Skip to content

Commit

Permalink
Add secureboot-enforce setting in xapi.conf
Browse files Browse the repository at this point in the history
This setting will be used by varstored to know
wheter to allow the start of a VM that has no certificates
when secureboot is enabled by writing in the xenstore in
`/local/domain/<domid>/platform/secureboot-enforce`.

Default: false to keep the previous behavior.

See: xapi-project/varstored#19

Signed-off-by: BenjiReis <[email protected]>
  • Loading branch information
benjamreis committed Jul 25, 2023
1 parent 9fce1a2 commit e45acad
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 3 deletions.
8 changes: 8 additions & 0 deletions ocaml/xapi/xapi_globs.ml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
(** A central location for settings related to xapi *)

module String_plain = String (* For when we don't want the Xstringext version *)

open Xapi_stdext_std.Xstringext

module D = Debug.Make (struct let name = "xapi_globs" end)
Expand Down Expand Up @@ -998,6 +999,8 @@ let prefer_nbd_attach = ref false
(** 1 MiB *)
let max_observer_file_size = ref (1 lsl 20)

let secureboot_enforce = ref false

let xapi_globs_spec =
[
( "master_connection_reset_timeout"
Expand Down Expand Up @@ -1470,6 +1473,11 @@ let other_options =
, (fun () -> string_of_int !max_observer_file_size)
, "The maximum size of log files for saving spans"
)
; ( "secureboot-enforce"
, Arg.Set secureboot_enforce
, (fun () -> string_of_bool !secureboot_enforce)
, "Do not start a VM with no SB certificates if secureboot is set to on"
)
]

(* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.
Expand Down
12 changes: 9 additions & 3 deletions ocaml/xapi/xapi_vm.ml
Original file line number Diff line number Diff line change
Expand Up @@ -605,6 +605,12 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version
else
other_config
in
let _platform =
if !Xapi_globs.secureboot_enforce then
("secureboot-enforce", "true") :: platform
else
platform
in
(* NB apart from the above, parameter validation is delayed until VM.start *)
let uuid = Uuidx.make () in
let vm_ref = Ref.make () in
Expand Down Expand Up @@ -664,9 +670,9 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version
~memory_static_min ~vCPUs_params ~vCPUs_at_startup ~vCPUs_max
~actions_after_softreboot ~actions_after_shutdown ~actions_after_reboot
~actions_after_crash ~hVM_boot_policy ~hVM_boot_params
~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform ~nVRAM ~pV_kernel
~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args ~pV_legacy_args
~pCI_bus ~other_config ~domid:(-1L) ~domarch:""
~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform:_platform ~nVRAM
~pV_kernel ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args
~pV_legacy_args ~pCI_bus ~other_config ~domid:(-1L) ~domarch:""
~last_boot_CPU_flags:_last_boot_CPU_flags ~is_control_domain:false ~metrics
~guest_metrics:Ref.null ~last_booted_record:_last_booted_record
~xenstore_data ~recommendations ~blobs:[] ~ha_restart_priority
Expand Down

0 comments on commit e45acad

Please sign in to comment.