On Wed, Jan 08, 2025 at 03:53:21PM +0400, Marc-André Lureau wrote: > Hi > > On Tue, Jan 7, 2025 at 7:34 PM Gerd Hoffmann <kra...@redhat.com> wrote: > > > > This patch adds a virtual device to qemu which the uefi firmware can use > > to store variables. This moves the UEFI variable management from > > privileged guest code (managing vars in pflash) to the host. Main > > advantage is that the need to have privilege separation in the guest > > goes away. > > > > On x86 privileged guest code runs in SMM. It's supported by kvm, but > > not liked much by various stakeholders in cloud space due to the > > complexity SMM emulation brings. > > > > On arm privileged guest code runs in el3 (aka secure world). This is > > not supported by kvm, which is unlikely to change anytime soon given > > that even el2 support (nested virt) is being worked on for years and is > > not yet in mainline. > > > > The design idea is to reuse the request serialization protocol edk2 uses > > I suppose this is a stable protocol. (some parts are set by the UEFI > spec probably) > > There doesn't seem to be a defined way to query either side version or > capability, I suppose this could be added later assuming an initial > behaviour/magic etc. > > > for communication between SMM and non-SMM code, so large chunks of the > > edk2 variable driver stack can be used unmodified. Only the driver > > which traps into SMM mode must be replaced by a driver which talks to > > qemu instead. > > > > A edk2 test branch can be found here (build with "-D QEMU_VARS=TRUE"). > > https://github.com/kraxel/edk2/commits/devel/secure-boot-external-vars > > > > ok, perhaps it would be nice to have some basic unit tests in qemu > too. Almost none of this new code is exercised by the qemu tests yet. > > > The uefi-vars device re-implements the privileged edk2 protocols > > (i.e. the code running in SMM mode). > > Typically the kind of new code that I wish would be in Rust. But I > suppose it is too early yet, and you came to the same conclusion. > Probably a good candidate for rewrite though!
Perhaps too early for the device impl, but I would have thought the general var-service code could be done in rust today. It does not have all that much interaction with other parts of the QEMU codebase & thus wouldn't be building on the moving target of the QOM/Device abstractions. It would also be the prime part that could be shared with coconut-svsm too. > > > > > v2 changes: > > - fully implement authenticated variables. > > - various cleanups and fixes. > > > > enjoy & take care, > > Gerd > > > > Gerd Hoffmann (21): > > hw/uefi: add include/hw/uefi/var-service-api.h > > hw/uefi: add include/hw/uefi/var-service-edk2.h > > hw/uefi: add include/hw/uefi/var-service.h > > hw/uefi: add var-service-guid.c > > hw/uefi: add var-service-utils.c > > hw/uefi: add var-service-vars.c > > hw/uefi: add var-service-auth.c > > hw/uefi: add var-service-policy.c > > hw/uefi: add var-service-core.c > > hw/uefi: add var-service-pkcs7.c > > hw/uefi: add var-service-pkcs7-stub.c > > hw/uefi: add var-service-siglist.c > > hw/uefi: add var-service-json.c + qapi for NV vars. > > hw/uefi: add trace-events > > hw/uefi: add UEFI_VARS to Kconfig > > hw/uefi: add to meson > > hw/uefi: add uefi-vars-sysbus device > > hw/uefi: add uefi-vars-isa device > > hw/arm: add uefi variable support to virt machine type > > docs: add uefi variable service documentation > > hw/uefi: add MAINTAINERS entry > > > > include/hw/arm/virt.h | 2 + > > include/hw/uefi/var-service-api.h | 40 ++ > > include/hw/uefi/var-service-edk2.h | 227 +++++++++ > > include/hw/uefi/var-service.h | 186 ++++++++ > > hw/arm/virt.c | 41 ++ > > hw/uefi/var-service-auth.c | 361 ++++++++++++++ > > hw/uefi/var-service-core.c | 237 ++++++++++ > > hw/uefi/var-service-guid.c | 99 ++++ > > hw/uefi/var-service-isa.c | 91 ++++ > > hw/uefi/var-service-json.c | 242 ++++++++++ > > hw/uefi/var-service-pkcs7-stub.c | 16 + > > hw/uefi/var-service-pkcs7.c | 436 +++++++++++++++++ > > hw/uefi/var-service-policy.c | 370 +++++++++++++++ > > hw/uefi/var-service-siglist.c | 212 +++++++++ > > hw/uefi/var-service-sysbus.c | 90 ++++ > > hw/uefi/var-service-utils.c | 241 ++++++++++ > > hw/uefi/var-service-vars.c | 725 +++++++++++++++++++++++++++++ > > MAINTAINERS | 6 + > > docs/devel/index-internals.rst | 1 + > > docs/devel/uefi-vars.rst | 66 +++ > > hw/Kconfig | 1 + > > hw/meson.build | 1 + > > hw/uefi/Kconfig | 9 + > > hw/uefi/LIMITATIONS.md | 7 + > > hw/uefi/meson.build | 24 + > > hw/uefi/trace-events | 17 + > > meson.build | 1 + > > qapi/meson.build | 1 + > > qapi/qapi-schema.json | 1 + > > qapi/uefi.json | 45 ++ > > 30 files changed, 3796 insertions(+) > > create mode 100644 include/hw/uefi/var-service-api.h > > create mode 100644 include/hw/uefi/var-service-edk2.h > > create mode 100644 include/hw/uefi/var-service.h > > create mode 100644 hw/uefi/var-service-auth.c > > create mode 100644 hw/uefi/var-service-core.c > > create mode 100644 hw/uefi/var-service-guid.c > > create mode 100644 hw/uefi/var-service-isa.c > > create mode 100644 hw/uefi/var-service-json.c > > create mode 100644 hw/uefi/var-service-pkcs7-stub.c > > create mode 100644 hw/uefi/var-service-pkcs7.c > > create mode 100644 hw/uefi/var-service-policy.c > > create mode 100644 hw/uefi/var-service-siglist.c > > create mode 100644 hw/uefi/var-service-sysbus.c > > create mode 100644 hw/uefi/var-service-utils.c > > create mode 100644 hw/uefi/var-service-vars.c > > create mode 100644 docs/devel/uefi-vars.rst > > create mode 100644 hw/uefi/Kconfig > > create mode 100644 hw/uefi/LIMITATIONS.md > > create mode 100644 hw/uefi/meson.build > > create mode 100644 hw/uefi/trace-events > > create mode 100644 qapi/uefi.json > > > > -- > > 2.47.1 > > > With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
