From 0af56157a9ca6bb94e1a21bce1d054613282c991 Mon Sep 17 00:00:00 2001 From: BenjiReis Date: Tue, 25 Jul 2023 15:28:15 +0200 Subject: [PATCH] Add `secureboot-enforce` setting in `xapi.conf` This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain//platform/secureboot-enforce`. Default: false to keep the previous behavior. See: https://github.com/xapi-project/varstored/pull/19 Signed-off-by: BenjiReis --- ocaml/xapi/xapi_globs.ml | 7 +++++++ ocaml/xapi/xapi_vm.ml | 13 +++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml index 62e373590e9..56ba357b219 100644 --- a/ocaml/xapi/xapi_globs.ml +++ b/ocaml/xapi/xapi_globs.ml @@ -998,6 +998,8 @@ let prefer_nbd_attach = ref false (** 1 MiB *) let max_observer_file_size = ref (1 lsl 20) +let secureboot_enforce = ref false + let xapi_globs_spec = [ ( "master_connection_reset_timeout" @@ -1470,6 +1472,11 @@ let other_options = , (fun () -> string_of_int !max_observer_file_size) , "The maximum size of log files for saving spans" ) + ; ( "secureboot-enforce" + , Arg.Set secureboot_enforce + , (fun () -> string_of_bool !secureboot_enforce) + , "Do not start a VM with no SB certificates if secureboot is set to on" + ) ] (* The options can be set with the variable xapiflags in /etc/sysconfig/xapi. diff --git a/ocaml/xapi/xapi_vm.ml b/ocaml/xapi/xapi_vm.ml index 70a0a5a0c89..15ad5860579 100644 --- a/ocaml/xapi/xapi_vm.ml +++ b/ocaml/xapi/xapi_vm.ml @@ -286,7 +286,7 @@ let assert_memory_constraints ~__context ~vm platformdata = *) let update_platform_secureboot ~__context ~self platform = - match List.assoc "secureboot" platform with + let platform = match List.assoc "secureboot" platform with | exception Not_found -> platform | "auto" -> 
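Review bot: `secureboot_enforce` is added in `xapi_globs.ml` without a doc comment, unlike the `(** 1 MiB *)` on the binding just above it, and its default is the permissive value. A reader of this file cannot tell that `false` means a Secure Boot VM with no certificates is still allowed to start. Add something like `(** When true, VMs are started with platform/secureboot-enforce=true so that varstored rejects a Secure Boot VM that has no certificates; false keeps the earlier behaviour *)`.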
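Review bot: The help string on the new `"secureboot-enforce"` entry in `other_options` says the VM will not be started, but going by the commit message xapi only publishes the key and the refusal itself happens in varstored. On a host whose varstored predates the linked change, the option would presumably be accepted and enforce nothing, with no signal to the operator. Name the component that acts, e.g. `"Tell varstored to refuse starting a VM that has secureboot on and no SB certificates"`, and state the varstored requirement wherever the option is documented. `other_options` starts and ends outside the hunk.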
@@ -296,6 +296,11 @@ let update_platform_secureboot ~__context ~self platform = :: List.remove_assoc "secureboot" platform | _ -> platform + in + if !Xapi_globs.secureboot_enforce then + ("secureboot-enforce", "true") :: List.remove_assoc "secureboot-enforce" platform + else + platform let start ~__context ~vm ~start_paused ~force = let vmr = Db.VM.get_record ~__context ~self:vm in @@ -664,9 +669,9 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version ~memory_static_min ~vCPUs_params ~vCPUs_at_startup ~vCPUs_max ~actions_after_softreboot ~actions_after_shutdown ~actions_after_reboot ~actions_after_crash ~hVM_boot_policy ~hVM_boot_params - ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform ~nVRAM ~pV_kernel - ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args ~pV_legacy_args - ~pCI_bus ~other_config ~domid:(-1L) ~domarch:"" + ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform ~nVRAM + ~pV_kernel ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args + ~pV_legacy_args ~pCI_bus ~other_config ~domid:(-1L) ~domarch:"" ~last_boot_CPU_flags:_last_boot_CPU_flags ~is_control_domain:false ~metrics ~guest_metrics:Ref.null ~last_booted_record:_last_booted_record ~xenstore_data ~recommendations ~blobs:[] ~ha_restart_priority
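Review bot: In the `else` branch of `update_platform_secureboot`, a `secureboot-enforce` entry already present in the VM's platform map is returned unchanged. With the host setting off, the value passed on is therefore whatever the VM record holds, not something the host configuration controls. If the key is meant to be host policy only, strip it there as well with `else List.remove_assoc "secureboot-enforce" platform`; if a per-VM opt-in to stricter checking is intended, say so in the function's doc comment. The `then` branch does override a per-VM value. The function begins in the previous hunk and its doc comment lies outside both hunks.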