This patch adds a virtual device to qemu which the uefi firmware can use to store variables. This moves the UEFI variable management from privileged guest code (managing vars in pflash) to the host. Main advantage is that the need to have privilege separation in the guest goes away.
On x86 privileged guest code runs in SMM. It's supported by kvm, but not liked much by various stakeholders in cloud space due to the complexity SMM emulation brings. On arm privileged guest code runs in el3 (aka secure world). This is not supported by kvm, which is unlikely to change anytime soon given that even el2 support (nested virt) is being worked on for years and is not yet in mainline. The design idea is to reuse the request serialization protocol edk2 uses for communication between SMM and non-SMM code, so large chunks of the edk2 variable driver stack can be used unmodified. Only the driver which traps into SMM mode must be replaced by a driver which talks to qemu instead. A edk2 test branch can be found here (build with "-D QEMU_VARS=TRUE"). https://github.com/kraxel/edk2/commits/devel/secure-boot-external-vars The uefi-vars device must re-implement the privileged edk2 protocols (i.e. the code running in SMM mode). The implementation is not complete yet, specifically updating authenticated variables is not implemented. These variables are simply read-only for now. But there is enough functionality working that it is possible to run guests, including guests in secure boot mode, so I'm sending this out for feedback (before tackling the remaining 20% which evidently will need 80% of the time ;) Because the guest can not write to authenticated variables (yet) it can not enroll secure boot keys itself, this must be done on the host. The virt-firmware tools (https://gitlab.com/kraxel/virt-firmware) can be used for that: virt-fw-vars --enroll-redhat --secure-boot --output-json uefivars.json enjoy & take care, Gerd Gerd Hoffmann (16): hw/uefi: add include/hw/uefi/var-service-api.h hw/uefi: add include/hw/uefi/var-service-edk2.h hw/uefi: add include/hw/uefi/var-service.h hw/uefi: add var-service-guid.c hw/uefi: add var-service-core.c hw/uefi: add var-service-vars.c hw/uefi: add var-service-auth.c hw/uefi: add var-service-policy.c hw/uefi: add support for storing persistent variables on disk hw/uefi: add trace-events hw/uefi: add to Kconfig hw/uefi: add to meson hw/uefi: add uefi-vars-sysbus device hw/uefi: add uefi-vars-isa device hw/arm: add uefi variable support to virt machine type docs: add uefi variable service documentation and TODO list. include/hw/arm/virt.h | 2 + include/hw/uefi/var-service-api.h | 40 ++ include/hw/uefi/var-service-edk2.h | 184 +++++++++ include/hw/uefi/var-service.h | 119 ++++++ hw/arm/virt.c | 41 ++ hw/uefi/var-service-auth.c | 91 +++++ hw/uefi/var-service-core.c | 350 +++++++++++++++++ hw/uefi/var-service-guid.c | 61 +++ hw/uefi/var-service-isa.c | 88 +++++ hw/uefi/var-service-json.c | 194 ++++++++++ hw/uefi/var-service-policy.c | 390 +++++++++++++++++++ hw/uefi/var-service-sysbus.c | 87 +++++ hw/uefi/var-service-vars.c | 602 +++++++++++++++++++++++++++++ docs/devel/index-internals.rst | 1 + docs/devel/uefi-vars.rst | 66 ++++ hw/Kconfig | 1 + hw/meson.build | 1 + hw/uefi/Kconfig | 9 + hw/uefi/TODO.md | 17 + hw/uefi/meson.build | 18 + hw/uefi/trace-events | 16 + meson.build | 1 + qapi/meson.build | 1 + qapi/qapi-schema.json | 1 + qapi/uefi.json | 40 ++ 25 files changed, 2421 insertions(+) create mode 100644 include/hw/uefi/var-service-api.h create mode 100644 include/hw/uefi/var-service-edk2.h create mode 100644 include/hw/uefi/var-service.h create mode 100644 hw/uefi/var-service-auth.c create mode 100644 hw/uefi/var-service-core.c create mode 100644 hw/uefi/var-service-guid.c create mode 100644 hw/uefi/var-service-isa.c create mode 100644 hw/uefi/var-service-json.c create mode 100644 hw/uefi/var-service-policy.c create mode 100644 hw/uefi/var-service-sysbus.c create mode 100644 hw/uefi/var-service-vars.c create mode 100644 docs/devel/uefi-vars.rst create mode 100644 hw/uefi/Kconfig create mode 100644 hw/uefi/TODO.md create mode 100644 hw/uefi/meson.build create mode 100644 hw/uefi/trace-events create mode 100644 qapi/uefi.json -- 2.41.0
