This series makes it possible to use Secure Boot with aarch64 VMs.

  https://issues.redhat.com/browse/RHEL-82645

It needs a prerequisite series[1] to be applied first.

Note that, while I consider the entire series to be ready for review, there are two patches that are marked as DONOTMERGE: that's because they respectively implement support for a JSON firmware descriptor syntax extension that has not yet been approved, and import into the tree firmware descriptors that are not yet part of the Fedora edk2 package. The latter depends on the former, of course, for which patches have been posted[2] to the QEMU mailing list.

[1] https://lists.libvirt.org/archives/list/[email protected]/thread/N2ETTZ3WI5RWXGJG7DW5YYMZ7UGDYMHA/
[2] https://mail.gnu.org/archive/html/qemu-devel/2025-12/msg03462.html

Andrea Bolognani (29):
  schemas: Drop pflashFormat
  schemas: Introduce firmware(Loader|Nvram)Formats
  schemas: Allow JSON format for NVRAM
  conf: Introduce VIR_STORAGE_FILE_JSON
  conf: Allow JSON format for NVRAM in the parser
  qemu_firmware: Rename qemuFirmwareFlashFile to qemuFirmwareFile
  qemu_firmware: Use qemuFirmwareFile in qemuFirmwareMappingMemory
  DONOTMERGE: qemu_firmware: Support extended syntax for ROM firmware descriptors
  qemu_firmware: Report NVRAM template path for ROMs
  qemu_firmware: Fill in more information for ROMs
  qemu_firmware: Don't skip EnsureNVRAM() for ROMs
  qemu_firmware: Parse host-uefi-vars firmware feature
  qemu_firmware: Split sanity check
  qemu_firmware: Consider host-uefi-vars feature in sanity check
  tests: Add firmware-manual-efi-qemuvars-q35
  tests: Add firmware-manual-efi-qemuvars-aarch64
  tests: Add firmware-manual-efi-qemuvars-nvram-network-nbd
  tests: Add firmware-auto-efi-enrolled-keys-aarch64
  tests: Add firmware-auto-efi-format-nvram-json
  qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS
  qemu: Validate presence of uefi-vars device
  qemu: Don't allow remote locations for JSON format NVRAM
  qemu_firmware: Generate correct name for JSON format NVRAM
  qemu_firmware: Update matching logic for ROMs
  qemu_firmware: Require host-uefi-vars feature for JSON NVRAM
  qemu_firmware: Allow JSON format for NVRAM
  DONOTMERGE: tests: Add firmware descriptors for uefi-vars builds
  qemu_command: Use uefi-vars device where appropriate
  news: Document support for uefi-vars device and firmwares

 NEWS.rst | 10 +
 src/conf/domain_conf.c | 6 +-
 src/conf/schemas/domaincommon.rng | 22 +-
 src/conf/storage_source_conf.c | 2 +-
 src/conf/storage_source_conf.h | 1 +
 src/qemu/qemu_block.c | 2 +
 src/qemu/qemu_capabilities.c | 3 +
 src/qemu/qemu_capabilities.h | 1 +
 src/qemu/qemu_command.c | 36 ++
 src/qemu/qemu_firmware.c | 353 +++++++++++++++---
 src/qemu/qemu_validate.c | 13 +
 .../caps_10.0.0_aarch64.xml | 1 +
 .../caps_10.0.0_x86_64+amdsev.xml | 1 +
 .../caps_10.0.0_x86_64.xml | 1 +
 .../caps_10.1.0_s390x.xml | 1 +
 .../caps_10.1.0_x86_64+inteltdx.xml | 1 +
 .../caps_10.1.0_x86_64.xml | 1 +
 .../caps_10.2.0_x86_64+mshv.xml | 1 +
 .../caps_10.2.0_x86_64.xml | 1 +
 ...tdx.json => 50-edk2-ovmf-x64-microvm.json} | 12 +-
 .../firmware/60-edk2-ovmf-x64-inteltdx.json | 6 +-
 .../out/usr/share/qemu/firmware/91-bios.json | 33 ++
 ...70-edk2-ovmf-qemuvars-x64-sb-enrolled.json | 35 ++
 .../70-edk2-qemuvars-aarch64-sb-enrolled.json | 33 ++
 tests/qemufirmwaretest.c | 10 +-
 ...ware-auto-bios-stateless.x86_64-latest.xml | 2 +-
 .../firmware-auto-bios.x86_64-latest.xml | 2 +-
 ...fi-enrolled-keys-aarch64.aarch64-8.2.0.err | 1 +
 ...-enrolled-keys-aarch64.aarch64-latest.args | 32 ++
 ...i-enrolled-keys-aarch64.aarch64-latest.xml | 32 ++
 ...irmware-auto-efi-enrolled-keys-aarch64.xml | 20 +
 ...uto-efi-format-nvram-json.x86_64-8.2.0.err | 1 +
 ...o-efi-format-nvram-json.x86_64-latest.args | 35 ++
 ...o-efi-format-nvram-json.x86_64-latest.xml} | 11 +-
 .../firmware-auto-efi-format-nvram-json.xml | 18 +
 ...l-efi-qemuvars-aarch64.aarch64-latest.args | 33 ++
 ...l-efi-qemuvars-aarch64.aarch64-latest.xml} | 24 +-
 .../firmware-manual-efi-qemuvars-aarch64.xml | 19 +
 ...muvars-nvram-network-nbd.x86_64-latest.err | 1 +
 ...-manual-efi-qemuvars-nvram-network-nbd.xml | 23 ++
 ...manual-efi-qemuvars-q35.x86_64-latest.args | 35 ++
 ...manual-efi-qemuvars-q35.x86_64-latest.xml} | 11 +-
 .../firmware-manual-efi-qemuvars-q35.xml | 19 +
 ...-manual-efi-tdx.x86_64-latest+inteltdx.xml | 2 +-
 tests/qemuxmlconftest.c | 8 +
 .../storagepoolcapsschemadata/poolcaps-fs.xml | 5 +
 .../poolcaps-full.xml | 5 +
 .../out/qcow2-qcow2_qcow2-qcow2_qcow2-auto | 2 +-
 .../out/qcow2-qcow2_qcow2-qcow2_raw-auto | 2 +-
 .../out/qcow2-qcow2_qcow2-qcow2_raw-raw | 2 +-
 tests/virstoragetestdata/out/qcow2-symlinks | 2 +-
 .../out/qcow2datafile-qcow2_qcow2-datafile | 2 +-
 52 files changed, 824 insertions(+), 111 deletions(-)
 copy tests/qemufirmwaredata/out/usr/share/qemu/firmware/{60-edk2-ovmf-x64-inteltdx.json => 50-edk2-ovmf-x64-microvm.json} (56%)
 create mode 100644 tests/qemufirmwaredata/out/usr/share/qemu/firmware/91-bios.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/70-edk2-ovmf-qemuvars-x64-sb-enrolled.json
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/70-edk2-qemuvars-aarch64-sb-enrolled.json
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-8.2.0.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.args
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-json.x86_64-8.2.0.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-json.x86_64-latest.args
 copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml => firmware-auto-efi-format-nvram-json.x86_64-latest.xml} (71%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-format-nvram-json.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-aarch64.aarch64-latest.args
 copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.xml => firmware-manual-efi-qemuvars-aarch64.aarch64-latest.xml} (52%)
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-aarch64.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-nvram-network-nbd.x86_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-nvram-network-nbd.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-q35.x86_64-latest.args
 copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml => firmware-manual-efi-qemuvars-q35.x86_64-latest.xml} (74%)
 create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-qemuvars-q35.xml

-- 
2.52.0
