e9bf9a..0f191c436bcf 100644
--- a/hw/uefi/meson.build
+++ b/hw/uefi/meson.build
@@ -14,6 +14,11 @@ if (config_all_devices.has_key('CONFIG_UEFI_VARS'))
   uefi_vars_ss.add(files('var-service-siglist.c'))
 endif
 
+uefi_vars_isa_ss = ss.source_set()
+uefi_vars_isa_ss.add(when: 'CONFIG_UEFI_VARS_ISA',
+                     if_true: files('var-service-isa.c'))
+
 modules += { 'hw-uefi' : {
     'vars'     : uefi_vars_ss,
+    'vars-isa' : uefi_vars_isa_ss,
 }}
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 19/21] hw/arm: add uefi variable support to virt machine type
Date: Tue,  7 Jan 2025 16:33:46 +0100
Message-ID: <20250107153353.1144978-20-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>

Add -machine virt,x-uefi-vars={on,off} property.  Default is off.
When enabled wire up the uefi-vars-sysbus device.

TODO: wire up jsonfile property.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 include/hw/arm/virt.h |  2 ++
 hw/arm/virt.c         | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index c8e94e6aedc9..393ea2cbec78 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -79,6 +79,7 @@ enum {
     VIRT_ACPI_GED,
     VIRT_NVDIMM_ACPI,
     VIRT_PVTIME,
+    VIRT_UEFI_VARS,
     VIRT_LOWMEMMAP_LAST,
 };
 
@@ -156,6 +157,7 @@ struct VirtMachineState {
     bool mte;
     bool dtb_randomness;
     bool second_ns_uart_present;
+    bool uefi_vars;
     OnOffAuto acpi;
     VirtGICType gic_version;
     VirtIOMMUType iommu;
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 99e0a68b6c55..6856ecb4dcf2 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -65,6 +65,7 @@
 #include "hw/intc/arm_gicv3_common.h"
 #include "hw/intc/arm_gicv3_its_common.h"
 #include "hw/irq.h"
+#include "hw/uefi/var-service-api.h"
 #include "kvm_arm.h"
 #include "hvf_arm.h"
 #include "hw/firmware/smbios.h"
@@ -181,6 +182,7 @@ static const MemMapEntry base_memmap[] = {
     [VIRT_NVDIMM_ACPI] =        { 0x09090000, NVDIMM_ACPI_IO_LEN},
     [VIRT_PVTIME] =             { 0x090a0000, 0x00010000 },
     [VIRT_SECURE_GPIO] =        { 0x090b0000, 0x00001000 },
+    [VIRT_UEFI_VARS] =          { 0x090c0000, 0x00000010 },
     [VIRT_MMIO] =               { 0x0a000000, 0x00000200 },
     /* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
     [VIRT_PLATFORM_BUS] =       { 0x0c000000, 0x02000000 },
@@ -1369,6 +1371,24 @@ static FWCfgState *create_fw_cfg(const VirtMachineState *vms, AddressSpace *as)
     return fw_cfg;
 }
 
+static void create_uefi_vars(const VirtMachineState *vms)
+{
+    hwaddr base = vms->memmap[VIRT_UEFI_VARS].base;
+    hwaddr size = vms->memmap[VIRT_UEFI_VARS].size;
+    MachineState *ms = MACHINE(vms);
+    char *nodename;
+
+    sysbus_create_simple("uefi-vars-sysbus", base, NULL);
+
+    nodename = g_strdup_printf("/%s@%" PRIx64, UEFI_VARS_FDT_NODE, base);
+    qemu_fdt_add_subnode(ms->fdt, nodename);
+    qemu_fdt_setprop_string(ms->fdt, nodename,
+                            "compatible", UEFI_VARS_FDT_COMPAT);
+    qemu_fdt_setprop_sized_cells(ms->fdt, nodename, "reg",
+                                 2, base, 2, size);
+    g_free(nodename);
+}
+
 static void create_pcie_irq_map(const MachineState *ms,
                                 uint32_t gic_phandle,
                                 int first_irq, const char *nodename)
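Review bot: `sysbus_create_simple("uefi-vars-sysbus", base, NULL)` discards the returned `DeviceState *`, which is exactly what the TODO in the commit message ("wire up jsonfile property") will need; create the device with `qdev_new()`, set its properties, then `sysbus_realize_and_unref()` and `sysbus_mmio_map()`, so that `jsonfile` (and the `force-secure-boot`/`disable-custom-mode` switches from patch 17) can be passed through from the machine. The string literal also duplicates `TYPE_UEFI_VARS_SYSBUS`, which patch 17 defines privately in var-service-sysbus.c; moving that define into hw/uefi/var-service-api.h, already included here, keeps the type name in one place.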
@@ -2425,6 +2445,10 @@ static void machvirt_init(MachineState *machine)
     vms->fw_cfg = create_fw_cfg(vms, &address_space_memory);
     rom_set_fw(vms->fw_cfg);
 
+    if (vms->uefi_vars) {
+        create_uefi_vars(vms);
+    }
+
     create_platform_bus(vms);
 
     if (machine->nvdimms_state->is_enabled) {
@@ -2621,6 +2645,20 @@ static void virt_set_oem_table_id(Object *obj, const char *value,
     strncpy(vms->oem_table_id, value, 8);
 }
 
+static bool virt_get_uefi_vars(Object *obj, Error **errp)
+{
+    VirtMachineState *vms = VIRT_MACHINE(obj);
+
+    return vms->uefi_vars;
+}
+
+static void virt_set_uefi_vars(Object *obj, bool value, Error **errp)
+{
+    VirtMachineState *vms = VIRT_MACHINE(obj);
+
+    vms->uefi_vars = value;
+}
+
 
 bool virt_is_acpi_enabled(VirtMachineState *vms)
 {
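Review bot: the added blank line after `virt_set_uefi_vars()` sits directly above the blank line that already precedes `virt_is_acpi_enabled()`, leaving two consecutive empty lines; drop the trailing `+` blank line of the hunk. Minor, but this is the kind of nit a maintainer otherwise has to fix up when applying.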
@@ -3273,6 +3311,9 @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
                                           "in ACPI table header."
                                           "The string may be up to 8 bytes in size");
 
+    object_class_property_add_bool(oc, "x-uefi-vars",
+                                   virt_get_uefi_vars,
+                                   virt_set_uefi_vars);
 }
 
 static void virt_instance_init(Object *obj)
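Review bot: `x-uefi-vars` is added with `object_class_property_add_bool()` but without the `object_class_property_set_description()` call that the neighbouring machine properties carry (the `oem-table-id` description text is visible in the context lines just above); add one stating that it instantiates the uefi-vars-sysbus device at the VIRT_UEFI_VARS address and that the default is off, as the commit message says, so `-machine virt,help` reflects it.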
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 20/21] docs: add uefi variable service documentation
Date: Tue,  7 Jan 2025 16:33:47 +0100
Message-ID: <20250107153353.1144978-21-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
Content-Transfer-Encoding: quoted-printable

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 docs/devel/index-internals.rst |  1 +
 docs/devel/uefi-vars.rst       | 66 ++++++++++++++++++++++++++++++++++
 hw/uefi/LIMITATIONS.md         |  7 ++++
 3 files changed, 74 insertions(+)
 create mode 100644 docs/devel/uefi-vars.rst
 create mode 100644 hw/uefi/LIMITATIONS.md

diff --git a/docs/devel/index-internals.rst b/docs/devel/index-internals.rst
index ab9fbc448263..56aa589f663c 100644
--- a/docs/devel/index-internals.rst
+++ b/docs/devel/index-internals.rst
@@ -18,6 +18,7 @@ Details about QEMU's various subsystems including how to =
add features to them.
    s390-cpu-topology
    s390-dasd-ipl
    tracing
+   uefi-vars
    vfio-iommufd
    writing-monitor-commands
    virtio-backends
diff --git a/docs/devel/uefi-vars.rst b/docs/devel/uefi-vars.rst
new file mode 100644
index 000000000000..3e7bd98b5208
--- /dev/null
+++ b/docs/devel/uefi-vars.rst
@@ -0,0 +1,66 @@
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+UEFI variables
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+
+Guest UEFI variable management
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
+
+The traditional approach for UEFI Variable storage in qemu guests is
+to work as close as possible to physical hardware.  That means
+providing pflash as storage and leaving the management of variables
+and flash to the guest.
+
+Secure boot support comes with the requirement that the UEFI variable
+storage must be protected against direct access by the OS.  All update
+requests must pass the sanity checks.  (Parts of) the firmware must
+run with a higher privilege level than the OS so this can be enforced
+by the firmware.  On x86 this has been implemented using System
+Management Mode (SMM) in qemu and kvm, which again is the same
+approach taken by physical hardware.  Only privileged code running in
+SMM mode is allowed to access flash storage.
+
+Communication with the firmware code running in SMM mode works by
+serializing the requests to a shared buffer, then trapping into SMM
+mode via SMI.  The SMM code processes the request, stores the reply in
+the same buffer and returns.
+
+Host UEFI variable service
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D
+
+Instead of running the privileged code inside the guest we can run it
+on the host.  The serialization protocol can be reused.  The
+communication with the host uses a virtual device, which essentially
+configures the shared buffer location and size, and traps to the host
+to process the requests.
+
+The ``uefi-vars`` device implements the UEFI virtual device.  It comes
+in ``uefi-vars-isa`` and ``uefi-vars-sysbus`` flavours.  The device
+reimplements the handlers needed, specifically
+``EfiSmmVariableProtocol`` and ``VarCheckPolicyLibMmiHandler``.  It
+also consumes events (``EfiEndOfDxeEventGroup``,
+``EfiEventReadyToBoot`` and ``EfiEventExitBootServices``).
+
+The advantage of the approach is that we do not need a special
+privilege level for the firmware to protect itself, i.e. it does not
+depend on SMM emulation on x64, which allows the removal of a bunch of
+complex code for SMM emulation from the linux kernel
+(CONFIG_KVM_SMM=3Dn).  It also allows support for secure boot on arm
+without implementing secure world (el3) emulation in kvm.
+
+Of course there are also downsides.  The added device increases the
+attack surface of the host, and we are adding some code duplication
+because we have to reimplement some edk2 functionality in qemu.
+
+usage on x86_64 (isa)
+---------------------
+
+.. code::
+
+   qemu-system-x86_64 -device uefi-vars-isa,jsonfile=3D/path/to/vars.json
+
+usage on aarch64 (sysbus)
+-------------------------
+
+.. code::
+
+   qemu-system-aarch64 -M virt,x-uefi-vars=3Don
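Review bot: the "downsides" paragraph says the device enlarges the host attack surface but never states where that boundary is, and that is the one thing a reader of this page most needs. Every request the host-side handlers see arrives in a guest-controlled shared buffer, so the guest chooses all offsets, lengths and variable names, and the ``EfiSmmVariableProtocol`` / ``VarCheckPolicyLibMmiHandler`` reimplementation in QEMU, not code in the guest firmware, is now what performs the "sanity checks" the SMM paragraph describes; one sentence saying so, plus one saying that ``jsonfile=`` is the persistent store and therefore (with secure boot) the trust anchor that needs the same host-side protection as a pflash varstore, would make the trade-off concrete. Two smaller points: the aarch64 example ``qemu-system-aarch64 -M virt,x-uefi-vars=on`` shows no persistence at all (is ``jsonfile`` settable on ``uefi-vars-sysbus``, and does the ``x-`` prefix mean the machine property is experimental?), and naming should be consistent: ``x64`` in the advantages paragraph vs ``x86_64`` in the usage heading, ``linux kernel`` should be ``Linux kernel``, ``el3`` should be ``EL3``.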
diff --git a/hw/uefi/LIMITATIONS.md b/hw/uefi/LIMITATIONS.md
new file mode 100644
index 000000000000..29308bd587aa
--- /dev/null
+++ b/hw/uefi/LIMITATIONS.md
@@ -0,0 +1,7 @@
+known issues and limitations
+----------------------------
+
+* works only on little endian hosts
+  - accessing structs in guest ram is done without endian conversion.
+* works only for 64-bit guests
+  - UINTN is mapped to uint64_t, for 32-bit guests that would be uint32_t
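Review bot: both items describe a silent failure mode rather than a rejected configuration, and the file should say which it is. If a 32-bit guest or a big-endian host is not refused, the structs in the shared buffer are decoded with the wrong field widths or byte order from data the guest controls, which is precisely where a missing bounds check becomes a host memory-safety bug. Suggest stating whether there is a build-time guard for big-endian hosts and a realize-time or per-request check for the UINTN width (and adding them if there are not), so that "works only for 64-bit guests" means "refuses other guests" instead of "misparses their requests".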
-- 
2.47.1
From nobody Sun May 11 18:31:55 2025
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, graf@amazon.com,
 Paolo Bonzini <pbonzini@redhat.com>, Michael Roth <michael.roth@amd.com>,
 Daniel P. Berrangé <berrange@redhat.com>,
 Philippe Mathieu-Daudé <philmd@linaro.org>,
 Thomas Huth <thuth@redhat.com>, qemu-arm@nongnu.org,
 Eric Blake <eblake@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Markus Armbruster <armbru@redhat.com>,
 Marc-André Lureau <marcandre.lureau@redhat.com>
Subject: [PATCH v2 21/21] hw/uefi: add MAINTAINERS entry
Date: Tue,  7 Jan 2025 16:33:48 +0100
Message-ID: <20250107153353.1144978-22-kraxel@redhat.com>
In-Reply-To: <20250107153353.1144978-1-kraxel@redhat.com>
References: <20250107153353.1144978-1-kraxel@redhat.com>
Content-Transfer-Encoding: quoted-printable

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 MAINTAINERS | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 2101b5121756..ad2bce45a076 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2785,6 +2785,12 @@ F: hw/hyperv/hv-balloon*.h
 F: include/hw/hyperv/dynmem-proto.h
 F: include/hw/hyperv/hv-balloon.h
=20
+UEFI variable service
+M: Gerd Hoffmann <kraxel@redhat.com>
+S: Maintained
+F: hw/uefi/
+F: include/hw/uefi/
+
 Subsystems
 ----------
 Overall Audio backends
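Review bot: the entry covers ``F: hw/uefi/`` and ``F: include/hw/uefi/`` but not the documentation that patch 20/21 of this series adds as ``docs/devel/uefi-vars.rst``; add ``F: docs/devel/uefi-vars.rst`` so that get_maintainer.pl routes doc updates to the same maintainer as the device code. The ``hw/uefi/LIMITATIONS.md`` file from the same patch is already covered by the ``hw/uefi/`` glob.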
-- 
2.47.1