[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 00/21] hw/uefi: add uefi variable service
|
From: |
Marc-André Lureau |
|
Subject: |
Re: [PATCH v2 00/21] hw/uefi: add uefi variable service |
|
Date: |
Wed, 8 Jan 2025 15:53:21 +0400 |
Hi
On Tue, Jan 7, 2025 at 7:34 PM Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> This patch adds a virtual device to qemu which the uefi firmware can use
> to store variables. This moves the UEFI variable management from
> privileged guest code (managing vars in pflash) to the host. Main
> advantage is that the need to have privilege separation in the guest
> goes away.
>
> On x86 privileged guest code runs in SMM. It's supported by kvm, but
> not liked much by various stakeholders in cloud space due to the
> complexity SMM emulation brings.
>
> On arm privileged guest code runs in el3 (aka secure world). This is
> not supported by kvm, which is unlikely to change anytime soon given
> that even el2 support (nested virt) is being worked on for years and is
> not yet in mainline.
>
> The design idea is to reuse the request serialization protocol edk2 uses
I suppose this is a stable protocol. (some parts are set by the UEFI
spec probably)
There doesn't seem to be a defined way to query either side version or
capability, I suppose this could be added later assuming an initial
behaviour/magic etc.
> for communication between SMM and non-SMM code, so large chunks of the
> edk2 variable driver stack can be used unmodified. Only the driver
> which traps into SMM mode must be replaced by a driver which talks to
> qemu instead.
>
> A edk2 test branch can be found here (build with "-D QEMU_VARS=TRUE").
> https://github.com/kraxel/edk2/commits/devel/secure-boot-external-vars
>
ok, perhaps it would be nice to have some basic unit tests in qemu
too. Almost none of this new code is exercised by the qemu tests yet.
> The uefi-vars device re-implements the privileged edk2 protocols
> (i.e. the code running in SMM mode).
Typically the kind of new code that I wish would be in Rust. But I
suppose it is too early yet, and you came to the same conclusion.
Probably a good candidate for rewrite though!
>
> v2 changes:
> - fully implement authenticated variables.
> - various cleanups and fixes.
>
> enjoy & take care,
> Gerd
>
> Gerd Hoffmann (21):
> hw/uefi: add include/hw/uefi/var-service-api.h
> hw/uefi: add include/hw/uefi/var-service-edk2.h
> hw/uefi: add include/hw/uefi/var-service.h
> hw/uefi: add var-service-guid.c
> hw/uefi: add var-service-utils.c
> hw/uefi: add var-service-vars.c
> hw/uefi: add var-service-auth.c
> hw/uefi: add var-service-policy.c
> hw/uefi: add var-service-core.c
> hw/uefi: add var-service-pkcs7.c
> hw/uefi: add var-service-pkcs7-stub.c
> hw/uefi: add var-service-siglist.c
> hw/uefi: add var-service-json.c + qapi for NV vars.
> hw/uefi: add trace-events
> hw/uefi: add UEFI_VARS to Kconfig
> hw/uefi: add to meson
> hw/uefi: add uefi-vars-sysbus device
> hw/uefi: add uefi-vars-isa device
> hw/arm: add uefi variable support to virt machine type
> docs: add uefi variable service documentation
> hw/uefi: add MAINTAINERS entry
>
> include/hw/arm/virt.h | 2 +
> include/hw/uefi/var-service-api.h | 40 ++
> include/hw/uefi/var-service-edk2.h | 227 +++++++++
> include/hw/uefi/var-service.h | 186 ++++++++
> hw/arm/virt.c | 41 ++
> hw/uefi/var-service-auth.c | 361 ++++++++++++++
> hw/uefi/var-service-core.c | 237 ++++++++++
> hw/uefi/var-service-guid.c | 99 ++++
> hw/uefi/var-service-isa.c | 91 ++++
> hw/uefi/var-service-json.c | 242 ++++++++++
> hw/uefi/var-service-pkcs7-stub.c | 16 +
> hw/uefi/var-service-pkcs7.c | 436 +++++++++++++++++
> hw/uefi/var-service-policy.c | 370 +++++++++++++++
> hw/uefi/var-service-siglist.c | 212 +++++++++
> hw/uefi/var-service-sysbus.c | 90 ++++
> hw/uefi/var-service-utils.c | 241 ++++++++++
> hw/uefi/var-service-vars.c | 725 +++++++++++++++++++++++++++++
> MAINTAINERS | 6 +
> docs/devel/index-internals.rst | 1 +
> docs/devel/uefi-vars.rst | 66 +++
> hw/Kconfig | 1 +
> hw/meson.build | 1 +
> hw/uefi/Kconfig | 9 +
> hw/uefi/LIMITATIONS.md | 7 +
> hw/uefi/meson.build | 24 +
> hw/uefi/trace-events | 17 +
> meson.build | 1 +
> qapi/meson.build | 1 +
> qapi/qapi-schema.json | 1 +
> qapi/uefi.json | 45 ++
> 30 files changed, 3796 insertions(+)
> create mode 100644 include/hw/uefi/var-service-api.h
> create mode 100644 include/hw/uefi/var-service-edk2.h
> create mode 100644 include/hw/uefi/var-service.h
> create mode 100644 hw/uefi/var-service-auth.c
> create mode 100644 hw/uefi/var-service-core.c
> create mode 100644 hw/uefi/var-service-guid.c
> create mode 100644 hw/uefi/var-service-isa.c
> create mode 100644 hw/uefi/var-service-json.c
> create mode 100644 hw/uefi/var-service-pkcs7-stub.c
> create mode 100644 hw/uefi/var-service-pkcs7.c
> create mode 100644 hw/uefi/var-service-policy.c
> create mode 100644 hw/uefi/var-service-siglist.c
> create mode 100644 hw/uefi/var-service-sysbus.c
> create mode 100644 hw/uefi/var-service-utils.c
> create mode 100644 hw/uefi/var-service-vars.c
> create mode 100644 docs/devel/uefi-vars.rst
> create mode 100644 hw/uefi/Kconfig
> create mode 100644 hw/uefi/LIMITATIONS.md
> create mode 100644 hw/uefi/meson.build
> create mode 100644 hw/uefi/trace-events
> create mode 100644 qapi/uefi.json
>
> --
> 2.47.1
>
- Re: [PATCH v2 13/21] hw/uefi: add var-service-json.c + qapi for NV vars., (continued)
- [PATCH v2 17/21] hw/uefi: add uefi-vars-sysbus device, Gerd Hoffmann, 2025/01/07
- [PATCH v2 16/21] hw/uefi: add to meson, Gerd Hoffmann, 2025/01/07
- [PATCH v2 18/21] hw/uefi: add uefi-vars-isa device, Gerd Hoffmann, 2025/01/07
- [PATCH v2 20/21] docs: add uefi variable service documentation, Gerd Hoffmann, 2025/01/07
- [PATCH v2 21/21] hw/uefi: add MAINTAINERS entry, Gerd Hoffmann, 2025/01/07
- [PATCH v2 19/21] hw/arm: add uefi variable support to virt machine type, Gerd Hoffmann, 2025/01/07
- Re: [PATCH v2 00/21] hw/uefi: add uefi variable service, Daniel P . Berrangé, 2025/01/07
- Re: [PATCH v2 00/21] hw/uefi: add uefi variable service,
Marc-André Lureau <=