Re: Some questions regarding firmware handling in the qemu driver

On 6/8/22 10:20, Andrea Bolognani wrote:
> On Tue, Jun 07, 2022 at 02:57:17PM -0600, Jim Fehlig wrote:
> > Hi All,
> >
> > I received a bug report (private, sorry) about inability to "deploy uefi
> > virtual machine with secureboot enabled on aarch64 kvm host". Indeed the
> > qemu driver has some checks that would prohibit using secure boot with
> > aarch64 virt machines, e.g.
> >
> > https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu_validate.c#L571
> >
> > However it appears qemu does not restrict booting a firmware with keys
> > enrolled and secure boot enabled. E.g.
> >
> > qemu-system-aarch64 -m 4096 -cpu host -accel kvm -smp 4 -M virt -drive if=pflash,format=raw,readonly=on,file=/usr/share/qemu/aavmf-aarch64-opensuse-code.bin
> > -drive
> > if=pflash,format=raw,file=/vm_images/jim/images/test/test-vars-store.bin ...
> >
> > seems to work fine and within the guest I see db keys loaded by kernel
> >
> > [    4.782777] integrity: Loading X.509 certificate: UEFI:db
> > [    4.789494] integrity: Loaded X.509 cert 'Build time autogenerated kernel
> > key: 44e3470bd0c5eb190e3292dfc42db061521184ee'
> > [    4.789548] integrity: Loading X.509 certificate: UEFI:db
> > [    4.789701] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey:
> > 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
> > [    4.789710] integrity: Loading X.509 certificate: UEFI:db
> > [    4.789841] integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure
> > Boot Signkey: 3fb077b6cebc6ff2522e1c148c57c777c788e3e7'
> >
> > Can we consider easing the secure boot restrictions in qemuValidateDomainDefBoot?
>
> Will such a configuration refuse to boot an unsigned guest OS? Is it
> reasonably tamper-proof (see below)? If the answer to both of these
> questions is yes, then relaxing the check sounds reasonable.

The answer to your first question is yes, although with an unfriendly assert in ovmf

ASSERT [ArmCpuDxe] /home/abuild/rpmbuild/BUILD/edk2-edk2-stable202202/ArmPkg/Library/DefaultExceptionHandlerLib/AArch64/DefaultExceptionHandler.c(333): ((BOOLEAN)(0==1))

I don't know the answer to your second question. I think we agree it is achieved with SMM on x86, but as Daniel mentioned it is arch-specific. I see ARM has the notion of a Management Mode [1], but not sure if that provides all the functionality of SMM. The ARM Server Base Security Guide [2] also notes requirements for UEFI Secure Boot (page 17), although I wonder if any server manufacturers provide that.

Regards,
Jim

[1] https://documentation-service.arm.com/static/5ed11e40ca06a95ce53f905c?token=
[2] https://documentation-service.arm.com/static/5fb7e9e5ca04df4095c1d669?token=
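
As an added example (not part of the original message or of libvirt): the dmesg lines quoted above show db certificates being loaded, while the firmware reports whether Secure Boot is active through its `SecureBoot` and `SetupMode` global variables. This Python code reads them from efivarfs inside the guest; the function names are hypothetical, and the path and GUID are the standard Linux efivarfs mount point and the EFI global variable GUID.

```python
import struct
from pathlib import Path

# GUID of the EFI global variable namespace (SecureBoot, SetupMode, PK, ...)
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_u8(efivars, name):
    """Return the 1-byte payload of an EFI global variable, or None.

    An efivarfs file is a 4-byte little-endian attribute mask followed
    by the variable data, so a usable file is at least 5 bytes long.
    """
    path = Path(efivars) / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        raw = path.read_bytes()
    except OSError:  # missing file, non-UEFI boot, or no permission
        return None
    if len(raw) < 5:
        return None
    struct.unpack_from("<I", raw)  # attribute mask, validated but unused
    return raw[4]


def secure_boot_state(efivars="/sys/firmware/efi/efivars"):
    """Classify the guest as 'enforcing', 'setup-mode', 'disabled' or 'unknown'."""
    secure_boot = read_efi_u8(efivars, "SecureBoot")
    setup_mode = read_efi_u8(efivars, "SetupMode")
    if secure_boot is None or setup_mode is None:
        return "unknown"
    if setup_mode == 1:
        # No platform key enrolled: signature checks are not enforced.
        return "setup-mode"
    return "enforcing" if secure_boot == 1 else "disabled"


if __name__ == "__main__":
    print(secure_boot_state())
```
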



