From: Markus Armbruster via qemu development <qemu-devel@nongnu.org>
To: Elizabeth Ashurov <eashurov@redhat.com>
Cc: qemu-devel@nongnu.org, kkostiuk@redhat.com,
yvugenfi@redhat.com, berrange@redhat.com
Subject: Re: [PATCH v2] qga: add security info to guest-get-osinfo
Date: Tue, 31 Mar 2026 08:07:04 +0200
Message-ID: <87tstwwn07.fsf@pond.sub.org>
In-Reply-To: <20260330151941.2207789-1-eashurov@redhat.com> (Elizabeth Ashurov's message of "Mon, 30 Mar 2026 18:19:41 +0300")
Hi Elizabeth! You neglected to cc: me. Recommend to use
scripts/get_maintainer.pl to find all the possibly involved maintainers,
then use common sense to trim.
Elizabeth Ashurov <eashurov@redhat.com> writes:
> Extend guest-get-osinfo to include security features status
> (VBS, Secure Boot, TPM) in a nested 'security' field.
> OS-specific data (e.g. Windows DeviceGuard) is separated
> using a union to allow future per-OS extensions.
>
> The implementation queries Win32_DeviceGuard and Win32_Tpm via
> WMI, and reads the SecureBoot UEFI variable through
> GetFirmwareEnvironmentVariable().
>
> Signed-off-by: Elizabeth Ashurov <eashurov@redhat.com>
[...]
> diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
> index c57bc9a02f..2247f77cff 100644
> --- a/qga/qapi-schema.json
> +++ b/qga/qapi-schema.json
> @@ -1490,6 +1490,8 @@
> # * POSIX: as defined by os-release(5)
> # * Windows: contains string "server" or "client"
> #
> +# @security: Security features status (since 10.3)
> +#
When is this member present?
Since 11.1. More of the same below, not flagging it again.
> # .. note:: On POSIX systems the fields @id, @name, @pretty-name,
> # @version, @version-id, @variant and @variant-id follow the
> # definition specified in os-release(5). Refer to the manual page
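Review bot: the new `@security` description in this hunk never says under which conditions the member is present, and since the commit message describes a WMI and GetFirmwareEnvironmentVariable() implementation, a reader cannot tell from the schema whether a POSIX guest omits it or returns an empty struct. Suggest stating it explicitly in the doc comment, e.g. `# @security: Security features status.  Omitted when the guest agent cannot collect it`, and keeping the "(since ...)" tag consistent with the release the member actually lands in (11.1 per the reply above).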
> @@ -1508,7 +1510,8 @@
> '*kernel-release': 'str', '*kernel-version': 'str',
> '*machine': 'str', '*id': 'str', '*name': 'str',
> '*pretty-name': 'str', '*version': 'str', '*version-id': 'str',
> - '*variant': 'str', '*variant-id': 'str' } }
> + '*variant': 'str', '*variant-id': 'str',
> + '*security': 'GuestSecurityInfo' } }
>
> ##
> # @guest-get-osinfo:
> @@ -1952,3 +1955,89 @@
> 'returns': ['GuestNetworkRoute'],
> 'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] }
> }
> +
> +##
> +# @GuestSecurityInfoWindows:
> +#
> +# Windows-specific security features from Win32_DeviceGuard.
> +#
> +# @vbs-status: VirtualizationBasedSecurityStatus
PleaseWriteMemberDescriptionsInEnglish: words, spaces, punctuation, the
works.
> +#
> +# @available-security-properties:
> +# AvailableSecurityProperties
> +#
> +# @code-integrity-policy-enforcement-status:
> +# CodeIntegrityPolicyEnforcementStatus
> +#
> +# @required-security-properties: RequiredSecurityProperties
> +#
> +# @security-services-configured:
> +# SecurityServicesConfigured
> +#
> +# @security-services-running: SecurityServicesRunning
> +#
> +# @usr-cfg-code-integrity-policy-enforcement-status:
> +# UsermodeCodeIntegrityPolicyEnforcementStatus
> +#
> +# Since: 10.3
> +##
> +{ 'struct': 'GuestSecurityInfoWindows',
> + 'data': {
> + '*vbs-status': 'int',
> + '*available-security-properties': ['int'],
> + '*code-integrity-policy-enforcement-status': 'int',
> + '*required-security-properties': ['int'],
> + '*security-services-configured': ['int'],
> + '*security-services-running': ['int'],
> + '*usr-cfg-code-integrity-policy-enforcement-status':
> + 'int' } }
Please don't break this line.
> +
> +##
> +# @GuestSecurityInfoType:
> +#
> +# Guest operating system type for security info.
> +#
> +# @windows: Microsoft Windows
> +#
> +# Since: 10.3
> +##
> +{ 'enum': 'GuestSecurityInfoType',
> + 'data': ['windows'] }
> +
> +##
> +# @GuestSecurityInfoOs:
> +#
> +# OS-specific security information.
> +#
> +# @type: guest operating system type
> +#
> +# Since: 10.3
> +##
> +{ 'union': 'GuestSecurityInfoOs',
> + 'base': { 'type': 'GuestSecurityInfoType' },
> + 'discriminator': 'type',
> + 'data': {
> + 'windows': 'GuestSecurityInfoWindows' } }
> +
> +##
> +# @GuestSecurityInfo:
> +#
> +# Guest security features status. Fields are optional; a missing
> +# field means the information is not available on this platform.
What do you mean by "platform"? Host, guest, both?
> +#
> +# @tpm-present: Whether a TPM device is present
> +#
> +# @tpm-version: TPM specification version (e.g. "2.0")
> +#
> +# @secure-boot: Whether UEFI Secure Boot is enabled
> +#
> +# @os: OS-specific security information
> +#
> +# Since: 10.3
> +##
> +{ 'struct': 'GuestSecurityInfo',
> + 'data': {
> + '*tpm-present': 'bool',
> + '*tpm-version': 'str',
> + '*secure-boot': 'bool',
> + '*os': 'GuestSecurityInfoOs' } }
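Review bot: the `'int'` and `['int']` members of GuestSecurityInfoWindows (vbs-status, available-security-properties, code-integrity-policy-enforcement-status, required-security-properties, security-services-configured, security-services-running) expose raw Win32_DeviceGuard numeric codes, and neither the member descriptions nor the struct doc say what any value means, so a management application cannot interpret them from the schema alone. Suggest either defining QAPI enums for the known codes or, at minimum, listing the value meanings in each member's description. Separately, `usr-cfg-code-integrity-policy-enforcement-status` abbreviates "Usermode" in a way no sibling member does; `user-mode-code-integrity-policy-enforcement-status` would match the naming of the rest of the struct.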
Thread overview: 5+ messages
2026-03-30 15:19 [PATCH v2] qga: add security info to guest-get-osinfo Elizabeth Ashurov
2026-03-31 6:07 ` Markus Armbruster via qemu development [this message]
2026-03-31 12:08 ` Daniel P. Berrangé
2026-03-31 12:55 ` Kostiantyn Kostiuk
2026-03-31 13:07 ` Daniel P. Berrangé