From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Kostiantyn Kostiuk <kkostiuk@redhat.com>
Cc: "Elizabeth Ashurov" <eashurov@redhat.com>,
qemu-devel@nongnu.org,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Yan Vugenfirer" <yvugenfi@redhat.com>
Subject: Re: [PATCH v1] qga: add guest-get-windows-security-info command
Date: Tue, 17 Mar 2026 14:15:26 +0000 [thread overview]
Message-ID: <ablh_gd57v3vGP6m@redhat.com> (raw)
In-Reply-To: <CAPMcbCr1XmSnHG_KUvDekU=OzKWhuD7=PjHcxB6VmCYrZCqY4Q@mail.gmail.com>
On Tue, Mar 17, 2026 at 04:07:59PM +0200, Kostiantyn Kostiuk wrote:
> On Mon, Mar 16, 2026 at 2:32 PM Elizabeth Ashurov <eashurov@redhat.com>
> wrote:
>
> > Add a new Windows-only QGA command to retrieve Windows security
> > features status including VBS, Secure Boot, and TPM information
> > from the guest.
> >
> > The implementation queries Win32_DeviceGuard and Win32_Tpm via
> > WMI, and reads the SecureBoot UEFI variable through
> > GetFirmwareEnvironmentVariable().
> >
> > Signed-off-by: Elizabeth Ashurov <eashurov@redhat.com>
> > ---
> > qga/commands-win32.c | 404 +++++++++++++++++++++++++++++++++++++++++++
> > qga/qapi-schema.json | 56 ++++++
> > 2 files changed, 460 insertions(+)
snip
> > diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
> > index c57bc9a02f..f54fdf942f 100644
> > --- a/qga/qapi-schema.json
> > +++ b/qga/qapi-schema.json
> > @@ -1952,3 +1952,59 @@
> > 'returns': ['GuestNetworkRoute'],
> > 'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] }
> > }
> > +
> > +##
> > +# @GuestWindowsSecurityInfo:
> > +#
> > +# Windows security features status.
> > +#
> > +# @vbs-status: VirtualizationBasedSecurityStatus
> > +#
> > +# @available-security-properties: AvailableSecurityProperties
> > +#
> > +# @code-integrity-policy-enforcement-status:
> > +# CodeIntegrityPolicyEnforcementStatus
> > +#
> > +# @required-security-properties: RequiredSecurityProperties
> > +#
> > +# @security-services-configured: SecurityServicesConfigured
> > +#
> > +# @security-services-running: SecurityServicesRunning
> > +#
> > +# @usr-cfg-code-integrity-policy-enforcement-status:
> > +# UsermodeCodeIntegrityPolicyEnforcementStatus
> > +#
> > +# @secure-boot: Whether UEFI Secure Boot is enabled
> > +#
> > +# @tpm-present: Whether a TPM device is present
> > +#
> > +# @tpm-version: TPM specification version string (e.g. "2.0")
> > +#
> > +# Since: 10.3
> > +##
> > +{ 'struct': 'GuestWindowsSecurityInfo',
> > + 'data': {
> > + 'vbs-status': 'int',
> > + '*available-security-properties': ['int'],
> > + '*code-integrity-policy-enforcement-status': 'int',
> > + '*required-security-properties': ['int'],
> > + '*security-services-configured': ['int'],
> > + '*security-services-running': ['int'],
> > + '*usr-cfg-code-integrity-policy-enforcement-status': 'int',
> > + 'secure-boot': 'bool',
> > + 'tpm-present': 'bool',
> > + '*tpm-version': 'str' },
> > + 'if': 'CONFIG_WIN32' }
> >
> >
> Let's make this more generic
> command guest-get-security-info
> use 'union' to describe OS specific option like VBS
> { 'tmp_present': false, 'secure_boot': true, 'os': { 'type': 'windows',
> 'vbs': false, .... } }
>
> make tmp_present, secure_boot, vbs_status optiononal
> missing = unknown - as we can have it unimplemented for some POSIX/BSD OSes
>
> vbs_status is Win10+ only feature, so it can be unknown for Win8
I wonder if a new command is justifiable / needed.
Should we consider returning more info with 'guest-get-osinfo' ? It
is slightly different from the info returned there currently, but
at the same time reasonably in scope in the sense that it is
essentially reporting a set of OS "feature flags". They happen to
be security related in this case, but we could have other feature
flags we want to report too in future.
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
next prev parent reply other threads:[~2026-03-17 14:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-16 12:31 [PATCH v1] qga: add guest-get-windows-security-info command Elizabeth Ashurov
2026-03-17 14:07 ` Kostiantyn Kostiuk
2026-03-17 14:15 ` Daniel P. Berrangé [this message]
2026-03-17 14:45 ` Kostiantyn Kostiuk
2026-03-17 14:58 ` Daniel P. Berrangé
2026-03-17 16:35 ` Kostiantyn Kostiuk
2026-03-18 12:38 ` Yan Vugenfirer
2026-03-18 12:41 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ablh_gd57v3vGP6m@redhat.com \
--to=berrange@redhat.com \
--cc=eashurov@redhat.com \
--cc=kkostiuk@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=yvugenfi@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox