conf: Introduce os/shim element

For secure boot environments where <loader/> is signed, it may be
unfeasible to keep the binary up to date (esp. when revoking
certificates contained within). To address that, QEMU introduced
'-shim' cmd line option which side loads another UEFI binary
which can then contain new certification authorities or list of
revocations. Expose it as <shim/> element that's nested under
<os/>, just like kernel and initrd are.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index bcae6a3443da8185d69929b5abd79b3751dc17b5..4d03768c5f4ea19bf3f1b76b496c453643d7a916 100644 (file)
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -397,6 +397,7 @@ and full virtualized guests.
      <kernel>/root/f8-i386-vmlinuz</kernel>
      <initrd>/root/f8-i386-initrd</initrd>
      <cmdline>console=ttyS0 ks=http://example.com/f8-i386/os/</cmdline>
+     <shim>/path/to/shim.efi</shim>
      <dtb>/root/ppc.dtb</dtb>
    </os>
    ...
@@ -417,6 +418,10 @@ and full virtualized guests.
    The contents of this element specify arguments to be passed to the kernel (or
    installer) at boot time. This is often used to specify an alternate primary
    console (eg serial port), or the installation media source / kickstart file
+``shim``
+   Use specified fully-qualified path to load an initial UEFI bootloader that
+   handles chaining to a trusted full bootloader under secure boot
+   environments.
 ``dtb``
    The contents of this element specify the fully-qualified path to the
    (optional) device tree binary (dtb) image in the host OS.

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 09093cd9f17fd92a3e9a82e59bb0fd3d8f415fb1..d5558738485c0ee0fee0c68d88383b9e9189af81 100644 (file)
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3939,6 +3939,7 @@ virDomainOSDefClear(virDomainOSDef *os)
     g_free(os->kernel);
     g_free(os->initrd);
     g_free(os->cmdline);
+    g_free(os->shim);
     g_free(os->dtb);
     g_free(os->root);
     for (i = 0; i < os->nacpiTables; i++)
@@ -17751,6 +17752,7 @@ virDomainDefParseBootKernelOptions(virDomainDef *def,
     def->os.kernel = virXPathString("string(./os/kernel[1])", ctxt);
     def->os.initrd = virXPathString("string(./os/initrd[1])", ctxt);
     def->os.cmdline = virXPathString("string(./os/cmdline[1])", ctxt);
+    def->os.shim = virXPathString("string(./os/shim[1])", ctxt);
     def->os.dtb = virXPathString("string(./os/dtb[1])", ctxt);
     def->os.root = virXPathString("string(./os/root[1])", ctxt);
 }
@@ -17941,10 +17943,10 @@ virDomainDefParseBootOptions(virDomainDef *def,
     /*
      * Booting options for different OS types....
      *
-     *   - A bootloader (and optional kernel+initrd)  (xen)
-     *   - A kernel + initrd                          (xen)
-     *   - A boot device (and optional kernel+initrd) (hvm)
-     *   - An init script                             (exe)
+     *   - A bootloader (and optional kernel+initrd)            (xen)
+     *   - A kernel + initrd                                    (xen)
+     *   - A boot device (and optional kernel+initrd(+shim))    (hvm)
+     *   - An init script                                       (exe)
      */
 
     switch ((virDomainOSType) def->os.type) {
@@ -28469,6 +28471,8 @@ virDomainDefFormatInternalSetRootName(virDomainDef *def,
                           def->os.initrd);
     virBufferEscapeString(buf, "<cmdline>%s</cmdline>\n",
                           def->os.cmdline);
+    virBufferEscapeString(buf, "<shim>%s</shim>\n",
+                          def->os.shim);
     virBufferEscapeString(buf, "<dtb>%s</dtb>\n",
                           def->os.dtb);
     virBufferEscapeString(buf, "<root>%s</root>\n",

diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 2c034faf6d599b639ba4554b602d47008fd695c8..3a97fd866c6a2a95a8d82319dbe2d804a57f11bc 100644 (file)
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2522,6 +2522,7 @@ struct _virDomainOSDef {
     char *kernel;
     char *initrd;
     char *cmdline;
+    char *shim;
     char *dtb;
     char *root;
     size_t nacpiTables;

diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index 5e2bbb1d9fd2d2a9f8bf1349eeaa4a059018aa60..f2a98f143df95a8de798861ca368e25486423042 100644 (file)
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -1733,6 +1733,12 @@ virDomainDefOSValidate(const virDomainDef *def,
         }
     }
 
+    if (def->os.shim && !def->os.kernel) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                       _("shim only allowed with kernel option"));
+        return -1;
+    }
+
     return 0;
 }
 

diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index 39d5604454099c11185c96464b721f8ef8f84dc0..3276569325a5285c7c81763966a954e265605f5b 100644 (file)
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -1552,6 +1552,11 @@
           <text/>
         </element>
       </optional>
+      <optional>
+        <element name="shim">
+          <text/>
+        </element>
+      </optional>
       <optional>
         <element name="dtb">
           <ref name="absFilePath"/>

diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml
index e289b1e95e2308ed46c660089622be1dbf8c0199..dea82365409d89c185c59bfdae60cc6c475cb9e9 100644 (file)
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml
@@ -9,6 +9,7 @@
     <kernel>/vmlinuz</kernel>
     <initrd>/initrd</initrd>
     <cmdline>runme</cmdline>
+    <shim>/shim</shim>
     <boot dev='hd'/>
   </os>
   <cpu mode='custom' match='exact' check='none'>

diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml
index e289b1e95e2308ed46c660089622be1dbf8c0199..dea82365409d89c185c59bfdae60cc6c475cb9e9 100644 (file)
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml
@@ -9,6 +9,7 @@
     <kernel>/vmlinuz</kernel>
     <initrd>/initrd</initrd>
     <cmdline>runme</cmdline>
+    <shim>/shim</shim>
     <boot dev='hd'/>
   </os>
   <cpu mode='custom' match='exact' check='none'>

diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.xml
index 80ce6412dd8d32dcac8be96df6b5722091f7da4d..76277b62785c5e0860067f4f565ddcab280ee871 100644 (file)
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.xml
@@ -9,6 +9,7 @@
     <kernel>/vmlinuz</kernel>
     <initrd>/initrd</initrd>
     <cmdline>runme</cmdline>
+    <shim>/shim</shim>
   </os>
   <clock offset='utc'/>
   <on_poweroff>destroy</on_poweroff>