On 2/23/26 19:30, Andrea Bolognani via Devel wrote:
> This series makes it possible to use Secure Boot with aarch64 VMs.
>
> https://issues.redhat.com/browse/RHEL-82645
>
> Changes from [v3]:
>
> * changes to JSON firmware descriptors shipped by the edk2 package
>   have been merged in Fedora, so the corresponding patch is no
>   longer marked as DONOTMERGE;
>
> * drop new varstore-specific flags from virsh, the existing
>   NVRAM-related flags will work for varstore too;
>
> * drop some changes to firmware selection that were not related to
>   varstore support, to be reworked and submitted again at a later
>   date;
>
> * split, join and shuffle around patches;
>
> * tweak things according to review feedback.
>
> Changes from [v2]:
>
> * changes to the schema for JSON firmware descriptors have been
>   queued for merge in QEMU, so the corresponding patch is no longer
>   marked as DONOTMERGE;
>
> * improve documentation;
>
> * rebase on top of master, addressing conflicts that I have caused
>   with some recent changes related to this work.
>
> Changes from [v1]:
>
> * rewrite based on review feedback: the <nvram> element is no
>   longer used, and a dedicated <varstore> element is introduced
>   instead;
>
> * additional test coverage, as well as fixes and improvements
>   related to firmware selection and its documentation, are present
>   as well.
>
> [v3]
> https://lists.libvirt.org/archives/list/[email protected]/thread/5JTQAESR4TQHGWAYZHHQVZW6O2D6A3BU/
> [v2]
> https://lists.libvirt.org/archives/list/[email protected]/thread/WVWT3BX3J5HM4FKRG3IW7HAW6JMU2VOH/
> [v1]
> https://lists.libvirt.org/archives/list/[email protected]/thread/TGLFMPRXCATRPA6MPHH5KYXY5XCTSRDT/
>
> Andrea Bolognani (36):
>   docs: Rename "BIOS bootloader" section to "guest firmware"
>   docs: Improvement related to firmware selection
>   qemu_firmware: Only set format for custom loader if path is present
>   conf: Move type=rom default for loader to drivers
>   tests: Rename custom JSON firmware descriptors
>   schema: Introduce osnvram define
>   conf: Parse and format varstore element
>   conf: Update validation to consider varstore element
>   qemu_capabilities: Introduce QEMU_CAPS_DEVICE_UEFI_VARS
>   qemu: Validate presence of uefi-vars device
>   tests: Add firmware-manual-efi-varstore-q35
>   tests: Add firmware-manual-efi-varstore-aarch64
>   tests: Add firmware-auto-efi-varstore-q35
>   tests: Add firmware-auto-efi-varstore-aarch64
>   tests: Add firmware-auto-efi-enrolled-keys-aarch64
>   qemu_firmware: Parse host-uefi-vars firmware feature
>   qemu_firmware: Split sanity check
>   qemu_firmware: Consider host-uefi-vars feature in sanity check
>   qemu_firmware: Support extended syntax for ROM firmware descriptors
>   qemu_firmware: Report NVRAM template path for ROMs
>   conf: Include varstore element in domcaps
>   qemu: Fill in varstore element in domcaps
>   qemu_firmware: Use of NVRAM implies stateful firmware
>   qemu_firmware: Allow matching stateful ROMs
>   qemu_firmware: Fill in varstore information
>   qemu: Introduce varstoreDir
>   qemu_firmware: Generate varstore path when necessary
>   qemu: Introduce qemuPrepareNVRAMFileCommon()
>   qemu: Create and delete varstore file
>   security: Mark ROMs as read only when using AppArmor
>   security: Handle varstore file
>   tests: Add firmware descriptors for uefi-vars builds
>   qemu_command: Use uefi-vars device where appropriate
>   include: Mention varstore where applicable
>   virsh: Update for varstore handling
>   news: Document support for uefi-vars device and firmwares
>
> 173 files changed, 1546 insertions(+), 307 deletions(-)

Reviewed-by: Michal Privoznik <[email protected]>

Michal
