Skip to content

Commit

Permalink
Add secureboot-enforce setting in xapi.conf
Browse files Browse the repository at this point in the history
This setting will be used by varstored to know
wheter to allow the start of a VM that has no certificates
when secureboot is enabled by writing in the xenstore in
`/local/domain/<domid>/platform/secureboot-enforce`.

Default: false to keep the previous behavior.

See: xapi-project/varstored#19

Signed-off-by: BenjiReis <[email protected]>
  • Loading branch information
benjamreis committed Jul 27, 2023
1 parent 9fce1a2 commit 3b7b0cb
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 4 deletions.
7 changes: 7 additions & 0 deletions ocaml/xapi/xapi_globs.ml
Original file line number Diff line number Diff line change
Expand Up @@ -998,6 +998,8 @@ let prefer_nbd_attach = ref false
(** 1 MiB *)
let max_observer_file_size = ref (1 lsl 20)

let secureboot_enforce = ref false

let xapi_globs_spec =
[
( "master_connection_reset_timeout"
Expand Down Expand Up @@ -1470,6 +1472,11 @@ let other_options =
, (fun () -> string_of_int !max_observer_file_size)
, "The maximum size of log files for saving spans"
)
; ( "secureboot-enforce"
, Arg.Set secureboot_enforce
, (fun () -> string_of_bool !secureboot_enforce)
, "Do not start a VM with no SB certificates if secureboot is set to on"
)
]

(* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.
Expand Down
13 changes: 9 additions & 4 deletions ocaml/xapi/xapi_vm.ml
Original file line number Diff line number Diff line change
Expand Up @@ -286,7 +286,7 @@ let assert_memory_constraints ~__context ~vm platformdata =
*)

let update_platform_secureboot ~__context ~self platform =
match List.assoc "secureboot" platform with
let platform = match List.assoc "secureboot" platform with
| exception Not_found ->
platform
| "auto" ->
Expand All @@ -296,6 +296,11 @@ let update_platform_secureboot ~__context ~self platform =
:: List.remove_assoc "secureboot" platform
| _ ->
platform
in
if !Xapi_globs.secureboot_enforce then
("secureboot-enforce", "true") :: List.remove_assoc "secureboot-enforce" platform
else
platform

let start ~__context ~vm ~start_paused ~force =
let vmr = Db.VM.get_record ~__context ~self:vm in
Expand Down Expand Up @@ -664,9 +669,9 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version
~memory_static_min ~vCPUs_params ~vCPUs_at_startup ~vCPUs_max
~actions_after_softreboot ~actions_after_shutdown ~actions_after_reboot
~actions_after_crash ~hVM_boot_policy ~hVM_boot_params
~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform ~nVRAM ~pV_kernel
~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args ~pV_legacy_args
~pCI_bus ~other_config ~domid:(-1L) ~domarch:""
~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform:_platform ~nVRAM
~pV_kernel ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args
~pV_legacy_args ~pCI_bus ~other_config ~domid:(-1L) ~domarch:""
~last_boot_CPU_flags:_last_boot_CPU_flags ~is_control_domain:false ~metrics
~guest_metrics:Ref.null ~last_booted_record:_last_booted_record
~xenstore_data ~recommendations ~blobs:[] ~ha_restart_priority
Expand Down

0 comments on commit 3b7b0cb

Please sign in to comment.