From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id B7197771E1 for ; Thu, 21 Oct 2021 12:38:40 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A5F681CE1E for ; Thu, 21 Oct 2021 12:38:10 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id B3FB81CE10 for ; Thu, 21 Oct 2021 12:38:09 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 851684550F for ; Thu, 21 Oct 2021 12:38:09 +0200 (CEST) To: Proxmox VE development discussion , Dominik Csapak References: <20211011121024.921936-1-d.csapak@proxmox.com> From: Stefan Reiter Message-ID: <6b31fe05-2221-2edd-a88c-9cad9b886c47@proxmox.com> Date: Thu, 21 Oct 2021 12:38:08 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 MIME-Version: 1.0 In-Reply-To: <20211011121024.921936-1-d.csapak@proxmox.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 1.601 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -2.267 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH qemu-server v2] use non SMM ovmf code file for i440fx machines X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Oct 2021 10:38:40 -0000 Works as intended, both i440fx and Q35 run with a secure boot efidisk. Tested-by: Stefan Reiter Reviewed-by: Stefan Reiter On 10/11/21 2:10 PM, Dominik Csapak wrote: > ovmf with SMM enabled will not boot on i440fx (hangs on graphics > initialization), so load the non SMM variant. > > should be no issue regarding live-migration since it never worked with > this anyway. > > adapts the test and adds one with q35 > > Signed-off-by: Dominik Csapak > --- > changes from v1: > * encode 'no-smm' instead of machine type in the ovmf hash > * move the is_q35 checks out of the get_ovmf_files > > PVE/API2/Qemu.pm | 4 ++- > PVE/QemuServer.pm | 26 +++++++++++------ > test/cfg2cmd/efi-secboot-and-tpm-q35.conf | 6 ++++ > test/cfg2cmd/efi-secboot-and-tpm-q35.conf.cmd | 28 +++++++++++++++++++ > test/cfg2cmd/efi-secboot-and-tpm.conf | 2 +- > test/cfg2cmd/efi-secboot-and-tpm.conf.cmd | 2 +- > 6 files changed, 57 insertions(+), 11 deletions(-) > create mode 100644 test/cfg2cmd/efi-secboot-and-tpm-q35.conf > create mode 100644 test/cfg2cmd/efi-secboot-and-tpm-q35.conf.cmd > > diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm > index cc2a543..9c21b70 100644 > --- a/PVE/API2/Qemu.pm > +++ b/PVE/API2/Qemu.pm 
> @@ -24,6 +24,7 @@ use PVE::QemuServer;
> use PVE::QemuServer::Drive;
> use PVE::QemuServer::CPUConfig;
> use PVE::QemuServer::Monitor qw(mon_cmd);
> +use PVE::QemuServer::Machine;
> use PVE::QemuMigrate;
> use PVE::RPCEnvironment;
> use PVE::AccessControl;
> @@ -183,8 +184,9 @@ my $create_disks = sub {
>
> my $volid;
> if ($ds eq 'efidisk0') {
> + my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf);
> ($volid, $size) = PVE::QemuServer::create_efidisk(
> - $storecfg, $storeid, $vmid, $fmt, $arch, $disk);
> + $storecfg, $storeid, $vmid, $fmt, $arch, $disk, $smm);
> } elsif ($ds eq 'tpmstate0') {
> # swtpm can only use raw volumes, and uses a fixed size
> $size = PVE::Tools::convert_size(PVE::QemuServer::Drive::TPMSTATE_DISK_SIZE, 'b' => 'kb');
> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
> index eb29fc2..351a385 100644
> --- a/PVE/QemuServer.pm
> +++ b/PVE/QemuServer.pm
> @@ -64,6 +64,14 @@ eval {
> my $EDK2_FW_BASE = '/usr/share/pve-edk2-firmware/';
> my $OVMF = {
> x86_64 => {
> + '4m-no-smm' => [
> + "$EDK2_FW_BASE/OVMF_CODE_4M.fd",
> + "$EDK2_FW_BASE/OVMF_VARS_4M.fd",
> + ],
> + '4m-no-smm-ms' => [
> + "$EDK2_FW_BASE/OVMF_CODE_4M.fd",
> + "$EDK2_FW_BASE/OVMF_VARS_4M.ms.fd",
> + ],
> '4m' => [
> "$EDK2_FW_BASE/OVMF_CODE_4M.secboot.fd",
> "$EDK2_FW_BASE/OVMF_VARS_4M.fd",
> @@ -3152,15 +3160,16 @@ sub get_vm_machine {
> return $machine;
> }
>
> -sub get_ovmf_files($$) {
> - my ($arch, $efidisk) = @_;
> +sub get_ovmf_files($$$) {
> + my ($arch, $efidisk, $smm) = @_;
>
> my $types = $OVMF->{$arch}
> or die "no OVMF images known for architecture '$arch'\n";
>
> my $type = 'default';
> if (defined($efidisk->{efitype}) && $efidisk->{efitype} eq '4m') {
> - $type = $efidisk->{'pre-enrolled-keys'} ? "4m-ms" : "4m";
> + $type = $smm ? "4m" : "4m-no-smm";
> + $type .= '-ms' if $efidisk->{'pre-enrolled-keys'};
> }
>
> return $types->{$type}->@*;
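Review bot: The new local `$smm` in `$create_disks` holds the result of `machine_type_is_q35($conf)`, so the name states a conclusion ("SMM available") while the value is a machine-type test; the same conflation recurs in `get_efivars_size` and in the new `create_efidisk` parameter, whereas `config_to_command` passes the plainly named `$q35`. The rule "q35 ⇒ SMM-capable firmware" is thereby encoded at three call sites instead of one place. I would either name the argument for what it is (`$q35`, matching `config_to_command`) or add one comment where it is first derived, e.g. `# the SMM-enabled OVMF build only boots on q35, so q35 decides which image set get_ovmf_files picks`. `$create_disks` starts before this hunk, and whether `$conf->{machine}` is already populated at this point of the create path is not visible here.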
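Review bot: The new `4m-no-smm` and `4m-no-smm-ms` entries carry no comment saying when they are selected or what property is given up, and the only hint on the page is the test description in `efi-secboot-and-tpm.conf` losing the words "smm enforce". As far as I understand the OVMF build options, the SMM-less build still verifies signatures at boot but no longer isolates the UEFI variable store (Secure Boot keys included) from the running guest, a weaker guarantee that operators choosing i440fx should be able to find stated in the code rather than in a test name. I would put a short comment above `'4m-no-smm'`, e.g. `# non-SMM builds for i440fx, which hangs with the SMM-enabled secboot image; the vars images are shared with the SMM variants`. The last part is visible from the table itself: `4m-no-smm` and `4m` both use `OVMF_VARS_4M.fd`, and both `-ms` variants use `OVMF_VARS_4M.ms.fd`.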
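Review bot: The new `$smm` argument of `get_ovmf_files` is consulted only inside the `efitype eq '4m'` branch; for the `default` image set it is accepted and silently ignored, which neither the signature nor the body says. A one-line comment on the parameter avoids that question at every call site, e.g. `# $smm selects the SMM-enabled (secboot) build; only the 4m image set has one, the default set ignores it`. The `($$$)` prototype makes a missing third argument a compile-time error, and the patch updates every caller shown on the page.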
> @@ -3427,7 +3436,7 @@ sub config_to_command {
> $d = parse_drive('efidisk0', $efidisk);
> }
>
> - my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d);
> + my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35);
> die "uefi base image '$ovmf_code' not found\n" if ! -f $ovmf_code;
>
> my ($path, $format);
> @@ -7523,7 +7532,8 @@ sub get_efivars_size {
> my ($conf) = @_;
> my $arch = get_vm_arch($conf);
> my $efidisk = $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef;
> - my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk);
> + my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf);
> + my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm);
> die "uefi vars image '$ovmf_vars' not found\n" if ! -f $ovmf_vars;
> return -s $ovmf_vars;
> }
> @@ -7548,10 +7558,10 @@ sub update_tpmstate_size {
> $conf->{tpmstate0} = print_drive($disk);
> }
>
> -sub create_efidisk($$$$$$) {
> - my ($storecfg, $storeid, $vmid, $fmt, $arch, $efidisk) = @_;
> +sub create_efidisk($$$$$$$) {
> + my ($storecfg, $storeid, $vmid, $fmt, $arch, $efidisk, $smm) = @_;
>
> - my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk);
> + my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm);
> die "EFI vars default image not found\n" if ! -f $ovmf_vars;
>
> my $vars_size_b = -s $ovmf_vars;
> diff --git a/test/cfg2cmd/efi-secboot-and-tpm-q35.conf b/test/cfg2cmd/efi-secboot-and-tpm-q35.conf
> new file mode 100644
> index 0000000..5d4b5f5
> --- /dev/null
> +++ b/test/cfg2cmd/efi-secboot-and-tpm-q35.conf
> @@ -0,0 +1,6 @@
> +# TEST: Test newer 4MB efidisk with secureboot, smm enforce and a TPM device on Q35
> +smbios1: uuid=7b10d7af-b932-4c66-b2c3-3996152ec465
> +bios: ovmf
> +machine: q35
> +efidisk0: local:100/vm-disk-100-0.raw,efitype=4m,pre-enrolled-keys=1,size=528K
> +tpmstate0: local:108/vm-100-disk-1.raw,size=4M,version=v2.0
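Review bot: In `get_efivars_size`, and likewise in the `create_efidisk` hunk below it, `$smm` is derived and threaded through only to end up in `$ovmf_vars`, yet the table added in the `@@ -64` hunk gives the SMM and non-SMM variants identical vars images (`OVMF_VARS_4M.fd` for `4m`/`4m-no-smm`, `OVMF_VARS_4M.ms.fd` for the two `-ms` entries). With this table the flag therefore cannot change the result of either function; the extra `machine_type_is_q35` call exists only to satisfy the new prototype. That deserves a comment so nobody later concludes that switching a VM between i440fx and q35 requires a fresh efidisk, e.g. `# the vars template is the same for the SMM and non-SMM code images; $smm is passed only because get_ovmf_files requires it`.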
> diff --git a/test/cfg2cmd/efi-secboot-and-tpm-q35.conf.cmd b/test/cfg2cmd/efi-secboot-and-tpm-q35.conf.cmd
> new file mode 100644
> index 0000000..b2a2662
> --- /dev/null
> +++ b/test/cfg2cmd/efi-secboot-and-tpm-q35.conf.cmd
> @@ -0,0 +1,28 @@
> +/usr/bin/kvm \
> + -id 8006 \
> + -name vm8006 \
> + -no-shutdown \
> + -chardev 'socket,id=qmp,path=/var/run/qemu-server/8006.qmp,server=on,wait=off' \
> + -mon 'chardev=qmp,mode=control' \
> + -chardev 'socket,id=qmp-event,path=/var/run/qmeventd.sock,reconnect=5' \
> + -mon 'chardev=qmp-event,mode=control' \
> + -pidfile /var/run/qemu-server/8006.pid \
> + -daemonize \
> + -smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \
> + -drive 'if=pflash,unit=0,format=raw,readonly=on,file=/usr/share/pve-edk2-firmware//OVMF_CODE_4M.secboot.fd' \
> + -drive 'if=pflash,unit=1,format=raw,id=drive-efidisk0,size=540672,file=/var/lib/vz/images/100/vm-disk-100-0.raw' \
> + -smp '1,sockets=1,cores=1,maxcpus=1' \
> + -nodefaults \
> + -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
> + -vnc 'unix:/var/run/qemu-server/8006.vnc,password=on' \
> + -cpu kvm64,enforce,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep \
> + -m 512 \
> + -readconfig /usr/share/qemu-server/pve-q35-4.0.cfg
> + -device 'usb-tablet,id=tablet,bus=ehci.0,port=1'
> + -chardev 'socket,id=tpmchar,path=/var/run/qemu-server/8006.swtpm' \
> + -tpmdev 'emulator,id=tpmdev,chardev=tpmchar' \
> + -device 'tpm-tis,tpmdev=tpmdev' \
> + -device 'VGA,id=vga,bus=pcie.0,addr=0x1' \
> + -device 'virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3' \
> + -iscsi 'initiator-name=iqn.1993-08.org.debian:01:aabbccddeeff' \
> + -machine 'type=q35+pve0'
> diff --git a/test/cfg2cmd/efi-secboot-and-tpm.conf b/test/cfg2cmd/efi-secboot-and-tpm.conf
> index ba2601f..915424e 100644
> --- a/test/cfg2cmd/efi-secboot-and-tpm.conf
> +++ b/test/cfg2cmd/efi-secboot-and-tpm.conf
> @@ -1,4 +1,4 @@
> -# TEST: Test newer 4MB efidisk with secureboot, smm enforce and a TPM device
> +# TEST: Test newer 4MB efidisk with secureboot and a TPM device
> smbios1: uuid=7b10d7af-b932-4c66-b2c3-3996152ec465
> bios: ovmf
> efidisk0: local:100/vm-disk-100-0.raw,efitype=4m,pre-enrolled-keys=1,size=528K
> diff --git a/test/cfg2cmd/efi-secboot-and-tpm.conf.cmd b/test/cfg2cmd/efi-secboot-and-tpm.conf.cmd
> index 499dbab..400db42 100644
> --- a/test/cfg2cmd/efi-secboot-and-tpm.conf.cmd
> +++ b/test/cfg2cmd/efi-secboot-and-tpm.conf.cmd
> @@ -9,7 +9,7 @@
> -pidfile /var/run/qemu-server/8006.pid \
> -daemonize \
> -smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \
> - -drive 'if=pflash,unit=0,format=raw,readonly=on,file=/usr/share/pve-edk2-firmware//OVMF_CODE_4M.secboot.fd' \
> + -drive 'if=pflash,unit=0,format=raw,readonly=on,file=/usr/share/pve-edk2-firmware//OVMF_CODE_4M.fd' \
> -drive 'if=pflash,unit=1,format=raw,id=drive-efidisk0,size=540672,file=/var/lib/vz/images/100/vm-disk-100-0.raw' \
> -smp '1,sockets=1,cores=1,maxcpus=1' \
> -nodefaults \
>