Design for custom UEFI firmware in PVE

[Christian Ludwig <christian_ludwig@genua.de>]

[-- Attachment #1: Type: text/plain, Size: 1891 bytes --]

Hi,

there are certain situations when a VM template might bundle its own
UEFI firmware [1], [2]. TL;DR: Some virtual security appliances like
SonicWall or Genuscreen, bring their own OVMF implementation.
Especially in a confidential computing environment, the goal is to not
trust the hypervisor. It makes perfect sense to not use the firmware
shipped with Proxmox in that scenario.

At Genua we plan to bring support for custom UEFI firmware to Proxmox.
We are new to Proxmox VE development, so bear with us. I want to share
our design, before we start the effort to implement it.

The current UEFI firmware implementation in PVE has two firmware files.
A host provided code image that ships with each Proxmox release and is
the same for every VM. And a per-VM writable data store. We plan to
implement a way to upload and use a custom code image per VM.

Our design introduces a new 'firmware' content type for directory-based
storage volumes. The admin can then upload UEFI firmware files there.
This might even be useful for other types of firmware in the future.
The firmware file can then be connected to a VM using the VM's QEMU
config setting, but only if the VM was configured to boot in UEFI mode
before. If set, the image overrides the -bios QEMU command line option
for confidential VMs. These do not have a UEFI data store. For
conventional VMs the option overrides the -pflash0 command line option.
This does not change anything for efidisk0.

Storage handling for firmware files and VM configuration shall be
accessible from the API as a first step. We are not very concerned
about the web interface. Does that approach make sense to you? Is it ok
to go with a new content type or are there better alternatives?


  - Christian

[1] https://bugzilla.proxmox.com/show_bug.cgi?id=5898
[2] https://bugzilla.proxmox.com/show_bug.cgi?id=7258