From 6b63334233f4f56b5408b9fb52a15f8162017951 Mon Sep 17 00:00:00 2001 From: Michal Privoznik Date: Tue, 4 Mar 2025 15:46:13 +0100 Subject: [PATCH] conf: Introduce os/shim element For secure boot environments where is signed, it may be unfeasible to keep the binary up to date (esp. when revoking certificates contained within). To address that, QEMU introduced '-shim' cmd line option which side loads another UEFI binary which can then contain new certification authorities or list of revocations. Expose it as element that's nested under , just like kernel and initrd are. Signed-off-by: Michal Privoznik Reviewed-by: Pavel Hrdina --- docs/formatdomain.rst | 5 +++++ src/conf/domain_conf.c | 12 ++++++++---- src/conf/domain_conf.h | 1 + src/conf/domain_validate.c | 6 ++++++ src/conf/schemas/domaincommon.rng | 5 +++++ ...unch-security-sev-direct.x86_64-latest+amdsev.xml | 1 + .../launch-security-sev-direct.x86_64-latest.xml | 1 + tests/qemuxmlconfdata/launch-security-sev-direct.xml | 1 + 8 files changed, 28 insertions(+), 4 deletions(-) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index bcae6a3443..4d03768c5f 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -397,6 +397,7 @@ and full virtualized guests. /root/f8-i386-vmlinuz /root/f8-i386-initrd console=ttyS0 ks=http://example.com/f8-i386/os/ + /path/to/shim.efi /root/ppc.dtb ... @@ -417,6 +418,10 @@ and full virtualized guests. The contents of this element specify arguments to be passed to the kernel (or installer) at boot time. This is often used to specify an alternate primary console (eg serial port), or the installation media source / kickstart file +``shim`` + Use specified fully-qualified path to load an initial UEFI bootloader that + handles chaining to a trusted full bootloader under secure boot + environments. ``dtb`` The contents of this element specify the fully-qualified path to the (optional) device tree binary (dtb) image in the host OS. diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 09093cd9f1..d555873848 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -3939,6 +3939,7 @@ virDomainOSDefClear(virDomainOSDef *os) g_free(os->kernel); g_free(os->initrd); g_free(os->cmdline); + g_free(os->shim); g_free(os->dtb); g_free(os->root); for (i = 0; i < os->nacpiTables; i++) @@ -17751,6 +17752,7 @@ virDomainDefParseBootKernelOptions(virDomainDef *def, def->os.kernel = virXPathString("string(./os/kernel[1])", ctxt); def->os.initrd = virXPathString("string(./os/initrd[1])", ctxt); def->os.cmdline = virXPathString("string(./os/cmdline[1])", ctxt); + def->os.shim = virXPathString("string(./os/shim[1])", ctxt); def->os.dtb = virXPathString("string(./os/dtb[1])", ctxt); def->os.root = virXPathString("string(./os/root[1])", ctxt); } @@ -17941,10 +17943,10 @@ virDomainDefParseBootOptions(virDomainDef *def, /* * Booting options for different OS types.... * - * - A bootloader (and optional kernel+initrd) (xen) - * - A kernel + initrd (xen) - * - A boot device (and optional kernel+initrd) (hvm) - * - An init script (exe) + * - A bootloader (and optional kernel+initrd) (xen) + * - A kernel + initrd (xen) + * - A boot device (and optional kernel+initrd(+shim)) (hvm) + * - An init script (exe) */ switch ((virDomainOSType) def->os.type) { @@ -28469,6 +28471,8 @@ virDomainDefFormatInternalSetRootName(virDomainDef *def, def->os.initrd); virBufferEscapeString(buf, "%s\n", def->os.cmdline); + virBufferEscapeString(buf, "%s\n", + def->os.shim); virBufferEscapeString(buf, "%s\n", def->os.dtb); virBufferEscapeString(buf, "%s\n", diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 2c034faf6d..3a97fd866c 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2522,6 +2522,7 @@ struct _virDomainOSDef { char *kernel; char *initrd; char *cmdline; + char *shim; char *dtb; char *root; size_t nacpiTables; diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c index 5e2bbb1d9f..f2a98f143d 100644 --- a/src/conf/domain_validate.c +++ b/src/conf/domain_validate.c @@ -1733,6 +1733,12 @@ virDomainDefOSValidate(const virDomainDef *def, } } + if (def->os.shim && !def->os.kernel) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("shim only allowed with kernel option")); + return -1; + } + return 0; } diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng index 39d5604454..3276569325 100644 --- a/src/conf/schemas/domaincommon.rng +++ b/src/conf/schemas/domaincommon.rng @@ -1552,6 +1552,11 @@ + + + + + diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml index e289b1e95e..dea8236540 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml @@ -9,6 +9,7 @@ /vmlinuz /initrd runme + /shim diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml index e289b1e95e..dea8236540 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml @@ -9,6 +9,7 @@ /vmlinuz /initrd runme + /shim diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.xml index 80ce6412dd..76277b6278 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.xml @@ -9,6 +9,7 @@ /vmlinuz /initrd runme + /shim destroy -- 2.47.3