Add secureboot-enforce setting in xapi.conf

benjamreis · benjamreis · commit 3b7b0cba2f40 · 2023-07-27T09:35:10.000+02:00
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain/<domid>/platform/secureboot-enforce`. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml
@@ -998,6 +998,8 @@ let prefer_nbd_attach = ref false
 (** 1 MiB *)
 let max_observer_file_size = ref (1 lsl 20)
 
+let secureboot_enforce = ref false
+
 let xapi_globs_spec =
   [
     ( "master_connection_reset_timeout"
@@ -1470,6 +1472,11 @@ let other_options =
     , (fun () -> string_of_int !max_observer_file_size)
     , "The maximum size of log files for saving spans"
     )
+  ; ( "secureboot-enforce"
+    , Arg.Set secureboot_enforce
+    , (fun () -> string_of_bool !secureboot_enforce)
+    , "Do not start a VM with no SB certificates if secureboot is set to on"
+    )
   ]
 
 (* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.
diff --git a/ocaml/xapi/xapi_vm.ml b/ocaml/xapi/xapi_vm.ml
@@ -286,7 +286,7 @@ let assert_memory_constraints ~__context ~vm platformdata =
 *)
 
 let update_platform_secureboot ~__context ~self platform =
-  match List.assoc "secureboot" platform with
+  let platform = match List.assoc "secureboot" platform with
   | exception Not_found ->
       platform
   | "auto" ->
@@ -296,6 +296,11 @@ let update_platform_secureboot ~__context ~self platform =
       :: List.remove_assoc "secureboot" platform
   | _ ->
       platform
+  in
+  if !Xapi_globs.secureboot_enforce then
+    ("secureboot-enforce", "true") :: List.remove_assoc "secureboot-enforce" platform
+  else
+    platform
 
 let start ~__context ~vm ~start_paused ~force =
   let vmr = Db.VM.get_record ~__context ~self:vm in
@@ -664,9 +669,9 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version
     ~memory_static_min ~vCPUs_params ~vCPUs_at_startup ~vCPUs_max
     ~actions_after_softreboot ~actions_after_shutdown ~actions_after_reboot
     ~actions_after_crash ~hVM_boot_policy ~hVM_boot_params
-    ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform ~nVRAM ~pV_kernel
-    ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args ~pV_legacy_args
-    ~pCI_bus ~other_config ~domid:(-1L) ~domarch:""
+    ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform:_platform ~nVRAM
+    ~pV_kernel ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args
+    ~pV_legacy_args ~pCI_bus ~other_config ~domid:(-1L) ~domarch:""
     ~last_boot_CPU_flags:_last_boot_CPU_flags ~is_control_domain:false ~metrics
     ~guest_metrics:Ref.null ~last_booted_record:_last_booted_record
     ~xenstore_data ~recommendations ~blobs:[] ~ha_restart_priority

Original file line number	Diff line number	Diff line change
`@@ -998,6 +998,8 @@ let prefer_nbd_attach = ref false`
`998`	`998`	`(** 1 MiB *)`
`999`	`999`	`let max_observer_file_size = ref (1 lsl 20)`
`1000`	`1000`
	`1001`	`+let secureboot_enforce = ref false`
	`1002`	`+`
`1001`	`1003`	`let xapi_globs_spec =`
`1002`	`1004`	`[`
`1003`	`1005`	`( "master_connection_reset_timeout"`
`@@ -1470,6 +1472,11 @@ let other_options =`
`1470`	`1472`	`, (fun () -> string_of_int !max_observer_file_size)`
`1471`	`1473`	`, "The maximum size of log files for saving spans"`
`1472`	`1474`	`)`
	`1475`	`+ ; ( "secureboot-enforce"`
	`1476`	`+ , Arg.Set secureboot_enforce`
	`1477`	`+ , (fun () -> string_of_bool !secureboot_enforce)`
	`1478`	`+ , "Do not start a VM with no SB certificates if secureboot is set to on"`
	`1479`	`+ )`
`1473`	`1480`	`]`
`1474`	`1481`
`1475`	`1482`	`(* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.`