From e45acad21c9dd0c38430ee1874243d8c7b787298 Mon Sep 17 00:00:00 2001 From: BenjiReis Date: Tue, 25 Jul 2023 15:28:15 +0200 Subject: [PATCH] Add `secureboot-enforce` setting in `xapi.conf` This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain//platform/secureboot-enforce`. Default: false to keep the previous behavior. See: https://github.com/xapi-project/varstored/pull/19 Signed-off-by: BenjiReis --- ocaml/xapi/xapi_globs.ml | 8 ++++++++ ocaml/xapi/xapi_vm.ml | 12 +++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml index 62e373590e9..915db22540b 100644 --- a/ocaml/xapi/xapi_globs.ml +++ b/ocaml/xapi/xapi_globs.ml @@ -15,6 +15,7 @@ (** A central location for settings related to xapi *) module String_plain = String (* For when we don't want the Xstringext version *) + open Xapi_stdext_std.Xstringext module D = Debug.Make (struct let name = "xapi_globs" end) @@ -998,6 +999,8 @@ let prefer_nbd_attach = ref false (** 1 MiB *) let max_observer_file_size = ref (1 lsl 20) +let secureboot_enforce = ref false + let xapi_globs_spec = [ ( "master_connection_reset_timeout" @@ -1470,6 +1473,11 @@ let other_options = , (fun () -> string_of_int !max_observer_file_size) , "The maximum size of log files for saving spans" ) + ; ( "secureboot-enforce" + , Arg.Set secureboot_enforce + , (fun () -> string_of_bool !secureboot_enforce) + , "Do not start a VM with no SB certificates if secureboot is set to on" + ) ] (* The options can be set with the variable xapiflags in /etc/sysconfig/xapi. diff --git a/ocaml/xapi/xapi_vm.ml b/ocaml/xapi/xapi_vm.ml index 70a0a5a0c89..246ff47a330 100644 --- a/ocaml/xapi/xapi_vm.ml +++ b/ocaml/xapi/xapi_vm.ml 
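Review bot: The help string for `secureboot-enforce` in `other_options` (hunk `@@ -1470,6 +1473,11 @@`) promises more than the visible code does. It says a VM with no SB certificates will not start, but in this patch the flag is only read in `Xapi_vm.create` to add a platform key, and the refusal itself is left to varstored according to the commit message. An operator could read the text as covering VMs that already exist when the option is turned on, which nothing shown here does. I would reword it along the lines of `"Mark newly created VMs so that varstored refuses to start them without SB certificates when secureboot is on"`. The `secureboot_enforce` ref added in hunk `@@ -998,6 +999,8 @@` also has no doc comment, unlike its neighbour's `(** 1 MiB *)`; something like `(** When set, VM.create adds secureboot-enforce=true to the platform map; enforcement is done by varstored *)` would fit.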
@@ -605,6 +605,12 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version else other_config in + let _platform = + if !Xapi_globs.secureboot_enforce then + ("secureboot-enforce", "true") :: platform + else + platform + in (* NB apart from the above, parameter validation is delayed until VM.start *) let uuid = Uuidx.make () in let vm_ref = Ref.make () in @@ -664,9 +670,9 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version ~memory_static_min ~vCPUs_params ~vCPUs_at_startup ~vCPUs_max ~actions_after_softreboot ~actions_after_shutdown ~actions_after_reboot ~actions_after_crash ~hVM_boot_policy ~hVM_boot_params - ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform ~nVRAM ~pV_kernel - ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args ~pV_legacy_args - ~pCI_bus ~other_config ~domid:(-1L) ~domarch:"" + ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform:_platform ~nVRAM + ~pV_kernel ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args + ~pV_legacy_args ~pCI_bus ~other_config ~domid:(-1L) ~domarch:"" ~last_boot_CPU_flags:_last_boot_CPU_flags ~is_control_domain:false ~metrics ~guest_metrics:Ref.null ~last_booted_record:_last_booted_record ~xenstore_data ~recommendations ~blobs:[] ~ha_restart_priority
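Review bot: Adding `secureboot-enforce` to the per-VM `platform` map at create time makes a host-wide policy depend on a field that, as far as I can tell, API clients can supply and later edit. In the `let _platform` binding the key is prepended without dropping one the caller may already have passed, so the map can hold two `secureboot-enforce` entries and the effective value depends on how it is stored and read; `("secureboot-enforce", "true") :: List.remove_assoc "secureboot-enforce" platform` avoids that. From what the patch shows the key is only added here, so VMs created before the option was enabled, and any VM whose platform map is changed afterwards, would not carry it. If the host setting is meant to be authoritative, consider deriving the value from `!Xapi_globs.secureboot_enforce` at VM start instead of persisting it on the VM record. `create` starts and ends outside the hunk.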