qemu-devel

Re: [PATCH v3] hw/misc/vmfwupdate: Introduce hypervisor fw-cfg interface


From: Ani Sinha
Subject: Re: [PATCH v3] hw/misc/vmfwupdate: Introduce hypervisor fw-cfg interface support
Date: Thu, 19 Dec 2024 15:25:44 +0530


> On 19 Dec 2024, at 3:07 PM, Ani Sinha <anisinha@redhat.com> wrote:
> 
> VM firmware update is a mechanism where the virtual machines can use their
> preferred and trusted firmware image in their execution environment without
> having to depend on an untrusted party to provide the firmware bundle. This is
> particularly useful for confidential virtual machines that are deployed in the
> cloud where the tenant and the cloud provider are two different entities. In
> this scenario, virtual machines can bring their own trusted firmware image
> bundled as a part of their filesystem (using UKIs for example[1]) and then use
> this hypervisor interface to update to their trusted firmware image. This also
> allows the guests to have consistent measurements on the firmware image.
> 
> This change introduces basic support for the fw-cfg based hypervisor interface
> and the corresponding device. The change also includes the
> specification document for this interface. The interface is made generic
> enough so that guests are free to use their own ABI to pass required
> information between initial and trusted execution contexts (where they are
> running their own trusted firmware image) without the hypervisor getting
> involved in between. In subsequent patches, we will introduce other minimal
> changes on the hypervisor that are required to make the mechanism work.
> 
> A functional test has been added to test basic device creation and failure mode
> in cases where the user tries to create more than one device.
> 
> [1] See systemd pull requests https://github.com/systemd/systemd/pull/35091
> and https://github.com/systemd/systemd/pull/35281 for some discussions on
> how we can bundle firmware image within a UKI.
> 
> CC: Alex Graf <graf@amazon.com>
> CC: Paolo Bonzini <pbonzini@redhat.com>
> CC: Gerd Hoffman <kraxel@redhat.com>
> CC: Igor Mammedov <imammedo@redhat.com>
> CC: Vitaly Kuznetsov <vkuznets@redhat.com>
> Signed-off-by: Ani Sinha <anisinha@redhat.com>
> ---
> MAINTAINERS                         |   9 ++
> docs/specs/index.rst                |   1 +
> docs/specs/vmfwupdate.rst           | 119 +++++++++++++++++++++
> hw/misc/meson

<snip>

> #endif
> diff --git a/tests/functional/meson.build b/tests/functional/meson.build
> index 758145d1e5..ac495fd026 100644
> --- a/tests/functional/meson.build
> +++ b/tests/functional/meson.build
> @@ -201,6 +201,7 @@ tests_x86_64_system_quick = [
>   'pc_cpu_hotplug_props',
>   'virtio_version',
>   'x86_cpu_model_versions',
> +  'vmfwupdate',
> ]
> 
> tests_x86_64_system_thorough = [
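
Review bot: 'vmfwupdate' is appended after 'x86_cpu_model_versions' in tests_x86_64_system_quick, while the visible neighbours ('pc_cpu_hotplug_props', 'virtio_version', 'x86_cpu_model_versions') are in alphabetical order. If the list is kept sorted, the new entry belongs between 'virtio_version' and 'x86_cpu_model_versions'.
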
> diff --git a/tests/functional/test_vmfwupdate.py 
> b/tests/functional/test_vmfwupdate.py
> new file mode 100644
> index 0000000000..4ca203d53f
> --- /dev/null
> +++ b/tests/functional/test_vmfwupdate.py
> @@ -0,0 +1,36 @@
> +#!/usr/bin/env python3
> +#
> +# Check for vmfwupdate device.
> +#
> +# Copyright (c) 2024 Red Hat, Inc.
> +#
> +# Author:
> +#  Ani Sinha <anisinha@redhat.com>
> +#
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +
> +from qemu_test import QemuSystemTest
> +
> +class VmFwUpdateDeviceCheck(QemuSystemTest):
> +    # after launch, in order to generate the logs from QEMU we need to
> +    # wait for some time. Launching and then immediately shutting down
> +    # the VM generates empty logs. A delay of 1 second is added for
> +    # this reason.
> +    DELAY_Q35_BOOT_SEQUENCE = 1

Sorry, sent too soon. This is not needed yet. Will remove in v4.

> +
> +    def test_multiple_device_fail(self):
> +        """
> +        Only one vmfwdevice can be instantiated. Ensure failure if
> +        user tries to create more than one device.
> +        """
> +        self.vm.add_args('-device', 'vmfwupdate,id=fwupd1',
> +                         '-device', 'vmfwupdate,id=fwupd2')
> +        self.vm.set_qmp_monitor(enabled=False)
> +        self.vm.launch()
> +        self.vm.wait()
> +        self.assertEqual(self.vm.exitcode(), 1, "QEMU exit code should be 1")
> +        self.assertRegex(self.vm.get_log(),
> +                         r'at most one vmfwupdate device is permitted')
> +
> +if __name__ == '__main__':
> +    QemuSystemTest.main()
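
Review bot: test_multiple_device_fail is the only test method in this file, so the "basic device creation" case that the commit message mentions is not exercised; a positive test that launches with a single '-device vmfwupdate' and checks that QEMU starts would cover it. The docstring also says "vmfwdevice" where the device is named vmfwupdate, and DELAY_Q35_BOOT_SEQUENCE together with its comment is not referenced by anything in the hunk.
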
> -- 
> 2.42.0
> 



