From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@redhat.com>
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
qemu-devel@nongnu.org, graf@amazon.com,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Michael Roth" <michael.roth@amd.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Thomas Huth" <thuth@redhat.com>,
qemu-arm@nongnu.org, "Eric Blake" <eblake@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Markus Armbruster" <armbru@redhat.com>
Subject: Re: [PATCH v2 00/21] hw/uefi: add uefi variable service
Date: Wed, 8 Jan 2025 12:24:53 +0000 [thread overview]
Message-ID: <Z35ulWfiCNq-cd3Y@redhat.com> (raw)
In-Reply-To: <CAMxuvazrd+3v2qqO-5o3qpky-ULRTwvU48jkwdxMPZG5c1RA1A@mail.gmail.com>
On Wed, Jan 08, 2025 at 03:53:21PM +0400, Marc-André Lureau wrote:
> Hi
>
> On Tue, Jan 7, 2025 at 7:34 PM Gerd Hoffmann <kraxel@redhat.com> wrote:
> >
> > This patch adds a virtual device to qemu which the uefi firmware can use
> > to store variables. This moves the UEFI variable management from
> > privileged guest code (managing vars in pflash) to the host. Main
> > advantage is that the need to have privilege separation in the guest
> > goes away.
> >
> > On x86 privileged guest code runs in SMM. It's supported by kvm, but
> > not liked much by various stakeholders in cloud space due to the
> > complexity SMM emulation brings.
> >
> > On arm privileged guest code runs in el3 (aka secure world). This is
> > not supported by kvm, which is unlikely to change anytime soon given
> > that even el2 support (nested virt) is being worked on for years and is
> > not yet in mainline.
> >
> > The design idea is to reuse the request serialization protocol edk2 uses
>
> I suppose this is a stable protocol. (some parts are set by the UEFI
> spec probably)
>
> There doesn't seem to be a defined way to query either side version or
> capability, I suppose this could be added later assuming an initial
> behaviour/magic etc.
>
> > for communication between SMM and non-SMM code, so large chunks of the
> > edk2 variable driver stack can be used unmodified. Only the driver
> > which traps into SMM mode must be replaced by a driver which talks to
> > qemu instead.
> >
> > A edk2 test branch can be found here (build with "-D QEMU_VARS=TRUE").
> > https://github.com/kraxel/edk2/commits/devel/secure-boot-external-vars
> >
>
> ok, perhaps it would be nice to have some basic unit tests in qemu
> too. Almost none of this new code is exercised by the qemu tests yet.
>
> > The uefi-vars device re-implements the privileged edk2 protocols
> > (i.e. the code running in SMM mode).
>
> Typically the kind of new code that I wish would be in Rust. But I
> suppose it is too early yet, and you came to the same conclusion.
> Probably a good candidate for rewrite though!
Perhaps too early for the device impl, but I would have thought
the general var-service code could be done in rust today. It does
not have all that much interaction with other parts of the QEMU
codebase & thus wouldn't be building on the moving target of the
QOM/Device abstractions. It would also be the prime part that
could be shared with coconut-svsm too.
>
> >
> > v2 changes:
> > - fully implement authenticated variables.
> > - various cleanups and fixes.
> >
> > enjoy & take care,
> > Gerd
> >
> > Gerd Hoffmann (21):
> > hw/uefi: add include/hw/uefi/var-service-api.h
> > hw/uefi: add include/hw/uefi/var-service-edk2.h
> > hw/uefi: add include/hw/uefi/var-service.h
> > hw/uefi: add var-service-guid.c
> > hw/uefi: add var-service-utils.c
> > hw/uefi: add var-service-vars.c
> > hw/uefi: add var-service-auth.c
> > hw/uefi: add var-service-policy.c
> > hw/uefi: add var-service-core.c
> > hw/uefi: add var-service-pkcs7.c
> > hw/uefi: add var-service-pkcs7-stub.c
> > hw/uefi: add var-service-siglist.c
> > hw/uefi: add var-service-json.c + qapi for NV vars.
> > hw/uefi: add trace-events
> > hw/uefi: add UEFI_VARS to Kconfig
> > hw/uefi: add to meson
> > hw/uefi: add uefi-vars-sysbus device
> > hw/uefi: add uefi-vars-isa device
> > hw/arm: add uefi variable support to virt machine type
> > docs: add uefi variable service documentation
> > hw/uefi: add MAINTAINERS entry
> >
> > include/hw/arm/virt.h | 2 +
> > include/hw/uefi/var-service-api.h | 40 ++
> > include/hw/uefi/var-service-edk2.h | 227 +++++++++
> > include/hw/uefi/var-service.h | 186 ++++++++
> > hw/arm/virt.c | 41 ++
> > hw/uefi/var-service-auth.c | 361 ++++++++++++++
> > hw/uefi/var-service-core.c | 237 ++++++++++
> > hw/uefi/var-service-guid.c | 99 ++++
> > hw/uefi/var-service-isa.c | 91 ++++
> > hw/uefi/var-service-json.c | 242 ++++++++++
> > hw/uefi/var-service-pkcs7-stub.c | 16 +
> > hw/uefi/var-service-pkcs7.c | 436 +++++++++++++++++
> > hw/uefi/var-service-policy.c | 370 +++++++++++++++
> > hw/uefi/var-service-siglist.c | 212 +++++++++
> > hw/uefi/var-service-sysbus.c | 90 ++++
> > hw/uefi/var-service-utils.c | 241 ++++++++++
> > hw/uefi/var-service-vars.c | 725 +++++++++++++++++++++++++++++
> > MAINTAINERS | 6 +
> > docs/devel/index-internals.rst | 1 +
> > docs/devel/uefi-vars.rst | 66 +++
> > hw/Kconfig | 1 +
> > hw/meson.build | 1 +
> > hw/uefi/Kconfig | 9 +
> > hw/uefi/LIMITATIONS.md | 7 +
> > hw/uefi/meson.build | 24 +
> > hw/uefi/trace-events | 17 +
> > meson.build | 1 +
> > qapi/meson.build | 1 +
> > qapi/qapi-schema.json | 1 +
> > qapi/uefi.json | 45 ++
> > 30 files changed, 3796 insertions(+)
> > create mode 100644 include/hw/uefi/var-service-api.h
> > create mode 100644 include/hw/uefi/var-service-edk2.h
> > create mode 100644 include/hw/uefi/var-service.h
> > create mode 100644 hw/uefi/var-service-auth.c
> > create mode 100644 hw/uefi/var-service-core.c
> > create mode 100644 hw/uefi/var-service-guid.c
> > create mode 100644 hw/uefi/var-service-isa.c
> > create mode 100644 hw/uefi/var-service-json.c
> > create mode 100644 hw/uefi/var-service-pkcs7-stub.c
> > create mode 100644 hw/uefi/var-service-pkcs7.c
> > create mode 100644 hw/uefi/var-service-policy.c
> > create mode 100644 hw/uefi/var-service-siglist.c
> > create mode 100644 hw/uefi/var-service-sysbus.c
> > create mode 100644 hw/uefi/var-service-utils.c
> > create mode 100644 hw/uefi/var-service-vars.c
> > create mode 100644 docs/devel/uefi-vars.rst
> > create mode 100644 hw/uefi/Kconfig
> > create mode 100644 hw/uefi/LIMITATIONS.md
> > create mode 100644 hw/uefi/meson.build
> > create mode 100644 hw/uefi/trace-events
> > create mode 100644 qapi/uefi.json
> >
> > --
> > 2.47.1
> >
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2025-01-08 12:29 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-07 15:33 [PATCH v2 00/21] hw/uefi: add uefi variable service Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 01/21] hw/uefi: add include/hw/uefi/var-service-api.h Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 02/21] hw/uefi: add include/hw/uefi/var-service-edk2.h Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 03/21] hw/uefi: add include/hw/uefi/var-service.h Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 04/21] hw/uefi: add var-service-guid.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 05/21] hw/uefi: add var-service-utils.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 06/21] hw/uefi: add var-service-vars.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 07/21] hw/uefi: add var-service-auth.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 08/21] hw/uefi: add var-service-policy.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 09/21] hw/uefi: add var-service-core.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 10/21] hw/uefi: add var-service-pkcs7.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 11/21] hw/uefi: add var-service-pkcs7-stub.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 12/21] hw/uefi: add var-service-siglist.c Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 13/21] hw/uefi: add var-service-json.c + qapi for NV vars Gerd Hoffmann
2025-01-07 15:49 ` Daniel P. Berrangé
2025-01-07 16:16 ` Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 14/21] hw/uefi: add trace-events Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 15/21] hw/uefi: add UEFI_VARS to Kconfig Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 16/21] hw/uefi: add to meson Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 17/21] hw/uefi: add uefi-vars-sysbus device Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 18/21] hw/uefi: add uefi-vars-isa device Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 19/21] hw/arm: add uefi variable support to virt machine type Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 20/21] docs: add uefi variable service documentation Gerd Hoffmann
2025-01-07 15:33 ` [PATCH v2 21/21] hw/uefi: add MAINTAINERS entry Gerd Hoffmann
2025-01-07 15:41 ` [PATCH v2 00/21] hw/uefi: add uefi variable service Daniel P. Berrangé
2025-01-07 15:51 ` Gerd Hoffmann
2025-01-08 11:53 ` Marc-André Lureau
2025-01-08 12:24 ` Daniel P. Berrangé [this message]
2025-01-08 13:45 ` Gerd Hoffmann
2025-01-08 14:02 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z35ulWfiCNq-cd3Y@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=graf@amazon.com \
--cc=kraxel@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=michael.roth@amd.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.