pool/virt-manager
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

An additional patch for guest UEFI booting

Browse Source 
b690908a-enable-secure-feature-together-with-smm-for-UEFI.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/virt-manager?expand=0&rev=354
This commit is contained in:
Charles Arnold 2017-06-07 19:32:43 +00:00 committed by Git OBS Bridge
parent ee70e1bd71
commit 71dc72807e
5 changed files with 85 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
b690908a-enable-secure-feature-together-with-smm-for-UEFI.patch Normal file
View File

@ -0,0 +1,77 @@
Subject: virtinst: enable secure feature together with smm for UEFI
From: Pavel Hrdina phrdina@redhat.com Wed Jun 7 20:47:59 2017 +0200
Date: Wed Jun 7 20:49:45 2017 +0200:
Git: b690908aa47ea4040a0b232328a7b79ff99ceabc
The secure feature actually enforce the secure boot if Secure Boot
Mode is configured.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1387479
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Index: virt-manager-1.4.1/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
===================================================================
--- virt-manager-1.4.1.orig/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
+++ virt-manager-1.4.1/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
@@ -6,7 +6,7 @@
<vcpu>1</vcpu>
<os>
<type arch="x86_64" machine="q35">hvm</type>
- <loader readonly="yes" type="pflash">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
+ <loader readonly="yes" type="pflash" secure="yes">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
<boot dev="hd"/>
</os>
<features>
Index: virt-manager-1.4.1/virtManager/domain.py
===================================================================
--- virt-manager-1.4.1.orig/virtManager/domain.py
+++ virt-manager-1.4.1/virtManager/domain.py
@@ -698,7 +698,7 @@ class vmmDomain(vmmLibvirtObject):
guest.os.loader = loader
guest.os.loader_type = "pflash"
guest.os.loader_ro = True
- guest.check_uefi_smm()
+ guest.check_uefi_secure()
if nvram != _SENTINEL:
guest.os.nvram = nvram
Index: virt-manager-1.4.1/virtinst/guest.py
===================================================================
--- virt-manager-1.4.1.orig/virtinst/guest.py
+++ virt-manager-1.4.1/virtinst/guest.py
@@ -542,16 +542,18 @@ class Guest(XMLBuilder):
self.os.loader_type = "pflash"
self.os.loader = path
- self.check_uefi_smm()
+ self.check_uefi_secure()
- def check_uefi_smm(self):
+ def check_uefi_secure(self):
"""
If the firmware name contains "secboot" it is probably build
with SMM feature required so we need to enable that feature,
otherwise the firmware may fail to load. True secure boot is
currently supported only on x86 architecture and with q35 with
SMM feature enabled so change the machine to q35 as well.
+ To actually enforce the secure boot for the guest if Secure Boot
+ Mode is configured we need to enable loader secure feature.
"""
if not self.os.is_x86():
@@ -560,10 +562,12 @@ class Guest(XMLBuilder):
if "secboot" not in self.os.loader:
return
- if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM):
+ if (not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM) or
+ not self.conn.check_support(self.conn.SUPPORT_DOMAIN_LOADER_SECURE)):
return
self.features.smm = True
+ self.os.loader_secure = True
self.os.machine = "q35"
###################

1
virt-manager.changes
View File

@ -12,6 +12,7 @@ Mon Jun 5 11:38:58 MDT 2017 - carnold@suse.com
f38c56c9-add-support-for-SMM-feature.patch
24f9d053-add-support-for-loader-secure-attribute.patch
4f8e795c-if-required-by-UEFI-enable-SMM-feature-and-set-q35-machine-type.patch
b690908a-enable-secure-feature-together-with-smm-for-UEFI.patch
-------------------------------------------------------------------
Thu May 25 16:31:57 MDT 2017 - carnold@suse.com

2
virt-manager.spec
View File

@ -52,6 +52,7 @@ Patch11: 7aee124d-fix-multiple-warnings-2.patch
Patch12: f38c56c9-add-support-for-SMM-feature.patch
Patch13: 24f9d053-add-support-for-loader-secure-attribute.patch
Patch14: 4f8e795c-if-required-by-UEFI-enable-SMM-feature-and-set-q35-machine-type.patch
Patch15: b690908a-enable-secure-feature-together-with-smm-for-UEFI.patch
# SUSE Only
Patch70: virtman-desktop.patch
Patch71: virtman-kvm.patch
@ -188,6 +189,7 @@ machine).
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
# SUSE Only
%patch70 -p1
%patch71 -p1

8
virtinst-s390x-disable-graphics.patch
View File

@ -16,7 +16,7 @@ Index: virt-manager-1.4.1/virtinst/guest.py
self.skip_default_rng = False
self.x86_cpu_default = self.cpu.SPECIAL_MODE_HOST_MODEL_ONLY
@@ -643,7 +646,7 @@ class Guest(XMLBuilder):
@@ -647,7 +650,7 @@ class Guest(XMLBuilder):
self.add_device(dev)
def add_default_video_device(self):
@ -25,7 +25,7 @@ Index: virt-manager-1.4.1/virtinst/guest.py
return
if self.get_devices("video"):
return
@@ -681,6 +684,8 @@ class Guest(XMLBuilder):
@@ -685,6 +688,8 @@ class Guest(XMLBuilder):
dev.target_type = "virtio"
dev.target_name = dev.CHANNEL_NAME_QEMUGA
self.add_device(dev)
@ -34,7 +34,7 @@ Index: virt-manager-1.4.1/virtinst/guest.py
def add_default_graphics(self):
if self.skip_default_graphics:
@@ -689,7 +694,7 @@ class Guest(XMLBuilder):
@@ -693,7 +698,7 @@ class Guest(XMLBuilder):
return
if self.os.is_container():
return
@ -43,7 +43,7 @@ Index: virt-manager-1.4.1/virtinst/guest.py
return
self.add_device(VirtualGraphics(self.conn))
@@ -1027,7 +1032,7 @@ class Guest(XMLBuilder):
@@ -1031,7 +1036,7 @@ class Guest(XMLBuilder):
if self._hv_only_supports_virtio():
return True

2
virtinst-set-qemu-emulator.patch
View File

@ -5,7 +5,7 @@ Index: virt-manager-1.4.1/virtinst/guest.py
===================================================================
--- virt-manager-1.4.1.orig/virtinst/guest.py
+++ virt-manager-1.4.1/virtinst/guest.py
@@ -840,14 +840,11 @@ class Guest(XMLBuilder):
@@ -844,14 +844,11 @@ class Guest(XMLBuilder):
self.emulator = None
return