
[libvirt] [PATCH] qemu: use 'bochs' video type by default for UEFI domains



The 'bochs' video device has no legacy VGA emulation, so it exposes a much
smaller attack surface to the guest. It works with OVMF, so UEFI guests
should not see any functional difference from VGA.

https://bugzilla.redhat.com/show_bug.cgi?id=1707119

Signed-off-by: Jonathon Jongsma <jjongsma redhat com>
---
NOTE:
You may run into an error when trying to use the bochs video device. For
example:

    error: internal error: process exited while connecting to monitor:
    2019-08-28T21:32:20.134546Z qemu-system-x86_64: -device
    bochs-display,id=video0,vgamem=16384k,bus=pcie.0,addr=0x1: failed to find
    romfile "vgabios-bochs-display.bin"

This should be solved in e.g. Fedora 31 with newer releases of seabios/qemu. As
a temporary workaround, you can symlink the appropriate vgabios file under
/usr/share/qemu/.


 src/qemu/qemu_domain.c                        | 19 +++++----
 src/qemu/qemu_domain.h                        |  1 +
 .../video-default-nouefi.x86_64-latest.args   | 36 +++++++++++++++++
 .../qemuxml2argvdata/video-default-nouefi.xml | 20 ++++++++++
 .../video-default-uefi.x86_64-latest.args     | 40 +++++++++++++++++++
 tests/qemuxml2argvdata/video-default-uefi.xml | 22 ++++++++++
 tests/qemuxml2argvtest.c                      |  2 +
 7 files changed, 133 insertions(+), 7 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/video-default-nouefi.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/video-default-nouefi.xml
 create mode 100644 tests/qemuxml2argvdata/video-default-uefi.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/video-default-uefi.xml

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 4998474dc9..7ecb89ac84 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4584,6 +4584,14 @@ qemuDomainValidateCpuCount(const virDomainDef *def,
 }
 
 
+static bool
+qemuDomainDefIsUEFI(const virDomainDef *def)
+{
+    return ((def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_EFI ||
+             (def->os.loader && def->os.loader->type ==
+              VIR_DOMAIN_LOADER_TYPE_PFLASH)));
+}
+
 static int
 qemuDomainDefValidate(const virDomainDef *def,
                       virCapsPtr caps ATTRIBUTE_UNUSED,
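Review bot: The new helper qemuDomainDefIsUEFI carries no comment saying what it treats as "UEFI", and the two conditions it folds together are not obviously equivalent to a reader: an `<os firmware='efi'/>` autoselection request and an explicitly configured pflash loader. A comment above the definition such as `/* True when the guest boots UEFI firmware: either autoselected via firmware='efi' or given as an explicit pflash loader. */` would make both validation callers and the new video default self-explanatory. The outer pair of parentheses around the return expression is also redundant; `return def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_EFI || (def->os.loader && def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_PFLASH);` reads more cleanly.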
@@ -4606,10 +4614,7 @@ qemuDomainDefValidate(const virDomainDef *def,
     }
 
     /* On x86, UEFI requires ACPI */
-    if ((def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_EFI ||
-         (def->os.loader &&
-          def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_PFLASH)) &&
-        ARCH_IS_X86(def->os.arch) &&
+    if (qemuDomainDefIsUEFI(def) && ARCH_IS_X86(def->os.arch) &&
         def->features[VIR_DOMAIN_FEATURE_ACPI] != VIR_TRISTATE_SWITCH_ON) {
         virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                        _("UEFI requires ACPI on this architecture"));
@@ -4619,9 +4624,7 @@ qemuDomainDefValidate(const virDomainDef *def,
     /* On aarch64, ACPI requires UEFI */
     if (def->features[VIR_DOMAIN_FEATURE_ACPI] == VIR_TRISTATE_SWITCH_ON &&
         def->os.arch == VIR_ARCH_AARCH64 &&
-        (def->os.firmware != VIR_DOMAIN_OS_DEF_FIRMWARE_EFI &&
-         (!def->os.loader ||
-          def->os.loader->type != VIR_DOMAIN_LOADER_TYPE_PFLASH))) {
+        !qemuDomainDefIsUEFI(def)) {
         virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                        _("ACPI requires UEFI on this architecture"));
         goto cleanup;
@@ -7452,6 +7455,8 @@ qemuDomainDeviceVideoDefPostParse(virDomainVideoDefPtr video,
                  qemuDomainIsRISCVVirt(def) ||
                  ARCH_IS_S390(def->os.arch))
             video->type = VIR_DOMAIN_VIDEO_TYPE_VIRTIO;
+        else if (qemuDomainDefIsUEFI(def))
+            video->type = VIR_DOMAIN_VIDEO_TYPE_BOCHS;
         else
             video->type = VIR_DOMAIN_VIDEO_TYPE_CIRRUS;
     }
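Review bot: The new `else if (qemuDomainDefIsUEFI(def))` branch picks bochs without consulting the QEMU capabilities, so a UEFI guest with a bare `<video/>` on a QEMU build that lacks `bochs-display` (or its vgabios, as the romfile error in the cover note shows) will now fail at start instead of keeping the previous cirrus fallback. If the capability set is reachable from qemuDomainDeviceVideoDefPostParse (its signature is outside this hunk), the branch should be guarded with the same capability libvirt checks when a user explicitly requests `<model type='bochs'/>`; if it is not, the commit message and release notes should state the minimum QEMU/seabios versions this default now requires. A one-line comment on the branch, `/* bochs-display has no legacy VGA emulation, shrinking the guest-facing attack surface; OVMF drives it natively */`, would record the security rationale next to the choice.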
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 37a00323a7..c6deab1c52 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -923,6 +923,7 @@ bool qemuDomainHasBuiltinIDE(const virDomainDef *def);
 bool qemuDomainNeedsFDC(const virDomainDef *def);
 bool qemuDomainSupportsPCI(virDomainDefPtr def,
                            virQEMUCapsPtr qemuCaps);
+bool qemuDomainIsUEFI(const virDomainDef *def);
 
 void qemuDomainUpdateCurrentMemorySize(virDomainObjPtr vm);
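Review bot: The prototype added here, `bool qemuDomainIsUEFI(const virDomainDef *def);`, does not match the definition in qemu_domain.c, which is `static bool qemuDomainDefIsUEFI(const virDomainDef *def)`: the name differs and the function is file-local, so this declaration has no definition and any caller outside the file would fail to link. Either drop the header line, since the helper is only used inside qemu_domain.c, or remove `static` from the definition and use the name `qemuDomainDefIsUEFI` in both places.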
 
diff --git a/tests/qemuxml2argvdata/video-default-nouefi.x86_64-latest.args b/tests/qemuxml2argvdata/video-default-nouefi.x86_64-latest.args
new file mode 100644
index 0000000000..f0c9e36594
--- /dev/null
+++ b/tests/qemuxml2argvdata/video-default-nouefi.x86_64-latest.args
@@ -0,0 +1,36 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-guest \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-guest/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-guest/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-guest/.config \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-x86_64 \
+-name guest=guest,debug-threads=on \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-guest/master-key.aes \
+-machine q35,accel=tcg,usb=off,dump-guest-core=off \
+-cpu Haswell \
+-m 1024 \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 26b73eb7-f8c4-4541-ae6f-06607a1b21c3 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,\
+multifunction=on,addr=0x2 \
+-device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
+-device qemu-xhci,id=usb,bus=pci.1,addr=0x0 \
+-device cirrus-vga,id=video0,bus=pcie.0,addr=0x1 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/video-default-nouefi.xml b/tests/qemuxml2argvdata/video-default-nouefi.xml
new file mode 100644
index 0000000000..7db2bedf6c
--- /dev/null
+++ b/tests/qemuxml2argvdata/video-default-nouefi.xml
@@ -0,0 +1,20 @@
+<domain type='qemu'>
+  <name>guest</name>
+  <uuid>26b73eb7-f8c4-4541-ae6f-06607a1b21c3</uuid>
+  <memory unit='KiB'>1048576</memory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='q35'>hvm</type>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <cpu mode='custom'>
+    <model>Haswell</model>
+  </cpu>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <memballoon model='none'/>
+    <video/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvdata/video-default-uefi.x86_64-latest.args b/tests/qemuxml2argvdata/video-default-uefi.x86_64-latest.args
new file mode 100644
index 0000000000..75c599f321
--- /dev/null
+++ b/tests/qemuxml2argvdata/video-default-uefi.x86_64-latest.args
@@ -0,0 +1,40 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-guest \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-guest/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-guest/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-guest/.config \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-x86_64 \
+-name guest=guest,debug-threads=on \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-guest/master-key.aes \
+-machine q35,accel=tcg,usb=off,dump-guest-core=off \
+-cpu Haswell \
+-drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,\
+readonly=on \
+-drive file=/var/lib/libvirt/qemu/nvram/guest_VARS.fd,if=pflash,format=raw,\
+unit=1 \
+-m 1024 \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 26b73eb7-f8c4-4541-ae6f-06607a1b21c3 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,\
+multifunction=on,addr=0x2 \
+-device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
+-device qemu-xhci,id=usb,bus=pci.1,addr=0x0 \
+-device bochs-display,id=video0,vgamem=16384k,bus=pcie.0,addr=0x1 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/video-default-uefi.xml b/tests/qemuxml2argvdata/video-default-uefi.xml
new file mode 100644
index 0000000000..59e880c78c
--- /dev/null
+++ b/tests/qemuxml2argvdata/video-default-uefi.xml
@@ -0,0 +1,22 @@
+<domain type='qemu'>
+  <name>guest</name>
+  <uuid>26b73eb7-f8c4-4541-ae6f-06607a1b21c3</uuid>
+  <memory unit='KiB'>1048576</memory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='q35'>hvm</type>
+    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
+    <nvram>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <cpu mode='custom'>
+    <model>Haswell</model>
+  </cpu>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <memballoon model='none'/>
+    <video/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 9395cc19a2..671e79e631 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -2045,6 +2045,8 @@ mymain(void)
     DO_TEST("video-none-device",
             QEMU_CAPS_VNC);
     DO_TEST_PARSE_ERROR("video-invalid-multiple-devices", NONE);
+    DO_TEST_CAPS_LATEST("video-default-uefi");
+    DO_TEST_CAPS_LATEST("video-default-nouefi");
 
     DO_TEST("virtio-rng-default",
             QEMU_CAPS_DEVICE_VIRTIO_RNG,
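Review bot: The two new cases only exercise the explicit pflash loader path of the helper; the `<os firmware='efi'/>` branch that qemuDomainDefIsUEFI also treats as UEFI is not covered, so a regression there would not be caught. If the qemuxml2argv harness can drive firmware autoselection, a third case such as `DO_TEST_CAPS_LATEST("video-default-uefi-autoselect");` with a matching XML would close that gap. It is also worth a one-line comment above the pair noting that they pin the default video model chosen for UEFI versus legacy BIOS guests, since nothing in the test names says which model is expected.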
-- 
2.21.0

