qemu_firmware: Enable loader.secure when requires-smm

Currently, a firmware configuration such as

  <os firmware='efi'>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
    </firmware>
  </os>

will correctly pick a firmware that implements the Secure Boot
feature and initialize the NVRAM file so that it contains the
keys necessary to enforce the signing requirements. However, the
lack of a

  <loader secure='yes'/>

element makes it possible for pflash writes to happen outside
of SMM mode. This means that the authenticated UEFI variables
where the keys are stored could potentially be overwritten by
malicious code running in the guest, thus making it possible to
circumvent Secure Boot.

To prevent that from happening, automatically turn on the
loader.secure feature whenever a firmware that implements Secure
Boot is chosen by the firmware autoselection logic. This is
identical to the way we already automatically enable SMM in such
a scenario.

Note that, while this is technically a guest-visible change, it
will not affect migration of existings VMs and will not prevent
legitimate guest code from running.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index c8f462bfcfa1003ef097ce91876466e78732200b..5b2fa51a9cd62f7fcedd4aa627fe42d4e48a36ac 100644 (file)
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1240,6 +1240,8 @@ qemuFirmwareEnableFeatures(virQEMUDriver *driver,
             case VIR_TRISTATE_SWITCH_LAST:
                 break;
             }
+            VIR_DEBUG("Enabling secure loader");
+            def->os.loader->secure = VIR_TRISTATE_BOOL_YES;
             break;
 
         case QEMU_FIRMWARE_FEATURE_NONE:

diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.x86_64-latest.args
index 885c83445d33eda094d4e34dd0a60c52625e8e9d..7479b05af4cbbcd1be62d5b4791faef0ae04ceec 100644 (file)
--- a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys.x86_64-latest.args
@@ -17,6 +17,7 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
 -machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
 -accel kvm \
 -cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
 -m 8 \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
 -overcommit mem-lock=off \

diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args
index e37521b0a3fb7ff87e4fb30b430dd94426984405..1061e935540763a59a65f3aeecf7c4cff65c31b5 100644 (file)
--- a/tests/qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-nvram.x86_64-latest.args
@@ -17,6 +17,7 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
 -machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
 -accel kvm \
 -cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
 -m 8 \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
 -overcommit mem-lock=off \

diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-secboot.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi-secboot.x86_64-latest.args
index 885c83445d33eda094d4e34dd0a60c52625e8e9d..7479b05af4cbbcd1be62d5b4791faef0ae04ceec 100644 (file)
--- a/tests/qemuxml2argvdata/firmware-auto-efi-secboot.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-secboot.x86_64-latest.args
@@ -17,6 +17,7 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
 -machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
 -accel kvm \
 -cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
 -m 8 \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
 -overcommit mem-lock=off \

diff --git a/tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args
index 885c83445d33eda094d4e34dd0a60c52625e8e9d..7479b05af4cbbcd1be62d5b4791faef0ae04ceec 100644 (file)
--- a/tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi.x86_64-latest.args
@@ -17,6 +17,7 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-fedora/.config \
 -machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,memory-backend=pc.ram \
 -accel kvm \
 -cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
 -m 8 \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8388608}' \
 -overcommit mem-lock=off \