If we detect that the UEFI image is built to require the SMM feature, we should configure the guest to enable the SMM feature and set the q35 machine type. Without this the user wouldn't be able to boot the guest. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1387479 Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx> --- tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml | 126 +++++++++++++++++++++ .../compare/virt-install-boot-uefi.xml | 61 ++++++++++ tests/clitest.py | 4 + tests/utils.py | 2 + virtManager/domain.py | 1 + virtinst/guest.py | 23 ++++ 6 files changed, 217 insertions(+) create mode 100644 tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml create mode 100644 tests/cli-test-xml/compare/virt-install-boot-uefi.xml diff --git a/tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml b/tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml new file mode 100644 index 00000000..780ada61 --- /dev/null +++ b/tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml 
@@ -0,0 +1,126 @@
+<domainCapabilities>
+ <path>/home/phrdina/work/qemu/x86_64-softmmu/qemu-system-x86_64</path>
+ <domain>kvm</domain>
+ <machine>pc-q35-2.9</machine>
+ <arch>x86_64</arch>
+ <vcpu max='288'/>
+ <os supported='yes'>
+ <loader supported='yes'>
+ <value>/usr/share/ovmf/OVMF_CODE.secboot.fd</value>
+ <enum name='type'>
+ <value>rom</value>
+ <value>pflash</value>
+ </enum>
+ <enum name='readonly'>
+ <value>yes</value>
+ <value>no</value>
+ </enum>
+ </loader>
+ </os>
+ <cpu>
+ <mode name='host-passthrough' supported='yes'/>
+ <mode name='host-model' supported='yes'>
+ <model fallback='forbid'>Skylake-Client</model>
+ <vendor>Intel</vendor>
+ <feature policy='require' name='ss'/>
+ <feature policy='require' name='vmx'/>
+ <feature policy='require' name='hypervisor'/>
+ <feature policy='require' name='tsc_adjust'/>
+ <feature policy='require' name='clflushopt'/>
+ <feature policy='require' name='xsaves'/>
+ <feature policy='require' name='pdpe1gb'/>
+ <feature policy='require' name='invtsc'/>
+ </mode>
+ <mode name='custom' supported='yes'>
+ <model usable='yes'>qemu64</model>
+ <model usable='yes'>qemu32</model>
+ <model usable='no'>phenom</model>
+ <model usable='yes'>pentium3</model>
+ <model usable='yes'>pentium2</model>
+ <model usable='yes'>pentium</model>
+ <model usable='yes'>n270</model>
+ <model usable='yes'>kvm64</model>
+ <model usable='yes'>kvm32</model>
+ <model usable='yes'>coreduo</model>
+ <model usable='yes'>core2duo</model>
+ <model usable='no'>athlon</model>
+ <model usable='yes'>Westmere</model>
+ <model usable='yes'>Skylake-Client</model>
+ <model usable='yes'>SandyBridge</model>
+ <model usable='yes'>Penryn</model>
+ <model usable='no'>Opteron_G5</model>
+ <model usable='no'>Opteron_G4</model>
+ <model usable='no'>Opteron_G3</model>
+ <model usable='yes'>Opteron_G2</model>
+ <model usable='yes'>Opteron_G1</model>
+ <model usable='yes'>Nehalem</model>
+ <model usable='yes'>IvyBridge</model>
+ <model usable='yes'>Haswell</model>
+ <model usable='yes'>Haswell-noTSX</model>
+ <model usable='yes'>Conroe</model>
+ <model usable='yes'>Broadwell</model>
+ <model usable='yes'>Broadwell-noTSX</model>
+ <model usable='yes'>486</model>
+ </mode>
+ </cpu>
+ <devices>
+ <disk supported='yes'>
+ <enum name='diskDevice'>
+ <value>disk</value>
+ <value>cdrom</value>
+ <value>floppy</value>
+ <value>lun</value>
+ </enum>
+ <enum name='bus'>
+ <value>fdc</value>
+ <value>scsi</value>
+ <value>virtio</value>
+ <value>usb</value>
+ <value>sata</value>
+ </enum>
+ </disk>
+ <graphics supported='yes'>
+ <enum name='type'>
+ <value>sdl</value>
+ <value>vnc</value>
+ <value>spice</value>
+ </enum>
+ </graphics>
+ <video supported='yes'>
+ <enum name='modelType'>
+ <value>vga</value>
+ <value>cirrus</value>
+ <value>vmvga</value>
+ <value>qxl</value>
+ <value>virtio</value>
+ </enum>
+ </video>
+ <hostdev supported='yes'>
+ <enum name='mode'>
+ <value>subsystem</value>
+ </enum>
+ <enum name='startupPolicy'>
+ <value>default</value>
+ <value>mandatory</value>
+ <value>requisite</value>
+ <value>optional</value>
+ </enum>
+ <enum name='subsysType'>
+ <value>usb</value>
+ <value>pci</value>
+ <value>scsi</value>
+ </enum>
+ <enum name='capsType'/>
+ <enum name='pciBackend'>
+ <value>default</value>
+ <value>kvm</value>
+ <value>vfio</value>
+ </enum>
+ </hostdev>
+ </devices>
+ <features>
+ <gic supported='no'/>
+ </features>
+</domainCapabilities>
+
+
diff --git a/tests/cli-test-xml/compare/virt-install-boot-uefi.xml b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
new file mode 100644
index 00000000..e0f2089f
--- /dev/null
+++ b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
@@ -0,0 +1,61 @@
+<domain type="kvm">
+ <name>foobar</name>
+ <uuid>00000000-1111-2222-3333-444444444444</uuid>
+ <memory>65536</memory>
+ <currentMemory>65536</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch="x86_64" machine="q35">hvm</type>
+ <loader readonly="yes" type="pflash">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
+ <boot dev="hd"/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <smm state="on"/>
+ <vmport state="off"/>
+ </features>
+ <cpu mode="custom" match="exact">
+ <model>Opteron_G4</model>
+ </cpu>
+ <clock offset="utc">
+ <timer name="rtc" tickpolicy="catchup"/>
+ <timer name="pit" tickpolicy="delay"/>
+ <timer name="hpet" present="no"/>
+ </clock>
+ <pm>
+ <suspend-to-mem enabled="no"/>
+ <suspend-to-disk enabled="no"/>
+ </pm>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <controller type="usb" index="0" model="ich9-ehci1"/>
+ <controller type="usb" index="0" model="ich9-uhci1">
+ <master startport="0"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci2">
+ <master startport="2"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci3">
+ <master startport="4"/>
+ </controller>
+ <interface type="bridge">
+ <source bridge="eth0"/>
+ <mac address="00:11:22:33:44:55"/>
+ </interface>
+ <input type="mouse" bus="ps2"/>
+ <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
+ <image compression="off"/>
+ </graphics>
+ <console type="pty"/>
+ <channel type="spicevmc">
+ <target type="virtio" name="com.redhat.spice.0"/>
+ </channel>
+ <sound model="ich6"/>
+ <video>
+ <model type="qxl"/>
+ </video>
+ <redirdev bus="usb" type="spicevmc"/>
+ <redirdev bus="usb" type="spicevmc"/>
+ </devices>
+</domain>
diff --git a/tests/clitest.py b/tests/clitest.py
index ae330538..08d32c68 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -71,6 +71,7 @@ test_files = {
 'URI-TEST-DEFAULT': utils.uri_test_default,
 'URI-TEST-REMOTE': utils.uri_test_remote,
 'URI-KVM': utils.uri_kvm,
+ 'URI-KVM-Q35': utils.uri_kvm_q35,
 'URI-KVM-SESSION': utils.uri_kvm_session,
 'URI-KVM-REMOTE': utils.uri_kvm + ",remote",
 'URI-KVM-NODOMCAPS': utils.uri_kvm_nodomcaps,
@@ -782,6 +783,9 @@ c.add_invalid("--disk none --boot network --machine foobar") # Unknown machine
 c.add_invalid("--nodisks --boot network --arch mips --virt-type kvm") # Invalid domain type for arch
 c.add_invalid("--nodisks --boot network --paravirt --arch mips") # Invalid arch/virt combo

+c = vinst.add_category("kvm-q35", "--connect %(URI-KVM-Q35)s --noautoconsole", compare_check=support.SUPPORT_CONN_VMPORT)
+c.add_compare("--boot uefi --disk none", "boot-uefi")
+

 ######################
 # LXC specific tests #
diff --git a/tests/utils.py b/tests/utils.py
index 0b8fc365..9947f3b0 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -37,10 +37,12 @@ uri_test_remote = uri_test + ",remote"
 _uri_qemu = "%s,qemu" % uri_test
 _uri_kvm_domcaps = (_uri_qemu + _domcapsprefix + "kvm-x86_64-domcaps.xml")
+_uri_kvm_domcaps_q35 = (_uri_qemu + _domcapsprefix + "kvm-x86_64-domcaps-q35.xml")
 _uri_kvm_aarch64_domcaps = (_uri_qemu + _domcapsprefix + "kvm-aarch64-domcaps.xml")
 uri_kvm_nodomcaps = (_uri_qemu + _capsprefix + "kvm-x86_64.xml")
 uri_kvm_rhel = (_uri_kvm_domcaps + _capsprefix + "kvm-x86_64-rhel7.xml")
 uri_kvm = (_uri_kvm_domcaps + _capsprefix + "kvm-x86_64.xml")
+uri_kvm_q35 = (_uri_kvm_domcaps_q35 + _capsprefix + "kvm-x86_64.xml")
 uri_kvm_session = uri_kvm + ",session"
 uri_kvm_armv7l = (_uri_kvm_domcaps + _capsprefix + "kvm-armv7l.xml")
diff --git a/virtManager/domain.py b/virtManager/domain.py
index 6b94455d..6fb10266 100644
--- a/virtManager/domain.py
+++ b/virtManager/domain.py
@@ -698,6 +698,7 @@ class vmmDomain(vmmLibvirtObject):
 guest.os.loader = loader
 guest.os.loader_type = "pflash"
 guest.os.loader_ro = True
+ guest.check_uefi_smm()

 if nvram != _SENTINEL:
 guest.os.nvram = nvram
diff --git a/virtinst/guest.py b/virtinst/guest.py
index aa956449..d6dd5aa6 100644
--- a/virtinst/guest.py
+++ b/virtinst/guest.py
@@ -561,6 +561,29 @@ class Guest(XMLBuilder):
 self.os.loader_type = "pflash"
 self.os.loader = path
+ self.check_uefi_smm()
+
+
+ def check_uefi_smm(self):
+ """
+ If the firmware name contains "secboot" it is probably build
+ with SMM feature required so we need to enable that feature,
+ otherwise the firmware may fail to load. True secure boot is
+ currently supported only on x86 architecture and with q35 with
+ SMM feature enabled so change the machine to q35 as well.
+ """
+
+ if not self.os.is_x86():
+ return
+
+ if "secboot" not in self.os.loader:
+ return
+
+ if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM):
+ return
+
+ self.features.smm = True
+ self.os.machine = "q35"


 ###################
 # Device defaults #
-- 
2.13.0
_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
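Review bot: `self.os.machine = "q35"` at the end of check_uefi_smm replaces whatever machine type the guest already carries, including a versioned q35 name like the `pc-q35-2.9` the new domcaps fixture declares, and on the virtManager/domain.py path (the other hunk in this file section) the guest is an existing domain whose machine type is silently rewritten when its firmware is changed. Keep an existing q35 variant instead of downgrading it to the alias, e.g. `if not self.os.machine or "q35" not in self.os.machine: self.os.machine = "q35"`, and state in the docstring that the machine type may be replaced. The `"secboot" not in self.os.loader` test raises TypeError when os.loader is unset and the method is called directly (it is public); `if not self.os.loader or "secboot" not in self.os.loader: return` covers that. The docstring should also make clear that this is a file-name heuristic, so a secure-boot build whose path lacks "secboot" gets neither SMM nor q35 and callers must not treat a pass through this method as validation of the firmware. The method that calls check_uefi_smm in guest.py starts outside the hunk, as does the domain.py caller.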