Add secureboot-enforce setting in xapi.conf

benjamreis · benjamreis · commit 5d25e0bb74c4 · 2023-07-25T15:28:15.000+02:00
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml
@@ -998,6 +998,8 @@ let prefer_nbd_attach = ref false
 (** 1 MiB *)
 let max_observer_file_size = ref (1 lsl 20)
 
+let secureboot_enforce = ref false
+
 let xapi_globs_spec =
   [
     ( "master_connection_reset_timeout"
@@ -1470,6 +1472,11 @@ let other_options =
     , (fun () -> string_of_int !max_observer_file_size)
     , "The maximum size of log files for saving spans"
     )
+  ; ( "secureboot-enforce"
+    , Arg.Set secureboot_enforce
+    , (fun () -> string_of_bool !secureboot_enforce)
+    , "Do not start a VM with no SB certificates if secureboot is set to on"
+    )
   ]
 
 (* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.
diff --git a/ocaml/xapi/xapi_vm.ml b/ocaml/xapi/xapi_vm.ml
@@ -605,6 +605,10 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version
     else
       other_config
   in
+  let _platform = if !Xapi_globs.secureboot_enforce
+    then ("secureboot-enforce", "true") :: platform
+    else platform
+  in
   (* NB apart from the above, parameter validation is delayed until VM.start *)
   let uuid = Uuidx.make () in
   let vm_ref = Ref.make () in
@@ -664,7 +668,7 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version
     ~memory_static_min ~vCPUs_params ~vCPUs_at_startup ~vCPUs_max
     ~actions_after_softreboot ~actions_after_shutdown ~actions_after_reboot
     ~actions_after_crash ~hVM_boot_policy ~hVM_boot_params
-    ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform ~nVRAM ~pV_kernel
+    ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform:_platform ~nVRAM ~pV_kernel
     ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args ~pV_legacy_args
     ~pCI_bus ~other_config ~domid:(-1L) ~domarch:""
     ~last_boot_CPU_flags:_last_boot_CPU_flags ~is_control_domain:false ~metrics

Original file line number	Diff line number	Diff line change
`@@ -998,6 +998,8 @@ let prefer_nbd_attach = ref false`
`998`	`998`	`(** 1 MiB *)`
`999`	`999`	`let max_observer_file_size = ref (1 lsl 20)`
`1000`	`1000`
	`1001`	`+let secureboot_enforce = ref false`
	`1002`	`+`
`1001`	`1003`	`let xapi_globs_spec =`
`1002`	`1004`	`[`
`1003`	`1005`	`( "master_connection_reset_timeout"`
`@@ -1470,6 +1472,11 @@ let other_options =`
`1470`	`1472`	`, (fun () -> string_of_int !max_observer_file_size)`
`1471`	`1473`	`, "The maximum size of log files for saving spans"`
`1472`	`1474`	`)`
	`1475`	`+ ; ( "secureboot-enforce"`
	`1476`	`+ , Arg.Set secureboot_enforce`
	`1477`	`+ , (fun () -> string_of_bool !secureboot_enforce)`
	`1478`	`+ , "Do not start a VM with no SB certificates if secureboot is set to on"`
	`1479`	`+ )`
`1473`	`1480`	`]`
`1474`	`1481`
`1475`	`1482`	`(* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.`