From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092565; cv=none; d=zohomail.com; s=zohoarc; b=bsZRjLW3BySQDqq3yyZbBBf0+v2f1CXxHmDmtAz9gXN3dd/46w6zk6y193EpB3SFQPRf/46tSxJ3Ke7hvUakAVIn5Aq3/OisCw3G8OvYJuHoJbeoocOqaJXkpto95D4SkH7SNILXenjbP+ZSzyzyDgyvzdMGOxhszQ6NpCJCUOs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092565; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=gkcyaZ27h2WsA2IHdLuCkDhTgUP4RBoCBo8IPYTJMjw=; b=MDkEqER1DdmZw68YKmj/Zfv4xDgL8cJjUSWrK52LPKvVL1rzHhv0SQWQkjxUsYbqbvwnu/m+xLHsscNKcbi+yaxq6P+MQYYjb8e/YD5mkVFfQ/guZtep91JLetOsBXJN7xOEXSPzpiwx7o/1GNLoYS59g4Xs6tY5tAecpFwGvwc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092565046573.7454292992134; Tue, 4 Mar 2025 04:49:25 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhM-0004ff-HG; Tue, 04 Mar 2025 07:48:36 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhI-0004ei-Sh for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:32 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhF-0006he-P3 for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:32 -0500 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-570-9L6nYouiMkCypSe16qSyxw-1; Tue, 04 Mar 2025 07:48:22 -0500 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 6009F1954B20; Tue, 4 Mar 2025 12:48:19 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A30841956048; Tue, 4 Mar 2025 12:48:17 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 3B4931800392; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092508; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=gkcyaZ27h2WsA2IHdLuCkDhTgUP4RBoCBo8IPYTJMjw=; b=MtzfkzLu/sFQyQJF5XNjNfocOJMk5mg2ZOxXLdeGOTnyBpYB+2vAIWkmLDac4t1zy9nm81 pyfAANnIjDt4NMK8kngAesqeIePhOsSWyWualRBqB24yXB0LJ2L1TGzm98iEZ2+yfhp+xr ZdqCV3OyEfq2/SyBZ1l3aFYZCSurLx0= X-MC-Unique: 9L6nYouiMkCypSe16qSyxw-1 X-Mimecast-MFC-AGG-ID: 9L6nYouiMkCypSe16qSyxw_1741092500 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 01/24] Add support for etc/hardware-info fw_cfg file Date: Tue, 4 Mar 2025 13:47:49 +0100 Message-ID: <20250304124815.591749-2-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092567579019000 Content-Type: text/plain; charset="utf-8" edk2 looks for the etc/hardware-info fw_cfg file to discover hardware which can not easily be found in other ways. Entries consist of a header with hardware type and entry size (HARDWARE_INFO_HEADER), followed by the actual hardware description (which is type specific). The file can have multiple entries. This patch adds the infrastructure to add entries to the file and an entry struct for simple devices (HARDWARE_INFO_SIMPLE_DEVICE) which have an mmio address only. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-2-kraxel@redhat.com> --- include/hw/uefi/hardware-info.h | 35 +++++++++++++++++++++++++++++++++ hw/uefi/hardware-info.c | 31 +++++++++++++++++++++++++++++ hw/uefi/meson.build | 1 + 3 files changed, 67 insertions(+) create mode 100644 include/hw/uefi/hardware-info.h create mode 100644 hw/uefi/hardware-info.c create mode 100644 hw/uefi/meson.build diff --git a/include/hw/uefi/hardware-info.h b/include/hw/uefi/hardware-inf= o.h new file mode 100644 index 000000000000..94c38cff2007 --- /dev/null +++ b/include/hw/uefi/hardware-info.h @@ -0,0 +1,35 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * pass hardware information to uefi + * + * see OvmfPkg/Library/HardwareInfoLib/ in edk2 + */ +#ifndef QEMU_UEFI_HARDWARE_INFO_H +#define QEMU_UEFI_HARDWARE_INFO_H + +/* data structures */ + +typedef enum { + HardwareInfoTypeUndefined =3D 0, + HardwareInfoTypeHostBridge =3D 1, + HardwareInfoQemuUefiVars =3D 2, +} HARDWARE_INFO_TYPE; + +typedef struct { + union { + uint64_t uint64; + HARDWARE_INFO_TYPE value; + } type; + uint64_t size; +} HARDWARE_INFO_HEADER; + +typedef struct { + uint64_t mmio_address; +} HARDWARE_INFO_SIMPLE_DEVICE; + +/* qemu functions */ + +void hardware_info_register(HARDWARE_INFO_TYPE type, void *info, uint64_t = size); + +#endif /* QEMU_UEFI_HARDWARE_INFO_H */ diff --git a/hw/uefi/hardware-info.c b/hw/uefi/hardware-info.c new file mode 100644 index 000000000000..930502a4df3a --- /dev/null +++ b/hw/uefi/hardware-info.c @@ -0,0 +1,31 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * pass hardware information to uefi + * + * see OvmfPkg/Library/HardwareInfoLib/ in edk2 + */ + +#include "qemu/osdep.h" + +#include "hw/nvram/fw_cfg.h" +#include "hw/uefi/hardware-info.h" + +static void *blob; +static uint64_t blobsize; + +void hardware_info_register(HARDWARE_INFO_TYPE type, void *info, uint64_t = infosize) +{ + HARDWARE_INFO_HEADER hdr =3D { + .type.value =3D cpu_to_le64(type), + .size =3D cpu_to_le64(infosize), + }; + + blob =3D g_realloc(blob, blobsize + sizeof(hdr) + infosize); + memcpy(blob + blobsize, &hdr, sizeof(hdr)); + blobsize +=3D sizeof(hdr); + memcpy(blob + blobsize, info, infosize); + blobsize +=3D infosize; + + fw_cfg_modify_file(fw_cfg_find(), "etc/hardware-info", blob, blobsize); +} diff --git a/hw/uefi/meson.build b/hw/uefi/meson.build new file mode 100644 index 000000000000..a8b168941255 --- /dev/null +++ b/hw/uefi/meson.build @@ -0,0 +1 @@ +system_ss.add(files('hardware-info.c')) --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741093055; cv=none; d=zohomail.com; s=zohoarc; b=MqnwnzgbYktZoZwkzhAnDp+nLKHvzo1wdnubm8HVMPs/nziedhmLBOd1jjwwTOBu1+xkbnKHDU+pc4zU8CvPFRAB+oesZdS4VEvjmC8tTDPwaEdy9qYww3eIVygPb3HHiRbg5EuNhjbV8GFnOSmWY35TJPAvvEzBH/SimcDgiWE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741093055; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=K/GFtp0QO6yu6/4mr5Mp0qNucr+nmJ7SLkaVqL01H0Y=; b=iXJQO2z7wtevDKy6SYyBA3xSw7xSdhbyr1Hw4isVYS+jBfqDg3uOF7yfzp2rcgeZosxoxYDnwhMnrcekzw2VRO1nk0ZsWNfLgRSOOtEpg5VN5AuAKSdRDosSSnv4/VWS1ruG3ecy2pDdCxxU8VMQHk0gYmhi7is/tZLIxohizHo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741093055857682.1542480402486; Tue, 4 Mar 2025 04:57:35 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhe-0004oq-LD; Tue, 04 Mar 2025 07:48:54 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhQ-0004gj-Bj for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:41 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhO-0006jj-7W for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:40 -0500 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-77-emFkRSd3MQuaCOEaCoM7tA-1; Tue, 04 Mar 2025 07:48:24 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8CBA21954200; Tue, 4 Mar 2025 12:48:22 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id CB275180087C; Tue, 4 Mar 2025 12:48:21 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 4B3941800396; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092517; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=K/GFtp0QO6yu6/4mr5Mp0qNucr+nmJ7SLkaVqL01H0Y=; b=KPV7llWU/qZAzAEAum7L+UAahEFXHZL3mdFdum8JbAmlKwErCuKt92gtraktpZFeo3gUup 5LLLqIIt6tVzf54BdQYWo72MhrS3g3Fxi+RptAKVYjm8UzKxiEGHyuvj93FAzeBcA8kgab JO21VEzJZ2DCTQVTaWL7HcJg0ta/Pfg= X-MC-Unique: emFkRSd3MQuaCOEaCoM7tA-1 X-Mimecast-MFC-AGG-ID: emFkRSd3MQuaCOEaCoM7tA_1741092502 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Laszlo Ersek Subject: [PULL 02/24] hw/uefi: add include/hw/uefi/var-service-api.h Date: Tue, 4 Mar 2025 13:47:50 +0100 Message-ID: <20250304124815.591749-3-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741093057896019100 Content-Type: text/plain; charset="utf-8" This file defines the register interface of the uefi-vars device. It's only a handful of registers: magic value, command and status registers, location and size of the communication buffer. Reviewed-by: Laszlo Ersek Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-3-kraxel@redhat.com> --- include/hw/uefi/var-service-api.h | 48 +++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 include/hw/uefi/var-service-api.h diff --git a/include/hw/uefi/var-service-api.h b/include/hw/uefi/var-servic= e-api.h new file mode 100644 index 000000000000..0d71638f3efe --- /dev/null +++ b/include/hw/uefi/var-service-api.h @@ -0,0 +1,48 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi-vars device - API of the virtual device for guest/host communicati= on. + */ +#ifndef QEMU_UEFI_VAR_SERVICE_API_H +#define QEMU_UEFI_VAR_SERVICE_API_H + +/* qom: device names */ +#define TYPE_UEFI_VARS_X64 "uefi-vars-x64" +#define TYPE_UEFI_VARS_SYSBUS "uefi-vars-sysbus" + +/* sysbus: fdt node path */ +#define UEFI_VARS_FDT_NODE "qemu-uefi-vars" +#define UEFI_VARS_FDT_COMPAT "qemu,uefi-vars" + +/* registers */ +#define UEFI_VARS_REG_MAGIC 0x00 /* 16 bit */ +#define UEFI_VARS_REG_CMD_STS 0x02 /* 16 bit */ +#define UEFI_VARS_REG_BUFFER_SIZE 0x04 /* 32 bit */ +#define UEFI_VARS_REG_DMA_BUFFER_ADDR_LO 0x08 /* 32 bit */ +#define UEFI_VARS_REG_DMA_BUFFER_ADDR_HI 0x0c /* 32 bit */ +#define UEFI_VARS_REG_PIO_BUFFER_TRANSFER 0x10 /* 8-64 bit */ +#define UEFI_VARS_REG_PIO_BUFFER_CRC32C 0x18 /* 32 bit (read-only) */ +#define UEFI_VARS_REG_FLAGS 0x1c /* 32 bit */ +#define UEFI_VARS_REGS_SIZE 0x20 + +/* flags register */ +#define UEFI_VARS_FLAG_USE_PIO (1 << 0) + +/* magic value */ +#define UEFI_VARS_MAGIC_VALUE 0xef1 + +/* command values */ +#define UEFI_VARS_CMD_RESET 0x01 +#define UEFI_VARS_CMD_DMA_MM 0x02 +#define UEFI_VARS_CMD_PIO_MM 0x03 +#define UEFI_VARS_CMD_PIO_ZERO_OFFSET 0x04 + +/* status values */ +#define UEFI_VARS_STS_SUCCESS 0x00 +#define UEFI_VARS_STS_BUSY 0x01 +#define UEFI_VARS_STS_ERR_UNKNOWN 0x10 +#define UEFI_VARS_STS_ERR_NOT_SUPPORTED 0x11 +#define UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE 0x12 + + +#endif /* QEMU_UEFI_VAR_SERVICE_API_H */ --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092565; cv=none; d=zohomail.com; s=zohoarc; b=Jm3Nk2iV3l3ma8hhP+zVPviNY7lrcRdw+zrcuTwDO//v8ZEsnxSKCsn5x20elkBOLliPsmGsNdM4vXuxO6ZyExyZ9xGARa5d0THU6xP7615j85UNPOMSOkBcCu+2YRPbXKqDKO3OqdzHFVtXWicVUKiWqrFnzRaTTqoPEI1Y0F0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092565; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=soxuZe2OoPmZHU6LJxXL0aHKa070QZ98vQ3VDzAbP+4=; b=dkKZRouHAiBZqrY7MVOOm6plNHULii3TNAcq9SL8ln5v5VqWV9Fg2Bt0qVwL7n5apr0nAkyiM5yhb/b1xzVi+HO7KLJUCt6BiqZRvaeKs/Wq3g8zkT+b93VQ5U175zPnDcSAel6fsj919dMIc0/Y9Z0x8UgEqvLwEcyIMJTyJ/k= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092565221320.58552687385577; Tue, 4 Mar 2025 04:49:25 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhS-0004gw-0t; Tue, 04 Mar 2025 07:48:42 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhJ-0004ev-5u for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:33 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhF-0006hm-P4 for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:32 -0500 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-56-oKOVJFEwNyOyZioV7e1iJg-1; Tue, 04 Mar 2025 07:48:24 -0500 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 4E8B51954B20; Tue, 4 Mar 2025 12:48:23 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A408A180035F; Tue, 4 Mar 2025 12:48:21 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 5B5F91800399; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092509; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=soxuZe2OoPmZHU6LJxXL0aHKa070QZ98vQ3VDzAbP+4=; b=E4e5LA9zMBj5pjVxbrcmARouNE0mkDYDyRYxx+Dn27N7T/kV/Obhfth4M+uO66R5rklaQa 5oZj9KP7AHoWYx0XGcc6nDO8cKbC4BKAMIrVlJ4XYh9b3o7ixvPwF323TiVYoitiytmi6j lE7fc3NlZmN2bWC/FuIBt9t6Lo19GIs= X-MC-Unique: oKOVJFEwNyOyZioV7e1iJg-1 X-Mimecast-MFC-AGG-ID: oKOVJFEwNyOyZioV7e1iJg_1741092503 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 03/24] hw/uefi: add include/hw/uefi/var-service-edk2.h Date: Tue, 4 Mar 2025 13:47:51 +0100 Message-ID: <20250304124815.591749-4-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092567464019000 Content-Type: text/plain; charset="utf-8" A bunch of #defines and structs copied over from edk2, mostly needed to decode and encode the messages in the communication buffer. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-4-kraxel@redhat.com> --- include/hw/uefi/var-service-edk2.h | 227 +++++++++++++++++++++++++++++ 1 file changed, 227 insertions(+) create mode 100644 include/hw/uefi/var-service-edk2.h diff --git a/include/hw/uefi/var-service-edk2.h b/include/hw/uefi/var-servi= ce-edk2.h new file mode 100644 index 000000000000..c743a8df948d --- /dev/null +++ b/include/hw/uefi/var-service-edk2.h @@ -0,0 +1,227 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi-vars device - structs and defines from edk2 + * + * Note: The edk2 UINTN type has been mapped to uint64_t, + * so the structs are compatible with 64bit edk2 builds. + */ +#ifndef QEMU_UEFI_VAR_SERVICE_EDK2_H +#define QEMU_UEFI_VAR_SERVICE_EDK2_H + +#include "qemu/uuid.h" + +#define MAX_BIT 0x8000000000000000ULL +#define ENCODE_ERROR(StatusCode) (MAX_BIT | (StatusCode)) +#define EFI_SUCCESS 0 +#define EFI_INVALID_PARAMETER ENCODE_ERROR(2) +#define EFI_UNSUPPORTED ENCODE_ERROR(3) +#define EFI_BAD_BUFFER_SIZE ENCODE_ERROR(4) +#define EFI_BUFFER_TOO_SMALL ENCODE_ERROR(5) +#define EFI_WRITE_PROTECTED ENCODE_ERROR(8) +#define EFI_OUT_OF_RESOURCES ENCODE_ERROR(9) +#define EFI_NOT_FOUND ENCODE_ERROR(14) +#define EFI_ACCESS_DENIED ENCODE_ERROR(15) +#define EFI_ALREADY_STARTED ENCODE_ERROR(20) +#define EFI_SECURITY_VIOLATION ENCODE_ERROR(26) + +#define EFI_VARIABLE_NON_VOLATILE 0x01 +#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x02 +#define EFI_VARIABLE_RUNTIME_ACCESS 0x04 +#define EFI_VARIABLE_HARDWARE_ERROR_RECORD 0x08 +#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x10 /* depre= cated */ +#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x20 +#define EFI_VARIABLE_APPEND_WRITE 0x40 + +/* SecureBootEnable */ +#define SECURE_BOOT_ENABLE 1 +#define SECURE_BOOT_DISABLE 0 + +/* SecureBoot */ +#define SECURE_BOOT_MODE_ENABLE 1 +#define SECURE_BOOT_MODE_DISABLE 0 + +/* CustomMode */ +#define CUSTOM_SECURE_BOOT_MODE 1 +#define STANDARD_SECURE_BOOT_MODE 0 + +/* SetupMode */ +#define SETUP_MODE 1 +#define USER_MODE 0 + +typedef uint64_t efi_status; +typedef struct mm_header mm_header; + +/* EFI_MM_COMMUNICATE_HEADER */ +struct mm_header { + QemuUUID guid; + uint64_t length; +}; + +/* --- EfiSmmVariableProtocol ---------------------------------------- */ + +#define SMM_VARIABLE_FUNCTION_GET_VARIABLE 1 +#define SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME 2 +#define SMM_VARIABLE_FUNCTION_SET_VARIABLE 3 +#define SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO 4 +#define SMM_VARIABLE_FUNCTION_READY_TO_BOOT 5 +#define SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE 6 +#define SMM_VARIABLE_FUNCTION_LOCK_VARIABLE 8 +#define SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE 11 + +typedef struct mm_variable mm_variable; +typedef struct mm_variable_access mm_variable_access; +typedef struct mm_next_variable mm_next_variable; +typedef struct mm_next_variable mm_lock_variable; +typedef struct mm_variable_info mm_variable_info; +typedef struct mm_get_payload_size mm_get_payload_size; + +/* SMM_VARIABLE_COMMUNICATE_HEADER */ +struct mm_variable { + uint64_t function; + uint64_t status; +}; + +/* SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE */ +struct QEMU_PACKED mm_variable_access { + QemuUUID guid; + uint64_t data_size; + uint64_t name_size; + uint32_t attributes; + /* Name */ + /* Data */ +}; + +/* SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME */ +struct mm_next_variable { + QemuUUID guid; + uint64_t name_size; + /* Name */ +}; + +/* SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO */ +struct QEMU_PACKED mm_variable_info { + uint64_t max_storage_size; + uint64_t free_storage_size; + uint64_t max_variable_size; + uint32_t attributes; +}; + +/* SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE */ +struct mm_get_payload_size { + uint64_t payload_size; +}; + +/* --- VarCheckPolicyLibMmiHandler ----------------------------------- */ + +#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x01 +#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x02 +#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x03 +#define VAR_CHECK_POLICY_COMMAND_DUMP 0x04 +#define VAR_CHECK_POLICY_COMMAND_LOCK 0x05 + +typedef struct mm_check_policy mm_check_policy; +typedef struct mm_check_policy_is_enabled mm_check_policy_is_enabled; +typedef struct mm_check_policy_dump_params mm_check_policy_dump_params; + +/* VAR_CHECK_POLICY_COMM_HEADER */ +struct QEMU_PACKED mm_check_policy { + uint32_t signature; + uint32_t revision; + uint32_t command; + uint64_t result; +}; + +/* VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS */ +struct QEMU_PACKED mm_check_policy_is_enabled { + uint8_t state; +}; + +/* VAR_CHECK_POLICY_COMM_DUMP_PARAMS */ +struct QEMU_PACKED mm_check_policy_dump_params { + uint32_t page_requested; + uint32_t total_size; + uint32_t page_size; + uint8_t has_more; +}; + +/* --- Edk2VariablePolicyProtocol ------------------------------------ */ + +#define VARIABLE_POLICY_ENTRY_REVISION 0x00010000 + +#define VARIABLE_POLICY_TYPE_NO_LOCK 0 +#define VARIABLE_POLICY_TYPE_LOCK_NOW 1 +#define VARIABLE_POLICY_TYPE_LOCK_ON_CREATE 2 +#define VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE 3 + +typedef struct variable_policy_entry variable_policy_entry; +typedef struct variable_lock_on_var_state variable_lock_on_var_state; + +/* VARIABLE_POLICY_ENTRY */ +struct variable_policy_entry { + uint32_t version; + uint16_t size; + uint16_t offset_to_name; + QemuUUID namespace; + uint32_t min_size; + uint32_t max_size; + uint32_t attributes_must_have; + uint32_t attributes_cant_have; + uint8_t lock_policy_type; + uint8_t padding[3]; + /* LockPolicy */ + /* Name */ +}; + +/* VARIABLE_LOCK_ON_VAR_STATE_POLICY */ +struct variable_lock_on_var_state { + QemuUUID namespace; + uint8_t value; + uint8_t padding; + /* Name */ +}; + +/* --- variable authentication --------------------------------------- */ + +#define WIN_CERT_TYPE_EFI_GUID 0x0EF1 + +typedef struct efi_time efi_time; +typedef struct efi_siglist efi_siglist; +typedef struct variable_auth_2 variable_auth_2; + +/* EFI_TIME */ +struct efi_time { + uint16_t year; + uint8_t month; + uint8_t day; + uint8_t hour; + uint8_t minute; + uint8_t second; + uint8_t pad1; + uint32_t nanosecond; + int16_t timezone; + uint8_t daylight; + uint8_t pad2; +}; + +/* EFI_SIGNATURE_LIST */ +struct efi_siglist { + QemuUUID guid_type; + uint32_t siglist_size; + uint32_t header_size; + uint32_t sig_size; +}; + +/* EFI_VARIABLE_AUTHENTICATION_2 */ +struct variable_auth_2 { + struct efi_time timestamp; + + /* WIN_CERTIFICATE_UEFI_GUID */ + uint32_t hdr_length; + uint16_t hdr_revision; + uint16_t hdr_cert_type; + QemuUUID guid_cert_type; + uint8_t cert_data[]; +}; + +#endif /* QEMU_UEFI_VAR_SERVICE_EDK2_H */ --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092615; cv=none; d=zohomail.com; s=zohoarc; b=Lmw6whOWP3iQvVtnLltceUbKCvgyR13fIZellzt1uigt43PaB/uKbFTOmKwJyKEvy1Gn9lyNMD54Tswr3W+xw+OVQ06IAVOPlSHjyCST+dRG9kpPx6a3BeIH4G34cqpnZeDUiMg2S+a6Ay/F5flAelQ4J+ph1UATmysfSKMTSIw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092615; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=j86CDYwtI9X55e5axt64TTQ0qTTEZPdFKpQF5ux0Uso=; b=CCH2stcaSbq3PrY9mz9vGGn2mv45VWHUPpbNVWS9lf+dgDGfR3+2ux2Jn4HwVc30+asOgIXxam9nvhGDFAnjJT4TVb+HdyDyttshSBUeQ0o7n3Eed2QlvQi1STE+LSM/0+6LEY30Ggy/UnagjF/oFbDrb8uus3zB+nXPSA9K7ZY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092615443440.38991247047386; Tue, 4 Mar 2025 04:50:15 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhp-0004uq-9k; Tue, 04 Mar 2025 07:49:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhQ-0004gi-Bi for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:41 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhO-0006jb-1y for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:40 -0500 Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-517-0sxTaEkJNuyxZ1UhbpOcIQ-1; Tue, 04 Mar 2025 07:48:27 -0500 Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 401D91944F05; Tue, 4 Mar 2025 12:48:26 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 2949F19560AB; Tue, 4 Mar 2025 12:48:25 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 6B556180039B; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092517; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=j86CDYwtI9X55e5axt64TTQ0qTTEZPdFKpQF5ux0Uso=; b=U08AzIC6AlvmGjEDB8XQTYNwkWrgqgjHzTY5xT4vkdept0ZlZwmbVdW9mzqpefsBoM1ldx m7TjowOMLsnCNlCWQ2fU+bY9iTBHooWNezkFPepu/lIV00CU1qEMBGjhjf4/k3yjxVIuxB MfxCl2LMjYkd3mgCqTU3B+IqNkadvGo= X-MC-Unique: 0sxTaEkJNuyxZ1UhbpOcIQ-1 X-Mimecast-MFC-AGG-ID: 0sxTaEkJNuyxZ1UhbpOcIQ_1741092506 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 04/24] hw/uefi: add include/hw/uefi/var-service.h Date: Tue, 4 Mar 2025 13:47:52 +0100 Message-ID: <20250304124815.591749-5-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092616691019100 Content-Type: text/plain; charset="utf-8" Add state structs and function declarations for the uefi-vars device. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-5-kraxel@redhat.com> --- include/hw/uefi/var-service.h | 191 ++++++++++++++++++++++++++++++++++ 1 file changed, 191 insertions(+) create mode 100644 include/hw/uefi/var-service.h diff --git a/include/hw/uefi/var-service.h b/include/hw/uefi/var-service.h new file mode 100644 index 000000000000..f7ceac4ce243 --- /dev/null +++ b/include/hw/uefi/var-service.h @@ -0,0 +1,191 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi-vars device - state struct and function prototypes + */ +#ifndef QEMU_UEFI_VAR_SERVICE_H +#define QEMU_UEFI_VAR_SERVICE_H + +#include "qemu/uuid.h" +#include "qemu/queue.h" + +#include "hw/uefi/var-service-edk2.h" + +#define MAX_BUFFER_SIZE (64 * 1024) + +typedef struct uefi_variable uefi_variable; +typedef struct uefi_var_policy uefi_var_policy; +typedef struct uefi_vars_state uefi_vars_state; + +typedef struct uefi_vars_cert uefi_vars_cert; +typedef struct uefi_vars_hash uefi_vars_hash; +typedef struct uefi_vars_siglist uefi_vars_siglist; + +struct uefi_variable { + QemuUUID guid; + uint16_t *name; + uint32_t name_size; + uint32_t attributes; + void *data; + uint32_t data_size; + efi_time time; + void *digest; + uint32_t digest_size; + QTAILQ_ENTRY(uefi_variable) next; +}; + +struct uefi_var_policy { + variable_policy_entry *entry; + uint32_t entry_size; + uint16_t *name; + uint32_t name_size; + + /* number of hashmarks (wildcard character) in name */ + uint32_t hashmarks; + + QTAILQ_ENTRY(uefi_var_policy) next; +}; + +struct uefi_vars_state { + MemoryRegion mr; + uint16_t sts; + uint32_t buf_size; + uint32_t buf_addr_lo; + uint32_t buf_addr_hi; + uint8_t *buffer; + QTAILQ_HEAD(, uefi_variable) variables; + QTAILQ_HEAD(, uefi_var_policy) var_policies; + + /* pio transfer buffer */ + uint32_t pio_xfer_offset; + uint8_t *pio_xfer_buffer; + + /* boot phases */ + bool end_of_dxe; + bool ready_to_boot; + bool exit_boot_service; + bool policy_locked; + + /* storage accounting */ + uint64_t max_storage; + uint64_t used_storage; + + /* config options */ + char *jsonfile; + int jsonfd; + bool force_secure_boot; + bool disable_custom_mode; + bool use_pio; +}; + +struct uefi_vars_cert { + QTAILQ_ENTRY(uefi_vars_cert) next; + QemuUUID owner; + uint64_t size; + uint8_t data[]; +}; + +struct uefi_vars_hash { + QTAILQ_ENTRY(uefi_vars_hash) next; + QemuUUID owner; + uint8_t data[]; +}; + +struct uefi_vars_siglist { + QTAILQ_HEAD(, uefi_vars_cert) x509; + QTAILQ_HEAD(, uefi_vars_hash) sha256; +}; + +/* vars-service-guid.c */ +extern const QemuUUID EfiGlobalVariable; +extern const QemuUUID EfiImageSecurityDatabase; +extern const QemuUUID EfiCustomModeEnable; +extern const QemuUUID EfiSecureBootEnableDisable; + +extern const QemuUUID EfiCertSha256Guid; +extern const QemuUUID EfiCertSha384Guid; +extern const QemuUUID EfiCertSha512Guid; +extern const QemuUUID EfiCertRsa2048Guid; +extern const QemuUUID EfiCertX509Guid; +extern const QemuUUID EfiCertTypePkcs7Guid; + +extern const QemuUUID EfiSmmVariableProtocolGuid; +extern const QemuUUID VarCheckPolicyLibMmiHandlerGuid; + +extern const QemuUUID EfiEndOfDxeEventGroupGuid; +extern const QemuUUID EfiEventReadyToBootGuid; +extern const QemuUUID EfiEventExitBootServicesGuid; + +/* vars-service-utils.c */ +gboolean uefi_str_is_valid(const uint16_t *str, size_t len, + gboolean must_be_null_terminated); +size_t uefi_strlen(const uint16_t *str, size_t len); +gboolean uefi_str_equal_ex(const uint16_t *a, size_t alen, + const uint16_t *b, size_t blen, + gboolean wildcards_in_a); +gboolean uefi_str_equal(const uint16_t *a, size_t alen, + const uint16_t *b, size_t blen); +char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_size); +int uefi_time_compare(efi_time *a, efi_time *b); +void uefi_trace_variable(const char *action, QemuUUID guid, + const uint16_t *name, uint64_t name_size); +void uefi_trace_status(const char *action, efi_status status); + +/* vars-service-core.c */ +extern const VMStateDescription vmstate_uefi_vars; +void uefi_vars_init(Object *obj, uefi_vars_state *uv); +void uefi_vars_realize(uefi_vars_state *uv, Error **errp); +void uefi_vars_hard_reset(uefi_vars_state *uv); + +/* vars-service-json.c */ +void uefi_vars_json_init(uefi_vars_state *uv, Error **errp); +void uefi_vars_json_save(uefi_vars_state *uv); +void uefi_vars_json_load(uefi_vars_state *uv, Error **errp); + +/* vars-service-vars.c */ +extern const VMStateDescription vmstate_uefi_variable; +uefi_variable *uefi_vars_find_variable(uefi_vars_state *uv, QemuUUID guid, + const uint16_t *name, + uint64_t name_size); +void uefi_vars_set_variable(uefi_vars_state *uv, QemuUUID guid, + const uint16_t *name, uint64_t name_size, + uint32_t attributes, + void *data, uint64_t data_size); +void uefi_vars_clear_volatile(uefi_vars_state *uv); +void uefi_vars_clear_all(uefi_vars_state *uv); +void uefi_vars_update_storage(uefi_vars_state *uv); +uint32_t uefi_vars_mm_vars_proto(uefi_vars_state *uv); + +/* vars-service-auth.c */ +bool uefi_vars_is_sb_pk(uefi_variable *var); +bool uefi_vars_is_sb_any(uefi_variable *var); +efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var, + mm_variable_access *va, void *data); +efi_status uefi_vars_check_secure_boot(uefi_vars_state *uv, uefi_variable = *var); +void uefi_vars_auth_init(uefi_vars_state *uv); + +/* vars-service-pkcs7.c */ +efi_status uefi_vars_check_pkcs7_2(uefi_variable *siglist, + void **digest, uint32_t *digest_size, + mm_variable_access *va, void *data); + +/* vars-service-siglist.c */ +void uefi_vars_siglist_init(uefi_vars_siglist *siglist); +void uefi_vars_siglist_free(uefi_vars_siglist *siglist); +void uefi_vars_siglist_parse(uefi_vars_siglist *siglist, + void *data, uint64_t size); +uint64_t uefi_vars_siglist_blob_size(uefi_vars_siglist *siglist); +void uefi_vars_siglist_blob_generate(uefi_vars_siglist *siglist, + void *data, uint64_t size); + +/* vars-service-policy.c */ +extern const VMStateDescription vmstate_uefi_var_policy; +efi_status uefi_vars_policy_check(uefi_vars_state *uv, + uefi_variable *var, + gboolean is_newvar); +void uefi_vars_policies_clear(uefi_vars_state *uv); +uefi_var_policy *uefi_vars_add_policy(uefi_vars_state *uv, + variable_policy_entry *pe); +uint32_t uefi_vars_mm_check_policy_proto(uefi_vars_state *uv); + +#endif /* QEMU_UEFI_VAR_SERVICE_H */ --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092565; cv=none; d=zohomail.com; s=zohoarc; b=A5UY8vGynAD5AyBVeL73Fp81mDclG3PEPev9OX9kZ7usBD7qowxFhY82Rh+WEczt0CNyey+didBEgkIBQEHu8HCiZcb6fh2esX0MT4x0fOmmfO6z9WN2QVyvhqOumbcm21NfCmuBEYkUb6cdp3Rn8Z1koK3GF5fSU5BN8SYTSJo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092565; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=SYCW8pEG+wJxQ5YUmYgwS2yXIN+meMLGRDcCodQB6Q0=; b=PSj2APVJjHymXFupzL3VVOT1MowPXxtvpEtSySujC0NkbuT0BISYXPO7uFXy0yMFD+1qKpBN65JnggcyZnm6rgr1OejeHHSFhcN1r9vxyeMQ5oMfVJsMJiS7F/37kQnlTrE/M+SzjSH1sqNl6mBlg22SyxIFeBPqMCKD80pqmfs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092565336458.46597782656124; Tue, 4 Mar 2025 04:49:25 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhX-0004i1-W6; Tue, 04 Mar 2025 07:48:48 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhK-0004fC-6M for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:35 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhH-0006i6-QD for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:33 -0500 Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-656-nbB2caNwPQaiOWVA55U5yw-1; Tue, 04 Mar 2025 07:48:28 -0500 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id B7AF11801A1B; Tue, 4 Mar 2025 12:48:26 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id AE7851944DF0; Tue, 4 Mar 2025 12:48:25 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 7A8DE180039D; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092511; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SYCW8pEG+wJxQ5YUmYgwS2yXIN+meMLGRDcCodQB6Q0=; b=SHo/Y/Fpd8USIxIuqdeKC1ajy0rmoVPDCv4PCihs0T5USwU/Z/mIN6bFx0LTLqKgb+yznV wSJ1TrcwE5PvJYXW3DSFmtEwHh5Qd8RF13R86XL0dr/RlWaa3U4/S7x0BW0K9Hk73RMjwK yfNY1wJYOsBIieOPpyjciekQQByEgcw= X-MC-Unique: nbB2caNwPQaiOWVA55U5yw-1 X-Mimecast-MFC-AGG-ID: nbB2caNwPQaiOWVA55U5yw_1741092506 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 05/24] hw/uefi: add var-service-guid.c Date: Tue, 4 Mar 2025 13:47:53 +0100 Message-ID: <20250304124815.591749-6-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092566992019100 Content-Type: text/plain; charset="utf-8" Add variables for a bunch of UEFI GUIDs we will need. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-6-kraxel@redhat.com> --- hw/uefi/var-service-guid.c | 99 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 hw/uefi/var-service-guid.c diff --git a/hw/uefi/var-service-guid.c b/hw/uefi/var-service-guid.c new file mode 100644 index 000000000000..eba3655c8d30 --- /dev/null +++ b/hw/uefi/var-service-guid.c @@ -0,0 +1,99 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - GUIDs + */ + +#include "qemu/osdep.h" +#include "system/dma.h" + +#include "hw/uefi/var-service.h" + +/* variable namespaces */ + +const QemuUUID EfiGlobalVariable =3D { + .data =3D UUID_LE(0x8be4df61, 0x93ca, 0x11d2, 0xaa, 0x0d, + 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c) +}; + +const QemuUUID EfiImageSecurityDatabase =3D { + .data =3D UUID_LE(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, + 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f) +}; + +const QemuUUID EfiCustomModeEnable =3D { + .data =3D UUID_LE(0xc076ec0c, 0x7028, 0x4399, 0xa0, 0x72, + 0x71, 0xee, 0x5c, 0x44, 0x8b, 0x9f) +}; + +const QemuUUID EfiSecureBootEnableDisable =3D { + .data =3D UUID_LE(0xf0a30bc7, 0xaf08, 0x4556, 0x99, 0xc4, + 0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44) +}; + +/* signatures */ + +const QemuUUID EfiCertSha256Guid =3D { + .data =3D UUID_LE(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, + 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28) +}; + +const QemuUUID EfiCertSha384Guid =3D { + .data =3D UUID_LE(0xff3e5307, 0x9fd0, 0x48c9, 0x85, 0xf1, + 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1) +}; + +const QemuUUID EfiCertSha512Guid =3D { + .data =3D UUID_LE(0x93e0fae, 0xa6c4, 0x4f50, 0x9f, 0x1b, + 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a) +}; + +const QemuUUID EfiCertRsa2048Guid =3D { + .data =3D UUID_LE(0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, + 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6) +}; + +const QemuUUID EfiCertX509Guid =3D { + .data =3D UUID_LE(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, + 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72) +}; + +const QemuUUID EfiCertTypePkcs7Guid =3D { + .data =3D UUID_LE(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, + 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) +}; + +/* + * mm_header.guid values that the guest DXE/BDS phases use for + * sending requests to management mode + */ + +const QemuUUID EfiSmmVariableProtocolGuid =3D { + .data =3D UUID_LE(0xed32d533, 0x99e6, 0x4209, 0x9c, 0xc0, + 0x2d, 0x72, 0xcd, 0xd9, 0x98, 0xa7) +}; + +const QemuUUID VarCheckPolicyLibMmiHandlerGuid =3D { + .data =3D UUID_LE(0xda1b0d11, 0xd1a7, 0x46c4, 0x9d, 0xc9, + 0xf3, 0x71, 0x48, 0x75, 0xc6, 0xeb) +}; + +/* + * mm_header.guid values that the guest DXE/BDS phases use for + * reporting event groups being signaled to management mode + */ + +const QemuUUID EfiEndOfDxeEventGroupGuid =3D { + .data =3D UUID_LE(0x02ce967a, 0xdd7e, 0x4FFc, 0x9e, 0xe7, + 0x81, 0x0c, 0xF0, 0x47, 0x08, 0x80) +}; + +const QemuUUID EfiEventReadyToBootGuid =3D { + .data =3D UUID_LE(0x7ce88Fb3, 0x4bd7, 0x4679, 0x87, 0xa8, + 0xa8, 0xd8, 0xde, 0xe5, 0x0d, 0x2b) +}; + +const QemuUUID EfiEventExitBootServicesGuid =3D { + .data =3D UUID_LE(0x27abF055, 0xb1b8, 0x4c26, 0x80, 0x48, + 0x74, 0x8F, 0x37, 0xba, 0xa2, 0xdF) +}; --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092642; cv=none; d=zohomail.com; s=zohoarc; b=BGDx4txZJNDd1friru+33twtT5yhFx0HVRRekqd4s5lkjYGulOmFgD4N+O+vhEW6fKDwNu/+NsK5LlIlZeMwwQ1RCQwxlQi62V3kxnQGUwF9lahGaLQKV1RbKj7Lnabxk62NvuTTqoHgW5BjgmYfC2Kc65pT/i6moEr50t13CuI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092642; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=2S0DT0tDH2d3TDCtB2It8VnLXLr3fsOtArZ9huPJxo4=; b=QPMve2W24ZYaKmBpQkuRAl4xFKYmuic2dfXpqYvdpQPXx9+1PlJ2vW1EjTCTCtEYGYYdHHUJt+RJJv8Ely77owvjJc2TJoOdYYwexlL3oTfX0JQlL4jX+sbzm7BoZYAl4lvvnyNpE/tkPyVuhhYO6+DwbxDk9WASu4JNcy0lDZk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092642838597.4480155341988; Tue, 4 Mar 2025 04:50:42 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRif-0005j5-A7; Tue, 04 Mar 2025 07:49:57 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhY-0004ju-Nf for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:49 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhW-0006lv-M9 for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:48 -0500 Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-444-eYZtMCKUNrqPeLNdmhWGEQ-1; Tue, 04 Mar 2025 07:48:31 -0500 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id CCC881944EB3; Tue, 4 Mar 2025 12:48:29 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id CD4971954B00; Tue, 4 Mar 2025 12:48:28 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 8A90E18003A0; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092526; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2S0DT0tDH2d3TDCtB2It8VnLXLr3fsOtArZ9huPJxo4=; b=EazL9t8D29Lx6nafSzUDgUbyZMrnAKZVK9K0qMGpS6Hy2ugRjJk44hYkUMz/FRmVcEwNlx qn3g56YxbuFrWa+sys4/++CdcJ5xyf0LR12Xju0XugJBz0RHu7hz/uW4XGtFY5lRLj86kI A3AU5wn9BogiyiqitIc8BwTIFqKbbvA= X-MC-Unique: eYZtMCKUNrqPeLNdmhWGEQ-1 X-Mimecast-MFC-AGG-ID: eYZtMCKUNrqPeLNdmhWGEQ_1741092509 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 06/24] hw/uefi: add var-service-utils.c Date: Tue, 4 Mar 2025 13:47:54 +0100 Message-ID: <20250304124815.591749-7-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092644939019100 Content-Type: text/plain; charset="utf-8" Add utility functions. Helpers for UEFI (ucs2) string handling. Helpers for readable trace messages. Compare UEFI time stamps. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-7-kraxel@redhat.com> --- hw/uefi/var-service-utils.c | 241 ++++++++++++++++++++++++++++++++++++ 1 file changed, 241 insertions(+) create mode 100644 hw/uefi/var-service-utils.c diff --git a/hw/uefi/var-service-utils.c b/hw/uefi/var-service-utils.c new file mode 100644 index 000000000000..c9ef46570f48 --- /dev/null +++ b/hw/uefi/var-service-utils.c @@ -0,0 +1,241 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - helper functions for ucs2 strings and tracing + */ +#include "qemu/osdep.h" +#include "system/dma.h" + +#include "hw/uefi/var-service.h" + +#include "trace/trace-hw_uefi.h" + +/* ------------------------------------------------------------------ */ + +/* + * string helper functions. + * + * Most of the time uefi ucs2 strings are NULL-terminated, except + * sometimes when they are not (for example in variable policies). + */ + +gboolean uefi_str_is_valid(const uint16_t *str, size_t len, + gboolean must_be_null_terminated) +{ + size_t pos =3D 0; + + for (;;) { + if (pos =3D=3D len) { + if (must_be_null_terminated) { + return false; + } else { + return true; + } + } + switch (str[pos]) { + case 0: + /* end of string */ + return true; + case 0xd800 ... 0xdfff: + /* reject surrogates */ + return false; + default: + /* char is good, check next */ + break; + } + pos++; + } +} + +size_t uefi_strlen(const uint16_t *str, size_t len) +{ + size_t pos =3D 0; + + for (;;) { + if (pos =3D=3D len) { + return pos; + } + if (str[pos] =3D=3D 0) { + return pos; + } + pos++; + } +} + +gboolean uefi_str_equal_ex(const uint16_t *a, size_t alen, + const uint16_t *b, size_t blen, + gboolean wildcards_in_a) +{ + size_t pos =3D 0; + + alen =3D alen / 2; + blen =3D blen / 2; + for (;;) { + if (pos =3D=3D alen && pos =3D=3D blen) { + return true; + } + if (pos =3D=3D alen && b[pos] =3D=3D 0) { + return true; + } + if (pos =3D=3D blen && a[pos] =3D=3D 0) { + return true; + } + if (pos =3D=3D alen || pos =3D=3D blen) { + return false; + } + if (a[pos] =3D=3D 0 && b[pos] =3D=3D 0) { + return true; + } + + if (wildcards_in_a && a[pos] =3D=3D '#') { + if (!isxdigit(b[pos])) { + return false; + } + } else { + if (a[pos] !=3D b[pos]) { + return false; + } + } + pos++; + } +} + +gboolean uefi_str_equal(const uint16_t *a, size_t alen, + const uint16_t *b, size_t blen) +{ + return uefi_str_equal_ex(a, alen, b, blen, false); +} + +char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_size) +{ + char *str =3D g_malloc0(ucs2_size / 2 + 1); + int i; + + for (i =3D 0; i * 2 < ucs2_size; i++) { + if (ucs2[i] =3D=3D 0) { + break; + } + if (ucs2[i] < 128) { + str[i] =3D ucs2[i]; + } else { + str[i] =3D '?'; + } + } + str[i] =3D 0; + return str; +} + +/* ------------------------------------------------------------------ */ +/* time helper functions */ + +int uefi_time_compare(efi_time *a, efi_time *b) +{ + if (a->year < b->year) { + return -1; + } + if (a->year > b->year) { + return 1; + } + + if (a->month < b->month) { + return -1; + } + if (a->month > b->month) { + return 1; + } + + if (a->day < b->day) { + return -1; + } + if (a->day > b->day) { + return 1; + } + + if (a->hour < b->hour) { + return -1; + } + if (a->hour > b->hour) { + return 1; + } + + if (a->minute < b->minute) { + return -1; + } + if (a->minute > b->minute) { + return 1; + } + + if (a->second < b->second) { + return -1; + } + if (a->second > b->second) { + return 1; + } + + if (a->nanosecond < b->nanosecond) { + return -1; + } + if (a->nanosecond > b->nanosecond) { + return 1; + } + + return 0; +} + +/* ------------------------------------------------------------------ */ +/* tracing helper functions */ + +void uefi_trace_variable(const char *action, QemuUUID guid, + const uint16_t *name, uint64_t name_size) +{ + QemuUUID be =3D qemu_uuid_bswap(guid); + char *str_uuid =3D qemu_uuid_unparse_strdup(&be); + char *str_name =3D uefi_ucs2_to_ascii(name, name_size); + + trace_uefi_variable(action, str_name, name_size, str_uuid); + + g_free(str_name); + g_free(str_uuid); +} + +void uefi_trace_status(const char *action, efi_status status) +{ + switch (status) { + case EFI_SUCCESS: + trace_uefi_status(action, "success"); + break; + case EFI_INVALID_PARAMETER: + trace_uefi_status(action, "invalid parameter"); + break; + case EFI_UNSUPPORTED: + trace_uefi_status(action, "unsupported"); + break; + case EFI_BAD_BUFFER_SIZE: + trace_uefi_status(action, "bad buffer size"); + break; + case EFI_BUFFER_TOO_SMALL: + trace_uefi_status(action, "buffer too small"); + break; + case EFI_WRITE_PROTECTED: + trace_uefi_status(action, "write protected"); + break; + case EFI_OUT_OF_RESOURCES: + trace_uefi_status(action, "out of resources"); + break; + case EFI_NOT_FOUND: + trace_uefi_status(action, "not found"); + break; + case EFI_ACCESS_DENIED: + trace_uefi_status(action, "access denied"); + break; + case EFI_ALREADY_STARTED: + trace_uefi_status(action, "already started"); + break; + case EFI_SECURITY_VIOLATION: + trace_uefi_status(action, "security violation"); + break; + default: + trace_uefi_status(action, "unknown error"); + break; + } +} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092751; cv=none; d=zohomail.com; s=zohoarc; b=GmQdDGTBVifEsHo7Zidl17ltDx8sGGd1Pj/n2FUz5a/zdQUB7xEiUbWZx1giQmqQgEgF+j4fVhq2xmT9WWDKvUJnKiaBHjogwhzTqCh9/Q2ZnZzHsovfWKHJnjcuzWUrVYodASPP3BDtb2lSJedonklUV6uFARb09nqESRlrUu4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092751; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=zWDljEzQh9kvu112X/0Kh5HIwOGin4sEZeIN27KQ9sg=; b=bRO2BZWFUoW2sOePSC/Dkrj2Ckwzhge63D5eTLh/9CuCFs3d+4VMljtaRXqAh+5HORnUMFZPJ1cpFCYiLwaiSOSMoCy2qByvpJGXk8uFf/oIsqy5weLMUUb40UCiVBnMw2Xc0y19A7uz9g6m1UVYXin20OBdKa7T9Y+o+LVUGW8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 174109275147927.92733178323374; Tue, 4 Mar 2025 04:52:31 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhf-0004rv-VQ; Tue, 04 Mar 2025 07:48:56 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhT-0004i6-74 for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:43 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhQ-0006kE-5o for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:42 -0500 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-672-N11TO3MgMAO7nsnphXuBGQ-1; Tue, 04 Mar 2025 07:48:31 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 941AE1944D29; Tue, 4 Mar 2025 12:48:29 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 0759A180087C; Tue, 4 Mar 2025 12:48:29 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 9DD1E18003A3; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092519; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zWDljEzQh9kvu112X/0Kh5HIwOGin4sEZeIN27KQ9sg=; b=IOvl9OY5pP0b+mu6q78YvhHiZJNYCule/1U9Ct1sPe2BB/DHBuWXHTW3LhDk97V0SfI8NU /RmgPWP+KQLj0EVKqNItaHez+noRMAdSLtUgnuApe7QTC3SCz2jYUyCMWvlm7paQGeIfqM 0nZUXAGua0ghqU37F3iJTP6OA4rzxM4= X-MC-Unique: N11TO3MgMAO7nsnphXuBGQ-1 X-Mimecast-MFC-AGG-ID: N11TO3MgMAO7nsnphXuBGQ_1741092509 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 07/24] hw/uefi: add var-service-vars.c Date: Tue, 4 Mar 2025 13:47:55 +0100 Message-ID: <20250304124815.591749-8-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092752036019000 Content-Type: text/plain; charset="utf-8" This is the uefi variable service (EfiSmmVariableProtocol), providing functions for listing, reading and updating variables. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-8-kraxel@redhat.com> --- hw/uefi/var-service-vars.c | 725 +++++++++++++++++++++++++++++++++++++ 1 file changed, 725 insertions(+) create mode 100644 hw/uefi/var-service-vars.c diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c new file mode 100644 index 000000000000..7f98d77a38d1 --- /dev/null +++ b/hw/uefi/var-service-vars.c @@ -0,0 +1,725 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - EfiSmmVariableProtocol implementation + */ +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "system/dma.h" +#include "migration/vmstate.h" + +#include "hw/uefi/var-service.h" +#include "hw/uefi/var-service-api.h" +#include "hw/uefi/var-service-edk2.h" + +#include "trace/trace-hw_uefi.h" + +#define EFI_VARIABLE_ATTRIBUTE_SUPPORTED \ + (EFI_VARIABLE_NON_VOLATILE | \ + EFI_VARIABLE_BOOTSERVICE_ACCESS | \ + EFI_VARIABLE_RUNTIME_ACCESS | \ + EFI_VARIABLE_HARDWARE_ERROR_RECORD | \ + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | \ + EFI_VARIABLE_APPEND_WRITE) + + +const VMStateDescription vmstate_uefi_time =3D { + .name =3D "uefi-time", + .fields =3D (VMStateField[]) { + VMSTATE_UINT16(year, efi_time), + VMSTATE_UINT8(month, efi_time), + VMSTATE_UINT8(day, efi_time), + VMSTATE_UINT8(hour, efi_time), + VMSTATE_UINT8(minute, efi_time), + VMSTATE_UINT8(second, efi_time), + VMSTATE_UINT32(nanosecond, efi_time), + VMSTATE_END_OF_LIST() + }, +}; + +const VMStateDescription vmstate_uefi_variable =3D { + .name =3D "uefi-variable", + .fields =3D (VMStateField[]) { + VMSTATE_UINT8_ARRAY_V(guid.data, uefi_variable, sizeof(QemuUUID), = 0), + VMSTATE_UINT32(name_size, uefi_variable), + VMSTATE_UINT32(data_size, uefi_variable), + VMSTATE_UINT32(attributes, uefi_variable), + VMSTATE_VBUFFER_ALLOC_UINT32(name, uefi_variable, 0, NULL, name_si= ze), + VMSTATE_VBUFFER_ALLOC_UINT32(data, uefi_variable, 0, NULL, data_si= ze), + VMSTATE_STRUCT(time, uefi_variable, 0, vmstate_uefi_time, efi_time= ), + VMSTATE_END_OF_LIST() + }, +}; + +uefi_variable *uefi_vars_find_variable(uefi_vars_state *uv, QemuUUID guid, + const uint16_t *name, uint64_t name= _size) +{ + uefi_variable *var; + + QTAILQ_FOREACH(var, &uv->variables, next) { + if (!uefi_str_equal(var->name, var->name_size, + name, name_size)) { + continue; + } + if (!qemu_uuid_is_equal(&var->guid, &guid)) { + continue; + } + if (!var->data_size) { + /* in process of being created/updated */ + continue; + } + return var; + } + return NULL; +} + +static uefi_variable *add_variable(uefi_vars_state *uv, QemuUUID guid, + const uint16_t *name, uint64_t name_siz= e, + uint32_t attributes) +{ + uefi_variable *var; + + var =3D g_new0(uefi_variable, 1); + var->guid =3D guid; + var->name =3D g_malloc(name_size); + memcpy(var->name, name, name_size); + var->name_size =3D name_size; + var->attributes =3D attributes; + + var->attributes &=3D ~EFI_VARIABLE_APPEND_WRITE; + + QTAILQ_INSERT_TAIL(&uv->variables, var, next); + return var; +} + +static void del_variable(uefi_vars_state *uv, uefi_variable *var) +{ + if (!var) { + return; + } + + QTAILQ_REMOVE(&uv->variables, var, next); + g_free(var->data); + g_free(var->name); + g_free(var->digest); + g_free(var); +} + +static size_t variable_size(uefi_variable *var) +{ + size_t size; + + size =3D sizeof(*var); + size +=3D var->name_size; + size +=3D var->data_size; + size +=3D var->digest_size; + return size; +} + +void uefi_vars_set_variable(uefi_vars_state *uv, QemuUUID guid, + const uint16_t *name, uint64_t name_size, + uint32_t attributes, + void *data, uint64_t data_size) +{ + uefi_variable *old_var, *new_var; + + uefi_trace_variable(__func__, guid, name, name_size); + + old_var =3D uefi_vars_find_variable(uv, guid, name, name_size); + if (old_var) { + uv->used_storage -=3D variable_size(old_var); + del_variable(uv, old_var); + } + + new_var =3D add_variable(uv, guid, name, name_size, attributes); + new_var->data =3D g_malloc(data_size); + new_var->data_size =3D data_size; + memcpy(new_var->data, data, data_size); + uv->used_storage +=3D variable_size(new_var); +} + +void uefi_vars_clear_volatile(uefi_vars_state *uv) +{ + uefi_variable *var, *n; + + QTAILQ_FOREACH_SAFE(var, &uv->variables, next, n) { + if (var->attributes & EFI_VARIABLE_NON_VOLATILE) { + continue; + } + uv->used_storage -=3D variable_size(var); + del_variable(uv, var); + } +} + +void uefi_vars_clear_all(uefi_vars_state *uv) +{ + uefi_variable *var, *n; + + QTAILQ_FOREACH_SAFE(var, &uv->variables, next, n) { + del_variable(uv, var); + } + uv->used_storage =3D 0; +} + +void uefi_vars_update_storage(uefi_vars_state *uv) +{ + uefi_variable *var; + + uv->used_storage =3D 0; + QTAILQ_FOREACH(var, &uv->variables, next) { + uv->used_storage +=3D variable_size(var); + } +} + +static gboolean check_access(uefi_vars_state *uv, uefi_variable *var) +{ + if (!uv->exit_boot_service) { + if (!(var->attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS)) { + return false; + } + } else { + if (!(var->attributes & EFI_VARIABLE_RUNTIME_ACCESS)) { + return false; + } + } + return true; +} + +static efi_status check_update(uefi_vars_state *uv, uefi_variable *old_var, + uefi_variable *new_var) +{ + efi_status status; + + if (old_var) { + if (!check_access(uv, old_var)) { + return EFI_ACCESS_DENIED; + } + } + + if (new_var) { + if (new_var->attributes & ~EFI_VARIABLE_ATTRIBUTE_SUPPORTED) { + return EFI_UNSUPPORTED; + } + if (!check_access(uv, new_var)) { + return EFI_ACCESS_DENIED; + } + } + + if (old_var && new_var) { + if (old_var->attributes !=3D new_var->attributes) { + return EFI_INVALID_PARAMETER; + } + } + + if (new_var) { + /* create + update */ + status =3D uefi_vars_policy_check(uv, new_var, old_var =3D=3D NULL= ); + } else { + /* delete */ + g_assert(old_var); + status =3D uefi_vars_policy_check(uv, old_var, false); + } + if (status !=3D EFI_SUCCESS) { + return status; + } + + status =3D uefi_vars_check_secure_boot(uv, new_var ?: old_var); + if (status !=3D EFI_SUCCESS) { + return status; + } + + return EFI_SUCCESS; +} + +static void append_write(uefi_variable *old_var, + uefi_variable *new_var) +{ + uefi_vars_siglist siglist; + uint64_t size; + void *data; + + uefi_vars_siglist_init(&siglist); + uefi_vars_siglist_parse(&siglist, old_var->data, old_var->data_size); + uefi_vars_siglist_parse(&siglist, new_var->data, new_var->data_size); + + size =3D uefi_vars_siglist_blob_size(&siglist); + data =3D g_malloc(size); + uefi_vars_siglist_blob_generate(&siglist, data, size); + + g_free(new_var->data); + new_var->data =3D data; + new_var->data_size =3D size; + + uefi_vars_siglist_free(&siglist); +} + +static size_t uefi_vars_mm_error(mm_header *mhdr, mm_variable *mvar, + uint64_t status) +{ + mvar->status =3D status; + return sizeof(*mvar); +} + +static size_t uefi_vars_mm_get_variable(uefi_vars_state *uv, mm_header *mh= dr, + mm_variable *mvar, void *func) +{ + mm_variable_access *va =3D func; + uint16_t *name; + void *data; + uefi_variable *var; + uint64_t length; + + length =3D sizeof(*mvar) + sizeof(*va); + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + if (va->name_size > uv->max_storage || + va->data_size > uv->max_storage) { + return uefi_vars_mm_error(mhdr, mvar, EFI_OUT_OF_RESOURCES); + } + + name =3D func + sizeof(*va); + if (uadd64_overflow(length, va->name_size, &length)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + if (!uefi_str_is_valid(name, va->name_size, true)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_INVALID_PARAMETER); + } + + uefi_trace_variable(__func__, va->guid, name, va->name_size); + + var =3D uefi_vars_find_variable(uv, va->guid, name, va->name_size); + if (!var) { + return uefi_vars_mm_error(mhdr, mvar, EFI_NOT_FOUND); + } + + /* check permissions etc. */ + if (!check_access(uv, var)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_ACCESS_DENIED); + } + + data =3D func + sizeof(*va) + va->name_size; + if (uadd64_overflow(length, va->data_size, &length)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + if (uv->buf_size < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + va->attributes =3D var->attributes; + if (va->data_size < var->data_size) { + va->data_size =3D var->data_size; + length -=3D va->data_size; + mvar->status =3D EFI_BUFFER_TOO_SMALL; + } else { + va->data_size =3D var->data_size; + memcpy(data, var->data, var->data_size); + mvar->status =3D EFI_SUCCESS; + } + return length; +} + +static size_t +uefi_vars_mm_get_next_variable(uefi_vars_state *uv, mm_header *mhdr, + mm_variable *mvar, void *func) +{ + mm_next_variable *nv =3D func; + uefi_variable *var; + uint16_t *name; + uint64_t length; + + length =3D sizeof(*mvar) + sizeof(*nv); + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + if (nv->name_size > uv->max_storage) { + return uefi_vars_mm_error(mhdr, mvar, EFI_OUT_OF_RESOURCES); + } + + name =3D func + sizeof(*nv); + if (uadd64_overflow(length, nv->name_size, &length)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + if (!uefi_str_is_valid(name, nv->name_size, true)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_INVALID_PARAMETER); + } + + if (uefi_strlen(name, nv->name_size) =3D=3D 0) { + /* empty string -> first */ + var =3D QTAILQ_FIRST(&uv->variables); + if (!var) { + return uefi_vars_mm_error(mhdr, mvar, EFI_NOT_FOUND); + } + } else { + var =3D uefi_vars_find_variable(uv, nv->guid, name, nv->name_size); + if (!var) { + return uefi_vars_mm_error(mhdr, mvar, EFI_INVALID_PARAMETER); + } + do { + var =3D QTAILQ_NEXT(var, next); + } while (var && !check_access(uv, var)); + if (!var) { + return uefi_vars_mm_error(mhdr, mvar, EFI_NOT_FOUND); + } + } + + length =3D sizeof(*mvar) + sizeof(*nv) + var->name_size; + if (uv->buf_size < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + nv->guid =3D var->guid; + nv->name_size =3D var->name_size; + memcpy(name, var->name, var->name_size); + mvar->status =3D EFI_SUCCESS; + return length; +} + +static bool uefi_vars_mm_digest_compare(uefi_variable *old_var, + uefi_variable *new_var) +{ + if (!old_var->digest || + !new_var->digest || + !old_var->digest_size || + !new_var->digest_size) { + /* should not happen */ + trace_uefi_vars_security_violation("inconsistent authvar digest st= ate"); + return false; + } + if (old_var->digest_size !=3D new_var->digest_size) { + trace_uefi_vars_security_violation("authvar digest size mismatch"); + return false; + } + if (memcmp(old_var->digest, new_var->digest, + old_var->digest_size) !=3D 0) { + trace_uefi_vars_security_violation("authvar digest data mismatch"); + return false; + } + return true; +} + +static size_t uefi_vars_mm_set_variable(uefi_vars_state *uv, mm_header *mh= dr, + mm_variable *mvar, void *func) +{ + mm_variable_access *va =3D func; + uint32_t attributes =3D 0; + uint16_t *name; + void *data; + uefi_variable *old_var, *new_var; + uint64_t length; + size_t new_storage; + efi_status status; + + length =3D sizeof(*mvar) + sizeof(*va); + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + if (va->name_size > uv->max_storage || + va->data_size > uv->max_storage) { + return uefi_vars_mm_error(mhdr, mvar, EFI_OUT_OF_RESOURCES); + } + + name =3D func + sizeof(*va); + if (uadd64_overflow(length, va->name_size, &length)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + data =3D func + sizeof(*va) + va->name_size; + if (uadd64_overflow(length, va->data_size, &length)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + g_assert(va->name_size < G_MAXUINT32); + g_assert(va->data_size < G_MAXUINT32); + + if (!uefi_str_is_valid(name, va->name_size, true)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_INVALID_PARAMETER); + } + + uefi_trace_variable(__func__, va->guid, name, va->name_size); + + old_var =3D uefi_vars_find_variable(uv, va->guid, name, va->name_size); + if (va->data_size) { + new_var =3D add_variable(uv, va->guid, name, va->name_size, + va->attributes); + if (va->attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) { + /* not implemented (deprecated in uefi spec) */ + warn_report("%s: AUTHENTICATED_WRITE_ACCESS", __func__); + mvar->status =3D EFI_UNSUPPORTED; + goto rollback; + } else if (va->attributes & + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) { + status =3D uefi_vars_check_auth_2(uv, new_var, va, data); + if (status !=3D EFI_SUCCESS) { + mvar->status =3D status; + goto rollback; + } + if (old_var && new_var) { + if (uefi_time_compare(&old_var->time, &new_var->time) > 0)= { + trace_uefi_vars_security_violation("time check failed"= ); + mvar->status =3D EFI_SECURITY_VIOLATION; + goto rollback; + } + if (old_var->digest_size || new_var->digest_size) { + if (!uefi_vars_mm_digest_compare(old_var, new_var)) { + mvar->status =3D EFI_SECURITY_VIOLATION; + goto rollback; + } + } + } + } else { + new_var->data =3D g_malloc(va->data_size); + memcpy(new_var->data, data, va->data_size); + new_var->data_size =3D va->data_size; + } + if (!new_var->data) { + /* we land here when deleting authenticated variables */ + del_variable(uv, new_var); + new_var =3D NULL; + } + } else { + new_var =3D NULL; + } + + if (!old_var && !new_var) { + /* delete non-existing variable -> nothing to do */ + mvar->status =3D EFI_SUCCESS; + return sizeof(*mvar); + } + + /* check permissions etc. */ + status =3D check_update(uv, old_var, new_var); + if (status !=3D EFI_SUCCESS) { + mvar->status =3D status; + goto rollback; + } + + if (va->attributes & EFI_VARIABLE_APPEND_WRITE && old_var && new_var) { + /* merge signature databases */ + if (!uefi_vars_is_sb_any(new_var)) { + mvar->status =3D EFI_UNSUPPORTED; + goto rollback; + } + append_write(old_var, new_var); + } + + /* check storage space */ + new_storage =3D uv->used_storage; + if (old_var) { + new_storage -=3D variable_size(old_var); + } + if (new_var) { + new_storage +=3D variable_size(new_var); + } + if (new_storage > uv->max_storage) { + mvar->status =3D EFI_OUT_OF_RESOURCES; + goto rollback; + } + + attributes =3D new_var + ? new_var->attributes + : old_var->attributes; + + /* all good, commit */ + del_variable(uv, old_var); + uv->used_storage =3D new_storage; + + if (attributes & EFI_VARIABLE_NON_VOLATILE) { + uefi_vars_json_save(uv); + } + + if (new_var && uefi_vars_is_sb_pk(new_var)) { + uefi_vars_auth_init(uv); + } + + mvar->status =3D EFI_SUCCESS; + return sizeof(*mvar); + +rollback: + del_variable(uv, new_var); + return sizeof(*mvar); +} + +static size_t uefi_vars_mm_variable_info(uefi_vars_state *uv, mm_header *m= hdr, + mm_variable *mvar, void *func) +{ + mm_variable_info *vi =3D func; + uint64_t length; + + length =3D sizeof(*mvar) + sizeof(*vi); + if (uv->buf_size < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + vi->max_storage_size =3D uv->max_storage; + vi->free_storage_size =3D uv->max_storage - uv->used_storage; + vi->max_variable_size =3D uv->max_storage >> 2; + vi->attributes =3D 0; + + mvar->status =3D EFI_SUCCESS; + return length; +} + +static size_t +uefi_vars_mm_get_payload_size(uefi_vars_state *uv, mm_header *mhdr, + mm_variable *mvar, void *func) +{ + mm_get_payload_size *ps =3D func; + uint64_t length; + + length =3D sizeof(*mvar) + sizeof(*ps); + if (uv->buf_size < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + ps->payload_size =3D uv->buf_size; + mvar->status =3D EFI_SUCCESS; + return length; +} + +static size_t +uefi_vars_mm_lock_variable(uefi_vars_state *uv, mm_header *mhdr, + mm_variable *mvar, void *func) +{ + mm_lock_variable *lv =3D func; + variable_policy_entry *pe; + uint16_t *name, *dest; + uint64_t length; + + length =3D sizeof(*mvar) + sizeof(*lv); + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + name =3D func + sizeof(*lv); + if (uadd64_overflow(length, lv->name_size, &length)) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + if (mhdr->length < length) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } + + uefi_trace_variable(__func__, lv->guid, name, lv->name_size); + + pe =3D g_malloc0(sizeof(*pe) + lv->name_size); + pe->version =3D VARIABLE_POLICY_ENTRY_REVISION; + pe->size =3D sizeof(*pe) + lv->name_size; + pe->offset_to_name =3D sizeof(*pe); + pe->namespace =3D lv->guid; + pe->min_size =3D 0; + pe->max_size =3D UINT32_MAX; + pe->attributes_must_have =3D 0; + pe->attributes_cant_have =3D 0; + pe->lock_policy_type =3D VARIABLE_POLICY_TYPE_LOCK_NOW; + + dest =3D (void *)pe + pe->offset_to_name; + memcpy(dest, name, lv->name_size); + + uefi_vars_add_policy(uv, pe); + g_free(pe); + + mvar->status =3D EFI_SUCCESS; + return length; +} + +uint32_t uefi_vars_mm_vars_proto(uefi_vars_state *uv) +{ + static const char *fnames[] =3D { + "zero", + "get-variable", + "get-next-variable-name", + "set-variable", + "query-variable-info", + "ready-to-boot", + "exit-boot-service", + "get-statistics", + "lock-variable", + "var-check-prop-set", + "var-check-prop-get", + "get-payload-size", + "init-runtime-cache-contect", + "sync-runtime-cache", + "get-runtime-cache-info", + }; + const char *fname; + uint64_t length; + + mm_header *mhdr =3D (mm_header *) uv->buffer; + mm_variable *mvar =3D (mm_variable *) (uv->buffer + sizeof(*mhdr)); + void *func =3D (uv->buffer + sizeof(*mhdr) + sizeof(*mvar)); + + if (mhdr->length < sizeof(*mvar)) { + return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE; + } + + fname =3D mvar->function < ARRAY_SIZE(fnames) + ? fnames[mvar->function] + : "unknown"; + trace_uefi_vars_proto_cmd(fname); + + switch (mvar->function) { + case SMM_VARIABLE_FUNCTION_GET_VARIABLE: + length =3D uefi_vars_mm_get_variable(uv, mhdr, mvar, func); + break; + + case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME: + length =3D uefi_vars_mm_get_next_variable(uv, mhdr, mvar, func); + break; + + case SMM_VARIABLE_FUNCTION_SET_VARIABLE: + length =3D uefi_vars_mm_set_variable(uv, mhdr, mvar, func); + break; + + case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO: + length =3D uefi_vars_mm_variable_info(uv, mhdr, mvar, func); + break; + + case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE: + length =3D uefi_vars_mm_lock_variable(uv, mhdr, mvar, func); + break; + + case SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE: + length =3D uefi_vars_mm_get_payload_size(uv, mhdr, mvar, func); + break; + + case SMM_VARIABLE_FUNCTION_READY_TO_BOOT: + trace_uefi_event("ready-to-boot"); + uv->ready_to_boot =3D true; + length =3D 0; + break; + + case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE: + trace_uefi_event("exit-boot-service"); + uv->exit_boot_service =3D true; + length =3D 0; + break; + + default: + length =3D uefi_vars_mm_error(mhdr, mvar, EFI_UNSUPPORTED); + break; + } + + if (mhdr->length < length) { + mvar->status =3D EFI_BUFFER_TOO_SMALL; + } + + uefi_trace_status(__func__, mvar->status); + return UEFI_VARS_STS_SUCCESS; +} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092683; cv=none; d=zohomail.com; s=zohoarc; b=dPK3nIxgwW+v6Wmnuv1eJWO2sUWMAhvUFRKbbbQ/kdKmGSw0ulEPNamGZowBCWVf/tiV4uy2KpGsoSNnSQkBJyq0wmrCdPhJd0GZYNZnMtfrVIEJ+GmEU1YwzXmsFjGjIyQtolEKYFZvzqu4nZ8SN7ynqKDtgs9d/A4DH1EF+sQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092683; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=KyL34CqJfDPMQJo2Yb1bInoaRtFAbLbBYP6iMKLk01c=; b=EHUqJRX0rgn0amdZoqUI+YyjtxF9gJ1Xr1Tt8qFjLnapofAy/bDLgye5D9xCv0BuNJRZU/XvuNmo7dAcaEOz5AnPYgSZZrX+IvqWOQveNuKuwMwl2+FoovGJOlxZ41SU2RdBkzNpgiPh+bNaMtKh+uxfzV7/sJh05nWGyWJ8zss= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092683352554.5344179953651; Tue, 4 Mar 2025 04:51:23 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhf-0004r4-NX; Tue, 04 Mar 2025 07:48:55 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhR-0004gm-N8 for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:41 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhO-0006jq-7W for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:41 -0500 Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-148-EDcbei5JOxuftN3wDI-7ag-1; Tue, 04 Mar 2025 07:48:34 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id D37B5190ECDF; Tue, 4 Mar 2025 12:48:32 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 23A3C1800947; Tue, 4 Mar 2025 12:48:32 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id AEDC718003A5; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092517; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KyL34CqJfDPMQJo2Yb1bInoaRtFAbLbBYP6iMKLk01c=; b=XfZex0RQjOapykBf11bQEI0A6Ki5vyoPAIFREVINMhgpkZucF+0GCwsZtCHDWoyg3S6SKy D1Dd5pLjIjI0NqlxQdaCLuApaE44f0OzradGdHeB/+98t/HETrmKA5JMtKtS6oUUVYfGPh xhJT5+628WQ/6GJUV1AEn10AUdSD4MA= X-MC-Unique: EDcbei5JOxuftN3wDI-7ag-1 X-Mimecast-MFC-AGG-ID: EDcbei5JOxuftN3wDI-7ag_1741092513 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 08/24] hw/uefi: add var-service-auth.c Date: Tue, 4 Mar 2025 13:47:56 +0100 Message-ID: <20250304124815.591749-9-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092684929019100 Content-Type: text/plain; charset="utf-8" This implements authenticated variable handling (see AuthVariableLib in edk2). The by far most common use case for auth variables is secure boot. The secure boot certificate databases ('PK', 'KEK', 'db' and 'dbx') are authenticated variables, with update rules being specified in the UEFI specification. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-9-kraxel@redhat.com> --- hw/uefi/var-service-auth.c | 361 +++++++++++++++++++++++++++++++++++++ 1 file changed, 361 insertions(+) create mode 100644 hw/uefi/var-service-auth.c diff --git a/hw/uefi/var-service-auth.c b/hw/uefi/var-service-auth.c new file mode 100644 index 000000000000..fba5a0956a57 --- /dev/null +++ b/hw/uefi/var-service-auth.c @@ -0,0 +1,361 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - AuthVariableLib + */ + +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "system/dma.h" + +#include "hw/uefi/var-service.h" + +static const uint16_t name_pk[] =3D u"PK"; +static const uint16_t name_kek[] =3D u"KEK"; +static const uint16_t name_db[] =3D u"db"; +static const uint16_t name_dbx[] =3D u"dbx"; +static const uint16_t name_setup_mode[] =3D u"SetupMode"; +static const uint16_t name_sigs_support[] =3D u"SignatureSupport"; +static const uint16_t name_sb[] =3D u"SecureBoot"; +static const uint16_t name_sb_enable[] =3D u"SecureBootEnable"; +static const uint16_t name_custom_mode[] =3D u"CustomMode"; +static const uint16_t name_vk[] =3D u"VendorKeys"; +static const uint16_t name_vk_nv[] =3D u"VendorKeysNv"; + +static const uint32_t sigdb_attrs =3D + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + +static void set_secure_boot(uefi_vars_state *uv, uint8_t sb) +{ + uefi_vars_set_variable(uv, EfiGlobalVariable, + name_sb, sizeof(name_sb), + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + &sb, sizeof(sb)); +} + +static void set_secure_boot_enable(uefi_vars_state *uv, uint8_t sbe) +{ + uefi_vars_set_variable(uv, EfiSecureBootEnableDisable, + name_sb_enable, sizeof(name_sb_enable), + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + &sbe, sizeof(sbe)); +} + +static void set_setup_mode(uefi_vars_state *uv, uint8_t sm) +{ + uefi_vars_set_variable(uv, EfiGlobalVariable, + name_setup_mode, sizeof(name_setup_mode), + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + &sm, sizeof(sm)); +} + +static void set_custom_mode(uefi_vars_state *uv, uint8_t cm) +{ + uefi_vars_set_variable(uv, EfiCustomModeEnable, + name_custom_mode, sizeof(name_custom_mode), + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + &cm, sizeof(cm)); +} + +static void set_signature_support(uefi_vars_state *uv) +{ + QemuUUID sigs_support[5]; + + sigs_support[0] =3D EfiCertSha256Guid; + sigs_support[1] =3D EfiCertSha384Guid; + sigs_support[2] =3D EfiCertSha512Guid; + sigs_support[3] =3D EfiCertRsa2048Guid; + sigs_support[4] =3D EfiCertX509Guid; + + uefi_vars_set_variable(uv, EfiGlobalVariable, + name_sigs_support, sizeof(name_sigs_support), + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + sigs_support, sizeof(sigs_support)); +} + +static bool setup_mode_is_active(uefi_vars_state *uv) +{ + uefi_variable *var; + uint8_t *value; + + var =3D uefi_vars_find_variable(uv, EfiGlobalVariable, + name_setup_mode, sizeof(name_setup_mode)= ); + if (var) { + value =3D var->data; + if (value[0] =3D=3D SETUP_MODE) { + return true; + } + } + return false; +} + +static bool custom_mode_is_active(uefi_vars_state *uv) +{ + uefi_variable *var; + uint8_t *value; + + var =3D uefi_vars_find_variable(uv, EfiCustomModeEnable, + name_custom_mode, sizeof(name_custom_mod= e)); + if (var) { + value =3D var->data; + if (value[0] =3D=3D CUSTOM_SECURE_BOOT_MODE) { + return true; + } + } + return false; +} + +bool uefi_vars_is_sb_pk(uefi_variable *var) +{ + if (qemu_uuid_is_equal(&var->guid, &EfiGlobalVariable) && + uefi_str_equal(var->name, var->name_size, name_pk, sizeof(name_pk)= )) { + return true; + } + return false; +} + +static bool uefi_vars_is_sb_kek(uefi_variable *var) +{ + if (qemu_uuid_is_equal(&var->guid, &EfiGlobalVariable) && + uefi_str_equal(var->name, var->name_size, name_kek, sizeof(name_ke= k))) { + return true; + } + return false; +} + +static bool uefi_vars_is_sb_db(uefi_variable *var) +{ + if (!qemu_uuid_is_equal(&var->guid, &EfiImageSecurityDatabase)) { + return false; + } + if (uefi_str_equal(var->name, var->name_size, name_db, sizeof(name_db)= )) { + return true; + } + if (uefi_str_equal(var->name, var->name_size, name_dbx, sizeof(name_db= x))) { + return true; + } + return false; +} + +bool uefi_vars_is_sb_any(uefi_variable *var) +{ + if (uefi_vars_is_sb_pk(var) || + uefi_vars_is_sb_kek(var) || + uefi_vars_is_sb_db(var)) { + return true; + } + return false; +} + +static uefi_variable *uefi_vars_find_siglist(uefi_vars_state *uv, + uefi_variable *var) +{ + if (uefi_vars_is_sb_pk(var)) { + return uefi_vars_find_variable(uv, EfiGlobalVariable, + name_pk, sizeof(name_pk)); + } + if (uefi_vars_is_sb_kek(var)) { + return uefi_vars_find_variable(uv, EfiGlobalVariable, + name_pk, sizeof(name_pk)); + } + if (uefi_vars_is_sb_db(var)) { + return uefi_vars_find_variable(uv, EfiGlobalVariable, + name_kek, sizeof(name_kek)); + } + + return NULL; +} + +static efi_status uefi_vars_check_auth_2_sb(uefi_vars_state *uv, + uefi_variable *var, + mm_variable_access *va, + void *data, + uint64_t data_offset) +{ + variable_auth_2 *auth =3D data; + uefi_variable *siglist; + + if (custom_mode_is_active(uv)) { + /* no authentication in custom mode */ + return EFI_SUCCESS; + } + + if (setup_mode_is_active(uv) && !uefi_vars_is_sb_pk(var)) { + /* no authentication in setup mode (except PK) */ + return EFI_SUCCESS; + } + + if (auth->hdr_length =3D=3D 24) { + /* no signature (auth->cert_data is empty) */ + return EFI_SECURITY_VIOLATION; + } + + siglist =3D uefi_vars_find_siglist(uv, var); + if (!siglist && setup_mode_is_active(uv) && uefi_vars_is_sb_pk(var)) { + /* check PK is self-signed */ + uefi_variable tmp =3D { + .guid =3D EfiGlobalVariable, + .name =3D (uint16_t *)name_pk, + .name_size =3D sizeof(name_pk), + .attributes =3D sigdb_attrs, + .data =3D data + data_offset, + .data_size =3D va->data_size - data_offset, + }; + return uefi_vars_check_pkcs7_2(&tmp, NULL, NULL, va, data); + } + + return uefi_vars_check_pkcs7_2(siglist, NULL, NULL, va, data); +} + +efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var, + mm_variable_access *va, void *data) +{ + variable_auth_2 *auth =3D data; + uint64_t data_offset; + efi_status status; + + if (va->data_size < sizeof(*auth)) { + return EFI_SECURITY_VIOLATION; + } + if (uadd64_overflow(sizeof(efi_time), auth->hdr_length, &data_offset))= { + return EFI_SECURITY_VIOLATION; + } + if (va->data_size < data_offset) { + return EFI_SECURITY_VIOLATION; + } + + if (auth->hdr_revision !=3D 0x0200 || + auth->hdr_cert_type !=3D WIN_CERT_TYPE_EFI_GUID || + !qemu_uuid_is_equal(&auth->guid_cert_type, &EfiCertTypePkcs7Guid))= { + return EFI_UNSUPPORTED; + } + + if (uefi_vars_is_sb_any(var)) { + /* secure boot variables */ + status =3D uefi_vars_check_auth_2_sb(uv, var, va, data, data_offse= t); + if (status !=3D EFI_SUCCESS) { + return status; + } + } else { + /* other authenticated variables */ + status =3D uefi_vars_check_pkcs7_2(NULL, + &var->digest, &var->digest_size, + va, data); + if (status !=3D EFI_SUCCESS) { + return status; + } + } + + /* checks passed, set variable data */ + var->time =3D auth->timestamp; + if (va->data_size - data_offset > 0) { + var->data =3D g_malloc(va->data_size - data_offset); + memcpy(var->data, data + data_offset, va->data_size - data_offset); + var->data_size =3D va->data_size - data_offset; + } + + return EFI_SUCCESS; +} + +efi_status uefi_vars_check_secure_boot(uefi_vars_state *uv, uefi_variable = *var) +{ + uint8_t *value =3D var->data; + + if (uefi_vars_is_sb_any(var)) { + if (var->attributes !=3D sigdb_attrs) { + return EFI_INVALID_PARAMETER; + } + } + + /* reject SecureBootEnable updates if force_secure_boot is set */ + if (qemu_uuid_is_equal(&var->guid, &EfiSecureBootEnableDisable) && + uefi_str_equal(var->name, var->name_size, + name_sb_enable, sizeof(name_sb_enable)) && + uv->force_secure_boot && + value[0] !=3D SECURE_BOOT_ENABLE) { + return EFI_WRITE_PROTECTED; + } + + /* reject CustomMode updates if disable_custom_mode is set */ + if (qemu_uuid_is_equal(&var->guid, &EfiCustomModeEnable) && + uefi_str_equal(var->name, var->name_size, + name_custom_mode, sizeof(name_custom_mode)) && + uv->disable_custom_mode) { + return EFI_WRITE_PROTECTED; + } + + return EFI_SUCCESS; +} + +/* AuthVariableLibInitialize */ +void uefi_vars_auth_init(uefi_vars_state *uv) +{ + uefi_variable *pk_var, *sbe_var; + uint8_t platform_mode, sb, sbe, vk; + + /* SetupMode */ + pk_var =3D uefi_vars_find_variable(uv, EfiGlobalVariable, + name_pk, sizeof(name_pk)); + if (!pk_var) { + platform_mode =3D SETUP_MODE; + } else { + platform_mode =3D USER_MODE; + } + set_setup_mode(uv, platform_mode); + + /* SignatureSupport */ + set_signature_support(uv); + + /* SecureBootEnable */ + sbe =3D SECURE_BOOT_DISABLE; + sbe_var =3D uefi_vars_find_variable(uv, EfiSecureBootEnableDisable, + name_sb_enable, sizeof(name_sb_enabl= e)); + if (sbe_var) { + if (platform_mode =3D=3D USER_MODE) { + sbe =3D ((uint8_t *)sbe_var->data)[0]; + } + } else if (platform_mode =3D=3D USER_MODE) { + sbe =3D SECURE_BOOT_ENABLE; + set_secure_boot_enable(uv, sbe); + } + + if (uv->force_secure_boot && sbe !=3D SECURE_BOOT_ENABLE) { + sbe =3D SECURE_BOOT_ENABLE; + set_secure_boot_enable(uv, sbe); + } + + /* SecureBoot */ + if ((sbe =3D=3D SECURE_BOOT_ENABLE) && (platform_mode =3D=3D USER_MODE= )) { + sb =3D SECURE_BOOT_MODE_ENABLE; + } else { + sb =3D SECURE_BOOT_MODE_DISABLE; + } + set_secure_boot(uv, sb); + + /* CustomMode */ + set_custom_mode(uv, STANDARD_SECURE_BOOT_MODE); + + vk =3D 0; + uefi_vars_set_variable(uv, EfiGlobalVariable, + name_vk_nv, sizeof(name_vk_nv), + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACC= ESS, + &vk, sizeof(vk)); + uefi_vars_set_variable(uv, EfiGlobalVariable, + name_vk, sizeof(name_vk), + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + &vk, sizeof(vk)); + + /* flush to disk */ + uefi_vars_json_save(uv); +} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092626; cv=none; d=zohomail.com; s=zohoarc; b=Gb2vFlg0Q9FOBQ2GKL+/b+Xy+cM7FOHgex4IOwTIjuBv/3q3P+fcI2ueLh0bAtl+4VsQcL01Jimrt4vvsSqCAvBwOrBjDV35NxIcCLdBCY6EYN/0501tRvctOONvQTIyPPB5NbL0AENW+4M/gdbs4vfwJwiJ5wZOBWQwDzT1wd8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092626; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=nEp0wa7kN8TqmuXz9IZBz+esr3YO5CC4s+LaE6AJniI=; b=VWa0ZHRRzs7OCTT/R+3Ur1pCZArwVshtX4YIWMdSJeBm5E03LlEelU5J8gH+q4mWfcxpBdYNAyELwTYJMm/y5IEAFjY3Ru3DvHloiUI18KQJOtIQHsrPbNgBPID/THMbHDP2YkqpdIB7KrvCWq8InOq8NYKMyAJDwmlIRdp7/U4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 174109262685597.28724390370894; Tue, 4 Mar 2025 04:50:26 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRid-0005cZ-JJ; Tue, 04 Mar 2025 07:49:56 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhb-0004nj-HF for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:51 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhX-0006mN-U3 for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:50 -0500 Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-138-zUA-SbQ5PSmtAJFexOuOzg-1; Tue, 04 Mar 2025 07:48:34 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A4330180087C; Tue, 4 Mar 2025 12:48:32 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 18CF9180087D; Tue, 4 Mar 2025 12:48:32 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id C07EE18003A6; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092527; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nEp0wa7kN8TqmuXz9IZBz+esr3YO5CC4s+LaE6AJniI=; b=deFEg96dKyzNCowTduzSrlmtE02MHf4deyyK4gg1yDNEveSye7HnVF7OfG+wJ9GeP/wxnJ sFhEhMz3pfD5Q99wx6dvLdJwQoCaKwP8gipWEM6QRsZux/O3AHNCxjv7fYv2k5fQQHAOkx TssJMEmSFAQnnXgwVhgELESotocllSE= X-MC-Unique: zUA-SbQ5PSmtAJFexOuOzg-1 X-Mimecast-MFC-AGG-ID: zUA-SbQ5PSmtAJFexOuOzg_1741092512 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 09/24] hw/uefi: add var-service-policy.c Date: Tue, 4 Mar 2025 13:47:57 +0100 Message-ID: <20250304124815.591749-10-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092629007019100 Implement variable policies (Edk2VariablePolicyProtocol). This EFI protocol allows to define restrictions for variables. It also allows to lock down variables (disallow write access). Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-10-kraxel@redhat.com> --- hw/uefi/var-service-policy.c | 370 +++++++++++++++++++++++++++++++++++ 1 file changed, 370 insertions(+) create mode 100644 hw/uefi/var-service-policy.c diff --git a/hw/uefi/var-service-policy.c b/hw/uefi/var-service-policy.c new file mode 100644 index 000000000000..3b1155fe4ea1 --- /dev/null +++ b/hw/uefi/var-service-policy.c @@ -0,0 +1,370 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - VarCheckPolicyLibMmiHandler implementation + * + * variable policy specs: + * https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Library/Vari= ablePolicyLib/ReadMe.md + */ +#include "qemu/osdep.h" +#include "system/dma.h" +#include "migration/vmstate.h" + +#include "hw/uefi/var-service.h" +#include "hw/uefi/var-service-api.h" +#include "hw/uefi/var-service-edk2.h" + +#include "trace/trace-hw_uefi.h" + +static void calc_policy(uefi_var_policy *pol); + +static int uefi_var_policy_post_load(void *opaque, int version_id) +{ + uefi_var_policy *pol =3D opaque; + + calc_policy(pol); + return 0; +} + +const VMStateDescription vmstate_uefi_var_policy =3D { + .name =3D "uefi-var-policy", + .post_load =3D uefi_var_policy_post_load, + .fields =3D (VMStateField[]) { + VMSTATE_UINT32(entry_size, uefi_var_policy), + VMSTATE_VBUFFER_ALLOC_UINT32(entry, uefi_var_policy, + 0, NULL, entry_size), + VMSTATE_END_OF_LIST() + }, +}; + +static void print_policy_entry(variable_policy_entry *pe) +{ + uint16_t *name =3D (void *)pe + pe->offset_to_name; + + fprintf(stderr, "%s:\n", __func__); + + fprintf(stderr, " name =C2=B4"); + while (*name) { + fprintf(stderr, "%c", *name); + name++; + } + fprintf(stderr, "', version=3D%d.%d, size=3D%d\n", + pe->version >> 16, pe->version & 0xffff, pe->size); + + if (pe->min_size) { + fprintf(stderr, " size min=3D%d\n", pe->min_size); + } + if (pe->max_size !=3D UINT32_MAX) { + fprintf(stderr, " size max=3D%u\n", pe->max_size); + } + if (pe->attributes_must_have) { + fprintf(stderr, " attr must=3D0x%x\n", pe->attributes_must_have= ); + } + if (pe->attributes_cant_have) { + fprintf(stderr, " attr cant=3D0x%x\n", pe->attributes_cant_have= ); + } + if (pe->lock_policy_type) { + fprintf(stderr, " lock policy type %d\n", pe->lock_policy_type); + } +} + +static gboolean wildcard_str_equal(uefi_var_policy *pol, + uefi_variable *var) +{ + return uefi_str_equal_ex(pol->name, pol->name_size, + var->name, var->name_size, + true); +} + +static uefi_var_policy *find_policy(uefi_vars_state *uv, QemuUUID guid, + uint16_t *name, uint64_t name_size) +{ + uefi_var_policy *pol; + + QTAILQ_FOREACH(pol, &uv->var_policies, next) { + if (!qemu_uuid_is_equal(&pol->entry->namespace, &guid)) { + continue; + } + if (!uefi_str_equal(pol->name, pol->name_size, + name, name_size)) { + continue; + } + return pol; + } + return NULL; +} + +static uefi_var_policy *wildcard_find_policy(uefi_vars_state *uv, + uefi_variable *var) +{ + uefi_var_policy *pol; + + QTAILQ_FOREACH(pol, &uv->var_policies, next) { + if (!qemu_uuid_is_equal(&pol->entry->namespace, &var->guid)) { + continue; + } + if (!wildcard_str_equal(pol, var)) { + continue; + } + return pol; + } + return NULL; +} + +static void calc_policy(uefi_var_policy *pol) +{ + variable_policy_entry *pe =3D pol->entry; + unsigned int i; + + pol->name =3D (void *)pol->entry + pe->offset_to_name; + pol->name_size =3D pe->size - pe->offset_to_name; + + for (i =3D 0; i < pol->name_size / 2; i++) { + if (pol->name[i] =3D=3D '#') { + pol->hashmarks++; + } + } +} + +uefi_var_policy *uefi_vars_add_policy(uefi_vars_state *uv, + variable_policy_entry *pe) +{ + uefi_var_policy *pol, *p; + + pol =3D g_new0(uefi_var_policy, 1); + pol->entry =3D g_malloc(pe->size); + memcpy(pol->entry, pe, pe->size); + pol->entry_size =3D pe->size; + + calc_policy(pol); + + /* keep list sorted by priority, add to tail of priority group */ + QTAILQ_FOREACH(p, &uv->var_policies, next) { + if ((p->hashmarks > pol->hashmarks) || + (!p->name_size && pol->name_size)) { + QTAILQ_INSERT_BEFORE(p, pol, next); + return pol; + } + } + + QTAILQ_INSERT_TAIL(&uv->var_policies, pol, next); + return pol; +} + +efi_status uefi_vars_policy_check(uefi_vars_state *uv, + uefi_variable *var, + gboolean is_newvar) +{ + uefi_var_policy *pol; + variable_policy_entry *pe; + variable_lock_on_var_state *lvarstate; + uint16_t *lvarname; + size_t lvarnamesize; + uefi_variable *lvar; + + if (!uv->end_of_dxe) { + return EFI_SUCCESS; + } + + pol =3D wildcard_find_policy(uv, var); + if (!pol) { + return EFI_SUCCESS; + } + pe =3D pol->entry; + + uefi_trace_variable(__func__, var->guid, var->name, var->name_size); + print_policy_entry(pe); + + if ((var->attributes & pe->attributes_must_have) !=3D pe->attributes_m= ust_have) { + trace_uefi_vars_policy_deny("must-have-attr"); + return EFI_INVALID_PARAMETER; + } + if ((var->attributes & pe->attributes_cant_have) !=3D 0) { + trace_uefi_vars_policy_deny("cant-have-attr"); + return EFI_INVALID_PARAMETER; + } + + if (var->data_size < pe->min_size) { + trace_uefi_vars_policy_deny("min-size"); + return EFI_INVALID_PARAMETER; + } + if (var->data_size > pe->max_size) { + trace_uefi_vars_policy_deny("max-size"); + return EFI_INVALID_PARAMETER; + } + + switch (pe->lock_policy_type) { + case VARIABLE_POLICY_TYPE_NO_LOCK: + break; + + case VARIABLE_POLICY_TYPE_LOCK_NOW: + trace_uefi_vars_policy_deny("lock-now"); + return EFI_WRITE_PROTECTED; + + case VARIABLE_POLICY_TYPE_LOCK_ON_CREATE: + if (!is_newvar) { + trace_uefi_vars_policy_deny("lock-on-create"); + return EFI_WRITE_PROTECTED; + } + break; + + case VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE: + lvarstate =3D (void *)pol->entry + sizeof(*pe); + lvarname =3D (void *)pol->entry + sizeof(*pe) + sizeof(*lvarst= ate); + lvarnamesize =3D pe->offset_to_name - sizeof(*pe) - sizeof(*lvarst= ate); + + uefi_trace_variable(__func__, lvarstate->namespace, + lvarname, lvarnamesize); + lvar =3D uefi_vars_find_variable(uv, lvarstate->namespace, + lvarname, lvarnamesize); + if (lvar && lvar->data_size =3D=3D 1) { + uint8_t *value =3D lvar->data; + if (lvarstate->value =3D=3D *value) { + return EFI_WRITE_PROTECTED; + } + } + break; + } + + return EFI_SUCCESS; +} + +void uefi_vars_policies_clear(uefi_vars_state *uv) +{ + uefi_var_policy *pol; + + while (!QTAILQ_EMPTY(&uv->var_policies)) { + pol =3D QTAILQ_FIRST(&uv->var_policies); + QTAILQ_REMOVE(&uv->var_policies, pol, next); + g_free(pol->entry); + g_free(pol); + } +} + +static size_t uefi_vars_mm_policy_error(mm_header *mhdr, + mm_check_policy *mchk, + uint64_t status) +{ + mchk->result =3D status; + return sizeof(*mchk); +} + +static uint32_t uefi_vars_mm_check_policy_is_enabled(uefi_vars_state *uv, + mm_header *mhdr, + mm_check_policy *mchk, + void *func) +{ + mm_check_policy_is_enabled *mpar =3D func; + size_t length; + + length =3D sizeof(*mchk) + sizeof(*mpar); + if (mhdr->length < length) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); + } + + mpar->state =3D TRUE; + mchk->result =3D EFI_SUCCESS; + return sizeof(*mchk); +} + +static uint32_t uefi_vars_mm_check_policy_register(uefi_vars_state *uv, + mm_header *mhdr, + mm_check_policy *mchk, + void *func) +{ + variable_policy_entry *pe =3D func; + uefi_var_policy *pol; + uint64_t length; + + if (uadd64_overflow(sizeof(*mchk), pe->size, &length)) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); + } + if (mhdr->length < length) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); + } + if (pe->size < sizeof(*pe)) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); + } + if (pe->offset_to_name < sizeof(*pe)) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); + } + + if (pe->lock_policy_type =3D=3D VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE= && + pe->offset_to_name < sizeof(*pe) + sizeof(variable_lock_on_var_sta= te)) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); + } + + /* check space for minimum string length */ + if (pe->size < (size_t)pe->offset_to_name) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); + } + + if (!uefi_str_is_valid((void *)pe + pe->offset_to_name, + pe->size - pe->offset_to_name, + false)) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_INVALID_PARAMETER= ); + } + + pol =3D find_policy(uv, pe->namespace, + (void *)pe + pe->offset_to_name, + pe->size - pe->offset_to_name); + if (pol) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_ALREADY_STARTED); + } + + uefi_vars_add_policy(uv, pe); + + mchk->result =3D EFI_SUCCESS; + return sizeof(*mchk); +} + +uint32_t uefi_vars_mm_check_policy_proto(uefi_vars_state *uv) +{ + static const char *fnames[] =3D { + "zero", + "disable", + "is-enabled", + "register", + "dump", + "lock", + }; + const char *fname; + mm_header *mhdr =3D (mm_header *) uv->buffer; + mm_check_policy *mchk =3D (mm_check_policy *) (uv->buffer + sizeof(*mh= dr)); + void *func =3D (uv->buffer + sizeof(*mhdr) + sizeof(*mchk)); + + if (mhdr->length < sizeof(*mchk)) { + return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE; + } + + fname =3D mchk->command < ARRAY_SIZE(fnames) + ? fnames[mchk->command] + : "unknown"; + trace_uefi_vars_policy_cmd(fname); + + switch (mchk->command) { + case VAR_CHECK_POLICY_COMMAND_DISABLE: + mchk->result =3D EFI_UNSUPPORTED; + break; + case VAR_CHECK_POLICY_COMMAND_IS_ENABLED: + uefi_vars_mm_check_policy_is_enabled(uv, mhdr, mchk, func); + break; + case VAR_CHECK_POLICY_COMMAND_REGISTER: + if (uv->policy_locked) { + mchk->result =3D EFI_WRITE_PROTECTED; + } else { + uefi_vars_mm_check_policy_register(uv, mhdr, mchk, func); + } + break; + case VAR_CHECK_POLICY_COMMAND_LOCK: + uv->policy_locked =3D true; + mchk->result =3D EFI_SUCCESS; + break; + default: + mchk->result =3D EFI_UNSUPPORTED; + break; + } + + uefi_trace_status(__func__, mchk->result); + return UEFI_VARS_STS_SUCCESS; +} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092644; cv=none; d=zohomail.com; s=zohoarc; b=cdbljfM4PNLnuXE5US5iHTb7qu786NBP5oaT+odJPGijU6VPpdDusXIlb48dAOyNsdlCPcdwf9nqOQvmVzcmMqAn3RHtlvymuhYnkU9R/N1Dd92Ztl+oqDEEWGo2odN83jzRCszn6N3Oz8d0637sQZP5sU9CiXypmOUUJJtm8vs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092644; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=JIz4TSVObydKkF1nfUUI4YeQIpc7+o66+8nyRGQKqxM=; b=DviEljRDCiCNheP3iQWPuDqvGEVf62RYRCqd9Vl4r7QzdPde8MkI6IxRBu0q3KBH0dqqp5EaYb7TqUGl6vWWKXrnmvnmrglNH1tJKc1fS09kIu8P7ZBGUhIOJ40iZAna9QYPl4C0Xnd4mEi/1qSbAXaVn/0KvsYwxkVmOZZi7yk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092644430285.4297316916733; Tue, 4 Mar 2025 04:50:44 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRjD-0006fr-UL; Tue, 04 Mar 2025 07:50:32 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhb-0004nt-Jg for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:51 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhZ-0006mr-1x for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:51 -0500 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-35-Hql--rErNKCJ3YUK4goscg-1; Tue, 04 Mar 2025 07:48:38 -0500 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 890A01954B20; Tue, 4 Mar 2025 12:48:36 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 16D7E19560A3; Tue, 4 Mar 2025 12:48:35 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id D129018003AD; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092528; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JIz4TSVObydKkF1nfUUI4YeQIpc7+o66+8nyRGQKqxM=; b=NNGgFKeykO/dnO+8x3gluDxS2/muw3+tcieidBhP2s4dyUXH9vVGFn1ikR6eXvwC6eAl3D RQj7oXc0eWufappaWq0+jzxjEtye9rFpIkzBPa/dj8GRp4ztDWyAZk+lzN1AU7rnCKfm6O e3su+MUejA4f1c+gOff3FK1ks0jZq+0= X-MC-Unique: Hql--rErNKCJ3YUK4goscg-1 X-Mimecast-MFC-AGG-ID: Hql--rErNKCJ3YUK4goscg_1741092516 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 10/24] hw/uefi: add var-service-core.c Date: Tue, 4 Mar 2025 13:47:58 +0100 Message-ID: <20250304124815.591749-11-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092645722019000 Content-Type: text/plain; charset="utf-8" This is the core code for guest <-> host communication. This accepts request messages from the guest, dispatches them to the service called, and sends back the response message. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-11-kraxel@redhat.com> --- hw/uefi/var-service-core.c | 321 +++++++++++++++++++++++++++++++++++++ 1 file changed, 321 insertions(+) create mode 100644 hw/uefi/var-service-core.c diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c new file mode 100644 index 000000000000..8ed8378ab991 --- /dev/null +++ b/hw/uefi/var-service-core.c @@ -0,0 +1,321 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device + */ +#include "qemu/osdep.h" +#include "qemu/crc32c.h" +#include "system/dma.h" +#include "migration/vmstate.h" + +#include "hw/uefi/var-service.h" +#include "hw/uefi/var-service-api.h" +#include "hw/uefi/var-service-edk2.h" + +#include "trace/trace-hw_uefi.h" + +static int uefi_vars_pre_load(void *opaque) +{ + uefi_vars_state *uv =3D opaque; + + uefi_vars_clear_all(uv); + uefi_vars_policies_clear(uv); + g_free(uv->buffer); + return 0; +} + +static int uefi_vars_post_load(void *opaque, int version_id) +{ + uefi_vars_state *uv =3D opaque; + + uefi_vars_update_storage(uv); + uv->buffer =3D g_malloc(uv->buf_size); + return 0; +} + +const VMStateDescription vmstate_uefi_vars =3D { + .name =3D "uefi-vars", + .pre_load =3D uefi_vars_pre_load, + .post_load =3D uefi_vars_post_load, + .fields =3D (VMStateField[]) { + VMSTATE_UINT16(sts, uefi_vars_state), + VMSTATE_UINT32(buf_size, uefi_vars_state), + VMSTATE_UINT32(buf_addr_lo, uefi_vars_state), + VMSTATE_UINT32(buf_addr_hi, uefi_vars_state), + VMSTATE_UINT32(pio_xfer_offset, uefi_vars_state), + VMSTATE_VBUFFER_ALLOC_UINT32(pio_xfer_buffer, uefi_vars_state, + 0, NULL, buf_size), + VMSTATE_BOOL(end_of_dxe, uefi_vars_state), + VMSTATE_BOOL(ready_to_boot, uefi_vars_state), + VMSTATE_BOOL(exit_boot_service, uefi_vars_state), + VMSTATE_BOOL(policy_locked, uefi_vars_state), + VMSTATE_UINT64(used_storage, uefi_vars_state), + VMSTATE_QTAILQ_V(variables, uefi_vars_state, 0, + vmstate_uefi_variable, uefi_variable, next), + VMSTATE_QTAILQ_V(var_policies, uefi_vars_state, 0, + vmstate_uefi_var_policy, uefi_var_policy, next), + VMSTATE_END_OF_LIST() + }, +}; + +static uint32_t uefi_vars_cmd_mm(uefi_vars_state *uv, bool dma_mode) +{ + hwaddr dma; + mm_header *mhdr; + uint64_t size; + uint32_t retval; + + dma =3D uv->buf_addr_lo | ((hwaddr)uv->buf_addr_hi << 32); + mhdr =3D (mm_header *) uv->buffer; + + if (!uv->buffer || uv->buf_size < sizeof(*mhdr)) { + return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE; + } + + /* read header */ + if (dma_mode) { + dma_memory_read(&address_space_memory, dma, + uv->buffer, sizeof(*mhdr), + MEMTXATTRS_UNSPECIFIED); + } else { + memcpy(uv->buffer, uv->pio_xfer_buffer, sizeof(*mhdr)); + } + + if (uadd64_overflow(sizeof(*mhdr), mhdr->length, &size)) { + return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE; + } + if (uv->buf_size < size) { + return UEFI_VARS_STS_ERR_BAD_BUFFER_SIZE; + } + + /* read buffer (excl header) */ + if (dma_mode) { + dma_memory_read(&address_space_memory, dma + sizeof(*mhdr), + uv->buffer + sizeof(*mhdr), mhdr->length, + MEMTXATTRS_UNSPECIFIED); + } else { + memcpy(uv->buffer + sizeof(*mhdr), + uv->pio_xfer_buffer + sizeof(*mhdr), + mhdr->length); + } + memset(uv->buffer + size, 0, uv->buf_size - size); + + /* dispatch */ + if (qemu_uuid_is_equal(&mhdr->guid, &EfiSmmVariableProtocolGuid)) { + retval =3D uefi_vars_mm_vars_proto(uv); + + } else if (qemu_uuid_is_equal(&mhdr->guid, &VarCheckPolicyLibMmiHandle= rGuid)) { + retval =3D uefi_vars_mm_check_policy_proto(uv); + + } else if (qemu_uuid_is_equal(&mhdr->guid, &EfiEndOfDxeEventGroupGuid)= ) { + trace_uefi_event("end-of-dxe"); + uv->end_of_dxe =3D true; + retval =3D UEFI_VARS_STS_SUCCESS; + + } else if (qemu_uuid_is_equal(&mhdr->guid, &EfiEventReadyToBootGuid)) { + trace_uefi_event("ready-to-boot"); + uv->ready_to_boot =3D true; + retval =3D UEFI_VARS_STS_SUCCESS; + + } else if (qemu_uuid_is_equal(&mhdr->guid, &EfiEventExitBootServicesGu= id)) { + trace_uefi_event("exit-boot-service"); + uv->exit_boot_service =3D true; + retval =3D UEFI_VARS_STS_SUCCESS; + + } else { + retval =3D UEFI_VARS_STS_ERR_NOT_SUPPORTED; + } + + /* write buffer */ + if (dma_mode) { + dma_memory_write(&address_space_memory, dma, + uv->buffer, sizeof(*mhdr) + mhdr->length, + MEMTXATTRS_UNSPECIFIED); + } else { + memcpy(uv->pio_xfer_buffer + sizeof(*mhdr), + uv->buffer + sizeof(*mhdr), + sizeof(*mhdr) + mhdr->length); + } + + return retval; +} + +static void uefi_vars_soft_reset(uefi_vars_state *uv) +{ + g_free(uv->buffer); + uv->buffer =3D NULL; + uv->buf_size =3D 0; + uv->buf_addr_lo =3D 0; + uv->buf_addr_hi =3D 0; +} + +void uefi_vars_hard_reset(uefi_vars_state *uv) +{ + trace_uefi_hard_reset(); + uefi_vars_soft_reset(uv); + + uv->end_of_dxe =3D false; + uv->ready_to_boot =3D false; + uv->exit_boot_service =3D false; + uv->policy_locked =3D false; + + uefi_vars_clear_volatile(uv); + uefi_vars_policies_clear(uv); + uefi_vars_auth_init(uv); +} + +static uint32_t uefi_vars_cmd(uefi_vars_state *uv, uint32_t cmd) +{ + switch (cmd) { + case UEFI_VARS_CMD_RESET: + uefi_vars_soft_reset(uv); + return UEFI_VARS_STS_SUCCESS; + case UEFI_VARS_CMD_DMA_MM: + return uefi_vars_cmd_mm(uv, true); + case UEFI_VARS_CMD_PIO_MM: + return uefi_vars_cmd_mm(uv, false); + case UEFI_VARS_CMD_PIO_ZERO_OFFSET: + uv->pio_xfer_offset =3D 0; + return UEFI_VARS_STS_SUCCESS; + default: + return UEFI_VARS_STS_ERR_NOT_SUPPORTED; + } +} + +static uint64_t uefi_vars_read(void *opaque, hwaddr addr, unsigned size) +{ + uefi_vars_state *uv =3D opaque; + uint64_t retval =3D -1; + void *xfer_ptr; + + trace_uefi_reg_read(addr, size); + + switch (addr) { + case UEFI_VARS_REG_MAGIC: + retval =3D UEFI_VARS_MAGIC_VALUE; + break; + case UEFI_VARS_REG_CMD_STS: + retval =3D uv->sts; + break; + case UEFI_VARS_REG_BUFFER_SIZE: + retval =3D uv->buf_size; + break; + case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO: + retval =3D uv->buf_addr_lo; + break; + case UEFI_VARS_REG_DMA_BUFFER_ADDR_HI: + retval =3D uv->buf_addr_hi; + break; + case UEFI_VARS_REG_PIO_BUFFER_TRANSFER: + if (uv->pio_xfer_offset + size > uv->buf_size) { + retval =3D 0; + break; + } + xfer_ptr =3D uv->pio_xfer_buffer + uv->pio_xfer_offset; + switch (size) { + case 1: + retval =3D *(uint8_t *)xfer_ptr; + break; + case 2: + retval =3D *(uint16_t *)xfer_ptr; + break; + case 4: + retval =3D *(uint32_t *)xfer_ptr; + break; + case 8: + retval =3D *(uint64_t *)xfer_ptr; + break; + } + uv->pio_xfer_offset +=3D size; + break; + case UEFI_VARS_REG_PIO_BUFFER_CRC32C: + retval =3D crc32c(0xffffffff, uv->pio_xfer_buffer, uv->pio_xfer_of= fset); + break; + case UEFI_VARS_REG_FLAGS: + retval =3D 0; + if (uv->use_pio) { + retval |=3D UEFI_VARS_FLAG_USE_PIO; + } + } + return retval; +} + +static void uefi_vars_write(void *opaque, hwaddr addr, uint64_t val, unsig= ned size) +{ + uefi_vars_state *uv =3D opaque; + void *xfer_ptr; + + trace_uefi_reg_write(addr, val, size); + + switch (addr) { + case UEFI_VARS_REG_CMD_STS: + uv->sts =3D uefi_vars_cmd(uv, val); + break; + case UEFI_VARS_REG_BUFFER_SIZE: + if (val > MAX_BUFFER_SIZE) { + val =3D MAX_BUFFER_SIZE; + } + uv->buf_size =3D val; + g_free(uv->buffer); + g_free(uv->pio_xfer_buffer); + uv->buffer =3D g_malloc(uv->buf_size); + uv->pio_xfer_buffer =3D g_malloc(uv->buf_size); + break; + case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO: + uv->buf_addr_lo =3D val; + break; + case UEFI_VARS_REG_DMA_BUFFER_ADDR_HI: + uv->buf_addr_hi =3D val; + break; + case UEFI_VARS_REG_PIO_BUFFER_TRANSFER: + if (uv->pio_xfer_offset + size > uv->buf_size) { + break; + } + xfer_ptr =3D uv->pio_xfer_buffer + uv->pio_xfer_offset; + switch (size) { + case 1: + *(uint8_t *)xfer_ptr =3D val; + break; + case 2: + *(uint16_t *)xfer_ptr =3D val; + break; + case 4: + *(uint32_t *)xfer_ptr =3D val; + break; + case 8: + *(uint64_t *)xfer_ptr =3D val; + break; + } + uv->pio_xfer_offset +=3D size; + break; + case UEFI_VARS_REG_PIO_BUFFER_CRC32C: + case UEFI_VARS_REG_FLAGS: + default: + break; + } +} + +static const MemoryRegionOps uefi_vars_ops =3D { + .read =3D uefi_vars_read, + .write =3D uefi_vars_write, + .endianness =3D DEVICE_LITTLE_ENDIAN, + .impl =3D { + .min_access_size =3D 2, + .max_access_size =3D 4, + }, +}; + +void uefi_vars_init(Object *obj, uefi_vars_state *uv) +{ + QTAILQ_INIT(&uv->variables); + QTAILQ_INIT(&uv->var_policies); + uv->jsonfd =3D -1; + memory_region_init_io(&uv->mr, obj, &uefi_vars_ops, uv, + "uefi-vars", UEFI_VARS_REGS_SIZE); +} + +void uefi_vars_realize(uefi_vars_state *uv, Error **errp) +{ + uefi_vars_json_init(uv, errp); + uefi_vars_json_load(uv, errp); +} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741093074; cv=none; d=zohomail.com; s=zohoarc; b=EH8PjTda8cHKanE2xHWxEZyidb5Le8B3i39yymIi2ICh/7UHbkHHhHPvnS7YdAOdzfF07Fmqh9GUqQ2yeXz4uvdtEZ49QcjYNv9tWJT9dl9oR12m169BBFLLPADeYrIEyOeZ+q1QOOReOzwuzOq4rTceL+zQby+WzGaaWKWCglw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741093074; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=TekiRy230m6fXrzIpS8SrOi2EMfP9enRBb5+yH9gjMs=; b=mSanTZS//Yp2POoXA6HRVk1bTcou88cFv2Wy3fji3zS7J/dHROSI+s0WESheUfQSFB2Ta5qLehONDlaF0APaF6dbjq0NpLGCyXJY1WuSMDovTiPH8yV9vF+NzkJ2jzHnbU+zgP+ouR2JkZXEXQ9fRApwubz182qzPpN6TmN2oN8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741093074147352.9317746578197; Tue, 4 Mar 2025 04:57:54 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhn-0004uD-5P; Tue, 04 Mar 2025 07:49:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhW-0004iZ-M2 for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:47 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhT-0006lV-UJ for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:46 -0500 Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-413-XJR9CKONNtyLErloDS68ew-1; Tue, 04 Mar 2025 07:48:38 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8566C180087B; Tue, 4 Mar 2025 12:48:36 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 382A6180087C; Tue, 4 Mar 2025 12:48:35 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id E277518003B4; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092523; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TekiRy230m6fXrzIpS8SrOi2EMfP9enRBb5+yH9gjMs=; b=d7KyIpxeUefYgclpSuUFgixr7lv/XR4SKc0POz0EPfV8bBQRcxokp9L/ZEHXxbDh82PRCe dMLIaA4Z60Y6oUxegAjkdmIIpf56k5zthYOw4IAhmpIQGZOipODi7e5LNsalyAG562rveo 42SoXryZhQncDwbNIH3Yr4ekiKDdl/s= X-MC-Unique: XJR9CKONNtyLErloDS68ew-1 X-Mimecast-MFC-AGG-ID: XJR9CKONNtyLErloDS68ew_1741092516 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 11/24] hw/uefi: add var-service-pkcs7.c Date: Tue, 4 Mar 2025 13:47:59 +0100 Message-ID: <20250304124815.591749-12-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741093075464019000 Content-Type: text/plain; charset="utf-8" This implements pkcs7 signature verification using gnutls. Needed to check authenticated variable updates. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-12-kraxel@redhat.com> --- hw/uefi/var-service-pkcs7.c | 436 ++++++++++++++++++++++++++++++++++++ 1 file changed, 436 insertions(+) create mode 100644 hw/uefi/var-service-pkcs7.c diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c new file mode 100644 index 000000000000..32accf4e44e0 --- /dev/null +++ b/hw/uefi/var-service-pkcs7.c @@ -0,0 +1,436 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - pkcs7 verification + */ +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "system/dma.h" + +#include +#include +#include + +#include "hw/uefi/var-service.h" + +#define AUTHVAR_DIGEST_ALGO GNUTLS_DIG_SHA256 +#define AUTHVAR_DIGEST_SIZE 32 + +/* + * Replicate the signed data for signature verification. + */ +static gnutls_datum_t *build_signed_data(mm_variable_access *va, void *dat= a) +{ + variable_auth_2 *auth =3D data; + uint64_t data_offset =3D sizeof(efi_time) + auth->hdr_length; + uint16_t *name =3D (void *)va + sizeof(mm_variable_access); + gnutls_datum_t *sdata; + uint64_t pos =3D 0; + + sdata =3D g_new(gnutls_datum_t, 1); + sdata->size =3D (va->name_size - 2 + + sizeof(QemuUUID) + + sizeof(va->attributes) + + sizeof(auth->timestamp) + + va->data_size - data_offset); + sdata->data =3D g_malloc(sdata->size); + + /* Variable Name (without terminating \0) */ + memcpy(sdata->data + pos, name, va->name_size - 2); + pos +=3D va->name_size - 2; + + /* Variable Namespace Guid */ + memcpy(sdata->data + pos, &va->guid, sizeof(va->guid)); + pos +=3D sizeof(va->guid); + + /* Attributes */ + memcpy(sdata->data + pos, &va->attributes, sizeof(va->attributes)); + pos +=3D sizeof(va->attributes); + + /* TimeStamp */ + memcpy(sdata->data + pos, &auth->timestamp, sizeof(auth->timestamp)); + pos +=3D sizeof(auth->timestamp); + + /* Variable Content */ + memcpy(sdata->data + pos, data + data_offset, va->data_size - data_off= set); + pos +=3D va->data_size - data_offset; + + assert(pos =3D=3D sdata->size); + return sdata; +} + +/* + * See WrapPkcs7Data() in edk2. + * + * UEFI spec allows pkcs7 signatures being used without the envelope which + * identifies them as pkcs7 signatures. openssl and gnutls will not parse= them + * without the envelope though. So add it if needed. + */ +static void wrap_pkcs7(gnutls_datum_t *pkcs7) +{ + static uint8_t signed_data_oid[9] =3D { + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 + }; + gnutls_datum_t wrap; + + if (pkcs7->data[4] =3D=3D 0x06 && + pkcs7->data[5] =3D=3D 0x09 && + memcmp(pkcs7->data + 6, signed_data_oid, sizeof(signed_data_oid)) = =3D=3D 0 && + pkcs7->data[15] =3D=3D 0x0a && + pkcs7->data[16] =3D=3D 0x82) { + return; + } + + wrap.size =3D pkcs7->size + 19; + wrap.data =3D g_malloc(wrap.size); + + wrap.data[0] =3D 0x30; + wrap.data[1] =3D 0x82; + wrap.data[2] =3D (wrap.size - 4) >> 8; + wrap.data[3] =3D (wrap.size - 4) & 0xff; + wrap.data[4] =3D 0x06; + wrap.data[5] =3D 0x09; + memcpy(wrap.data + 6, signed_data_oid, sizeof(signed_data_oid)); + + wrap.data[15] =3D 0xa0; + wrap.data[16] =3D 0x82; + wrap.data[17] =3D pkcs7->size >> 8; + wrap.data[18] =3D pkcs7->size & 0xff; + memcpy(wrap.data + 19, pkcs7->data, pkcs7->size); + + g_free(pkcs7->data); + *pkcs7 =3D wrap; +} + +static gnutls_datum_t *build_pkcs7(void *data) +{ + variable_auth_2 *auth =3D data; + gnutls_datum_t *pkcs7; + + pkcs7 =3D g_new(gnutls_datum_t, 1); + pkcs7->size =3D auth->hdr_length - 24; + pkcs7->data =3D g_malloc(pkcs7->size); + memcpy(pkcs7->data, data + 16 + 24, pkcs7->size); + + wrap_pkcs7(pkcs7); + + return pkcs7; +} + +/* + * Read UEFI signature database, store x509 all certificates found in + * gnutls_x509_trust_list_t. + */ +static gnutls_x509_trust_list_t build_trust_list_sb(uefi_variable *var) +{ + gnutls_x509_trust_list_t tlist; + gnutls_datum_t cert_data; + gnutls_x509_crt_t cert; + uefi_vars_siglist siglist; + uefi_vars_cert *c; + int rc; + + rc =3D gnutls_x509_trust_list_init(&tlist, 0); + if (rc < 0) { + warn_report("gnutls_x509_trust_list_init error: %s", + gnutls_strerror(rc)); + return NULL; + } + + uefi_vars_siglist_init(&siglist); + uefi_vars_siglist_parse(&siglist, var->data, var->data_size); + + QTAILQ_FOREACH(c, &siglist.x509, next) { + cert_data.size =3D c->size; + cert_data.data =3D c->data; + + rc =3D gnutls_x509_crt_init(&cert); + if (rc < 0) { + warn_report("gnutls_x509_crt_init error: %s", gnutls_strerror(= rc)); + break; + } + rc =3D gnutls_x509_crt_import(cert, &cert_data, GNUTLS_X509_FMT_DE= R); + if (rc < 0) { + warn_report("gnutls_x509_crt_import error: %s", + gnutls_strerror(rc)); + gnutls_x509_crt_deinit(cert); + break; + } + rc =3D gnutls_x509_trust_list_add_cas(tlist, &cert, 1, 0); + if (rc < 0) { + warn_report("gnutls_x509_crt_import error: %s", + gnutls_strerror(rc)); + gnutls_x509_crt_deinit(cert); + break; + } + } + + uefi_vars_siglist_free(&siglist); + + return tlist; +} + +static int build_digest_authvar(gnutls_x509_crt_t signer, + gnutls_x509_crt_t root, + uint8_t *hash_digest) +{ + char *cn; + size_t cn_size =3D 0; + uint8_t fp[AUTHVAR_DIGEST_SIZE]; + size_t fp_size =3D sizeof(fp); + gnutls_hash_hd_t hash; + int rc; + + /* get signer CN */ + rc =3D gnutls_x509_crt_get_dn_by_oid(signer, GNUTLS_OID_X520_COMMON_NA= ME, + 0, 0, NULL, &cn_size); + if (rc !=3D GNUTLS_E_SHORT_MEMORY_BUFFER) { + warn_report("gnutls_x509_crt_get_dn_by_oid error #1: %s", + gnutls_strerror(rc)); + return rc; + } + + cn =3D g_malloc(cn_size); + rc =3D gnutls_x509_crt_get_dn_by_oid(signer, GNUTLS_OID_X520_COMMON_NA= ME, + 0, 0, cn, &cn_size); + if (rc < 0) { + warn_report("gnutls_x509_crt_get_dn_by_oid error #2: %s", + gnutls_strerror(rc)); + goto err; + } + + /* get root certificate fingerprint */ + rc =3D gnutls_x509_crt_get_fingerprint(root, AUTHVAR_DIGEST_ALGO, + fp, &fp_size); + if (rc < 0) { + warn_report("gnutls_x509_crt_get_fingerprint error: %s", + gnutls_strerror(rc)); + goto err; + } + + /* digest both items */ + rc =3D gnutls_hash_init(&hash, AUTHVAR_DIGEST_ALGO); + if (rc < 0) { + warn_report("gnutls_hash_init error: %s", + gnutls_strerror(rc)); + goto err; + } + rc =3D gnutls_hash(hash, cn, cn_size); + if (rc < 0) { + warn_report("gnutls_hash error: %s", + gnutls_strerror(rc)); + goto err; + } + rc =3D gnutls_hash(hash, fp, fp_size); + if (rc < 0) { + warn_report("gnutls_hash error: %s", + gnutls_strerror(rc)); + goto err; + } + gnutls_hash_deinit(hash, hash_digest); + + return 0; + +err: + g_free(cn); + return rc; +} + +/* + * uefi spec 2.9, section 8.2.2 + * + * For EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS variables which = are + * NOT secure boot variables we should track the root certificate of the t= rust + * chain, and the subject CN of the signer certificate. + * + * So we'll go store a digest of these two items so we can verify this. A= lso + * create a gnutls_x509_trust_list_t with the root certificate, so + * gnutls_pkcs7_verify() will pass (assuming the signature is otherwise + * correct). + */ +static gnutls_x509_trust_list_t build_trust_list_authvar(gnutls_pkcs7_t pk= cs7, + uint8_t *hash_dig= est) +{ + gnutls_datum_t signer_data =3D { 0 }; + gnutls_datum_t root_data =3D { 0 }; + gnutls_x509_crt_t signer =3D NULL; + gnutls_x509_crt_t root =3D NULL; + gnutls_x509_trust_list_t tlist =3D NULL; + int n, rc; + + n =3D gnutls_pkcs7_get_crt_count(pkcs7); + + /* first is signer certificate */ + rc =3D gnutls_pkcs7_get_crt_raw2(pkcs7, 0, &signer_data); + if (rc < 0) { + warn_report("gnutls_pkcs7_get_crt_raw2(0) error: %s", + gnutls_strerror(rc)); + goto done; + } + rc =3D gnutls_x509_crt_init(&signer); + if (rc < 0) { + warn_report("gnutls_x509_crt_init error: %s", gnutls_strerror(rc)); + goto done; + } + rc =3D gnutls_x509_crt_import(signer, &signer_data, GNUTLS_X509_FMT_DE= R); + if (rc < 0) { + warn_report("gnutls_x509_crt_import error: %s", + gnutls_strerror(rc)); + gnutls_x509_crt_deinit(signer); + goto done; + } + + /* last is root-of-trust certificate (can be identical to signer) */ + rc =3D gnutls_pkcs7_get_crt_raw2(pkcs7, n - 1, &root_data); + if (rc < 0) { + warn_report("gnutls_pkcs7_get_crt_raw2(%d) error: %s", + n - 1, gnutls_strerror(rc)); + goto done; + } + rc =3D gnutls_x509_crt_init(&root); + if (rc < 0) { + warn_report("gnutls_x509_crt_init error: %s", gnutls_strerror(rc)); + goto done; + } + rc =3D gnutls_x509_crt_import(root, &root_data, GNUTLS_X509_FMT_DER); + if (rc < 0) { + warn_report("gnutls_x509_crt_import error: %s", + gnutls_strerror(rc)); + goto done; + } + + /* calc digest for signer CN + root cert */ + rc =3D build_digest_authvar(signer, root, hash_digest); + if (rc < 0) { + goto done; + } + + /* add root to trust list */ + rc =3D gnutls_x509_trust_list_init(&tlist, 0); + if (rc < 0) { + warn_report("gnutls_x509_trust_list_init error: %s", + gnutls_strerror(rc)); + goto done; + } + rc =3D gnutls_x509_trust_list_add_cas(tlist, &root, 1, 0); + if (rc < 0) { + warn_report("gnutls_x509_crt_import error: %s", + gnutls_strerror(rc)); + gnutls_x509_trust_list_deinit(tlist, 1); + tlist =3D NULL; + goto done; + } else { + /* ownership passed to tlist */ + root =3D NULL; + } + +done: + if (signer_data.data) { + gnutls_free(signer_data.data); + } + if (root_data.data) { + gnutls_free(root_data.data); + } + if (signer) { + gnutls_x509_crt_deinit(signer); + } + if (root) { + gnutls_x509_crt_deinit(root); + } + return tlist; +} + +static void free_datum(gnutls_datum_t *ptr) +{ + if (!ptr) { + return; + } + g_free(ptr->data); + g_free(ptr); +} + +static void gnutls_log_stderr(int level, const char *msg) +{ + if (strncmp(msg, "ASSERT:", 7) =3D=3D 0) { + return; + } + fprintf(stderr, " %d: %s", level, msg); +} + +/* + * pkcs7 signature verification (EFI_VARIABLE_AUTHENTICATION_2). + */ +efi_status uefi_vars_check_pkcs7_2(uefi_variable *siglist, + void **digest, uint32_t *digest_size, + mm_variable_access *va, void *data) +{ + gnutls_x509_trust_list_t tlist =3D NULL; + gnutls_datum_t *signed_data =3D NULL; + gnutls_datum_t *pkcs7_data =3D NULL; + gnutls_pkcs7_t pkcs7 =3D NULL; + efi_status status =3D EFI_SECURITY_VIOLATION; + int rc; + + if (0) { + /* gnutls debug logging */ + static bool first =3D true; + + if (first) { + first =3D false; + gnutls_global_set_log_function(gnutls_log_stderr); + gnutls_global_set_log_level(99); + } + } + + signed_data =3D build_signed_data(va, data); + pkcs7_data =3D build_pkcs7(data); + + rc =3D gnutls_pkcs7_init(&pkcs7); + if (rc < 0) { + warn_report("gnutls_pkcs7_init error: %s", gnutls_strerror(rc)); + goto out; + } + + rc =3D gnutls_pkcs7_import(pkcs7, pkcs7_data, GNUTLS_X509_FMT_DER); + if (rc < 0) { + warn_report("gnutls_pkcs7_import error: %s", gnutls_strerror(rc)); + goto out; + } + + if (siglist) { + /* secure boot variables */ + tlist =3D build_trust_list_sb(siglist); + } else if (digest && digest_size) { + /* other authenticated variables */ + *digest_size =3D AUTHVAR_DIGEST_SIZE; + *digest =3D g_malloc(*digest_size); + tlist =3D build_trust_list_authvar(pkcs7, *digest); + } else { + /* should not happen */ + goto out; + } + + rc =3D gnutls_pkcs7_verify(pkcs7, tlist, + NULL, 0, + 0, signed_data, + GNUTLS_VERIFY_DISABLE_TIME_CHECKS | + GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS); + if (rc < 0) { + warn_report("gnutls_pkcs7_verify error: %s", gnutls_strerror(rc)); + goto out; + } + + /* check passed */ + status =3D EFI_SUCCESS; + +out: + free_datum(signed_data); + free_datum(pkcs7_data); + if (tlist) { + gnutls_x509_trust_list_deinit(tlist, 1); + } + if (pkcs7) { + gnutls_pkcs7_deinit(pkcs7); + } + return status; +} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741093074; cv=none; d=zohomail.com; s=zohoarc; b=RjJCVm/SWEGn2fdRaWHmfYEiawcBbmVTYD1xv7nkZ8R5UBlbEOq3lQCEulvbwMT0CMLa/x0QQCerHeHhvcSxgQXgZH0bdVoLDBSmPMEGv3mrL4Iv0uLy7kjyEr0xALO8Q5eSP1nvwV3plAWS4dzgcvFOfD6pu1PWRzpqxNqQAG8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741093074; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=MeGTPtM30ba86rMRX4J7QzRLY9n745SbXLhW4mrJkQ4=; b=j74iA4816D3q0aZKoVI7Mk2oAiXU1jvUcFJdbh2JFUJV8qwB7dSRuIyAdsILGP/6zeaNojXZbZbYJKOtPtrQFj8xxJIlyjOTdPeiBnKZIyAmFkqkt0D1b/i9+MzB3/4vVlXcYbpEoFXksbNqk9LyFTRW63MLewUe9IwsFyyK/1M= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741093074552794.7283730871603; Tue, 4 Mar 2025 04:57:54 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRm1-0002Z6-DZ; Tue, 04 Mar 2025 07:53:27 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhr-0004wG-M8 for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:08 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhp-0007Rv-Ib for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:06 -0500 Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-91-lmKxBvfHMEy7BxjH_HzVWQ-1; Tue, 04 Mar 2025 07:48:43 -0500 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8F1C41944CFD; Tue, 4 Mar 2025 12:48:41 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A12DB1800359; Tue, 4 Mar 2025 12:48:39 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id F1EF218003B7; Tue, 04 Mar 2025 13:48:15 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092544; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MeGTPtM30ba86rMRX4J7QzRLY9n745SbXLhW4mrJkQ4=; b=ghExlTL4HZ7PFuahBGhC6OhkxuaevqmZc69MzL+cvDHs4L4DSkxjalpGIhFdVTyEzINW+B KarDo+y84p13/RalQ5OZ8V8zxmEq7Xf0H9ABWtzV1ao9NVWRHNwOAWDpOhvRepdmX851lx Xeud49Bx6+ZzxMXKqjSmO9bUoAiSiMo= X-MC-Unique: lmKxBvfHMEy7BxjH_HzVWQ-1 X-Mimecast-MFC-AGG-ID: lmKxBvfHMEy7BxjH_HzVWQ_1741092521 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 12/24] hw/uefi: add var-service-pkcs7-stub.c Date: Tue, 4 Mar 2025 13:48:00 +0100 Message-ID: <20250304124815.591749-13-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741093075319019000 Content-Type: text/plain; charset="utf-8" pkcs7 stub which is used in case gnutls is not available. It throws EFI_WRITE_PROTECTED errors unconditionally, so all authenticated variables are readonly for the guest. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-13-kraxel@redhat.com> --- hw/uefi/var-service-pkcs7-stub.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 hw/uefi/var-service-pkcs7-stub.c diff --git a/hw/uefi/var-service-pkcs7-stub.c b/hw/uefi/var-service-pkcs7-s= tub.c new file mode 100644 index 000000000000..118cba446d4b --- /dev/null +++ b/hw/uefi/var-service-pkcs7-stub.c @@ -0,0 +1,16 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - pkcs7 stubs + */ +#include "qemu/osdep.h" +#include "system/dma.h" + +#include "hw/uefi/var-service.h" + +efi_status uefi_vars_check_pkcs7_2(uefi_variable *siglist, + void **digest, uint32_t *digest_size, + mm_variable_access *va, void *data) +{ + return EFI_WRITE_PROTECTED; +} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092677; cv=none; d=zohomail.com; s=zohoarc; b=AkYYmSXzLfr/q/Agd8y17MknPa6FTdCK7cFjxsCV0u24K82hm/kM7hZ3jEpe5iIM2Bgc6TrGxW29w9cY27Go6zaIh4B3HuelVZfClcI+1Dqh0kAtYZC8PTTCp1fmSKGiW/PbawwD/wWDFbTlMQVcyb7x28lBcpiYjVN+Q8/NP6A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092677; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=ydBGlShTDPJYMLjz/X2qz59THSz0YWcjw1GnDWb2eHo=; b=Qb072AsZZBImTPpL07nDjgztFZ/PRT0YBoIAXja3ntsjVa0k2Xtr0HRR7/FE+QBFiEFCjIiFLWkAvTOxay68PoqbG5FT676scmRWYY9VlVKNPX7UWCnlBUV6v2PHpKjNyRMECkplt7j3HKoGLZCTVKESsZohR09bvp+kpikA9zY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092677727630.1735808452751; Tue, 4 Mar 2025 04:51:17 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRhh-0004sz-TS; Tue, 04 Mar 2025 07:48:58 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhZ-0004n3-Om for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:49 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhX-0006m5-9D for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:49 -0500 Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-160-X5H4n883PPWqhEaGN0bJIA-1; Tue, 04 Mar 2025 07:48:43 -0500 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 12DB31801A1F; Tue, 4 Mar 2025 12:48:42 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A13831800361; Tue, 4 Mar 2025 12:48:39 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 0DC8118003B9; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092526; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ydBGlShTDPJYMLjz/X2qz59THSz0YWcjw1GnDWb2eHo=; b=My8rdX+WOBqDTRwsoHQ/E8e9VzWRA1JJhSDOMtELJIcTYpkhAYimDHdZPYiWOUZAcLA1Hr j8CQEhOw2CsAg+N/PTeipmfqjWvVenGwRt+47eCPjrjTqdQO1Jckvbd9oBUlVybQCM9fDW we+AL+r7+1KqBJ3A8CXPoa0WB8xAfvk= X-MC-Unique: X5H4n883PPWqhEaGN0bJIA-1 X-Mimecast-MFC-AGG-ID: X5H4n883PPWqhEaGN0bJIA_1741092522 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 13/24] hw/uefi: add var-service-siglist.c Date: Tue, 4 Mar 2025 13:48:01 +0100 Message-ID: <20250304124815.591749-14-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092678840019100 Content-Type: text/plain; charset="utf-8" Functions to serialize and de-serialize EFI signature databases. This is needed to merge signature databases (happens in practice when appending dbx updates) and also to extract the certificates for pkcs7 signature verification. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-14-kraxel@redhat.com> --- hw/uefi/var-service-siglist.c | 212 ++++++++++++++++++++++++++++++++++ 1 file changed, 212 insertions(+) create mode 100644 hw/uefi/var-service-siglist.c diff --git a/hw/uefi/var-service-siglist.c b/hw/uefi/var-service-siglist.c new file mode 100644 index 000000000000..8948f1b78471 --- /dev/null +++ b/hw/uefi/var-service-siglist.c @@ -0,0 +1,212 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - parse and generate efi signature databases + */ + +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "system/dma.h" + +#include "hw/uefi/var-service.h" + +/* + * Add x509 certificate to list (with duplicate check). + */ +static void uefi_vars_siglist_add_x509(uefi_vars_siglist *siglist, + QemuUUID *owner, + void *data, uint64_t size) +{ + uefi_vars_cert *c; + + QTAILQ_FOREACH(c, &siglist->x509, next) { + if (c->size !=3D size) { + continue; + } + if (memcmp(c->data, data, size) !=3D 0) { + continue; + } + return; + } + + c =3D g_malloc(sizeof(*c) + size); + c->owner =3D *owner; + c->size =3D size; + memcpy(c->data, data, size); + QTAILQ_INSERT_TAIL(&siglist->x509, c, next); +} + +/* + * Add sha256 hash to list (with duplicate check). + */ +static void uefi_vars_siglist_add_sha256(uefi_vars_siglist *siglist, + QemuUUID *owner, + void *data) +{ + uefi_vars_hash *h; + + QTAILQ_FOREACH(h, &siglist->sha256, next) { + if (memcmp(h->data, data, 32) !=3D 0) { + continue; + } + return; + } + + h =3D g_malloc(sizeof(*h) + 32); + h->owner =3D *owner; + memcpy(h->data, data, 32); + QTAILQ_INSERT_TAIL(&siglist->sha256, h, next); +} + +void uefi_vars_siglist_init(uefi_vars_siglist *siglist) +{ + memset(siglist, 0, sizeof(*siglist)); + QTAILQ_INIT(&siglist->x509); + QTAILQ_INIT(&siglist->sha256); +} + +void uefi_vars_siglist_free(uefi_vars_siglist *siglist) +{ + uefi_vars_cert *c, *cs; + uefi_vars_hash *h, *hs; + + QTAILQ_FOREACH_SAFE(c, &siglist->x509, next, cs) { + QTAILQ_REMOVE(&siglist->x509, c, next); + g_free(c); + } + QTAILQ_FOREACH_SAFE(h, &siglist->sha256, next, hs) { + QTAILQ_REMOVE(&siglist->sha256, h, next); + g_free(h); + } +} + +/* + * Parse UEFI signature list. + */ +void uefi_vars_siglist_parse(uefi_vars_siglist *siglist, + void *data, uint64_t size) +{ + efi_siglist *efilist; + uint64_t start; + + while (size) { + if (size < sizeof(*efilist)) { + break; + } + efilist =3D data; + if (size < efilist->siglist_size) { + break; + } + + if (uadd64_overflow(sizeof(*efilist), efilist->header_size, &start= )) { + break; + } + if (efilist->sig_size <=3D sizeof(QemuUUID)) { + break; + } + + if (qemu_uuid_is_equal(&efilist->guid_type, &EfiCertX509Guid)) { + if (start + efilist->sig_size !=3D efilist->siglist_size) { + break; + } + uefi_vars_siglist_add_x509(siglist, + (QemuUUID *)(data + start), + data + start + sizeof(QemuUUID), + efilist->sig_size - sizeof(QemuUUID= )); + + } else if (qemu_uuid_is_equal(&efilist->guid_type, &EfiCertSha256G= uid)) { + if (efilist->sig_size !=3D sizeof(QemuUUID) + 32) { + break; + } + if (start + efilist->sig_size > efilist->siglist_size) { + break; + } + while (start <=3D efilist->siglist_size - efilist->sig_size) { + uefi_vars_siglist_add_sha256(siglist, + (QemuUUID *)(data + start), + data + start + sizeof(QemuUUI= D)); + start +=3D efilist->sig_size; + } + + } else { + QemuUUID be =3D qemu_uuid_bswap(efilist->guid_type); + char *str_uuid =3D qemu_uuid_unparse_strdup(&be); + warn_report("%s: unknown type (%s)", __func__, str_uuid); + g_free(str_uuid); + } + + data +=3D efilist->siglist_size; + size -=3D efilist->siglist_size; + } +} + +uint64_t uefi_vars_siglist_blob_size(uefi_vars_siglist *siglist) +{ + uefi_vars_cert *c; + uefi_vars_hash *h; + uint64_t size =3D 0; + + QTAILQ_FOREACH(c, &siglist->x509, next) { + size +=3D sizeof(efi_siglist) + sizeof(QemuUUID) + c->size; + } + + if (!QTAILQ_EMPTY(&siglist->sha256)) { + size +=3D sizeof(efi_siglist); + QTAILQ_FOREACH(h, &siglist->sha256, next) { + size +=3D sizeof(QemuUUID) + 32; + } + } + + return size; +} + +/* + * Generate UEFI signature list. + */ +void uefi_vars_siglist_blob_generate(uefi_vars_siglist *siglist, + void *data, uint64_t size) +{ + uefi_vars_cert *c; + uefi_vars_hash *h; + efi_siglist *efilist; + uint64_t pos =3D 0, start; + uint32_t i; + + QTAILQ_FOREACH(c, &siglist->x509, next) { + efilist =3D data + pos; + efilist->guid_type =3D EfiCertX509Guid; + efilist->sig_size =3D sizeof(QemuUUID) + c->size; + efilist->header_size =3D 0; + + start =3D pos + sizeof(efi_siglist); + memcpy(data + start, + &c->owner, sizeof(QemuUUID)); + memcpy(data + start + sizeof(QemuUUID), + c->data, c->size); + + efilist->siglist_size =3D sizeof(efi_siglist) + efilist->sig_size; + pos +=3D efilist->siglist_size; + } + + if (!QTAILQ_EMPTY(&siglist->sha256)) { + efilist =3D data + pos; + efilist->guid_type =3D EfiCertSha256Guid; + efilist->sig_size =3D sizeof(QemuUUID) + 32; + efilist->header_size =3D 0; + + i =3D 0; + start =3D pos + sizeof(efi_siglist); + QTAILQ_FOREACH(h, &siglist->sha256, next) { + memcpy(data + start + efilist->sig_size * i, + &h->owner, sizeof(QemuUUID)); + memcpy(data + start + efilist->sig_size * i + sizeof(QemuUUID), + h->data, 32); + i++; + } + + efilist->siglist_size =3D sizeof(efi_siglist) + efilist->sig_size = * i; + pos +=3D efilist->siglist_size; + } + + assert(pos =3D=3D size); +} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092858; cv=none; d=zohomail.com; s=zohoarc; b=iCYT+oq4JR8Hos1KJqca/3+3p5Ik4K1VTvONijRL3vEj5zab8MS9E5KcgOsGpYnJL5UtJq2sBccc7MgqwISptjWJ8AF+I9FlOArs3A1JqkrfxKHtqDYlh/CZORC/sy8ByV7xidtSy75SSigYMvtrdDXtGOzdumjM4hXKhvDsVt0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092858; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=eSA53h4Tq1ld+EUgLayekMHRu0q1zKVUKG7i9WfYbL0=; b=TVSw3tBgTWGERErwTz5cpE77HPuTVbm6uvQmKe/T199xMi9pCDNS6GBf68HxE5CAFe1I8fncxni1sr//CE1iryzliEz+iUH7NDUQWV8pSIMQHFdQvIHRkAqZrqoG5nU/qtiBhI4fSii3tnEhXhB+Q4Im4rzUiCYfyA1+S/ptC8s= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092858485599.8764059796961; Tue, 4 Mar 2025 04:54:18 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRmR-0003dk-14; Tue, 04 Mar 2025 07:53:51 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhu-0004wl-Fc for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:13 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhr-0007VM-9S for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:09 -0500 Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-593-R3YktBr-NUe4Q2yq612kWw-1; Tue, 04 Mar 2025 07:48:48 -0500 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id E2F051800873; Tue, 4 Mar 2025 12:48:46 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id C565219560AA; Tue, 4 Mar 2025 12:48:45 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 2631818003BB; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092545; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=eSA53h4Tq1ld+EUgLayekMHRu0q1zKVUKG7i9WfYbL0=; b=fXFfBe1gLaz2JfJKjTBoQmY7MRyqnTW/H5sSER+kqwae0K/mpektldxF7QRuLR9RQNVxC+ xejJ4DMlu9QDyBakrNTQ4v8O8HqPEWEPD3Hpqyu2I0zrMWywfjTI6oy8tMvZFFAcCkfNJe kYQfHeDayFdP7VOwQEeW6y0cBdM1RUI= X-MC-Unique: R3YktBr-NUe4Q2yq612kWw-1 X-Mimecast-MFC-AGG-ID: R3YktBr-NUe4Q2yq612kWw_1741092527 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 14/24] hw/uefi: add var-service-json.c + qapi for NV vars. Date: Tue, 4 Mar 2025 13:48:02 +0100 Message-ID: <20250304124815.591749-15-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092860562019000 Content-Type: text/plain; charset="utf-8" Define qapi schema for the uefi variable store state. Use it and the generated visitor helper functions to store persistent (EFI_VARIABLE_NON_VOLATILE) variables in JSON format on disk. Acked-by: Markus Armbruster Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-15-kraxel@redhat.com> [ incremental fix squashed in ] Message-ID: --- hw/uefi/var-service-json.c | 243 +++++++++++++++++++++++++++++++++++++ qapi/meson.build | 1 + qapi/qapi-schema.json | 1 + qapi/uefi.json | 64 ++++++++++ 4 files changed, 309 insertions(+) create mode 100644 hw/uefi/var-service-json.c create mode 100644 qapi/uefi.json diff --git a/hw/uefi/var-service-json.c b/hw/uefi/var-service-json.c new file mode 100644 index 000000000000..761082c11fc1 --- /dev/null +++ b/hw/uefi/var-service-json.c @@ -0,0 +1,243 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - serialize non-volatile varstore from/to json, + * using qapi + * + * tools which can read/write these json files: + * - https://gitlab.com/kraxel/virt-firmware + * - https://github.com/awslabs/python-uefivars + */ +#include "qemu/osdep.h" +#include "qemu/cutils.h" +#include "qemu/error-report.h" +#include "system/dma.h" + +#include "hw/uefi/var-service.h" + +#include "qobject/qobject.h" +#include "qobject/qjson.h" + +#include "qapi/dealloc-visitor.h" +#include "qapi/qobject-input-visitor.h" +#include "qapi/qobject-output-visitor.h" +#include "qapi/qapi-types-uefi.h" +#include "qapi/qapi-visit-uefi.h" + +static char *generate_hexstr(void *data, size_t len) +{ + static const char hex[] =3D { + '0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', + }; + uint8_t *src =3D data; + char *dest; + size_t i; + + dest =3D g_malloc(len * 2 + 1); + for (i =3D 0; i < len * 2;) { + dest[i++] =3D hex[*src >> 4]; + dest[i++] =3D hex[*src & 15]; + src++; + } + dest[i++] =3D 0; + + return dest; +} + +static UefiVarStore *uefi_vars_to_qapi(uefi_vars_state *uv) +{ + UefiVarStore *vs; + UefiVariableList **tail; + UefiVariable *v; + QemuUUID be; + uefi_variable *var; + + vs =3D g_new0(UefiVarStore, 1); + vs->version =3D 2; + tail =3D &vs->variables; + + QTAILQ_FOREACH(var, &uv->variables, next) { + if (!(var->attributes & EFI_VARIABLE_NON_VOLATILE)) { + continue; + } + + v =3D g_new0(UefiVariable, 1); + be =3D qemu_uuid_bswap(var->guid); + v->guid =3D qemu_uuid_unparse_strdup(&be); + v->name =3D uefi_ucs2_to_ascii(var->name, var->name_size); + v->attr =3D var->attributes; + + v->data =3D generate_hexstr(var->data, var->data_size); + + if (var->attributes & + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) { + v->time =3D generate_hexstr(&var->time, sizeof(var->time)); + if (var->digest && var->digest_size) { + v->digest =3D generate_hexstr(var->digest, var->digest_siz= e); + } + } + + QAPI_LIST_APPEND(tail, v); + } + return vs; +} + +static unsigned parse_hexchar(char c) +{ + switch (c) { + case '0' ... '9': return c - '0'; + case 'a' ... 'f': return c - 'a' + 0xa; + case 'A' ... 'F': return c - 'A' + 0xA; + default: return 0; + } +} + +static void parse_hexstr(void *dest, char *src, int len) +{ + uint8_t *data =3D dest; + size_t i; + + for (i =3D 0; i < len; i +=3D 2) { + *(data++) =3D + parse_hexchar(src[i]) << 4 | + parse_hexchar(src[i + 1]); + } +} + +static void uefi_vars_from_qapi(uefi_vars_state *uv, UefiVarStore *vs) +{ + UefiVariableList *item; + UefiVariable *v; + QemuUUID be; + uefi_variable *var; + uint8_t *data; + size_t i, len; + + for (item =3D vs->variables; item !=3D NULL; item =3D item->next) { + v =3D item->value; + + var =3D g_new0(uefi_variable, 1); + var->attributes =3D v->attr; + qemu_uuid_parse(v->guid, &be); + var->guid =3D qemu_uuid_bswap(be); + + len =3D strlen(v->name); + var->name_size =3D len * 2 + 2; + var->name =3D g_malloc(var->name_size); + for (i =3D 0; i <=3D len; i++) { + var->name[i] =3D v->name[i]; + } + + len =3D strlen(v->data); + var->data_size =3D len / 2; + var->data =3D data =3D g_malloc(var->data_size); + parse_hexstr(var->data, v->data, len); + + if (v->time && strlen(v->time) =3D=3D 32) { + parse_hexstr(&var->time, v->time, 32); + } + + if (v->digest) { + len =3D strlen(v->digest); + var->digest_size =3D len / 2; + var->digest =3D g_malloc(var->digest_size); + parse_hexstr(var->digest, v->digest, len); + } + + QTAILQ_INSERT_TAIL(&uv->variables, var, next); + } +} + +static GString *uefi_vars_to_json(uefi_vars_state *uv) +{ + UefiVarStore *vs =3D uefi_vars_to_qapi(uv); + QObject *qobj =3D NULL; + Visitor *v; + GString *gstr; + + v =3D qobject_output_visitor_new(&qobj); + if (visit_type_UefiVarStore(v, NULL, &vs, NULL)) { + visit_complete(v, &qobj); + } + visit_free(v); + qapi_free_UefiVarStore(vs); + + gstr =3D qobject_to_json_pretty(qobj, true); + qobject_unref(qobj); + + return gstr; +} + +void uefi_vars_json_init(uefi_vars_state *uv, Error **errp) +{ + if (uv->jsonfile) { + uv->jsonfd =3D qemu_create(uv->jsonfile, O_RDWR, 0666, errp); + } +} + +void uefi_vars_json_save(uefi_vars_state *uv) +{ + GString *gstr; + int rc; + + if (uv->jsonfd =3D=3D -1) { + return; + } + + gstr =3D uefi_vars_to_json(uv); + + lseek(uv->jsonfd, 0, SEEK_SET); + rc =3D ftruncate(uv->jsonfd, 0); + if (rc !=3D 0) { + warn_report("%s: ftruncate error", __func__); + } + rc =3D write(uv->jsonfd, gstr->str, gstr->len); + if (rc !=3D gstr->len) { + warn_report("%s: write error", __func__); + } + fsync(uv->jsonfd); + + g_string_free(gstr, true); +} + +void uefi_vars_json_load(uefi_vars_state *uv, Error **errp) +{ + UefiVarStore *vs; + QObject *qobj; + Visitor *v; + char *str; + size_t len; + int rc; + + if (uv->jsonfd =3D=3D -1) { + return; + } + + len =3D lseek(uv->jsonfd, 0, SEEK_END); + if (len =3D=3D 0) { + return; + } + + str =3D g_malloc(len + 1); + lseek(uv->jsonfd, 0, SEEK_SET); + rc =3D read(uv->jsonfd, str, len); + if (rc !=3D len) { + warn_report("%s: read error", __func__); + } + str[len] =3D 0; + + qobj =3D qobject_from_json(str, errp); + v =3D qobject_input_visitor_new(qobj); + visit_type_UefiVarStore(v, NULL, &vs, errp); + visit_free(v); + + if (!(*errp)) { + uefi_vars_from_qapi(uv, vs); + uefi_vars_update_storage(uv); + } + + qapi_free_UefiVarStore(vs); + qobject_unref(qobj); + g_free(str); +} diff --git a/qapi/meson.build b/qapi/meson.build index e7bc54e5d047..eadde4db307f 100644 --- a/qapi/meson.build +++ b/qapi/meson.build @@ -65,6 +65,7 @@ if have_system 'pci', 'rocker', 'tpm', + 'uefi', ] endif if have_system or have_tools diff --git a/qapi/qapi-schema.json b/qapi/qapi-schema.json index b1581988e4eb..2877aff73d0c 100644 --- a/qapi/qapi-schema.json +++ b/qapi/qapi-schema.json @@ -81,3 +81,4 @@ { 'include': 'vfio.json' } { 'include': 'cryptodev.json' } { 'include': 'cxl.json' } +{ 'include': 'uefi.json' } diff --git a/qapi/uefi.json b/qapi/uefi.json new file mode 100644 index 000000000000..bdfcabe1df4d --- /dev/null +++ b/qapi/uefi.json @@ -0,0 +1,64 @@ +# -*- Mode: Python -*- +# vim: filetype=3Dpython +# + +## +# =3D UEFI Variable Store +# +# The qemu efi variable store implementation (hw/uefi/) uses this to +# store non-volatile variables in json format on disk. +# +# This is an existing format already supported by (at least) two other +# projects, specifically https://gitlab.com/kraxel/virt-firmware and +# https://github.com/awslabs/python-uefivars. +## + +## +# @UefiVariable: +# +# UEFI Variable. Check the UEFI specifification for more detailed +# information on the fields. +# +# @guid: variable namespace GUID +# +# @name: variable name, in UTF-8 encoding. +# +# @attr: variable attributes. +# +# @data: variable value, encoded as hex string. +# +# @time: variable modification time. EFI_TIME struct, encoded as hex +# string. Used only for authenticated variables, where the +# EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute bit +# is set. +# +# @digest: variable certificate digest. Used to verify the signature +# of updates for authenticated variables. UEFI has two kinds of +# authenticated variables. The secure boot variables ('PK', +# 'KEK', 'db' and 'dbx') have hard coded signature checking rules. +# For other authenticated variables the firmware stores a digest +# of the signing certificate at variable creation time, and any +# updates must be signed with the same certificate. +# +# Since: 10.0 +## +{ 'struct' : 'UefiVariable', + 'data' : { 'guid' : 'str', + 'name' : 'str', + 'attr' : 'int', + 'data' : 'str', + '*time' : 'str', + '*digest' : 'str'}} + +## +# @UefiVarStore: +# +# @version: currently always 2 +# +# @variables: list of UEFI variables +# +# Since: 10.0 +## +{ 'struct' : 'UefiVarStore', + 'data' : { 'version' : 'int', + 'variables' : [ 'UefiVariable' ] }} --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092858; cv=none; d=zohomail.com; s=zohoarc; b=PK4W/jHzIZrNiMrpKXAdIjSQ+oj+Y/v9s1JDXxtPS4tCIMCmtCJm/Ppc3nNlgHM/uUf0bEpAsBn9qxgQQBS5LLffvFRSNIeXnPfoqtSLm6vI8YkqzHr6eCs2hCIBX7Yznater4Aq8bp52RrO1qMZB3i4WHuCyzSLN0D0RzFcJwk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092858; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=3qeXiKKN9mN2MvQuP0cwS67dllhWH2AESVU9x5DwHPk=; b=gDwQgH804g1CKcVYYlnPTLudKdBcuZsjfKTynEIITHOeP8m8Px8pnj0LINpmZI8/7ZIaK5ynojnlpoasZPiCis6wpXuEWn7K/NIFinhutUy30id6kJvpKt1b8KgD02E+K/noztrsfPiUxEG6VdXQYsWqFmb3FKXpzbsvqmSV2Wg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092858535372.9854736643805; Tue, 4 Mar 2025 04:54:18 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRjJ-00071y-Kt; Tue, 04 Mar 2025 07:50:38 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhh-0004t0-IK for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:57 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhg-0006uK-0H for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:57 -0500 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-437-No_hiDLhNKigmvXSDToysg-1; Tue, 04 Mar 2025 07:48:47 -0500 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A0ABF1954201; Tue, 4 Mar 2025 12:48:45 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 9A2001954B00; Tue, 4 Mar 2025 12:48:44 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 34E151800603; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092535; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3qeXiKKN9mN2MvQuP0cwS67dllhWH2AESVU9x5DwHPk=; b=iIP18KbNNGm8aaCVflvhFgZ7SEo5ZXjWD5UtdeDT6r6BSQV17rp06/bqddsicqzNyVD1Vd IStZTZqsT8BvbjfAqHtthSrjXuHtsjQH3CNWVWOb+kXFzVOLY3M89/VzywwqA9yH086RUP dJgT8xJZP+z5MffmKweJ3G/qcZ2WKCc= X-MC-Unique: No_hiDLhNKigmvXSDToysg-1 X-Mimecast-MFC-AGG-ID: No_hiDLhNKigmvXSDToysg_1741092525 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 15/24] hw/uefi: add trace-events Date: Tue, 4 Mar 2025 13:48:03 +0100 Message-ID: <20250304124815.591749-16-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092860578019000 Content-Type: text/plain; charset="utf-8" Add trace events for debugging and trouble shooting. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-16-kraxel@redhat.com> --- hw/uefi/trace-events | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 hw/uefi/trace-events diff --git a/hw/uefi/trace-events b/hw/uefi/trace-events new file mode 100644 index 000000000000..3694712a946d --- /dev/null +++ b/hw/uefi/trace-events @@ -0,0 +1,17 @@ +# device +uefi_reg_read(uint64_t addr, unsigned size) "addr 0x%" PRIx64 ", size %u" +uefi_reg_write(uint64_t addr, uint64_t val, unsigned size) "addr 0x%" PRIx= 64 ", val 0x%" PRIx64 ", size %d" +uefi_hard_reset(void) "" + +# generic uefi +uefi_variable(const char *context, const char *name, uint64_t size, const = char *uuid) "context %s, name %s, size %" PRIu64 ", uuid %s" +uefi_status(const char *context, const char *name) "context %s, status %s" +uefi_event(const char *name) "event %s" + +# variable protocol +uefi_vars_proto_cmd(const char *cmd) "cmd %s" +uefi_vars_security_violation(const char *reason) "reason %s" + +# variable policy protocol +uefi_vars_policy_cmd(const char *cmd) "cmd %s" +uefi_vars_policy_deny(const char *reason) "reason %s" --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092693; cv=none; d=zohomail.com; s=zohoarc; b=GBhyEOr5P6uQ6Js7Dnvw3DL5bVLkyb+SATkw7tXxMkUtPQ8w58cG+6godRxqssa+QPCStJbRqZAUvxjOU9M4Q+ZoRr0ihVcFXbQ0Y+8km8Ks/7GVTRKtddO4vlq+zbyuPVfsKNa2iHwNsY9i3wMTqDuSD4x+ZFheVtCmdNX2K6c= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092693; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=mvD6ERtdNZvA+ha9/RWDeUr8FDIVyFXGhPtG732HzTI=; b=HHIqnRH3BshmD3flmk8ezEsu/pEbcAogSU9EFcYu4cLne8UGrO6EGp2XQG3ePkDAkg5bSGNcFkABQmNUpf7BOcXABH6WsFiaEIISJAD9NsBVb35qaVa1ZDD1uiyzTkRNhZq0omvI2MZEgIgtLtMLYF0wN9+EPaCHpY4tqp0zQaQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092693684798.8245401011086; Tue, 4 Mar 2025 04:51:33 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRjZ-000872-GO; Tue, 04 Mar 2025 07:50:54 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRho-0004us-AO for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:05 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhm-0007KW-NE for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:04 -0500 Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-586-5jMaWxRtPSmzp6Eh4lSCrg-1; Tue, 04 Mar 2025 07:48:50 -0500 Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id EB269180087C; Tue, 4 Mar 2025 12:48:48 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 381B519560AB; Tue, 4 Mar 2025 12:48:48 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 460F61800604; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092542; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mvD6ERtdNZvA+ha9/RWDeUr8FDIVyFXGhPtG732HzTI=; b=TGqtjhpW2bNUp+CcVWhfOlqtHXjapAG5mJ1ZTLMNw/DjpaSKxF8X6u8B7NWaItbyWOdHMx bwjlyktPZnESCt6zPlb0MomaPvL+caw/5SKFJM1OLN6gGu86RJI9aGuBkFWWXhZuZ5luw2 bOxZzoDAETqTvFQwChrndATyuqkKswo= X-MC-Unique: 5jMaWxRtPSmzp6Eh4lSCrg-1 X-Mimecast-MFC-AGG-ID: 5jMaWxRtPSmzp6Eh4lSCrg_1741092529 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 16/24] hw/uefi: add UEFI_VARS to Kconfig Date: Tue, 4 Mar 2025 13:48:04 +0100 Message-ID: <20250304124815.591749-17-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092694935019100 Content-Type: text/plain; charset="utf-8" Add UEFI_VARS config option, enable by default for x86_64 and aarch64. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-17-kraxel@redhat.com> --- hw/Kconfig | 1 + hw/uefi/Kconfig | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 hw/uefi/Kconfig diff --git a/hw/Kconfig b/hw/Kconfig index 1b4e9bb07f7d..c4dfe2e7af7c 100644 --- a/hw/Kconfig +++ b/hw/Kconfig @@ -37,6 +37,7 @@ source smbios/Kconfig source ssi/Kconfig source timer/Kconfig source tpm/Kconfig +source uefi/Kconfig source ufs/Kconfig source usb/Kconfig source virtio/Kconfig diff --git a/hw/uefi/Kconfig b/hw/uefi/Kconfig new file mode 100644 index 000000000000..ca6c2bc46a96 --- /dev/null +++ b/hw/uefi/Kconfig @@ -0,0 +1,3 @@ +config UEFI_VARS + bool + default y if X86_64 || AARCH64 --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092884; cv=none; d=zohomail.com; s=zohoarc; b=QCfZDsDYthHSRgwRJGm3SWzlbaR0g7jlq36ME2QJQvjbfnTb+CeKeMVWTu99j2TEAyRsJmCsHQdyfTADWbDcETvbOjBJdQ6fGFILl6jLMNHNJXcLWPwwhhtRxgxhVpHIiyz3SmYW0blXyv7HZx2hPg0Ev1+T1XtugpBW9jfGAK4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092884; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=UH+gxr284seD1s6rKwaAfaRG6h2gEVK2XY5pxCJ+vbU=; b=iHJtou1xcPkTmxjourSiCSoM+o/0UY+/sJ+qRsNjIP1WZmG344YZycEVEUVNg7BAGhnMbALAIA+NlQeQZTg6mFnmnwcaqHU4lyqZWla/ALeffiMwLUxMdSg86xoYitpq7CQZlBgIj3OY7UOVyql6UB0EWOQKmLMexgS1Dc8rhCk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 174109288432984.6067534790476; Tue, 4 Mar 2025 04:54:44 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRih-0005qP-EE; Tue, 04 Mar 2025 07:49:59 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhh-0004t6-Vq for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:58 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhg-0006uO-Cg for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:48:57 -0500 Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-414-113AWx1yMaCdY1yyN-bLrg-1; Tue, 04 Mar 2025 07:48:52 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8F7C7193585F; Tue, 4 Mar 2025 12:48:50 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 4D29D180087C; Tue, 4 Mar 2025 12:48:49 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 5A44D1800605; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092535; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UH+gxr284seD1s6rKwaAfaRG6h2gEVK2XY5pxCJ+vbU=; b=eF9nf9eF8IAmv3a3ymuM218B8P0LLAkEIQXk7ua4mmmORZ+hR94zSbcQfv65uTClGO+KuH Ojj236Os0rwkaxKMgyt8AqAswlMQ6WCZleHX5KpEeJnjvx7wXjdcqFhnFC9gw77fKUueg8 aM1zDSFmphj7DYoA2g6QAWn0x7ZTD80= X-MC-Unique: 113AWx1yMaCdY1yyN-bLrg-1 X-Mimecast-MFC-AGG-ID: 113AWx1yMaCdY1yyN-bLrg_1741092530 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 17/24] hw/uefi: add to meson Date: Tue, 4 Mar 2025 13:48:05 +0100 Message-ID: <20250304124815.591749-18-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092885693019100 Content-Type: text/plain; charset="utf-8" Wire up uefi-vars in the build system. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-18-kraxel@redhat.com> --- hw/meson.build | 1 + hw/uefi/meson.build | 19 +++++++++++++++++++ meson.build | 1 + 3 files changed, 21 insertions(+) diff --git a/hw/meson.build b/hw/meson.build index b827c82c5d7b..138f5d59e178 100644 --- a/hw/meson.build +++ b/hw/meson.build @@ -35,6 +35,7 @@ subdir('smbios') subdir('ssi') subdir('timer') subdir('tpm') +subdir('uefi') subdir('ufs') subdir('usb') subdir('vfio') diff --git a/hw/uefi/meson.build b/hw/uefi/meson.build index a8b168941255..e63708aa164f 100644 --- a/hw/uefi/meson.build +++ b/hw/uefi/meson.build @@ -1 +1,20 @@ system_ss.add(files('hardware-info.c')) + +uefi_vars_ss =3D ss.source_set() +if (config_all_devices.has_key('CONFIG_UEFI_VARS')) + uefi_vars_ss.add(files('var-service-core.c', + 'var-service-json.c', + 'var-service-vars.c', + 'var-service-auth.c', + 'var-service-guid.c', + 'var-service-utils.c', + 'var-service-policy.c')) + uefi_vars_ss.add(when: gnutls, + if_true: files('var-service-pkcs7.c'), + if_false: files('var-service-pkcs7-stub.c')) + uefi_vars_ss.add(files('var-service-siglist.c')) +endif + +modules +=3D { 'hw-uefi' : { + 'vars' : uefi_vars_ss, +}} diff --git a/meson.build b/meson.build index 0a2c61d2bfa0..1c1982dac3b0 100644 --- a/meson.build +++ b/meson.build @@ -3601,6 +3601,7 @@ if have_system 'hw/ssi', 'hw/timer', 'hw/tpm', + 'hw/uefi', 'hw/ufs', 'hw/usb', 'hw/vfio', --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092840; cv=none; d=zohomail.com; s=zohoarc; b=drZREhHc8Qp9POUkcVVNeRlqwE5o8UIZ+fPcfnSkV5dFZph0fmcDUK44X2u3kkOUYsNyral/mD9DbXvvHO4gQt73/776SjxkXf9uidsb8k6h+iH4moJtNl269Lxq52T25+/+IXQToMX6zJ9PTFD+dZzXRtOa/7LtLARl5dz6Y2U= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092840; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=e2u9omNZBitCXUqKxUNmPV8npW4CggDgtLN2KruyGkQ=; b=YQgMeQvX/ouXVlqly+Qy/1Fr5wKVD/YR1lQpVU7Py0/zWRgZToc1Q6uHc9kcICta7jnsjOWq6CNQKONKi+51ihHbXFN9Rbt324aHLUhpvmClf7bNTyS1haXGljG0evF6DDWCDbmLHXHvylu18XS4RDoYgQq1OA4e/uzh0JjnTdo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092840956249.00785550357773; Tue, 4 Mar 2025 04:54:00 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRjP-0007dN-NJ; Tue, 04 Mar 2025 07:50:44 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhk-0004tX-OJ for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:00 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhi-00074P-Oi for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:00 -0500 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-401-W4DTbsqDPQelac5JlWY1JA-1; Tue, 04 Mar 2025 07:48:54 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id D7A001954201; Tue, 4 Mar 2025 12:48:52 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 89B15180087C; Tue, 4 Mar 2025 12:48:51 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 70E3B1800607; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092538; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=e2u9omNZBitCXUqKxUNmPV8npW4CggDgtLN2KruyGkQ=; b=M7KVrNn/PbyVY8yYYjIrTiA1j7fIDYtkIviCtg3yFUlyZPflKfQUJ1Cmreq1XkNTQdzcNU 9hl3vcxkmza7g73VW9icwALJ6Nhh8xWWsN49NeC4gPU3JnZ2AjNbhfd6JdYLM5nZWuMgey 9hWoN769WChEMiXznyn7Bjnk6pI3z+c= X-MC-Unique: W4DTbsqDPQelac5JlWY1JA-1 X-Mimecast-MFC-AGG-ID: W4DTbsqDPQelac5JlWY1JA_1741092533 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 18/24] hw/uefi: add uefi-vars-sysbus device Date: Tue, 4 Mar 2025 13:48:06 +0100 Message-ID: <20250304124815.591749-19-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092843280019100 Content-Type: text/plain; charset="utf-8" This adds sysbus bindings for the variable service. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-19-kraxel@redhat.com> --- hw/uefi/var-service-sysbus.c | 91 ++++++++++++++++++++++++++++++++++++ hw/uefi/meson.build | 3 +- 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 hw/uefi/var-service-sysbus.c diff --git a/hw/uefi/var-service-sysbus.c b/hw/uefi/var-service-sysbus.c new file mode 100644 index 000000000000..60072c8815cd --- /dev/null +++ b/hw/uefi/var-service-sysbus.c @@ -0,0 +1,91 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * uefi vars device - sysbus variant. + */ +#include "qemu/osdep.h" +#include "migration/vmstate.h" + +#include "hw/qdev-properties.h" +#include "hw/sysbus.h" + +#include "hw/uefi/var-service.h" +#include "hw/uefi/var-service-api.h" + +OBJECT_DECLARE_SIMPLE_TYPE(uefi_vars_sysbus_state, UEFI_VARS_SYSBUS) + +struct uefi_vars_sysbus_state { + SysBusDevice parent_obj; + struct uefi_vars_state state; +}; + +static const VMStateDescription vmstate_uefi_vars_sysbus =3D { + .name =3D TYPE_UEFI_VARS_SYSBUS, + .fields =3D (VMStateField[]) { + VMSTATE_STRUCT(state, uefi_vars_sysbus_state, 0, + vmstate_uefi_vars, uefi_vars_state), + VMSTATE_END_OF_LIST() + } +}; + +static const Property uefi_vars_sysbus_properties[] =3D { + DEFINE_PROP_SIZE("size", uefi_vars_sysbus_state, state.max_storage, + 256 * 1024), + DEFINE_PROP_STRING("jsonfile", uefi_vars_sysbus_state, state.jsonfile), + DEFINE_PROP_BOOL("force-secure-boot", uefi_vars_sysbus_state, + state.force_secure_boot, false), + DEFINE_PROP_BOOL("disable-custom-mode", uefi_vars_sysbus_state, + state.disable_custom_mode, false), + DEFINE_PROP_BOOL("use-pio", uefi_vars_sysbus_state, + state.use_pio, false), +}; + +static void uefi_vars_sysbus_init(Object *obj) +{ + uefi_vars_sysbus_state *uv =3D UEFI_VARS_SYSBUS(obj); + + uefi_vars_init(obj, &uv->state); +} + +static void uefi_vars_sysbus_reset(DeviceState *dev) +{ + uefi_vars_sysbus_state *uv =3D UEFI_VARS_SYSBUS(dev); + + uefi_vars_hard_reset(&uv->state); +} + +static void uefi_vars_sysbus_realize(DeviceState *dev, Error **errp) +{ + uefi_vars_sysbus_state *uv =3D UEFI_VARS_SYSBUS(dev); + SysBusDevice *sysbus =3D SYS_BUS_DEVICE(dev); + + sysbus_init_mmio(sysbus, &uv->state.mr); + uefi_vars_realize(&uv->state, errp); +} + +static void uefi_vars_sysbus_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc =3D DEVICE_CLASS(klass); + + dc->realize =3D uefi_vars_sysbus_realize; + dc->vmsd =3D &vmstate_uefi_vars_sysbus; + device_class_set_legacy_reset(dc, uefi_vars_sysbus_reset); + device_class_set_props(dc, uefi_vars_sysbus_properties); + set_bit(DEVICE_CATEGORY_MISC, dc->categories); +} + +static const TypeInfo uefi_vars_sysbus_info =3D { + .name =3D TYPE_UEFI_VARS_SYSBUS, + .parent =3D TYPE_SYS_BUS_DEVICE, + .instance_size =3D sizeof(uefi_vars_sysbus_state), + .instance_init =3D uefi_vars_sysbus_init, + .class_init =3D uefi_vars_sysbus_class_init, +}; +module_obj(TYPE_UEFI_VARS_SYSBUS); + +static void uefi_vars_sysbus_register_types(void) +{ + type_register_static(&uefi_vars_sysbus_info); +} + +type_init(uefi_vars_sysbus_register_types) diff --git a/hw/uefi/meson.build b/hw/uefi/meson.build index e63708aa164f..91eb95f89e6d 100644 --- a/hw/uefi/meson.build +++ b/hw/uefi/meson.build @@ -8,7 +8,8 @@ if (config_all_devices.has_key('CONFIG_UEFI_VARS')) 'var-service-auth.c', 'var-service-guid.c', 'var-service-utils.c', - 'var-service-policy.c')) + 'var-service-policy.c', + 'var-service-sysbus.c')) uefi_vars_ss.add(when: gnutls, if_true: files('var-service-pkcs7.c'), if_false: files('var-service-pkcs7-stub.c')) --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092737; cv=none; d=zohomail.com; s=zohoarc; b=A20zlUR3/S6AVapjrK+O86oZLB4i58LL03pz6LxMtV0l1o2j5WC5xKqxNu+wnzxvus+M+6DZkSdh8FxqfscLw8BVFkMky7j5FQLB5WUWVyTEqxjQ5j4hwDN+nh8SkMgimCLwJLXGn6zjGViNySHQHQJdz0LcTkkDzZqdyBW41Ds= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092737; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=SAdiIJiUwrj5gQVF9Cv0rcwpZOldLe7N7G1jvU/ZJZw=; b=il2RiK3Qq35p0KysIGskqm2QKJxl2NMXZxlMywH4lqp7/LFLygzGcrUssNRP7q5hzbGARd4GhyfjsQzKQkLi3fFWzKYxbFbMtvbH201ri+NkhKV3NuBJE3BUUII6JjdoAq/V75BUkyczK9UAOoRkp/Pj6QRnsFBqLmPajwkdgzY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092737497229.64409347616424; Tue, 4 Mar 2025 04:52:17 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRjJ-00070e-7M; Tue, 04 Mar 2025 07:50:37 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhu-0004wo-GM for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:13 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhs-0007Y8-Fw for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:09 -0500 Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-633-G8FJ5tHHNliirB2-PViYjQ-1; Tue, 04 Mar 2025 07:48:54 -0500 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 26E041800264; Tue, 4 Mar 2025 12:48:53 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id D010C1800361; Tue, 4 Mar 2025 12:48:52 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 824A81800609; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092547; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SAdiIJiUwrj5gQVF9Cv0rcwpZOldLe7N7G1jvU/ZJZw=; b=PLgP4LFgcdJtJPnspT4sCeLjnKDhf4ErGBmJ8NJsL9Rs4zjKQfI9iKnSd9gKHCIHBJRyQA hss+aoUs1R0La0VOV0nbNChDGbT7ZeWQ82Y5JdLgFkPvHW1e3EjX0c/3k/8zKn56zcVrkP GtwM/79lphFU3w5TLOP5qXwLDAKd25U= X-MC-Unique: G8FJ5tHHNliirB2-PViYjQ-1 X-Mimecast-MFC-AGG-ID: G8FJ5tHHNliirB2-PViYjQ_1741092533 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 19/24] hw/uefi-vars-sysbus: qemu platform bus support Date: Tue, 4 Mar 2025 13:48:07 +0100 Message-ID: <20250304124815.591749-20-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092738452019000 Content-Type: text/plain; charset="utf-8" Add and register function to create an device tree entry when the device is added to the qemu platform bus. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-20-kraxel@redhat.com> --- hw/core/sysbus-fdt.c | 24 ++++++++++++++++++++++++ hw/uefi/var-service-sysbus.c | 1 + 2 files changed, 25 insertions(+) diff --git a/hw/core/sysbus-fdt.c b/hw/core/sysbus-fdt.c index 774c0aed41b5..e85066b90563 100644 --- a/hw/core/sysbus-fdt.c +++ b/hw/core/sysbus-fdt.c @@ -36,6 +36,7 @@ #include "hw/vfio/vfio-calxeda-xgmac.h" #include "hw/vfio/vfio-amd-xgbe.h" #include "hw/display/ramfb.h" +#include "hw/uefi/var-service-api.h" #include "hw/arm/fdt.h" =20 /* @@ -471,6 +472,28 @@ static int add_tpm_tis_fdt_node(SysBusDevice *sbdev, v= oid *opaque) } #endif =20 +static int add_uefi_vars_node(SysBusDevice *sbdev, void *opaque) +{ + PlatformBusFDTData *data =3D opaque; + PlatformBusDevice *pbus =3D data->pbus; + const char *parent_node =3D data->pbus_node_name; + void *fdt =3D data->fdt; + uint64_t mmio_base; + char *nodename; + + mmio_base =3D platform_bus_get_mmio_addr(pbus, sbdev, 0); + nodename =3D g_strdup_printf("%s/%s@%" PRIx64, parent_node, + UEFI_VARS_FDT_NODE, mmio_base); + qemu_fdt_add_subnode(fdt, nodename); + qemu_fdt_setprop_string(fdt, nodename, + "compatible", UEFI_VARS_FDT_COMPAT); + qemu_fdt_setprop_sized_cells(fdt, nodename, "reg", + 1, mmio_base, + 1, UEFI_VARS_REGS_SIZE); + g_free(nodename); + return 0; +} + static int no_fdt_node(SysBusDevice *sbdev, void *opaque) { return 0; @@ -495,6 +518,7 @@ static const BindingEntry bindings[] =3D { TYPE_BINDING(TYPE_TPM_TIS_SYSBUS, add_tpm_tis_fdt_node), #endif TYPE_BINDING(TYPE_RAMFB_DEVICE, no_fdt_node), + TYPE_BINDING(TYPE_UEFI_VARS_SYSBUS, add_uefi_vars_node), TYPE_BINDING("", NULL), /* last element */ }; =20 diff --git a/hw/uefi/var-service-sysbus.c b/hw/uefi/var-service-sysbus.c index 60072c8815cd..28572981c2af 100644 --- a/hw/uefi/var-service-sysbus.c +++ b/hw/uefi/var-service-sysbus.c @@ -69,6 +69,7 @@ static void uefi_vars_sysbus_class_init(ObjectClass *klas= s, void *data) =20 dc->realize =3D uefi_vars_sysbus_realize; dc->vmsd =3D &vmstate_uefi_vars_sysbus; + dc->user_creatable =3D true; device_class_set_legacy_reset(dc, uefi_vars_sysbus_reset); device_class_set_props(dc, uefi_vars_sysbus_properties); set_bit(DEVICE_CATEGORY_MISC, dc->categories); --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741093125; cv=none; d=zohomail.com; s=zohoarc; b=Nwq+pkXOmrJOzOAy+CbxPzF9G/Wa0y6MJhqErEIy1IxIiEufGqwq2OaKh7TBA1yFLAMgiGVhQwydjjyFQHl6k0zqnGuPpaxo5N/gQr9S6Jh89ST3gdeXAdRlxU85FJRDoSitYURJ6+Getz73VLe37Ac8a7Y2Os8UHqusNJ3GUWU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741093125; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=WCfTLGK5BCPPyuAOyalwI7XVH4IGkc4LkKHa1QF2XYI=; b=TtI5wXnBIhnZSRM7MbQgeVD38BU/xedZELpEbWNd0rUqZob4KVQZqEIcVwAuwq+svTA69dU6GF/XiN5DoMsKvzniYmgf9DInX8WFmKJjz0sJHlvk35ugDPk4FdJB4T4RZTIS6zXtx8cU4bflp3MiML1YGVUh7OQzlAf1vi8YrRk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741093125227131.09362656534427; Tue, 4 Mar 2025 04:58:45 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRki-0001Kh-U0; Tue, 04 Mar 2025 07:52:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhq-0004vU-1A for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:07 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhm-0007Ka-Ui for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:05 -0500 Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-137-E2cBlXwAMnGUepkLmjbCdg-1; Tue, 04 Mar 2025 07:48:58 -0500 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 964F11944D01; Tue, 4 Mar 2025 12:48:56 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 2004819560AA; Tue, 4 Mar 2025 12:48:56 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 91455180060A; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092542; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WCfTLGK5BCPPyuAOyalwI7XVH4IGkc4LkKHa1QF2XYI=; b=PgIdhtMN/S5bEE+AFAlpMFOg9AOPAuraHapvfL9UJEtoMv61uTUsU72GHjMRstxkQ8SfvA DmB0zbcDrBPhyTU6E9JPmLYN4x1IxFTWLwDG3phfjkJ3a6DU1x4LOEjpx0U7tDi4V8mNsJ qN9svjkMMYs1f6qNwJm3km76Ch2BYMM= X-MC-Unique: E2cBlXwAMnGUepkLmjbCdg-1 X-Mimecast-MFC-AGG-ID: E2cBlXwAMnGUepkLmjbCdg_1741092536 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 20/24] hw/uefi-vars-sysbus: add x64 variant Date: Tue, 4 Mar 2025 13:48:08 +0100 Message-ID: <20250304124815.591749-21-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741093127432019000 Content-Type: text/plain; charset="utf-8" The x86 variant of the device is mapped on the fixed address 0xfef10000 and uses etc/hardware-info instead of FDT to pass the mapping location to the edk2 firmware. The latter allows to move the device to a different location should that turn out to be necessary in the future. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-21-kraxel@redhat.com> --- hw/uefi/var-service-sysbus.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/hw/uefi/var-service-sysbus.c b/hw/uefi/var-service-sysbus.c index 28572981c2af..97da8672ee95 100644 --- a/hw/uefi/var-service-sysbus.c +++ b/hw/uefi/var-service-sysbus.c @@ -9,6 +9,7 @@ #include "hw/qdev-properties.h" #include "hw/sysbus.h" =20 +#include "hw/uefi/hardware-info.h" #include "hw/uefi/var-service.h" #include "hw/uefi/var-service-api.h" =20 @@ -75,6 +76,7 @@ static void uefi_vars_sysbus_class_init(ObjectClass *klas= s, void *data) set_bit(DEVICE_CATEGORY_MISC, dc->categories); } =20 +/* generic: hardware discovery via FDT */ static const TypeInfo uefi_vars_sysbus_info =3D { .name =3D TYPE_UEFI_VARS_SYSBUS, .parent =3D TYPE_SYS_BUS_DEVICE, @@ -84,9 +86,39 @@ static const TypeInfo uefi_vars_sysbus_info =3D { }; module_obj(TYPE_UEFI_VARS_SYSBUS); =20 +static void uefi_vars_x64_realize(DeviceState *dev, Error **errp) +{ + HARDWARE_INFO_SIMPLE_DEVICE hwinfo =3D { + .mmio_address =3D cpu_to_le64(0xfef10000), + }; + SysBusDevice *sysbus =3D SYS_BUS_DEVICE(dev); + + uefi_vars_sysbus_realize(dev, errp); + + hardware_info_register(HardwareInfoQemuUefiVars, + &hwinfo, sizeof(hwinfo)); + sysbus_mmio_map(sysbus, 0, hwinfo.mmio_address); +} + +static void uefi_vars_x64_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc =3D DEVICE_CLASS(klass); + + dc->realize =3D uefi_vars_x64_realize; +} + +/* x64: hardware discovery via etc/hardware-info fw_cfg */ +static const TypeInfo uefi_vars_x64_info =3D { + .name =3D TYPE_UEFI_VARS_X64, + .parent =3D TYPE_UEFI_VARS_SYSBUS, + .class_init =3D uefi_vars_x64_class_init, +}; +module_obj(TYPE_UEFI_VARS_X64); + static void uefi_vars_sysbus_register_types(void) { type_register_static(&uefi_vars_sysbus_info); + type_register_static(&uefi_vars_x64_info); } =20 type_init(uefi_vars_sysbus_register_types) --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092837; cv=none; d=zohomail.com; s=zohoarc; b=lajDfpjPsLRRmi9NBZyrcSSQOA5p4V2tj4bnx1A9FOXjp+cKf17ErLZw702mzw2p9d0C0hzb379zr5306t9PS1dH15cJFfxGt53W8HtdawJHIZGqWtfzGy+HSbIgJNfdhBHzNh10UMInEWYtdeUIIW/M1gKaI+yF44B196SwxXI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092837; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=mUBOE9OT+pY4tCy5GFBKI+k5VNKGF2elTDpalQAv3lI=; b=l2ha4Gj8DFceOInwW7/pbAXbVVVYL75zV73PaSyPaRyIxMRJdRMiy+3CWpAt48gNtwwKvQXl/NDW/mEGErYRQsf5P/j1PWW+SuyWC5zzEydIJczqFEcVIcqJGGcVsnlm8kdvvGeOnx029yK3bEx6XmOeDtyP7Vb3B+KT/p4QfDo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092837637347.02588848240214; Tue, 4 Mar 2025 04:53:57 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRih-0005pY-Cr; Tue, 04 Mar 2025 07:49:59 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhp-0004vR-NA for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:07 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhm-0007KO-Ny for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:05 -0500 Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-681-4s8HRx6YN0qQWL9hTwBEGg-1; Tue, 04 Mar 2025 07:48:57 -0500 Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id D9C781800877; Tue, 4 Mar 2025 12:48:55 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 81C6819560AB; Tue, 4 Mar 2025 12:48:55 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id A01D6180060B; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092541; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mUBOE9OT+pY4tCy5GFBKI+k5VNKGF2elTDpalQAv3lI=; b=Iapz+g3+OowvCuWMoN/WyKZP9HzglCjPoRAvkv2eRKkRjLGxNuCQkjcdqS/4NQMEsEJ8Io uWwzi7iIZvzyztOc67IRqLmYzaJO1Ri4WVa3tIjhgf1t/IRUXqkJYuC9FNV5hS9VUIOWoO sI6/PLcrqDmHCYDi/aTjT2YBfcyXsH4= X-MC-Unique: 4s8HRx6YN0qQWL9hTwBEGg-1 X-Mimecast-MFC-AGG-ID: 4s8HRx6YN0qQWL9hTwBEGg_1741092536 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 21/24] hw/uefi-vars-sysbus: allow for arm virt Date: Tue, 4 Mar 2025 13:48:09 +0100 Message-ID: <20250304124815.591749-22-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092838444019000 Content-Type: text/plain; charset="utf-8" Allow the device being added to aarch64 virt VMs. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-22-kraxel@redhat.com> --- hw/arm/virt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/arm/virt.c b/hw/arm/virt.c index ee69081ef421..904c698b1406 100644 --- a/hw/arm/virt.c +++ b/hw/arm/virt.c @@ -82,6 +82,7 @@ #include "hw/mem/pc-dimm.h" #include "hw/mem/nvdimm.h" #include "hw/acpi/generic_event_device.h" +#include "hw/uefi/var-service-api.h" #include "hw/virtio/virtio-md-pci.h" #include "hw/virtio/virtio-iommu.h" #include "hw/char/pl011.h" @@ -3162,6 +3163,7 @@ static void virt_machine_class_init(ObjectClass *oc, = void *data) machine_class_allow_dynamic_sysbus_dev(mc, TYPE_VFIO_AMD_XGBE); machine_class_allow_dynamic_sysbus_dev(mc, TYPE_RAMFB_DEVICE); machine_class_allow_dynamic_sysbus_dev(mc, TYPE_VFIO_PLATFORM); + machine_class_allow_dynamic_sysbus_dev(mc, TYPE_UEFI_VARS_SYSBUS); #ifdef CONFIG_TPM machine_class_allow_dynamic_sysbus_dev(mc, TYPE_TPM_TIS_SYSBUS); #endif --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741093079; cv=none; d=zohomail.com; s=zohoarc; b=jJr5hRTcyxziIIHd4dSfpgtO0CwXDe0P+zxPm0QY3/iFcMZKXMPKzT/zRsSR16gSfiQcs7etOh/nL9pecRDUO8b8gjXEdUPHVW4tVfBOaIgYRant0L8QKLVoUrxH5vtIJvyeZWKEzIfVCmm85IDDceX9mfSRUiXGQC5mTPqE0H8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741093079; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=zVp+0VC3CI/pTYGir7lOjrfKbLyjEB7fzi9n2GPzZtg=; b=JKDRGltI7kxqWdhI8Z+InjAUIL+hP/1QHH9qVHRi97QLkakbTt09aHUVTkCaHmtVCpQxXKf0Bc6kuR3oaaB/HTTz70wO4txOMZetbc7xaeYCWkDfEu9lVYUMAYCqtI3la91moo7UfVjcsbK3J2NONYGQkYNEEQPnewQcdwUgmOg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741093079015448.4967359346417; Tue, 4 Mar 2025 04:57:59 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRkh-0001HS-6T; Tue, 04 Mar 2025 07:52:03 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhu-0004wn-Fp for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:13 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhr-0007Xg-BI for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:09 -0500 Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-122-ctaTKCBmOt2smEoWQJqxOw-1; Tue, 04 Mar 2025 07:49:02 -0500 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 17EE7180087B; Tue, 4 Mar 2025 12:49:01 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id BFA7719560A3; Tue, 4 Mar 2025 12:48:59 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id B22A31800610; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092546; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zVp+0VC3CI/pTYGir7lOjrfKbLyjEB7fzi9n2GPzZtg=; b=dlI1qf0XChgLEIyiqcoHSccqY0P4CDED3kazId5aIiq2ArDX7koWjGh6EbUxCKogoxvTsC GLP8NXIfI+MTtcssU42K0j5m9yFrGwyK4ozWvLNmayryMkmyRSqmtlDCJhOkFr4ES/0BuR nc5nijX3WAnrm2x90IP4lP7/zyhsuts= X-MC-Unique: ctaTKCBmOt2smEoWQJqxOw-1 X-Mimecast-MFC-AGG-ID: ctaTKCBmOt2smEoWQJqxOw_1741092541 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 22/24] hw/uefi-vars-sysbus: allow for pc and q35 Date: Tue, 4 Mar 2025 13:48:10 +0100 Message-ID: <20250304124815.591749-23-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741093079245019000 Content-Type: text/plain; charset="utf-8" Allow the device being added to x86_64 pc and q35 VMs. Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-23-kraxel@redhat.com> --- hw/i386/pc_piix.c | 2 ++ hw/i386/pc_q35.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c index 04d2957adcd7..6c91e2d29298 100644 --- a/hw/i386/pc_piix.c +++ b/hw/i386/pc_piix.c @@ -65,6 +65,7 @@ #include "system/numa.h" #include "hw/hyperv/vmbus-bridge.h" #include "hw/mem/nvdimm.h" +#include "hw/uefi/var-service-api.h" #include "hw/i386/acpi-build.h" #include "target/i386/cpu.h" =20 @@ -468,6 +469,7 @@ static void pc_i440fx_machine_options(MachineClass *m) m->no_parallel =3D !module_object_class_by_name(TYPE_ISA_PARALLEL); machine_class_allow_dynamic_sysbus_dev(m, TYPE_RAMFB_DEVICE); machine_class_allow_dynamic_sysbus_dev(m, TYPE_VMBUS_BRIDGE); + machine_class_allow_dynamic_sysbus_dev(m, TYPE_UEFI_VARS_X64); =20 object_class_property_add_enum(oc, "x-south-bridge", "PCSouthBridgeOpt= ion", &PCSouthBridgeOption_lookup, diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c index 77536dd697f5..fd96d0345c7d 100644 --- a/hw/i386/pc_q35.c +++ b/hw/i386/pc_q35.c @@ -58,6 +58,7 @@ #include "system/numa.h" #include "hw/hyperv/vmbus-bridge.h" #include "hw/mem/nvdimm.h" +#include "hw/uefi/var-service-api.h" #include "hw/i386/acpi-build.h" #include "target/i386/cpu.h" =20 @@ -355,6 +356,7 @@ static void pc_q35_machine_options(MachineClass *m) machine_class_allow_dynamic_sysbus_dev(m, TYPE_INTEL_IOMMU_DEVICE); machine_class_allow_dynamic_sysbus_dev(m, TYPE_RAMFB_DEVICE); machine_class_allow_dynamic_sysbus_dev(m, TYPE_VMBUS_BRIDGE); + machine_class_allow_dynamic_sysbus_dev(m, TYPE_UEFI_VARS_X64); compat_props_add(m->compat_props, pc_q35_compat_defaults, pc_q35_compat_defaults_len); } --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741092668; cv=none; d=zohomail.com; s=zohoarc; b=iaiAZoqrIr6DGVlW0NEQu7EuD4aNFbB0G8KtRdyVke5yZ1EH6QR8CsTnwgjVzE3ag0qqpZMvjUvrW0qKpbwITUTQg35lx9+oNJFqrjIto+CaYDAkcVnlLLYCOMHSWnzB0EDw0wioxFdvcReKEyUdYdqH8fYoGo+zRz5BxXFQx3o= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741092668; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=cQw78ltI3ylZpkrVq+7yl4SkzQeRNu8mVe+6P1nQhcc=; b=igeXLcxQY0G3AY6eut6wKK+Ri99DR/ymzWGyxwnT1RnWAkKIkcBv9cPEJOCZqbcTxGbW2PGi9yby+kzchoCq+NL17pghVnJ1JeRDFRiNGoASQQu3BRQBiW6Ei+QCHlw3z3bjQwBmSS/WgzPLzKqVpxV04ivWdG3Na/+K1sG7h3k= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741092668538729.6759610102736; Tue, 4 Mar 2025 04:51:08 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRjJ-00070c-76; Tue, 04 Mar 2025 07:50:37 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhr-0004w8-Jk for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:08 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhp-0007Rf-1R for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:06 -0500 Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-172-soQX7L0DNhyg5_AmkMCvcw-1; Tue, 04 Mar 2025 07:49:00 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 5D3B21801A0D; Tue, 4 Mar 2025 12:48:59 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 0EE28180087D; Tue, 4 Mar 2025 12:48:59 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id C0C541800615; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092544; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=cQw78ltI3ylZpkrVq+7yl4SkzQeRNu8mVe+6P1nQhcc=; b=gNHiz/xPfpd0Nx7DQf837MHojFkTA5rE9IfcF74gjIdGbv9hXDgVQyhxJ7bFs8WYsuToL5 Jc52Y5W5gxb4EBlckCohOJ5Q47Es/PcWFdd4W3LVlnNpxv6QsZ6gY2taWUlRmJ7eXaVXcG 51vDQi7jnOsPyQ8FeIoW3yDHkjj+nlE= X-MC-Unique: soQX7L0DNhyg5_AmkMCvcw-1 X-Mimecast-MFC-AGG-ID: soQX7L0DNhyg5_AmkMCvcw_1741092539 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 23/24] hw/uefi: add MAINTAINERS entry Date: Tue, 4 Mar 2025 13:48:11 +0100 Message-ID: <20250304124815.591749-24-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741092670822019100 Content-Type: text/plain; charset="utf-8" Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-24-kraxel@redhat.com> --- MAINTAINERS | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 2e7fc6fa912a..27cdfbebddef 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2820,6 +2820,12 @@ F: hw/misc/ivshmem-flat.c F: include/hw/misc/ivshmem-flat.h F: docs/system/devices/ivshmem-flat.rst =20 +UEFI variable service +M: Gerd Hoffmann +S: Maintained +F: hw/uefi/ +F: include/hw/uefi/ + Subsystems ---------- Overall Audio backends --=20 2.48.1 From nobody Wed Mar 5 02:14:02 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1741093074; cv=none; d=zohomail.com; s=zohoarc; b=lshGGfUkEsI3OqlgTP9jqtXqLQGB6AffYT4q1cJ6pbkrIz1S8xYB1FUSSTrOPv1oqLoTB/IeY5AgzVyFj/h8gyfK63HTXFxMEey0KuXf7P7HFzVqH8K4vCMKp86yQTELgtSG0emMLUP/HZ7Kur9AbveeSoAwZj+RXHoFWOC7DR0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1741093074; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=mqi3DdaTu4ALCTwdK1EdsuKOZviWGVA8D/zmVKVPbIw=; b=Q6hRgd7xIVy79Mwpt2YoO7rO6U013BFnWVhVkn5sc2vcyy9+Zzmms2Jh9kOsKYFALp6spn5QALlncT9rv/qLx368yoVz1Rz2CFsJrR2hbQbYnOIYMkE8lKC3DbnzwRrGpKuwHjiPxcSB9Rf3qkEUSGfZMWypb4i5/slijtEJnuk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1741093074977444.7422302788692; Tue, 4 Mar 2025 04:57:54 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tpRkr-0001lD-7D; Tue, 04 Mar 2025 07:52:14 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRi4-00053v-8R for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:36 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tpRhy-0007Zg-Vv for qemu-devel@nongnu.org; Tue, 04 Mar 2025 07:49:16 -0500 Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-658-8GWymiyVPIK-4F02zqkAhQ-1; Tue, 04 Mar 2025 07:49:05 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 0ADBE1800877; Tue, 4 Mar 2025 12:49:04 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.44.32.122]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 75E89180087C; Tue, 4 Mar 2025 12:49:03 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id D4A5D1800616; Tue, 04 Mar 2025 13:48:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1741092553; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mqi3DdaTu4ALCTwdK1EdsuKOZviWGVA8D/zmVKVPbIw=; b=ZeLCxxIiA1tOjlf+oL4/jubAFKw+PG3G6ZVUMxG3ss3Z0T4vJr7x2aIx++2b/Ao/M0KOzh ZuHwdy9tEQsLRcYit6nwQ2lc1grxE6qISA7oWU2AlI/bJ5vFI7XTWIv1+RAHnkJTnUuCy3 Wq0gdlVpCR1L0Kfgle3IGe1wUQ2e8Qk= X-MC-Unique: 8GWymiyVPIK-4F02zqkAhQ-1 X-Mimecast-MFC-AGG-ID: 8GWymiyVPIK-4F02zqkAhQ_1741092544 From: Gerd Hoffmann To: qemu-devel@nongnu.org Cc: Richard Henderson , Marcel Apfelbaum , "Michael S. Tsirkin" , Eric Blake , Paolo Bonzini , Gerd Hoffmann , Peter Maydell , qemu-arm@nongnu.org, Michael Roth , Markus Armbruster , Eduardo Habkost , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Subject: [PULL 24/24] docs: add uefi variable service documentation Date: Tue, 4 Mar 2025 13:48:12 +0100 Message-ID: <20250304124815.591749-25-kraxel@redhat.com> In-Reply-To: <20250304124815.591749-1-kraxel@redhat.com> References: <20250304124815.591749-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1741093075387019000 Content-Type: text/plain; charset="utf-8" Signed-off-by: Gerd Hoffmann Message-ID: <20250225163031.1409078-25-kraxel@redhat.com> --- docs/devel/index-internals.rst | 1 + docs/devel/uefi-vars.rst | 68 ++++++++++++++++++++++++++++++++++ hw/uefi/LIMITATIONS.md | 7 ++++ 3 files changed, 76 insertions(+) create mode 100644 docs/devel/uefi-vars.rst create mode 100644 hw/uefi/LIMITATIONS.md diff --git a/docs/devel/index-internals.rst b/docs/devel/index-internals.rst index bca597c65895..7a0678cbdd3a 100644 --- a/docs/devel/index-internals.rst +++ b/docs/devel/index-internals.rst @@ -20,6 +20,7 @@ Details about QEMU's various subsystems including how to = add features to them. s390-cpu-topology s390-dasd-ipl tracing + uefi-vars vfio-iommufd writing-monitor-commands virtio-backends diff --git a/docs/devel/uefi-vars.rst b/docs/devel/uefi-vars.rst new file mode 100644 index 000000000000..0151a26a0a6f --- /dev/null +++ b/docs/devel/uefi-vars.rst @@ -0,0 +1,68 @@ +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +UEFI variables +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Guest UEFI variable management +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D + +The traditional approach for UEFI Variable storage in qemu guests is +to work as close as possible to physical hardware. That means +providing pflash as storage and leaving the management of variables +and flash to the guest. + +Secure boot support comes with the requirement that the UEFI variable +storage must be protected against direct access by the OS. All update +requests must pass the sanity checks. (Parts of) the firmware must +run with a higher privilege level than the OS so this can be enforced +by the firmware. On x86 this has been implemented using System +Management Mode (SMM) in qemu and kvm, which again is the same +approach taken by physical hardware. Only privileged code running in +SMM mode is allowed to access flash storage. + +Communication with the firmware code running in SMM mode works by +serializing the requests to a shared buffer, then trapping into SMM +mode via SMI. The SMM code processes the request, stores the reply in +the same buffer and returns. + +Host UEFI variable service +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D + +Instead of running the privileged code inside the guest we can run it +on the host. The serialization protocol can be reused. The +communication with the host uses a virtual device, which essentially +configures the shared buffer location and size, and traps to the host +to process the requests. + +The ``uefi-vars`` device implements the UEFI virtual device. It comes +in ``uefi-vars-x86`` and ``uefi-vars-sysbus`` flavours. The device +reimplements the handlers needed, specifically +``EfiSmmVariableProtocol`` and ``VarCheckPolicyLibMmiHandler``. It +also consumes events (``EfiEndOfDxeEventGroup``, +``EfiEventReadyToBoot`` and ``EfiEventExitBootServices``). + +The advantage of the approach is that we do not need a special +privilege level for the firmware to protect itself, i.e. it does not +depend on SMM emulation on x64, which allows the removal of a bunch of +complex code for SMM emulation from the linux kernel +(CONFIG_KVM_SMM=3Dn). It also allows support for secure boot on arm +without implementing secure world (el3) emulation in kvm. + +Of course there are also downsides. The added device increases the +attack surface of the host, and we are adding some code duplication +because we have to reimplement some edk2 functionality in qemu. + +usage on x86_64 +--------------- + +.. code:: + + qemu-system-x86_64 \ + -device uefi-vars-x86,jsonfile=3D/path/to/vars.json + +usage on aarch64 +---------------- + +.. code:: + + qemu-system-aarch64 -M virt \ + -device uefi-vars-sysbus,jsonfile=3D/path/to/vars.json diff --git a/hw/uefi/LIMITATIONS.md b/hw/uefi/LIMITATIONS.md new file mode 100644 index 000000000000..29308bd587aa --- /dev/null +++ b/hw/uefi/LIMITATIONS.md @@ -0,0 +1,7 @@ +known issues and limitations +---------------------------- + +* works only on little endian hosts + - accessing structs in guest ram is done without endian conversion. +* works only for 64-bit guests + - UINTN is mapped to uint64_t, for 32-bit guests that would be uint32_t --=20 2.48.1