Date: Tue, 17 Mar 2026 14:15:26 +0000
From: Daniel P. Berrangé
To: Kostiantyn Kostiuk
Cc: Elizabeth Ashurov, qemu-devel@nongnu.org, Marc-André Lureau, Yan Vugenfirer
Subject: Re: [PATCH v1] qga: add guest-get-windows-security-info command
References: <20260316123144.1758888-1-eashurov@redhat.com>
List-Id: qemu development

On Tue, Mar 17, 2026 at 04:07:59PM +0200, Kostiantyn Kostiuk wrote:
> On Mon, Mar 16, 2026 at 2:32 PM Elizabeth Ashurov wrote:
>
> > Add a new Windows-only QGA command to retrieve Windows security
> > features status including VBS, Secure Boot, and TPM information
> > from the guest.
> >
> > The implementation queries Win32_DeviceGuard and Win32_Tpm via
> > WMI, and reads the SecureBoot UEFI variable through
> > GetFirmwareEnvironmentVariable().
> >
> > Signed-off-by: Elizabeth Ashurov
> > ---
> >  qga/commands-win32.c | 404 +++++++++++++++++++++++++++++++++++++++++++
> >  qga/qapi-schema.json |  56 ++++++
> >  2 files changed, 460 insertions(+)

snip

> > diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
> > index c57bc9a02f..f54fdf942f 100644
> > --- a/qga/qapi-schema.json
> > +++ b/qga/qapi-schema.json
> > @@ -1952,3 +1952,59 @@
> > 'returns': ['GuestNetworkRoute'],
> > 'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] }
> > }
> > +
> > +##
> > +# @GuestWindowsSecurityInfo:
> > +#
> > +# Windows security features status.
> > +#
> > +# @vbs-status: VirtualizationBasedSecurityStatus
> > +#
> > +# @available-security-properties: AvailableSecurityProperties
> > +#
> > +# @code-integrity-policy-enforcement-status:
> > +# CodeIntegrityPolicyEnforcementStatus
> > +#
> > +# @required-security-properties: RequiredSecurityProperties
> > +#
> > +# @security-services-configured: SecurityServicesConfigured
> > +#
> > +# @security-services-running: SecurityServicesRunning
> > +#
> > +# @usr-cfg-code-integrity-policy-enforcement-status:
> > +# UsermodeCodeIntegrityPolicyEnforcementStatus
> > +#
> > +# @secure-boot: Whether UEFI Secure Boot is enabled
> > +#
> > +# @tpm-present: Whether a TPM device is present
> > +#
> > +# @tpm-version: TPM specification version string (e.g. "2.0")
> > +#
> > +# Since: 10.3
> > +##
> > +{ 'struct': 'GuestWindowsSecurityInfo',
> > + 'data': {
> > + 'vbs-status': 'int',
> > + '*available-security-properties': ['int'],
> > + '*code-integrity-policy-enforcement-status': 'int',
> > + '*required-security-properties': ['int'],
> > + '*security-services-configured': ['int'],
> > + '*security-services-running': ['int'],
> > + '*usr-cfg-code-integrity-policy-enforcement-status': 'int',
> > + 'secure-boot': 'bool',
> > + 'tpm-present': 'bool',
> > + '*tpm-version': 'str' },
> > + 'if': 'CONFIG_WIN32' }
> >
>
> Let's make this more generic
> command guest-get-security-info
> use 'union' to describe OS specific option like VBS
> { 'tpm_present': false, 'secure_boot': true, 'os': { 'type': 'windows',
> 'vbs': false, .... } }
>
> make tpm_present, secure_boot, vbs_status optional
> missing = unknown - as we can have it unimplemented for some POSIX/BSD OSes
>
> vbs_status is Win10+ only feature, so it can be unknown for Win8

I wonder if a new command is justifiable / needed. Should we consider
returning more info with 'guest-get-osinfo' ?

It is slightly different from the info returned there currently, but at
the same time reasonably in scope in the sense that it is essentially
reporting a set of OS "feature flags". They happen to be security
related in this case, but we could have other feature flags we want to
report too in future.

With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
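Review bot: the integer members of GuestWindowsSecurityInfo in the qapi-schema.json hunk are opaque to API consumers, because `vbs-status`, the four `['int']` lists and the two `*-policy-enforcement-status` members are declared as bare ints while their doc lines only echo the Win32_DeviceGuard property names (e.g. `+# @vbs-status: VirtualizationBasedSecurityStatus`); the schema comment should state what each code value means, or the values should be modelled as QAPI enums so the generator documents and validates them. A second point on the same struct: `secure-boot` and `tpm-present` are mandatory while every other status member is optional, so a failed Win32_Tpm query or GetFirmwareEnvironmentVariable() call cannot be reported as "unknown" and has to be either forced to false (indistinguishable from a genuinely absent TPM or disabled Secure Boot) or turned into an error for the whole command; making them optional, with absence meaning "could not be determined", keeps that distinction and matches the optional-means-unknown convention suggested in the reply above.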