From: Rohit Kumar <rohit.kumar3@xxxxxxxxxxx> Signed-off-by: Prerna Saxena <prerna.saxena@xxxxxxxxxxx> Signed-off-by: Florian Schmidt <flosch@xxxxxxxxxxx> Signed-off-by: Rohit Kumar <rohit.kumar3@xxxxxxxxxxx> Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx> --- src/qemu/qemu_validate.c | 108 ++++++++++++++++++++++++++++++--------- 1 file changed, 84 insertions(+), 24 deletions(-) diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c index 9b6245e6d7..48b7d08684 100644 --- a/src/qemu/qemu_validate.c +++ b/src/qemu/qemu_validate.c @@ -568,35 +568,95 @@ qemuValidateDomainDefPM(const virDomainDef *def, static int -qemuValidateDomainDefBoot(const virDomainDef *def) +qemuValidateDomainDefNvram(const virDomainDef *def, + virQEMUCaps *qemuCaps) { - if (def->os.loader && - def->os.loader->secure == VIR_TRISTATE_BOOL_YES) { - /* These are the QEMU implementation limitations. But we - * have to live with them for now. */ + virStorageSource *src = def->os.loader->nvram; - if (!qemuDomainIsQ35(def)) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("Secure boot is supported with q35 machine types only")); - return -1; - } + if (!src) + return 0; - /* Now, technically it is possible to have secure boot on - * 32bits too, but that would require some -cpu xxx magic - * too. Not worth it unless we are explicitly asked. */ - if (def->os.arch != VIR_ARCH_X86_64) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("Secure boot is supported for x86_64 architecture only")); - return -1; + switch (src->type) { + case VIR_STORAGE_TYPE_FILE: + case VIR_STORAGE_TYPE_BLOCK: + case VIR_STORAGE_TYPE_NETWORK: + break; + + case VIR_STORAGE_TYPE_DIR: + case VIR_STORAGE_TYPE_VOLUME: + case VIR_STORAGE_TYPE_NVME: + case VIR_STORAGE_TYPE_VHOST_USER: + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("unsupported nvram disk type '%s'"), + virStorageTypeToString(src->type)); + return -1; + + case VIR_STORAGE_TYPE_NONE: + case VIR_STORAGE_TYPE_LAST: + virReportEnumRangeError(virStorageType, src->type); + return -1; + } + + if (src->sliceStorage) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("slices are not supported with NVRAM")); + return -1; + } + + if (src->pr) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("persistent reservations are not supported with NVRAM")); + return -1; + } + + if (src->backingStore) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("backingStore is not supported with NVRAM")); + return -1; + } + + if (qemuDomainValidateStorageSource(src, qemuCaps, false) < 0) + return -1; + + return 0; +} + + +static int +qemuValidateDomainDefBoot(const virDomainDef *def, + virQEMUCaps *qemuCaps) +{ + if (def->os.loader) { + if (def->os.loader->secure == VIR_TRISTATE_BOOL_YES) { + /* These are the QEMU implementation limitations. But we + * have to live with them for now. */ + + if (!qemuDomainIsQ35(def)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Secure boot is supported with q35 machine types only")); + return -1; + } + + /* Now, technically it is possible to have secure boot on + * 32bits too, but that would require some -cpu xxx magic + * too. Not worth it unless we are explicitly asked. */ + if (def->os.arch != VIR_ARCH_X86_64) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Secure boot is supported for x86_64 architecture only")); + return -1; + } + + /* SMM will be enabled by qemuFirmwareFillDomain() if needed. */ + if (def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_NONE && + def->features[VIR_DOMAIN_FEATURE_SMM] != VIR_TRISTATE_SWITCH_ON) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Secure boot requires SMM feature enabled")); + return -1; + } } - /* SMM will be enabled by qemuFirmwareFillDomain() if needed. */ - if (def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_NONE && - def->features[VIR_DOMAIN_FEATURE_SMM] != VIR_TRISTATE_SWITCH_ON) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("Secure boot requires SMM feature enabled")); + if (qemuValidateDomainDefNvram(def, qemuCaps) < 0) return -1; - } } return 0; @@ -1174,7 +1234,7 @@ qemuValidateDomainDef(const virDomainDef *def, if (qemuValidateDomainDefPM(def, qemuCaps) < 0) return -1; - if (qemuValidateDomainDefBoot(def) < 0) + if (qemuValidateDomainDefBoot(def, qemuCaps) < 0) return -1; if (qemuValidateDomainVCpuTopology(def, qemuCaps) < 0) -- 2.35.3