qemu-devel.nongnu.org archive mirror
From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Eduardo Habkost" <eduardo@habkost.net>,
	qemu-arm@nongnu.org, "Ard Biesheuvel" <ardb@kernel.org>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	graf@amazon.com, "Eric Blake" <eblake@redhat.com>,
	"Michael Roth" <michael.roth@amd.com>,
	"Richard Henderson" <richard.henderson@linaro.org>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>
Subject: [PATCH v5 00/24] hw/uefi: add uefi variable service
Date: Tue, 25 Feb 2025 17:30:04 +0100
Message-ID: <20250225163031.1409078-1-kraxel@redhat.com>

This patch adds a virtual device to qemu which the uefi firmware can use
to store variables.  This moves the UEFI variable management from
privileged guest code (managing vars in pflash) to the host.  Main
advantage is that the need to have privilege separation in the guest
goes away.

On x86 privileged guest code runs in SMM.  It's supported by kvm, but
not liked much by various stakeholders in cloud space due to the
complexity SMM emulation brings.

On arm privileged guest code runs in el3 (aka secure world).  This is
not supported by kvm, which is unlikely to change anytime soon given
that even el2 support (nested virt) has been worked on for years and is
not yet in mainline.

The design idea is to reuse the request serialization protocol edk2 uses
for communication between SMM and non-SMM code, so large chunks of the
edk2 variable driver stack can be used unmodified.  Only the driver
which traps into SMM mode must be replaced by a driver which talks to
qemu instead.

An edk2 test branch can be found here (build with "-D QEMU_PV_VARS=TRUE").
https://github.com/kraxel/edk2/commits/devel/secure-boot-external-vars

The uefi-vars device re-implements the privileged edk2 protocols
(i.e. the code running in SMM mode).

v5 changes:
 - improve qapi documentation (Markus)
 - fixes etc/hardware-info code (byte order, double free).
v4 changes:
 - drop the isa variant in favor of an x64-specific sysbus variant using
   mmio to expose the device registers.
 - use etc/hardware-info for device discovery on x64.
 - add pio transfer mode support.
v3 changes:
 - switch sysbus device variant to use the qemu platform bus.
 - misc minor changes.
v2 changes:
 - fully implement authenticated variables.
 - various cleanups and fixes.

enjoy & take care,
  Gerd

Gerd Hoffmann (24):
  Add support for etc/hardware-info fw_cfg file
  hw/uefi: add include/hw/uefi/var-service-api.h
  hw/uefi: add include/hw/uefi/var-service-edk2.h
  hw/uefi: add include/hw/uefi/var-service.h
  hw/uefi: add var-service-guid.c
  hw/uefi: add var-service-utils.c
  hw/uefi: add var-service-vars.c
  hw/uefi: add var-service-auth.c
  hw/uefi: add var-service-policy.c
  hw/uefi: add var-service-core.c
  hw/uefi: add var-service-pkcs7.c
  hw/uefi: add var-service-pkcs7-stub.c
  hw/uefi: add var-service-siglist.c
  hw/uefi: add var-service-json.c + qapi for NV vars.
  hw/uefi: add trace-events
  hw/uefi: add UEFI_VARS to Kconfig
  hw/uefi: add to meson
  hw/uefi: add uefi-vars-sysbus device
  hw/uefi-vars-sysbus: qemu platform bus support
  hw/uefi-vars-sysbus: add x64 variant
  hw/uefi-vars-sysbus: allow for arm virt
  hw/uefi-vars-sysbus: allow for pc and q35
  hw/uefi: add MAINTAINERS entry
  docs: add uefi variable service documentation

 include/hw/uefi/hardware-info.h    |  35 ++
 include/hw/uefi/var-service-api.h  |  48 ++
 include/hw/uefi/var-service-edk2.h | 227 +++++++++
 include/hw/uefi/var-service.h      | 191 ++++++++
 hw/arm/virt.c                      |   2 +
 hw/core/sysbus-fdt.c               |  24 +
 hw/i386/pc_piix.c                  |   2 +
 hw/i386/pc_q35.c                   |   2 +
 hw/uefi/hardware-info.c            |  31 ++
 hw/uefi/var-service-auth.c         | 361 ++++++++++++++
 hw/uefi/var-service-core.c         | 321 +++++++++++++
 hw/uefi/var-service-guid.c         |  99 ++++
 hw/uefi/var-service-json.c         | 243 ++++++++++
 hw/uefi/var-service-pkcs7-stub.c   |  16 +
 hw/uefi/var-service-pkcs7.c        | 436 +++++++++++++++++
 hw/uefi/var-service-policy.c       | 370 +++++++++++++++
 hw/uefi/var-service-siglist.c      | 212 +++++++++
 hw/uefi/var-service-sysbus.c       | 124 +++++
 hw/uefi/var-service-utils.c        | 241 ++++++++++
 hw/uefi/var-service-vars.c         | 725 +++++++++++++++++++++++++++++
 MAINTAINERS                        |   6 +
 docs/devel/index-internals.rst     |   1 +
 docs/devel/uefi-vars.rst           |  68 +++
 hw/Kconfig                         |   1 +
 hw/meson.build                     |   1 +
 hw/uefi/Kconfig                    |   3 +
 hw/uefi/LIMITATIONS.md             |   7 +
 hw/uefi/meson.build                |  21 +
 hw/uefi/trace-events               |  17 +
 meson.build                        |   1 +
 qapi/meson.build                   |   1 +
 qapi/qapi-schema.json              |   1 +
 qapi/uefi.json                     |  55 +++
 33 files changed, 3893 insertions(+)
 create mode 100644 include/hw/uefi/hardware-info.h
 create mode 100644 include/hw/uefi/var-service-api.h
 create mode 100644 include/hw/uefi/var-service-edk2.h
 create mode 100644 include/hw/uefi/var-service.h
 create mode 100644 hw/uefi/hardware-info.c
 create mode 100644 hw/uefi/var-service-auth.c
 create mode 100644 hw/uefi/var-service-core.c
 create mode 100644 hw/uefi/var-service-guid.c
 create mode 100644 hw/uefi/var-service-json.c
 create mode 100644 hw/uefi/var-service-pkcs7-stub.c
 create mode 100644 hw/uefi/var-service-pkcs7.c
 create mode 100644 hw/uefi/var-service-policy.c
 create mode 100644 hw/uefi/var-service-siglist.c
 create mode 100644 hw/uefi/var-service-sysbus.c
 create mode 100644 hw/uefi/var-service-utils.c
 create mode 100644 hw/uefi/var-service-vars.c
 create mode 100644 docs/devel/uefi-vars.rst
 create mode 100644 hw/uefi/Kconfig
 create mode 100644 hw/uefi/LIMITATIONS.md
 create mode 100644 hw/uefi/meson.build
 create mode 100644 hw/uefi/trace-events
 create mode 100644 qapi/uefi.json

-- 
2.48.1
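
Added example, not part of the original message or the patch series: with variable handling moved to the host, the serialized request is guest-controlled input, so every nested length has to be checked before it is used. This sketch validates one variable access (get/set) request in a host-side copy of the buffer. The wire layout is an assumption modelled on edk2's MM communicate and SMM variable headers for a 64-bit guest, and all names (`check_request`, `rd64`, `MM_HDR`, `VAR_HDR`, `ACC_HDR`, `req_status`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed little-endian wire layout (64-bit guest); all names are hypothetical.
 *   envelope: guid[16], length(u64)                        = 24 bytes
 *   var hdr : function(u64), status(u64)                   = 16 bytes
 *   access  : guid[16], data_size(u64), name_size(u64),
 *             attributes(u32), then UCS-2 name, then data  = 36 bytes + payload */
enum { MM_HDR = 24, VAR_HDR = 16, ACC_HDR = 36 };
enum req_status { REQ_OK, REQ_TRUNCATED, REQ_BAD_LENGTH, REQ_BAD_NAME };

/* Read a little-endian u64 byte by byte (no alignment or host-endian assumptions). */
static uint64_t rd64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) {
        v = (v << 8) | p[i];
    }
    return v;
}

/* Validate a guest-supplied variable access request held in buf[0..buf_len). */
enum req_status check_request(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < MM_HDR) {
        return REQ_TRUNCATED;
    }
    uint64_t msg_len = rd64(buf + 16);
    /* Compare against the space left; never compute MM_HDR + msg_len. */
    if (msg_len > buf_len - MM_HDR) {
        return REQ_BAD_LENGTH;
    }
    if (msg_len < VAR_HDR + ACC_HDR) {
        return REQ_TRUNCATED;
    }
    const uint8_t *acc = buf + MM_HDR + VAR_HDR;
    uint64_t room = msg_len - VAR_HDR - ACC_HDR;  /* bytes left for name + data */
    uint64_t data_size = rd64(acc + 16), name_size = rd64(acc + 24);
    /* Subtract step by step so huge guest sizes cannot wrap a sum. */
    if (name_size > room || data_size > room - name_size) {
        return REQ_BAD_LENGTH;
    }
    /* Name: non-empty, whole UCS-2 units, NUL-terminated. */
    if (name_size < 2 || (name_size & 1)) {
        return REQ_BAD_NAME;
    }
    const uint8_t *name = acc + ACC_HDR;
    if (name[name_size - 2] != 0 || name[name_size - 1] != 0) {
        return REQ_BAD_NAME;
    }
    return REQ_OK;
}
```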




Thread overview: 34+ messages
2025-02-25 16:30 Gerd Hoffmann [this message]
2025-02-25 16:30 ` [PATCH v5 01/24] Add support for etc/hardware-info fw_cfg file Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 02/24] hw/uefi: add include/hw/uefi/var-service-api.h Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 03/24] hw/uefi: add include/hw/uefi/var-service-edk2.h Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 04/24] hw/uefi: add include/hw/uefi/var-service.h Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 05/24] hw/uefi: add var-service-guid.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 06/24] hw/uefi: add var-service-utils.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 07/24] hw/uefi: add var-service-vars.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 08/24] hw/uefi: add var-service-auth.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 09/24] hw/uefi: add var-service-policy.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 10/24] hw/uefi: add var-service-core.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 11/24] hw/uefi: add var-service-pkcs7.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 12/24] hw/uefi: add var-service-pkcs7-stub.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 13/24] hw/uefi: add var-service-siglist.c Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 14/24] hw/uefi: add var-service-json.c + qapi for NV vars Gerd Hoffmann
2025-02-26  5:43   ` Markus Armbruster
2025-02-26  7:47     ` Gerd Hoffmann
2025-02-26  8:30       ` Markus Armbruster
2025-02-26  9:12         ` Gerd Hoffmann
2025-02-26  9:49           ` Markus Armbruster
2025-02-25 16:30 ` [PATCH v5 15/24] hw/uefi: add trace-events Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 16/24] hw/uefi: add UEFI_VARS to Kconfig Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 17/24] hw/uefi: add to meson Gerd Hoffmann
2025-03-20  5:40   ` Michael Tokarev
2025-02-25 16:30 ` [PATCH v5 18/24] hw/uefi: add uefi-vars-sysbus device Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 19/24] hw/uefi-vars-sysbus: qemu platform bus support Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 20/24] hw/uefi-vars-sysbus: add x64 variant Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 21/24] hw/uefi-vars-sysbus: allow for arm virt Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 22/24] hw/uefi-vars-sysbus: allow for pc and q35 Gerd Hoffmann
2025-02-25 16:30 ` [PATCH v5 23/24] hw/uefi: add MAINTAINERS entry Gerd Hoffmann
2025-03-20  7:42   ` Philippe Mathieu-Daudé
2025-02-25 16:30 ` [PATCH v5 24/24] docs: add uefi variable service documentation Gerd Hoffmann
2025-03-20  7:41   ` Philippe Mathieu-Daudé
2025-09-16 11:41   ` Peter Maydell
