* [PULL 1/2] hw/uefi: check auth.hdr_length minimum size
2026-05-19 8:55 [PULL 0/2] Firmware 20260519 patches Gerd Hoffmann
@ 2026-05-19 8:55 ` Gerd Hoffmann
2026-05-19 8:55 ` [PULL 2/2] hw/i386/microvm: Add IGVM support Gerd Hoffmann
2026-05-19 19:17 ` [PULL 0/2] Firmware 20260519 patches Stefan Hajnoczi
2 siblings, 0 replies; 4+ messages in thread
From: Gerd Hoffmann @ 2026-05-19 8:55 UTC (permalink / raw)
To: qemu-devel
Cc: Sergio Lopez, Gerd Hoffmann, Michael S. Tsirkin,
Richard Henderson, Paolo Bonzini, Feifan Qian,
Daniel P. Berrangé
auth.hdr_length maximum is already checked (against buffer size). The
header has some fixed fields which are included in the header length, so
there also is a minimum size which must be verified. Add a check for
that. Fixes possible integer underflow.
While at it, replace the magic number '24' with sizeof calculations
for better code documentation.
Fixes: CVE-2026-8341
Fixes: f1488fac0584 ("hw/uefi: add var-service-auth.c")
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20260512060523.17493-1-kraxel@redhat.com>
---
hw/uefi/var-service-auth.c | 5 ++++-
hw/uefi/var-service-pkcs7.c | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/hw/uefi/var-service-auth.c b/hw/uefi/var-service-auth.c
index 795f2f54e4ab..f3dc9c6ca608 100644
--- a/hw/uefi/var-service-auth.c
+++ b/hw/uefi/var-service-auth.c
@@ -194,7 +194,7 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars_state *uv,
return EFI_SUCCESS;
}
- if (auth.hdr_length == 24) {
+ if (auth.hdr_length == (sizeof(auth) - sizeof(auth.timestamp))) {
/* no signature (auth->cert_data is empty) */
return EFI_SECURITY_VIOLATION;
}
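Review bot: The comparison in uefi_vars_check_auth_2_sb only matches a header length exactly equal to the fixed-field size, so a smaller value passes this test and the function depends on the new minimum check in uefi_vars_check_auth_2 having run first. Using <= instead of == would make the no-signature test hold on its own. The expression sizeof(auth) - sizeof(auth.timestamp) now appears in three places across two files; a named constant would keep them in sync.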
@@ -228,6 +228,9 @@ efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var,
}
memcpy(&auth, data, sizeof(auth));
+ if (auth.hdr_length < (sizeof(auth) - sizeof(auth.timestamp))) {
+ return EFI_SECURITY_VIOLATION;
+ }
if (uadd64_overflow(sizeof(efi_time), auth.hdr_length, &data_offset)) {
return EFI_SECURITY_VIOLATION;
}
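Review bot: The new minimum check in uefi_vars_check_auth_2 has no comment, and the reason for subtracting sizeof(auth.timestamp) is not obvious from the code. A one-line comment stating that hdr_length counts the fixed header fields other than the timestamp, and that build_pkcs7 subtracts the same amount from it, would document why a smaller value has to be rejected before the length is used. The old code spelled this value as 24, so a build-time assertion (QEMU_BUILD_BUG_ON) that the sizeof expression equals 24 would also catch a future change in the struct layout.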
diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c
index c859743e8677..8a1f1395a2fb 100644
--- a/hw/uefi/var-service-pkcs7.c
+++ b/hw/uefi/var-service-pkcs7.c
@@ -113,9 +113,9 @@ static gnutls_datum_t *build_pkcs7(void *data)
memcpy(&auth, data, sizeof(auth));
pkcs7 = g_new(gnutls_datum_t, 1);
- pkcs7->size = auth.hdr_length - 24;
+ pkcs7->size = auth.hdr_length - (sizeof(auth) - sizeof(auth.timestamp));
pkcs7->data = g_malloc(pkcs7->size);
- memcpy(pkcs7->data, data + 16 + 24, pkcs7->size);
+ memcpy(pkcs7->data, data + sizeof(auth), pkcs7->size);
wrap_pkcs7(pkcs7);
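Review bot: build_pkcs7 still subtracts from auth.hdr_length without checking it locally, so the size handed to g_malloc and memcpy is only safe if every caller has already passed the minimum check added in uefi_vars_check_auth_2. An assert or early return in build_pkcs7 for hdr_length below sizeof(auth) - sizeof(auth.timestamp) would keep the underflow from coming back if a new caller appears.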
--
2.54.0
* [PULL 2/2] hw/i386/microvm: Add IGVM support
From: Gerd Hoffmann @ 2026-05-19 8:55 UTC (permalink / raw)
To: qemu-devel
Cc: Sergio Lopez, Gerd Hoffmann, Michael S. Tsirkin,
Richard Henderson, Paolo Bonzini, Luigi Leonardi
From: Luigi Leonardi <leonardi@redhat.com>
The IGVM infrastructure operates on X86MachineState and is already
machine-type-agnostic, but the "igvm-cfg" QOM property is only
registered on the PC machine type. Register it on microvm as well.
When an IGVM file is configured, the firmware image is provided as
a payload of the IGVM file so skip loading the default BIOS.
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Message-ID: <20260512-microvm_igvm-v1-1-8b1fd8861235@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/i386/microvm.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/hw/i386/microvm.c b/hw/i386/microvm.c
index 5a7889f21b8a..779741ec76ee 100644
--- a/hw/i386/microvm.c
+++ b/hw/i386/microvm.c
@@ -159,7 +159,6 @@ static int microvm_ioapics(MicrovmMachineState *mms)
static void microvm_devices_init(MicrovmMachineState *mms)
{
- const char *default_firmware;
X86MachineState *x86ms = X86_MACHINE(mms);
ISABus *isa_bus;
GSIState *gsi_state;
@@ -276,10 +275,12 @@ static void microvm_devices_init(MicrovmMachineState *mms)
serial_hds_isa_init(isa_bus, 0, 1);
}
- default_firmware = x86_machine_is_acpi_enabled(x86ms)
- ? MICROVM_BIOS_FILENAME
- : MICROVM_QBOOT_FILENAME;
- x86_bios_rom_init(x86ms, default_firmware, get_system_memory(), true);
+ if (!x86ms->igvm) {
+ const char *default_firmware = x86_machine_is_acpi_enabled(x86ms)
+ ? MICROVM_BIOS_FILENAME
+ : MICROVM_QBOOT_FILENAME;
+ x86_bios_rom_init(x86ms, default_firmware, get_system_memory(), true);
+ }
}
static void microvm_memory_init(MicrovmMachineState *mms)
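Review bot: The test if (!x86ms->igvm) in microvm_devices_init is compiled unconditionally, while the igvm-cfg property in the class_init hunk is registered only under #if defined(CONFIG_IGVM). Please confirm the igvm field is present in X86MachineState in builds without CONFIG_IGVM. A short comment above the condition saying that the IGVM file carries the firmware payload would also explain why x86_bios_rom_init is skipped.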
@@ -717,6 +718,16 @@ static void microvm_class_init(ObjectClass *oc, const void *data)
compat_props_add(mc->compat_props, microvm_properties,
G_N_ELEMENTS(microvm_properties));
+
+#if defined(CONFIG_IGVM)
+ object_class_property_add_link(oc, "igvm-cfg",
+ TYPE_IGVM_CFG,
+ offsetof(X86MachineState, igvm),
+ object_property_allow_set_link,
+ OBJ_PROP_LINK_STRONG);
+ object_class_property_set_description(oc, "igvm-cfg",
+ "Set IGVM configuration");
+#endif
}
static const TypeInfo microvm_machine_info = {
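Review bot: The igvm-cfg registration in microvm_class_init is a second copy of a property that, per the commit message, is already registered on the PC machine type, so the two can drift apart in flags or description. Moving the object_class_property_add_link and object_class_property_set_description calls into a helper shared by both machine types would avoid that. The description string "Set IGVM configuration" could also say what kind of object the link expects.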
--
2.54.0
* Re: [PULL 0/2] Firmware 20260519 patches
From: Stefan Hajnoczi @ 2026-05-19 19:17 UTC (permalink / raw)
To: Gerd Hoffmann
Cc: qemu-devel, Sergio Lopez, Gerd Hoffmann, Michael S. Tsirkin,
Richard Henderson, Paolo Bonzini
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/11.1 for any user-visible changes.