From 3efd0c326c26e9ffbf7d5aafd6c60cd554ebf568 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sun, 22 Dec 2024 23:49:07 -0500
Subject: [PATCH] Use the UUID for the machine ID

This avoids leaking the real machine ID into guests, and provides an easy way for guests to know their own UUID.

Fixes: QubesOS/qubes-issues#8833
---
qubes/tests/vm/qubesvm.py | 57 ++++++++++++++++++++-------------------
qubes/vm/qubesvm.py | 8 ++++--
2 files changed, 36 insertions(+), 29 deletions(-)

diff --git a/qubes/tests/vm/qubesvm.py b/qubes/tests/vm/qubesvm.py
index 9dac1f4d9..71e9f11ec 100644
--- a/qubes/tests/vm/qubesvm.py
+++ b/qubes/tests/vm/qubesvm.py
@@ -26,6 +26,7 @@ import unittest
import uuid
+from uuid import UUID
import datetime
import asyncio
@@ -313,8 +314,9 @@ def get_vm(
None,
qid=kwargs.pop("qid", 1),
name=qubes.tests.VMPREFIX + name,
- **kwargs
+ **kwargs,
)
+ vm.features["os"] = "Linux"
self.app.domains[vm.qid] = vm
self.app.domains[vm.uuid] = vm
self.app.domains[vm.name] = vm
@@ -846,7 +848,8 @@ def test_500_property_migrate_virt_mode(self):
vm.hvm
def test_600_libvirt_xml_pv(self):
- expected = """
+ my_uuid = "7db78950-c467-4863-94d1-af59806384ea"
+ expected = f""" test-inst-test 7db78950-c467-4863-94d1-af59806384ea 500
@@ -856,7 +859,7 @@ def test_600_libvirt_xml_pv(self):
linux /tmp/qubes-test/vm-kernels/dummy/vmlinuz /tmp/qubes-test/vm-kernels/dummy/initramfs
- root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048
+ systemd.machine_id={UUID(my_uuid).hex} root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048
@@ -880,7 +883,6 @@ def test_600_libvirt_xml_pv(self):
"""
- my_uuid = "7db78950-c467-4863-94d1-af59806384ea"
vm = self.get_vm(uuid=my_uuid)
vm.netvm = None
vm.virt_mode = "pv"
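Review bot: In the `@@ -313,8 +314,9 @@ def get_vm(` hunk, `vm.features["os"] = "Linux"` is applied to every VM the test helper creates, so the branch where the feature is unset (`check_with_template("os", None)` returning `None`) appears to be reached by none of the libvirt-XML tests; only the explicit `vm.features["os"] = "Other"` in `test_600_libvirt_xml_hvm_dom0_kernel_kernelopts` exercises the no-prefix path. Setting the feature in the individual tests that expect the `systemd.machine_id=` prefix, or adding one test where it is absent, would pin the default behaviour. In the `@@ -26,6 +26,7 @@` hunk `from uuid import UUID` duplicates the existing `import uuid`; `uuid.UUID(my_uuid).hex` in the fixtures would avoid the second import. The body of `get_vm` starts before this hunk.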
@@ -910,6 +912,7 @@ def test_600_libvirt_xml_pv(self): ) def test_600_libvirt_xml_hvm(self): + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" expected = """ test-inst-test 7db78950-c467-4863-94d1-af59806384ea @@ -958,7 +961,6 @@ def test_600_libvirt_xml_hvm(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" vm = self.get_vm(uuid=my_uuid) vm.netvm = None vm.virt_mode = "hvm" @@ -968,7 +970,8 @@ def test_600_libvirt_xml_hvm(self): ) def test_600_libvirt_xml_hvm_dom0_kernel(self): - expected = """ + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" + expected = f""" test-inst-test 7db78950-c467-4863-94d1-af59806384ea 500 @@ -991,7 +994,7 @@ def test_600_libvirt_xml_hvm_dom0_kernel(self): hvmloader - root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 + systemd.machine_id={UUID(my_uuid).hex} root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 @@ -1017,7 +1020,6 @@ def test_600_libvirt_xml_hvm_dom0_kernel(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" vm = self.get_vm(uuid=my_uuid) vm.netvm = None vm.virt_mode = "hvm" @@ -1037,6 +1039,7 @@ def test_600_libvirt_xml_hvm_dom0_kernel(self): ) def test_600_libvirt_xml_hvm_dom0_kernel_kernelopts(self): + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" expected = """ test-inst-test 7db78950-c467-4863-94d1-af59806384ea @@ -1086,8 +1089,8 @@ def test_600_libvirt_xml_hvm_dom0_kernel_kernelopts(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" vm = self.get_vm(uuid=my_uuid) + vm.features["os"] = "Other" vm.netvm = None vm.virt_mode = "hvm" vm.features["qrexec"] = True @@ -1110,7 +1113,8 @@ def test_600_libvirt_xml_hvm_dom0_kernel_kernelopts(self): ) def test_600_libvirt_xml_pvh(self): - expected = """ + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" + expected = f""" test-inst-test 7db78950-c467-4863-94d1-af59806384ea 500 
@@ -1127,7 +1131,7 @@ def test_600_libvirt_xml_pvh(self): xenpvh /tmp/qubes-test/vm-kernels/dummy/vmlinuz /tmp/qubes-test/vm-kernels/dummy/initramfs - root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 + systemd.machine_id={UUID(my_uuid).hex} root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 @@ -1155,7 +1159,6 @@ def test_600_libvirt_xml_pvh(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" vm = self.get_vm(uuid=my_uuid) vm.netvm = None vm.virt_mode = "pvh" @@ -1185,7 +1188,8 @@ def test_600_libvirt_xml_pvh(self): ) def test_600_libvirt_xml_pvh_no_initramfs(self): - expected = """ + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" + expected = f""" test-inst-test 7db78950-c467-4863-94d1-af59806384ea 500 @@ -1201,7 +1205,7 @@ def test_600_libvirt_xml_pvh_no_initramfs(self): xenpvh /tmp/qubes-test/vm-kernels/dummy/vmlinuz - root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 + systemd.machine_id={UUID(my_uuid).hex} root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 @@ -1229,7 +1233,6 @@ def test_600_libvirt_xml_pvh_no_initramfs(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" vm = self.get_vm(uuid=my_uuid) vm.netvm = None vm.virt_mode = "pvh" @@ -1258,7 +1261,8 @@ def test_600_libvirt_xml_pvh_no_initramfs(self): ) def test_600_libvirt_xml_pvh_no_membalance(self): - expected = """ + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" + expected = f""" test-inst-test 7db78950-c467-4863-94d1-af59806384ea 400 
@@ -1275,7 +1279,7 @@ def test_600_libvirt_xml_pvh_no_membalance(self): xenpvh /tmp/qubes-test/vm-kernels/dummy/vmlinuz /tmp/qubes-test/vm-kernels/dummy/initramfs - root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 + systemd.machine_id={UUID(my_uuid).hex} root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 @@ -1303,7 +1307,6 @@ def test_600_libvirt_xml_pvh_no_membalance(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" vm = self.get_vm(uuid=my_uuid) vm.netvm = None vm.virt_mode = "pvh" @@ -1334,6 +1337,7 @@ def test_600_libvirt_xml_pvh_no_membalance(self): ) def test_600_libvirt_xml_hvm_pcidev(self): + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" expected = """ test-inst-test 7db78950-c467-4863-94d1-af59806384ea @@ -1393,7 +1397,6 @@ def test_600_libvirt_xml_hvm_pcidev(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" # required for PCI devices listing self.app.vmm.offline_mode = False hostdev_details = unittest.mock.Mock( @@ -1443,6 +1446,7 @@ def test_600_libvirt_xml_hvm_pcidev(self): ) def test_600_libvirt_xml_hvm_pcidev_s0ix(self): + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" expected = """ test-inst-test 7db78950-c467-4863-94d1-af59806384ea @@ -1503,7 +1507,6 @@ def test_600_libvirt_xml_hvm_pcidev_s0ix(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" # required for PCI devices listing self.app.vmm.offline_mode = False hostdev_details = unittest.mock.Mock( @@ -1554,6 +1557,7 @@ def test_600_libvirt_xml_hvm_pcidev_s0ix(self): ) def test_600_libvirt_xml_hvm_cdrom_boot(self): + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" expected = """ test-inst-test 7db78950-c467-4863-94d1-af59806384ea 
@@ -1610,7 +1614,6 @@ def test_600_libvirt_xml_hvm_cdrom_boot(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" qdb = { "/qubes-block-devices/sda": b"", "/qubes-block-devices/sda/desc": b"Test device", @@ -1646,7 +1649,8 @@ def test_600_libvirt_xml_hvm_cdrom_boot(self): ) def test_600_libvirt_xml_hvm_cdrom_dom0_kernel_boot(self): - expected = """ + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" + expected = f""" test-inst-test 7db78950-c467-4863-94d1-af59806384ea 400 @@ -1669,7 +1673,7 @@ def test_600_libvirt_xml_hvm_cdrom_dom0_kernel_boot(self): hvmloader - root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 + systemd.machine_id={UUID(my_uuid).hex} root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 swiotlb=2048 @@ -1719,7 +1723,6 @@ def test_600_libvirt_xml_hvm_cdrom_dom0_kernel_boot(self): test_qdb = TestQubesDB(qdb) dom0 = qubes.vm.adminvm.AdminVM(self.app, None) dom0._qdb_connection = test_qdb - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" vm = self.get_vm(uuid=my_uuid) vm.netvm = None vm.virt_mode = "hvm" @@ -1763,6 +1766,7 @@ def test_600_libvirt_xml_hvm_cdrom_dom0_kernel_boot(self): ) def test_610_libvirt_xml_network(self): + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" expected = """ test-inst-test 7db78950-c467-4863-94d1-af59806384ea @@ -1818,7 +1822,6 @@ def test_610_libvirt_xml_network(self): """ - my_uuid = "7db78950-c467-4863-94d1-af59806384ea" netvm = self.get_vm(qid=2, name="netvm", provides_network=True) dom0 = self.get_vm(name="dom0", qid=0) @@ -1851,6 +1854,7 @@ def test_610_libvirt_xml_network(self): ) def test_611_libvirt_xml_audiovm(self): + my_uuid = "7db78950-c467-4863-94d1-af59806384ea" expected = """ test-inst-test 7db78950-c467-4863-94d1-af59806384ea 
@@ -1905,7 +1909,6 @@ def test_611_libvirt_xml_audiovm(self):
"""
- my_uuid = "7db78950-c467-4863-94d1-af59806384ea"
netvm = self.get_vm(qid=2, name="netvm", provides_network=True)
audiovm = self.get_vm(qid=3, name="sys-audio", provides_network=False)
audiovm._qubesprop_xid = audiovm.qid
@@ -1923,6 +1926,7 @@ def test_611_libvirt_xml_audiovm(self):
)
def test_615_libvirt_xml_block_devices(self):
+ my_uuid = "7db78950-c467-4863-94d1-af59806384ea"
expected = """ test-inst-test 7db78950-c467-4863-94d1-af59806384ea
@@ -2020,7 +2024,6 @@ def test_615_libvirt_xml_block_devices(self):
"""
- my_uuid = "7db78950-c467-4863-94d1-af59806384ea"
vm = self.get_vm(uuid=my_uuid)
vm.netvm = None
vm.virt_mode = "hvm"
diff --git a/qubes/vm/qubesvm.py b/qubes/vm/qubesvm.py
index 195b28510..140781ff6 100644
--- a/qubes/vm/qubesvm.py
+++ b/qubes/vm/qubesvm.py
@@ -2533,6 +2533,10 @@ def kernelopts_common(self):
"""
if not self.kernel:
return ""
+ if self.features.check_with_template("os", None) == "Linux":
+ base_kernelopts = "systemd.machine_id=" + self.uuid.hex + " "
+ else:
+ base_kernelopts = ""
kernels_dir = self.storage.kernels_dir
kernelopts_path = os.path.join(
@@ -2540,9 +2544,9 @@ def kernelopts_common(self):
)
if os.path.exists(kernelopts_path):
with open(kernelopts_path, encoding="ascii") as f_kernelopts:
- return f_kernelopts.read().rstrip("\n\r")
+ return base_kernelopts + f_kernelopts.read().rstrip("\n\r")
else:
- return qubes.config.defaults["kernelopts_common"]
+ return base_kernelopts + qubes.config.defaults["kernelopts_common"]
#
# helper methods
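Review bot: The `@@ -2533,6 +2533,10 @@ def kernelopts_common(self):` hunk changes what the method returns for Linux guests without saying why in code, and the docstring, which opens above the hunk, still describes the old contract. A comment on the new branch along the lines of `# Hand Linux guests the qube's UUID as machine ID instead of leaking the real one (QubesOS/qubes-issues#8833).` plus a docstring sentence noting the `systemd.machine_id=` prefix would give the next maintainer the rationale. The generated option is placed before the contents of the kernelopts file read further down, so whether a file that also sets `systemd.machine_id=` can override the UUID depends on how the guest's systemd resolves duplicate keys; if an override is not intended, a comment saying so, or a check that the file does not set that key, would make it explicit. Whether the guest actually adopts the ID also depends on its init honouring the parameter, which is outside this method.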
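Review bot: In the `@@ -2540,9 +2544,9 @@` hunk both `return` lines concatenate `base_kernelopts`, which ends in a space, with the file contents or the configured default, so an empty kernelopts file or an empty `kernelopts_common` default now yields a command line with a trailing space. Building the result only from the parts that are present avoids that: drop the trailing `" "` from `base_kernelopts` in the first hunk, then here use `opts = f_kernelopts.read().rstrip("\n\r")` followed by `return " ".join(p for p in (base_kernelopts, opts) if p)`, and the same join for the default branch. The fixtures' `systemd.machine_id=... root=...` ordering is unchanged by that.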