From: Elizabeth Ashurov
To: qemu-devel@nongnu.org
Cc: kkostiuk@redhat.com, Elizabeth Ashurov
Subject: [PATCH v1] qga: add guest-get-windows-security-info command
Date: Mon, 16 Mar 2026 14:31:43 +0200
Message-ID: <20260316123144.1758888-1-eashurov@redhat.com>

Add a new Windows-only QGA command to retrieve Windows security features status including VBS, Secure Boot, and TPM information from the guest. The implementation queries Win32_DeviceGuard and Win32_Tpm via WMI, and reads the SecureBoot UEFI variable through GetFirmwareEnvironmentVariable().
Signed-off-by: Elizabeth Ashurov --- qga/commands-win32.c | 404 +++++++++++++++++++++++++++++++++++++++++++ qga/qapi-schema.json | 56 ++++++ 2 files changed, 460 insertions(+) diff --git a/qga/commands-win32.c b/qga/commands-win32.c index c0bf3467bd..8da9ef521f 100644 --- a/qga/commands-win32.c +++ b/qga/commands-win32.c @@ -28,6 +28,7 @@ #include #include #include +#include =20 #include "guest-agent-core.h" #include "vss-win32.h" 
@@ -2764,3 +2765,406 @@ GuestNetworkRouteList *qmp_guest_network_get_route(= Error **errp) g_hash_table_destroy(interface_metric_cache); return head; } + +/* + * WMI GUIDs + */ +static const GUID qga_CLSID_WbemLocator =3D { + 0x4590f811, 0x1d3a, 0x11d0, + {0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24} +}; +static const GUID qga_IID_IWbemLocator =3D { + 0xdc12a687, 0x737f, 0x11cf, + {0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24} +}; + +static IWbemServices *wmi_connect_to_namespace(const wchar_t *namespace_pa= th, + Error **errp) +{ + HRESULT hr; + IWbemLocator *locator =3D NULL; + IWbemServices *services =3D NULL; + BSTR bstr_ns =3D SysAllocString(namespace_path); + + if (!bstr_ns) { + error_setg(errp, "failed to allocate WMI namespace string"); + return NULL; + } + + hr =3D CoCreateInstance(&qga_CLSID_WbemLocator, NULL, CLSCTX_INPROC_SE= RVER, + &qga_IID_IWbemLocator, (LPVOID *)&locator); + if (FAILED(hr)) { + error_setg_win32(errp, hr, "failed to create IWbemLocator"); + goto out; + } + + hr =3D locator->lpVtbl->ConnectServer(locator, bstr_ns, NULL, NULL, NU= LL, + 0, NULL, NULL, &services); + if (FAILED(hr)) { + error_setg_win32(errp, hr, "failed to connect to WMI namespace"); + goto out; + } + + hr =3D CoSetProxyBlanket((IUnknown *)services, + RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, + RPC_C_AUTHN_LEVEL_CALL, + RPC_C_IMP_LEVEL_IMPERSONATE, + NULL, EOAC_NONE); + if (FAILED(hr)) { + error_setg_win32(errp, hr, "failed to set WMI proxy blanket"); + services->lpVtbl->Release(services); + services =3D NULL; + } + +out: + SysFreeString(bstr_ns); + if (locator) { + locator->lpVtbl->Release(locator); + } + return services; +} + +static IEnumWbemClassObject *wmi_exec_query(IWbemServices *services, + const wchar_t *query, + Error **errp) +{ + HRESULT hr; + IEnumWbemClassObject *enumerator =3D NULL; + BSTR bstr_wql =3D SysAllocString(L"WQL"); + BSTR bstr_query =3D SysAllocString(query); + + if (!bstr_wql || !bstr_query) { + error_setg(errp, "failed to allocate WMI 
query strings"); + goto out; + } + + hr =3D services->lpVtbl->ExecQuery(services, bstr_wql, bstr_query, + WBEM_FLAG_RETURN_IMMEDIATELY | + WBEM_FLAG_FORWARD_ONLY, + NULL, &enumerator); + if (FAILED(hr)) { + error_setg_win32(errp, hr, "WMI query failed"); + } + +out: + SysFreeString(bstr_wql); + SysFreeString(bstr_query); + return enumerator; +} + +static HRESULT wmi_get_property(IWbemClassObject *obj, const wchar_t *name, + VARIANT *var) +{ + return obj->lpVtbl->Get(obj, name, 0, var, NULL, NULL); +} + +/* Read a WMI integer property (VT_I4 or VT_UI4). */ +static bool wmi_get_int_property(IWbemClassObject *obj, + const wchar_t *name, + int64_t *out) +{ + VARIANT var; + bool ret =3D false; + + VariantInit(&var); + if (SUCCEEDED(wmi_get_property(obj, name, &var))) { + if (V_VT(&var) =3D=3D VT_I4) { + *out =3D V_I4(&var); + ret =3D true; + } else if (V_VT(&var) =3D=3D VT_UI4) { + *out =3D V_UI4(&var); + ret =3D true; + } + } + VariantClear(&var); + return ret; +} + +/* Read an integer SAFEARRAY WMI property into a QAPI intList. 
*/ +static bool wmi_safearray_to_int_list(IWbemClassObject *obj, + const wchar_t *prop_name, + intList **list) +{ + VARIANT var; + HRESULT hr; + LONG lb, ub, i; + uint32_t *data =3D NULL; + + VariantInit(&var); + hr =3D wmi_get_property(obj, prop_name, &var); + if (FAILED(hr) || V_VT(&var) =3D=3D VT_NULL) { + VariantClear(&var); + return false; + } + + if (!(V_VT(&var) & VT_ARRAY)) { + VariantClear(&var); + return false; + } + + SAFEARRAY *sa =3D V_ARRAY(&var); + if (FAILED(SafeArrayGetLBound(sa, 1, &lb)) || + FAILED(SafeArrayGetUBound(sa, 1, &ub))) { + VariantClear(&var); + return false; + } + + if (FAILED(SafeArrayAccessData(sa, (void **)&data))) { + VariantClear(&var); + return false; + } + + intList **tail =3D list; + for (i =3D 0; i <=3D ub - lb; i++) { + QAPI_LIST_APPEND(tail, (int64_t)data[i]); + } + + SafeArrayUnaccessData(sa); + VariantClear(&var); + return true; +} + +/* + * Query Win32_DeviceGuard WMI class for VBS and related properties. + */ +static void get_device_guard_info(GuestWindowsSecurityInfo *info, + Error **errp) +{ + Error *local_err =3D NULL; + IWbemServices *services =3D NULL; + IEnumWbemClassObject *enumerator =3D NULL; + IWbemClassObject *obj =3D NULL; + ULONG count =3D 0; + HRESULT hr; + int64_t val; + + services =3D wmi_connect_to_namespace( + L"ROOT\\Microsoft\\Windows\\DeviceGuard", &local_err); + if (!services) { + error_propagate(errp, local_err); + return; + } + + enumerator =3D wmi_exec_query(services, + L"SELECT * FROM Win32_DeviceGuard", &local_err); + if (!enumerator) { + error_propagate(errp, local_err); + goto out; + } + + hr =3D enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1, + &obj, &count); + if (FAILED(hr)) { + error_setg_win32(errp, hr, "failed to enumerate Win32_DeviceGuard"= ); + goto out; + } + if (count =3D=3D 0) { + error_setg(errp, "no Win32_DeviceGuard instance found"); + goto out; + } + + if (wmi_get_int_property(obj, L"VirtualizationBasedSecurityStatus", + &val)) { + info->vbs_status =3D val; + } + + if 
(wmi_get_int_property(obj, L"CodeIntegrityPolicyEnforcementStatus", + &val)) { + info->has_code_integrity_policy_enforcement_status =3D true; + info->code_integrity_policy_enforcement_status =3D val; + } + + if (wmi_get_int_property(obj, + L"UsermodeCodeIntegrityPolicyEnforcementStatu= s", + &val)) { + info->has_usr_cfg_code_integrity_policy_enforcement_status =3D tru= e; + info->usr_cfg_code_integrity_policy_enforcement_status =3D val; + } + + if (wmi_safearray_to_int_list(obj, L"AvailableSecurityProperties", + &info->available_security_properties)) { + info->has_available_security_properties =3D true; + } + + if (wmi_safearray_to_int_list(obj, L"RequiredSecurityProperties", + &info->required_security_properties)) { + info->has_required_security_properties =3D true; + } + + if (wmi_safearray_to_int_list(obj, L"SecurityServicesConfigured", + &info->security_services_configured)) { + info->has_security_services_configured =3D true; + } + + if (wmi_safearray_to_int_list(obj, L"SecurityServicesRunning", + &info->security_services_running)) { + info->has_security_services_running =3D true; + } + + obj->lpVtbl->Release(obj); + obj =3D NULL; + + /* Drain remaining results */ + while (true) { + hr =3D enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1, + &obj, &count); + if (FAILED(hr) || count =3D=3D 0) { + break; + } + obj->lpVtbl->Release(obj); + obj =3D NULL; + } + +out: + if (obj) { + obj->lpVtbl->Release(obj); + } + if (enumerator) { + enumerator->lpVtbl->Release(enumerator); + } + if (services) { + services->lpVtbl->Release(services); + } +} + +/* + * Read the SecureBoot UEFI variable to determine whether Secure Boot + * is enabled. Returns false on legacy BIOS systems. 
+ */ +static bool get_secure_boot_status(Error **errp) +{ + Error *local_err =3D NULL; + BYTE value =3D 0; + DWORD ret; + + acquire_privilege(SE_SYSTEM_ENVIRONMENT_NAME, &local_err); + if (local_err) { + error_propagate(errp, local_err); + return false; + } + + ret =3D GetFirmwareEnvironmentVariableA("SecureBoot", + "{8be4df61-93ca-11d2-aa0d-00e098032b8c}", &value, sizeof(value)); + + if (ret =3D=3D 0) { + DWORD err =3D GetLastError(); + if (err =3D=3D ERROR_INVALID_FUNCTION || err =3D=3D ERROR_ENVVAR_N= OT_FOUND) { + return false; + } + error_setg_win32(errp, err, + "failed to read SecureBoot UEFI variable"); + return false; + } + + return value =3D=3D 1; +} + +/* + * Query Win32_Tpm WMI class for TPM presence and version. + */ +static void get_tpm_info(GuestWindowsSecurityInfo *info, Error **errp) +{ + Error *local_err =3D NULL; + IWbemServices *services =3D NULL; + IEnumWbemClassObject *enumerator =3D NULL; + IWbemClassObject *obj =3D NULL; + ULONG count =3D 0; + HRESULT hr; + VARIANT var; + + services =3D wmi_connect_to_namespace( + L"ROOT\\CIMV2\\Security\\MicrosoftTpm", &local_err); + if (!services) { + /* TPM namespace may not exist -- not an error */ + error_free(local_err); + info->tpm_present =3D false; + return; + } + + enumerator =3D wmi_exec_query(services, + L"SELECT * FROM Win32_Tpm", &local_err); + if (!enumerator) { + error_free(local_err); + info->tpm_present =3D false; + goto out; + } + + hr =3D enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1, + &obj, &count); + if (FAILED(hr) || count =3D=3D 0) { + info->tpm_present =3D false; + goto out; + } + + info->tpm_present =3D true; + + VariantInit(&var); + if (SUCCEEDED(wmi_get_property(obj, L"SpecVersion", &var)) && + V_VT(&var) =3D=3D VT_BSTR && V_BSTR(&var)) { + info->tpm_version =3D g_utf16_to_utf8( + (const gunichar2 *)V_BSTR(&var), -1, NULL, NULL, NULL); + if (info->tpm_version) { + /* keep only the part before the first comma */ + char *comma =3D strchr(info->tpm_version, ','); + if (comma) 
{ + *comma =3D '\0'; + } + } + } + VariantClear(&var); + + obj->lpVtbl->Release(obj); + obj =3D NULL; + + /* Drain remaining results */ + while (true) { + hr =3D enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1, + &obj, &count); + if (FAILED(hr) || count =3D=3D 0) { + break; + } + obj->lpVtbl->Release(obj); + obj =3D NULL; + } + +out: + if (obj) { + obj->lpVtbl->Release(obj); + } + if (enumerator) { + enumerator->lpVtbl->Release(enumerator); + } + if (services) { + services->lpVtbl->Release(services); + } +} + +GuestWindowsSecurityInfo *qmp_guest_get_windows_security_info(Error **errp) +{ + Error *local_err =3D NULL; + GuestWindowsSecurityInfo *info =3D g_new0(GuestWindowsSecurityInfo, 1); + + get_device_guard_info(info, &local_err); + if (local_err) { + error_propagate(errp, local_err); + goto err; + } + + info->secure_boot =3D get_secure_boot_status(&local_err); + if (local_err) { + error_propagate(errp, local_err); + goto err; + } + + get_tpm_info(info, &local_err); + if (local_err) { + error_propagate(errp, local_err); + goto err; + } + + return info; + +err: + qapi_free_GuestWindowsSecurityInfo(info); + return NULL; +} diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index c57bc9a02f..f54fdf942f 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json 
@@ -1952,3 +1952,59 @@ 'returns': ['GuestNetworkRoute'], 'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] } } + +## +# @GuestWindowsSecurityInfo: +# +# Windows security features status. +# +# @vbs-status: VirtualizationBasedSecurityStatus +# +# @available-security-properties: AvailableSecurityProperties +# +# @code-integrity-policy-enforcement-status: +# CodeIntegrityPolicyEnforcementStatus +# +# @required-security-properties: RequiredSecurityProperties +# +# @security-services-configured: SecurityServicesConfigured +# +# @security-services-running: SecurityServicesRunning +# +# @usr-cfg-code-integrity-policy-enforcement-status: +# UsermodeCodeIntegrityPolicyEnforcementStatus +# +# @secure-boot: Whether UEFI Secure Boot is enabled +# +# @tpm-present: Whether a TPM device is present +# +# @tpm-version: TPM specification version string (e.g. "2.0") +# +# Since: 10.3 +## +{ 'struct': 'GuestWindowsSecurityInfo', + 'data': { + 'vbs-status': 'int', + '*available-security-properties': ['int'], + '*code-integrity-policy-enforcement-status': 'int', + '*required-security-properties': ['int'], + '*security-services-configured': ['int'], + '*security-services-running': ['int'], + '*usr-cfg-code-integrity-policy-enforcement-status': 'int', + 'secure-boot': 'bool', + 'tpm-present': 'bool', + '*tpm-version': 'str' }, + 'if': 'CONFIG_WIN32' } + +## +# @guest-get-windows-security-info: +# +# Retrieve Windows security features status (VBS, Secure Boot, TPM). +# +# Returns: @GuestWindowsSecurityInfo +# +# Since: 10.3 +## +{ 'command': 'guest-get-windows-security-info', + 'returns': 'GuestWindowsSecurityInfo', + 'if': 'CONFIG_WIN32' } --=20 2.51.0
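Review bot: In the commands-win32.c hunk, wmi_safearray_to_int_list() only tests `V_VT(&var) & VT_ARRAY` before reading the elements through a `uint32_t *`; neither the element type nor the dimension count is verified, so a one-dimensional VT_ARRAY|VT_I4 / VT_UI4 array is assumed rather than checked. Compare the full variant type (e.g. `V_VT(&var) == (VT_ARRAY | VT_I4)` or `(VT_ARRAY | VT_UI4)`), or use SafeArrayGetVartype()/SafeArrayGetDim() and return false otherwise, so an array of another element width cannot be misread. On error handling: `info->vbs_status` keeps its g_new0() value of 0 when the VirtualizationBasedSecurityStatus read fails, and 0 is also what Windows reports for "VBS not enabled"; likewise get_tpm_info() maps every ExecQuery()/Next() failure to `tpm_present = false`, and get_secure_boot_status() returns false both for a legacy BIOS system and for Secure Boot being off. Since consumers may treat these fields as a security posture, a failed query should propagate an error or leave the field absent rather than report the "not enabled" value. Two smaller points: acquire_privilege(SE_SYSTEM_ENVIRONMENT_NAME, ...) has no matching release in the hunk, so the privilege stays enabled in the agent token after the call; and the hunk sets `has_available_security_properties` (and the other three list has_ flags) while assigning `tpm_version` without one, which is inconsistent given that current QAPI does not generate has_FOO for pointer-valued optional members, so please confirm these assignments compile against the generated struct. No CoInitializeEx()/CoUninitialize() appears in the hunk either; the COM state of the calling thread should be established before CoCreateInstance().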
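Review bot: In the qapi-schema.json hunk, the member documentation only repeats the WMI property names (`@vbs-status: VirtualizationBasedSecurityStatus`, `@security-services-running: SecurityServicesRunning`, ...) without saying what the integer values or list elements mean, so a management-side consumer has to consult the Win32_DeviceGuard documentation to interpret the result; please document the value meanings, or at least name the Win32_DeviceGuard / Win32_Tpm classes as the reference, in the style the other guest-get-* types use. Also, `vbs-status` and `secure-boot` are mandatory members while the C side reports 0 / false when the underlying query did not succeed or the firmware is not UEFI; making them optional (`'*vbs-status'`, `'*secure-boot'`) would let the agent express "unknown" instead of "not enabled". Minor naming point: `usr-cfg-code-integrity-policy-enforcement-status` maps to UsermodeCodeIntegrityPolicyEnforcementStatus, so a `usermode-` prefix would be more recognizable than `usr-cfg-`.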