Bug 1217422

Summary: Firmware descriptor files do not advertise secure-boot
Product: [openSUSE] openSUSE Tumbleweed Reporter: James Fehlig <jfehlig>
Component: Virtualization:ToolsAssignee: Joey Lee <jlee>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P5 - None CC: rtsvetkov
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description James Fehlig 2023-11-22 23:30:09 UTC 
According to the qemu documentation [1], firmwares with enrolled-keys also have secure-boot enabled. However, the qemu-ovmf-x86_64 package contains several firmware descriptor files with 'enrolled-keys' feature advertised but not 'secure-boot'

/usr/share/qemu/firmware/60-ovmf-x86_64-2m-ms.json
/usr/share/qemu/firmware/60-ovmf-x86_64-2m-opensuse.json
/usr/share/qemu/firmware/60-ovmf-x86_64-2m-suse.json
/usr/share/qemu/firmware/60-ovmf-x86_64-ms.json
/usr/share/qemu/firmware/60-ovmf-x86_64-opensuse.json
/usr/share/qemu/firmware/60-ovmf-x86_64-suse.json

This confuses the libvirt firmware autoselection logic, causing it to select a firmware with secure-boot enabled even when the user has requested a firmware with it disabled. E.g. the following virt-install command causes libvirt to select a firmware with secure boot enabled

virt-install --virt-type kvm  --name hpc-node-01 --memory 4096 --network bridge=br0 --graphics vnc --disk none --osinfo sle15sp5 --boot firmware=efi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no

Adding 'secure-boot' to the 'features' list of the above firmware descriptor files causes libvirt to select an appropriate firmware.

[1] https://gitlab.com/qemu-project/qemu/-/blob/master/docs/interop/firmware.json?ref_type=heads
Comment 1 James Fehlig 2023-11-22 23:32:55 UTC 
Joey, what is your opinion on adding 'secure-boot' to the 'features' list of the firmware descriptor files that also contain 'enrolled-keys'?
Comment 2 Joey Lee 2024-03-06 07:09:17 UTC 
(In reply to James Fehlig from comment #1)
> Joey, what is your opinion on adding 'secure-boot' to the 'features' list of
> the firmware descriptor files that also contain 'enrolled-keys'?

I can run non-smm ovmf by the following libvirt xml setting after adding secure-boot feature:

  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
    <loader readonly='yes' secure='no' type='pflash'>/usr/share/qemu/ovmf-x86_64-ms-code.bin</loader> 
    <nvram template='/usr/share/qemu/ovmf-x86_64-ms-vars.bin'>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>

As the above xml, the secure is set to 'no' because no requires-smm feature.

I will add 'secure-boot' feature to json for those non-smm ovmf. But user should aware that the secure-boot is NOT real _secure_ without SMM support.
Comment 3 Joey Lee 2024-03-07 12:41:15 UTC 
The change is waiting to be merged to openSUSE:Factory:

https://build.opensuse.org/request/show/1155808
Comment 4 Joey Lee 2024-03-12 14:08:07 UTC 
(In reply to Joey Lee from comment #3)
> The change is waiting to be merged to openSUSE:Factory:
> 
> https://build.opensuse.org/request/show/1155808

The change be sent to 15-SP6 for waiting to be merged:
https://build.suse.de/request/show/323715
Comment 5 James Fehlig 2024-03-13 19:41:41 UTC 
(In reply to Joey Lee from comment #2)
> I will add 'secure-boot' feature to json for those non-smm ovmf. But user
> should aware that the secure-boot is NOT real _secure_ without SMM support.

Yes, agree. The firmware interop doc also makes note of it

# @secure-boot: The firmware implements the software interfaces for UEFI
#               Secure Boot, as defined in the UEFI specification. Note
#               that without @requires-smm, guest code running with
#               kernel privileges can undermine the security of Secure
#               Boot.
Comment 6 Joey Lee 2024-03-21 06:26:16 UTC 
(In reply to Joey Lee from comment #4)
> (In reply to Joey Lee from comment #3)
> > The change is waiting to be merged to openSUSE:Factory:
> > 
> > https://build.opensuse.org/request/show/1155808
> 
> The change be sent to 15-SP6 for waiting to be merged:
> https://build.suse.de/request/show/323715

The change also be merged to 15-SP6. Set fixed.