This series makes it possible to use Secure Boot with aarch64 VMs.
https://issues.redhat.com/browse/RHEL-82645
Note that, while I consider the entire series to be ready for review,
there are two patches that are marked as DONOTMERGE: that's because
they respectively implement support for a JSON firmware descriptor
syntax extension that has not yet been approved, and import into the
tree firmware descriptor that are not yet part of the Fedora edk2
package. The latter depends on the former, of course, for which
patches have been posted[1] to the QEMU mailing list.
Changes from [v1]:
* rewrite based on review feedback: the <nvram> element is no
longer used, and a dedicated <varstore> element is introduced
instead;
* additional test coverage, as well as fixes and improvements
related to firmware selection and its documentation, are present
as well.
[1] https://mail.gnu.org/archive/html/qemu-devel/2026-02/msg02498.html
[v1]
https://lists.libvirt.org/archives/list/[email protected]/thread/TGLFMPRXCATRPA6MPHH5KYXY5XCTSRDT/
Andrea Bolognani (38):
qemu_firmware: Only set format for custom loader if path is present
conf: Move type=rom default for loader to drivers
qemu_firmware: Improve matching when loader.type is absent
tests: Rename custom JSON firmware descriptors
tests: Update JSON firmware descriptor for BIOS
schema: Add varstore element
conf: Parse and format varstore element
conf: Update validation to consider varstore element
qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS
qemu: Validate presence of uefi-vars device
tests: Add firmware-manual-efi-varstore-q35
tests: Add firmware-manual-efi-varstore-aarch64
tests: Add firmware-auto-efi-varstore-q35
tests: Add firmware-auto-efi-varstore-aarch64
tests: Add firmware-auto-efi-enrolled-keys-aarch64
qemu_firmware: Parse host-uefi-vars firmware feature
qemu_firmware: Split sanity check
qemu_firmware: Consider host-uefi-vars feature in sanity check
DONOTMERGE: qemu_firmware: Support extended syntax for ROM firmware
descriptors
qemu_firmware: Report NVRAM template path for ROMs
schema: Add varstore element for domcaps
conf: Include varstore element in domcaps
qemu: Fill in varstore element in domcaps
qemu_firmware: Use of NVRAM implies stateful firmware
qemu_firmware: Allow matching stateful ROMs
qemu_firmware: Fill in varstore information
qemu: Introduce varstoreDir
qemu_firmware: Generate varstore path when necessary
DONOTMERGE: tests: Add firmware descriptors for uefi-vars builds
qemu_command: Use uefi-vars device where appropriate
qemu: Introduce qemuPrepareNVRAMFileCommon()
qemu: Create and delete varstore file
security: Mark ROMs as read only when using AppArmor
security: Handle varstore file
include: Mention varstore where applicable
virsh: Update for varstore handling
docs: Update for varstore and improve
news: Document support for uefi-vars device and firmwares
NEWS.rst | 16 ++
docs/formatcaps.rst | 2 +-
docs/formatdomain.rst | 47 +++--
docs/formatdomaincaps.rst | 81 +++++---
docs/kbase/secureboot.rst | 46 +++--
docs/manpages/virsh.rst | 44 +++--
include/libvirt/libvirt-domain-snapshot.h | 2 +-
include/libvirt/libvirt-domain.h | 4 +-
libvirt.spec.in | 1 +
src/conf/domain_capabilities.c | 10 +
src/conf/domain_capabilities.h | 6 +
src/conf/domain_conf.c | 79 +++++++-
src/conf/domain_conf.h | 9 +
src/conf/domain_postparse.c | 19 --
src/conf/domain_validate.c | 82 +++-----
src/conf/schemas/domaincaps.rng | 9 +
src/conf/schemas/domaincommon.rng | 64 +++---
src/conf/virconftypes.h | 2 +
src/libvirt_private.syms | 2 +
src/libxl/libxl_domain.c | 6 +
src/qemu/meson.build | 1 +
src/qemu/qemu_capabilities.c | 31 ++-
src/qemu/qemu_capabilities.h | 3 +
src/qemu/qemu_command.c | 34 ++++
src/qemu/qemu_conf.c | 4 +
src/qemu/qemu_conf.h | 1 +
src/qemu/qemu_driver.c | 27 ++-
src/qemu/qemu_firmware.c | 182 ++++++++++++++++--
src/qemu/qemu_firmware.h | 1 +
src/qemu/qemu_process.c | 84 ++++++--
src/qemu/qemu_validate.c | 20 ++
src/security/security_dac.c | 22 ++-
src/security/security_selinux.c | 53 +++--
src/security/virt-aa-helper.c | 36 +++-
.../qemu_10.0.0-q35.x86_64+amdsev.xml | 1 +
.../domaincapsdata/qemu_10.0.0-q35.x86_64.xml | 1 +
.../qemu_10.0.0-tcg.x86_64+amdsev.xml | 1 +
.../domaincapsdata/qemu_10.0.0-tcg.x86_64.xml | 1 +
.../qemu_10.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_10.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_10.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_10.0.0.s390x.xml | 1 +
.../qemu_10.0.0.x86_64+amdsev.xml | 1 +
tests/domaincapsdata/qemu_10.0.0.x86_64.xml | 1 +
.../qemu_10.1.0-q35.x86_64+inteltdx.xml | 1 +
.../domaincapsdata/qemu_10.1.0-q35.x86_64.xml | 1 +
.../qemu_10.1.0-tcg.x86_64+inteltdx.xml | 1 +
.../domaincapsdata/qemu_10.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_10.1.0.s390x.xml | 1 +
.../qemu_10.1.0.x86_64+inteltdx.xml | 1 +
tests/domaincapsdata/qemu_10.1.0.x86_64.xml | 1 +
.../qemu_10.2.0-q35.x86_64+mshv.xml | 1 +
.../domaincapsdata/qemu_10.2.0-q35.x86_64.xml | 1 +
.../qemu_10.2.0-tcg.x86_64+mshv.xml | 1 +
.../domaincapsdata/qemu_10.2.0-tcg.x86_64.xml | 1 +
.../qemu_10.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_10.2.0.aarch64.xml | 1 +
.../qemu_10.2.0.x86_64+mshv.xml | 1 +
tests/domaincapsdata/qemu_10.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_11.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_11.0.0-tcg.x86_64.xml | 1 +
.../qemu_11.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_11.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_11.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_6.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_6.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_7.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_7.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_7.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_7.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_7.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_7.1.0.x86_64.xml | 1 +
.../qemu_7.2.0-hvf.x86_64+hvf.xml | 1 +
.../domaincapsdata/qemu_7.2.0-q35.x86_64.xml | 1 +
.../qemu_7.2.0-tcg.x86_64+hvf.xml | 1 +
.../domaincapsdata/qemu_7.2.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_7.2.0.ppc.xml | 1 +
tests/domaincapsdata/qemu_7.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_8.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_8.1.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_8.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_8.2.0-q35.x86_64.xml | 1 +
.../qemu_8.2.0-tcg-virt.loongarch64.xml | 1 +
.../domaincapsdata/qemu_8.2.0-tcg.x86_64.xml | 1 +
.../qemu_8.2.0-virt.aarch64.xml | 1 +
.../qemu_8.2.0-virt.loongarch64.xml | 1 +
tests/domaincapsdata/qemu_8.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_8.2.0.armv7l.xml | 1 +
tests/domaincapsdata/qemu_8.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_8.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_9.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_9.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_9.0.0.sparc.xml | 1 +
tests/domaincapsdata/qemu_9.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_9.1.0-q35.x86_64.xml | 1 +
.../qemu_9.1.0-tcg-virt.riscv64.xml | 1 +
.../domaincapsdata/qemu_9.1.0-tcg.x86_64.xml | 1 +
.../qemu_9.1.0-virt.riscv64.xml | 1 +
tests/domaincapsdata/qemu_9.1.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_9.1.0.x86_64.xml | 1 +
.../qemu_9.2.0-hvf.aarch64+hvf.xml | 1 +
.../qemu_9.2.0-q35.x86_64+amdsev.xml | 1 +
.../domaincapsdata/qemu_9.2.0-q35.x86_64.xml | 1 +
.../qemu_9.2.0-tcg.x86_64+amdsev.xml | 1 +
.../domaincapsdata/qemu_9.2.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_9.2.0.s390x.xml | 1 +
.../qemu_9.2.0.x86_64+amdsev.xml | 1 +
tests/domaincapsdata/qemu_9.2.0.x86_64.xml | 1 +
.../caps_10.0.0_aarch64.xml | 1 +
.../caps_10.0.0_x86_64+amdsev.xml | 1 +
.../caps_10.0.0_x86_64.xml | 1 +
.../caps_10.1.0_s390x.xml | 1 +
.../caps_10.1.0_x86_64+inteltdx.xml | 1 +
.../caps_10.1.0_x86_64.xml | 1 +
.../caps_10.2.0_aarch64.xml | 1 +
.../caps_10.2.0_x86_64+mshv.xml | 1 +
.../caps_10.2.0_x86_64.xml | 1 +
.../caps_11.0.0_aarch64.xml | 1 +
.../caps_11.0.0_x86_64.xml | 1 +
.../etc/qemu/firmware/20-bios.json | 1 -
.../etc/qemu/firmware/20-libvirt-bios.json | 1 +
.../etc/qemu/firmware/59-combined.json | 1 -
.../qemu/firmware/59-libvirt-combined.json | 1 +
...{92-masked.json => 92-libvirt-masked.json} | 0
.../{10-bios.json => 10-libvirt-bios.json} | 0
...0-edk2-ovmf-qemuvars-x64-sb-enrolled.json} | 15 +-
.../70-edk2-qemuvars-aarch64-sb-enrolled.json | 28 +++
...json => 71-edk2-ovmf-qemuvars-x64-sb.json} | 16 +-
.../firmware/71-edk2-qemuvars-aarch64-sb.json | 27 +++
...combined.json => 90-libvirt-combined.json} | 0
.../{91-bios.json => 91-libvirt-bios.json} | 2 +-
...{92-masked.json => 92-libvirt-masked.json} | 0
...3-invalid.json => 93-libvirt-invalid.json} | 0
tests/qemufirmwaretest.c | 71 ++++---
...-auto-bios-not-stateless.x86_64-latest.err | 2 +-
...auto-bios-not-stateless.x86_64-latest.xml} | 6 +-
...firmware-auto-bios-nvram.x86_64-latest.err | 2 +-
...are-auto-bios-stateless.x86_64-latest.args | 2 +-
...ware-auto-bios-stateless.x86_64-latest.xml | 2 +-
.../firmware-auto-bios.x86_64-latest.args | 2 +-
.../firmware-auto-bios.x86_64-latest.xml | 2 +-
...fi-enrolled-keys-aarch64.aarch64-8.2.0.err | 1 +
...enrolled-keys-aarch64.aarch64-latest.args} | 12 +-
...i-enrolled-keys-aarch64.aarch64-latest.xml | 32 +++
...irmware-auto-efi-enrolled-keys-aarch64.xml | 20 ++
...-efi-varstore-aarch64.aarch64-latest.args} | 12 +-
...to-efi-varstore-aarch64.aarch64-latest.xml | 32 +++
.../firmware-auto-efi-varstore-aarch64.xml | 18 ++
...-auto-efi-varstore-q35.x86_64-latest.args} | 5 +-
...e-auto-efi-varstore-q35.x86_64-latest.xml} | 11 +-
.../firmware-auto-efi-varstore-q35.xml | 18 ++
...ual-bios-not-stateless.x86_64-latest.args} | 8 +-
...anual-bios-not-stateless.x86_64-latest.err | 1 -
...nual-bios-not-stateless.x86_64-latest.xml} | 2 +-
...re-manual-bios-stateless.x86_64-latest.xml | 6 +-
.../firmware-manual-bios.x86_64-latest.xml | 6 +-
...nual-efi-nvram-stateless.x86_64-latest.err | 2 +-
...nvram-template-stateless.x86_64-latest.err | 2 +-
...ware-manual-efi-rw-nvram.x86_64-latest.err | 2 +-
...ual-efi-varstore-aarch64.aarch64-8.2.0.err | 1 +
...-efi-varstore-aarch64.aarch64-latest.args} | 12 +-
...al-efi-varstore-aarch64.aarch64-latest.xml | 32 +++
.../firmware-manual-efi-varstore-aarch64.xml | 19 ++
...e-manual-efi-varstore-q35.x86_64-8.2.0.err | 1 +
...anual-efi-varstore-q35.x86_64-latest.args} | 5 +-
...manual-efi-varstore-q35.x86_64-latest.xml} | 11 +-
.../firmware-manual-efi-varstore-q35.xml | 19 ++
tests/qemuxmlconftest.c | 16 +-
tests/testutilsqemu.c | 2 +
tools/virsh-domain.c | 55 ++++--
tools/virsh-snapshot.c | 9 +-
179 files changed, 1296 insertions(+), 380 deletions(-)
delete mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/20-bios.json
create mode 120000
tests/qemufirmwaredata/etc/qemu/firmware/20-libvirt-bios.json
delete mode 120000 tests/qemufirmwaredata/etc/qemu/firmware/59-combined.json
create mode 120000
tests/qemufirmwaredata/etc/qemu/firmware/59-libvirt-combined.json
rename tests/qemufirmwaredata/etc/qemu/firmware/{92-masked.json =>
92-libvirt-masked.json} (100%)
rename tests/qemufirmwaredata/home/user/.config/qemu/firmware/{10-bios.json =>
10-libvirt-bios.json} (100%)
copy tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json =>
70-edk2-ovmf-qemuvars-x64-sb-enrolled.json} (55%)
create mode 100644
tests/qemufirmwaredata/usr/share/qemu/firmware/70-edk2-qemuvars-aarch64-sb-enrolled.json
copy tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json =>
71-edk2-ovmf-qemuvars-x64-sb.json} (51%)
create mode 100644
tests/qemufirmwaredata/usr/share/qemu/firmware/71-edk2-qemuvars-aarch64-sb.json
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{90-combined.json =>
90-libvirt-combined.json} (100%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{91-bios.json =>
91-libvirt-bios.json} (90%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{92-masked.json =>
92-libvirt-masked.json} (100%)
rename tests/qemufirmwaredata/usr/share/qemu/firmware/{93-invalid.json =>
93-libvirt-invalid.json} (100%)
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.xml =>
firmware-auto-bios-not-stateless.x86_64-latest.xml} (84%)
create mode 100644
tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.args} (72%)
create mode 100644
tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.aarch64-latest.xml
create mode 100644
tests/qemuxmlconfdata/firmware-auto-efi-enrolled-keys-aarch64.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-auto-efi-varstore-aarch64.aarch64-latest.args} (72%)
create mode 100644
tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.aarch64-latest.xml
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-aarch64.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.args =>
firmware-auto-efi-varstore-q35.x86_64-latest.args} (83%)
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml =>
firmware-auto-efi-varstore-q35.x86_64-latest.xml} (73%)
create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-varstore-q35.xml
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-manual-bios-not-stateless.x86_64-latest.args} (84%)
delete mode 100644
tests/qemuxmlconfdata/firmware-manual-bios-not-stateless.x86_64-latest.err
copy tests/qemuxmlconfdata/{firmware-manual-bios.x86_64-latest.xml =>
firmware-manual-bios-not-stateless.x86_64-latest.xml} (90%)
create mode 100644
tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-manual-efi-varstore-aarch64.aarch64-latest.args} (73%)
create mode 100644
tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.aarch64-latest.xml
create mode 100644
tests/qemuxmlconfdata/firmware-manual-efi-varstore-aarch64.xml
create mode 100644
tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.x86_64-8.2.0.err
copy tests/qemuxmlconfdata/{firmware-auto-bios.x86_64-latest.args =>
firmware-manual-efi-varstore-q35.x86_64-latest.args} (85%)
copy tests/qemuxmlconfdata/{firmware-auto-bios-stateless.x86_64-latest.xml =>
firmware-manual-efi-varstore-q35.x86_64-latest.xml} (74%)
create mode 100644 tests/qemuxmlconfdata/firmware-manual-efi-varstore-q35.xml
--
2.53.0
