vmspawn: drop ICH9-LPC S3 disable and guard cfi.pflash01 for x86
authorDaan De Meyer <daan@amutable.com>
Thu, 2 Apr 2026 21:23:01 +0000 (21:23 +0000)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Fri, 3 Apr 2026 08:20:58 +0000 (10:20 +0200)
The ICH9-LPC disable_s3 global QEMU config was a workaround for an
OVMF limitation where S3 resume didn't work with X64 PEI + SMM. SMM is
required for secure boot as it prevents the guest from writing directly
to the pflash, bypassing UEFI variable protections. With X64 PEI + SMM
enabled and S3 advertised, OVMF would hang on S3 resume. The
workaround was to tell QEMU not to advertise S3 support.

This limitation has been resolved in edk2 — the S3Verification() check
was removed in edk2 commit 098c5570 ("OvmfPkg/PlatformPei: drop
S3Verification()") after edk2 gained native X64 PEI + SMM + S3 resume
support. See https://github.com/tianocore/edk2/commit/098c5570.

Drop the now-unnecessary ICH9-LPC disable_s3 config entirely, and
guard the cfi.pflash01 secure=on setting with an x86 architecture
check since SMM is x86-specific and this option is invalid on ARM.

src/vmspawn/vmspawn.c

index 8777948626356950925ce03c3d477ae14d2b2e27..1b1e31bb5b1034f4ecebd0305d28fd00a4a13294 100644 (file)
@@ -2748,19 +2748,18 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 
                 destroy_path = mfree(destroy_path); /* disarm auto-destroy */
 
-                r = qemu_config_section(config_file, "global", /* id= */ NULL,
-                                        "driver", "ICH9-LPC",
-                                        "property", "disable_s3",
-                                        "value", "1");
-                if (r < 0)
-                        return r;
-
-                r = qemu_config_section(config_file, "global", /* id= */ NULL,
-                                        "driver", "cfi.pflash01",
-                                        "property", "secure",
-                                        "value", "on");
-                if (r < 0)
-                        return r;
+                /* Mark the UEFI variable store pflash as requiring SMM access. This
+                 * prevents the guest OS from writing to pflash directly, ensuring all
+                 * variable updates go through the firmware's validation checks. Without
+                 * this, secure boot keys could be overwritten by the OS. */
+                if (ARCHITECTURE_SUPPORTS_SMM) {
+                        r = qemu_config_section(config_file, "global", /* id= */ NULL,
+                                                "driver", "cfi.pflash01",
+                                                "property", "secure",
+                                                "value", "on");
+                        if (r < 0)
+                                return r;
+                }
 
                 r = qemu_config_section(config_file, "drive", "ovmf-vars",
                                         "file", state,
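Review bot: When `ARCHITECTURE_SUPPORTS_SMM` is false, the new `if` skips `secure=on` silently, and by the added comment's own reasoning the variable store is then writable by the guest OS, so secure boot keys are not protected by this mechanism on those architectures. I would make that visible, for example with an `else` branch containing `log_debug("No SMM on this architecture, UEFI variable store pflash is not restricted to firmware writes.");`, or at least a sentence in the comment saying so. The comment could also say that the protection presumably depends on the machine actually running with SMM enabled and on an SMM-capable firmware build, neither of which this hunk shows. run_virtual_machine() starts and ends outside the hunk, so the condition enclosing this block is not visible here.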