Some questions regarding firmware handling in the qemu driver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi All,
I received a bug report (private, sorry) about inability to "deploy uefi virtual machine with secureboot enabled on aarch64 kvm host". Indeed the qemu driver has some checks that would prohibit using secure boot with aarch64 virt machines, e.g. 

https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu_validate.c#L571
However it appears qemu does not restrict booting a firmware with keys enrolled and secure boot enabled. E.g.
qemu-system-aarch64 -m 4096 -cpu host -accel kvm -smp 4 -M virt -drive if=pflash,format=raw,readonly=on,file=/usr/share/qemu/aavmf-aarch64-opensuse-code.bin -drive if=pflash,format=raw,file=/vm_images/jim/images/test/test-vars-store.bin ... 

seems to work fine and within the guest I see db keys loaded by kernel

[    4.782777] integrity: Loading X.509 certificate: UEFI:db
[ 4.789494] integrity: Loaded X.509 cert 'Build time autogenerated kernel key: 44e3470bd0c5eb190e3292dfc42db061521184ee' 
[    4.789548] integrity: Loading X.509 certificate: UEFI:db
[ 4.789701] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8' 
[    4.789710] integrity: Loading X.509 certificate: UEFI:db
[ 4.789841] integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 3fb077b6cebc6ff2522e1c148c57c777c788e3e7' 

Can we consider easing the secure boot restrictions in qemuValidateDomainDefBoot?

Experimenting with the behavior on x86 raised other questions:
libvirt requires the firmware to support SMM to enable secure boot. But is SMM a strict requirement for secure boot? IIUC, lack of SMM makes the securely booted stack less secure since it is easier to tamper with it, but it does not prevent securely booting the components.
When selecting firmwares manually and marking the loader secure, VM creation fails unless SMM is explicitly set in <features>. E.g. the following will fail with "unsupported configuration: Secure boot requires SMM feature enabled" 

  <os>
    <type arch="x86_64" machine="q35">hvm</type>
<loader readonly="yes" secure="yes" type="pflash">/usr/share/qemu/ovmf-x86_64-smm-code.bin</loader> 
    <nvram template="/usr/share/qemu/ovmf-x86_64-smm-vars.bin"/>
    <boot dev="hd"/>
  </os>
even though the descriptor file for /usr/share/qemu/ovmf-x86_64-smm-code.bin advertises secure-boot and requires-smm. Is this just a case of trying to mix old style explicit firmware selection vs firmware auto-select? I.e., if selecting the firmware explicitly, the onus is on the user to also specify any related and required config? 

Regards,
Jim
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux