[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 00/21] hw/uefi: add uefi variable service
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [PATCH v2 00/21] hw/uefi: add uefi variable service |
|
Date: |
Wed, 8 Jan 2025 12:24:53 +0000 |
|
User-agent: |
Mutt/2.2.13 (2024-03-09) |
On Wed, Jan 08, 2025 at 03:53:21PM +0400, Marc-André Lureau wrote:
> Hi
>
> On Tue, Jan 7, 2025 at 7:34 PM Gerd Hoffmann <kraxel@redhat.com> wrote:
> >
> > This patch adds a virtual device to qemu which the uefi firmware can use
> > to store variables. This moves the UEFI variable management from
> > privileged guest code (managing vars in pflash) to the host. Main
> > advantage is that the need to have privilege separation in the guest
> > goes away.
> >
> > On x86 privileged guest code runs in SMM. It's supported by kvm, but
> > not liked much by various stakeholders in cloud space due to the
> > complexity SMM emulation brings.
> >
> > On arm privileged guest code runs in el3 (aka secure world). This is
> > not supported by kvm, which is unlikely to change anytime soon given
> > that even el2 support (nested virt) is being worked on for years and is
> > not yet in mainline.
> >
> > The design idea is to reuse the request serialization protocol edk2 uses
>
> I suppose this is a stable protocol. (some parts are set by the UEFI
> spec probably)
>
> There doesn't seem to be a defined way to query either side version or
> capability, I suppose this could be added later assuming an initial
> behaviour/magic etc.
>
> > for communication between SMM and non-SMM code, so large chunks of the
> > edk2 variable driver stack can be used unmodified. Only the driver
> > which traps into SMM mode must be replaced by a driver which talks to
> > qemu instead.
> >
> > A edk2 test branch can be found here (build with "-D QEMU_VARS=TRUE").
> > https://github.com/kraxel/edk2/commits/devel/secure-boot-external-vars
> >
>
> ok, perhaps it would be nice to have some basic unit tests in qemu
> too. Almost none of this new code is exercised by the qemu tests yet.
>
> > The uefi-vars device re-implements the privileged edk2 protocols
> > (i.e. the code running in SMM mode).
>
> Typically the kind of new code that I wish would be in Rust. But I
> suppose it is too early yet, and you came to the same conclusion.
> Probably a good candidate for rewrite though!
Perhaps too early for the device impl, but I would have thought
the general var-service code could be done in rust today. It does
not have all that much interaction with other parts of the QEMU
codebase & thus wouldn't be building on the moving target of the
QOM/Device abstractions. It would also be the prime part that
could be shared with coconut-svsm too.
>
> >
> > v2 changes:
> > - fully implement authenticated variables.
> > - various cleanups and fixes.
> >
> > enjoy & take care,
> > Gerd
> >
> > Gerd Hoffmann (21):
> > hw/uefi: add include/hw/uefi/var-service-api.h
> > hw/uefi: add include/hw/uefi/var-service-edk2.h
> > hw/uefi: add include/hw/uefi/var-service.h
> > hw/uefi: add var-service-guid.c
> > hw/uefi: add var-service-utils.c
> > hw/uefi: add var-service-vars.c
> > hw/uefi: add var-service-auth.c
> > hw/uefi: add var-service-policy.c
> > hw/uefi: add var-service-core.c
> > hw/uefi: add var-service-pkcs7.c
> > hw/uefi: add var-service-pkcs7-stub.c
> > hw/uefi: add var-service-siglist.c
> > hw/uefi: add var-service-json.c + qapi for NV vars.
> > hw/uefi: add trace-events
> > hw/uefi: add UEFI_VARS to Kconfig
> > hw/uefi: add to meson
> > hw/uefi: add uefi-vars-sysbus device
> > hw/uefi: add uefi-vars-isa device
> > hw/arm: add uefi variable support to virt machine type
> > docs: add uefi variable service documentation
> > hw/uefi: add MAINTAINERS entry
> >
> > include/hw/arm/virt.h | 2 +
> > include/hw/uefi/var-service-api.h | 40 ++
> > include/hw/uefi/var-service-edk2.h | 227 +++++++++
> > include/hw/uefi/var-service.h | 186 ++++++++
> > hw/arm/virt.c | 41 ++
> > hw/uefi/var-service-auth.c | 361 ++++++++++++++
> > hw/uefi/var-service-core.c | 237 ++++++++++
> > hw/uefi/var-service-guid.c | 99 ++++
> > hw/uefi/var-service-isa.c | 91 ++++
> > hw/uefi/var-service-json.c | 242 ++++++++++
> > hw/uefi/var-service-pkcs7-stub.c | 16 +
> > hw/uefi/var-service-pkcs7.c | 436 +++++++++++++++++
> > hw/uefi/var-service-policy.c | 370 +++++++++++++++
> > hw/uefi/var-service-siglist.c | 212 +++++++++
> > hw/uefi/var-service-sysbus.c | 90 ++++
> > hw/uefi/var-service-utils.c | 241 ++++++++++
> > hw/uefi/var-service-vars.c | 725 +++++++++++++++++++++++++++++
> > MAINTAINERS | 6 +
> > docs/devel/index-internals.rst | 1 +
> > docs/devel/uefi-vars.rst | 66 +++
> > hw/Kconfig | 1 +
> > hw/meson.build | 1 +
> > hw/uefi/Kconfig | 9 +
> > hw/uefi/LIMITATIONS.md | 7 +
> > hw/uefi/meson.build | 24 +
> > hw/uefi/trace-events | 17 +
> > meson.build | 1 +
> > qapi/meson.build | 1 +
> > qapi/qapi-schema.json | 1 +
> > qapi/uefi.json | 45 ++
> > 30 files changed, 3796 insertions(+)
> > create mode 100644 include/hw/uefi/var-service-api.h
> > create mode 100644 include/hw/uefi/var-service-edk2.h
> > create mode 100644 include/hw/uefi/var-service.h
> > create mode 100644 hw/uefi/var-service-auth.c
> > create mode 100644 hw/uefi/var-service-core.c
> > create mode 100644 hw/uefi/var-service-guid.c
> > create mode 100644 hw/uefi/var-service-isa.c
> > create mode 100644 hw/uefi/var-service-json.c
> > create mode 100644 hw/uefi/var-service-pkcs7-stub.c
> > create mode 100644 hw/uefi/var-service-pkcs7.c
> > create mode 100644 hw/uefi/var-service-policy.c
> > create mode 100644 hw/uefi/var-service-siglist.c
> > create mode 100644 hw/uefi/var-service-sysbus.c
> > create mode 100644 hw/uefi/var-service-utils.c
> > create mode 100644 hw/uefi/var-service-vars.c
> > create mode 100644 docs/devel/uefi-vars.rst
> > create mode 100644 hw/uefi/Kconfig
> > create mode 100644 hw/uefi/LIMITATIONS.md
> > create mode 100644 hw/uefi/meson.build
> > create mode 100644 hw/uefi/trace-events
> > create mode 100644 qapi/uefi.json
> >
> > --
> > 2.47.1
> >
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- Re: [PATCH v2 13/21] hw/uefi: add var-service-json.c + qapi for NV vars., (continued)
- [PATCH v2 17/21] hw/uefi: add uefi-vars-sysbus device, Gerd Hoffmann, 2025/01/07
- [PATCH v2 16/21] hw/uefi: add to meson, Gerd Hoffmann, 2025/01/07
- [PATCH v2 18/21] hw/uefi: add uefi-vars-isa device, Gerd Hoffmann, 2025/01/07
- [PATCH v2 20/21] docs: add uefi variable service documentation, Gerd Hoffmann, 2025/01/07
- [PATCH v2 21/21] hw/uefi: add MAINTAINERS entry, Gerd Hoffmann, 2025/01/07
- [PATCH v2 19/21] hw/arm: add uefi variable support to virt machine type, Gerd Hoffmann, 2025/01/07
- Re: [PATCH v2 00/21] hw/uefi: add uefi variable service, Daniel P . Berrangé, 2025/01/07
- Re: [PATCH v2 00/21] hw/uefi: add uefi variable service, Marc-André Lureau, 2025/01/08