Merge pull request #155 from nofaralfasi/sb_libvirt

EFI & Secure Boot
fog · Nov 7, 2024 · 273feae · 273feae
2 parents 11f3821 + a561fed
commit 273feae
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 2 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -17,3 +17,7 @@ Style/SignalException:
 
 Metrics/ClassLength:
   Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - tests/**/*.rb
diff --git a/lib/fog/libvirt/models/compute/server.rb b/lib/fog/libvirt/models/compute/server.rb
@@ -13,6 +13,10 @@ class Server < Fog::Compute::Server
 
         attribute :cpus
         attribute :cputime
+        attribute :firmware
+        attribute :firmware_features
+        attribute :secure_boot
+        attribute :loader_attributes
         attribute :os_type
         attribute :memory_size
         attribute :max_memory_size
@@ -287,14 +291,31 @@ def to_xml
               end
 
               xml.vcpu(cpus)
-              xml.os do
+              os_tags = {}
+
+              os_tags[:firmware] = firmware if firmware == 'efi'
+
+              xml.os(**os_tags) do
                 type = xml.type(os_type, :arch => arch)
                 type[:machine] = "q35" if ["i686", "x86_64"].include?(arch)
 
                 boot_order.each do |dev|
                   xml.boot(:dev => dev)
                 end
+
+                loader_attributes&.each do |key, value|
+                  xml.loader(key => value)
+                end
+
+                if firmware == "efi" && firmware_features&.any?
+                  xml.firmware do
+                    firmware_features.each_pair do |key, value|
+                      xml.feature(:name => key, :enabled => value)
+                    end
+                  end
+                end
               end
+
               xml.features do
                 xml.acpi
                 xml.apic
@@ -539,6 +560,7 @@ def defaults
             :guest_agent            => true,
             :video                  => {:type => "cirrus", :vram => 9216, :heads => 1},
             :virtio_rng             => {},
+            :firmware_features      => { "secure-boot" => "no" },
           }
         end
 

diff --git a/lib/fog/libvirt/requests/compute/list_domains.rb b/lib/fog/libvirt/requests/compute/list_domains.rb
@@ -46,6 +46,24 @@ def boot_order xml
           xml_elements(xml, "domain/os/boot", "dev")
         end
 
+        def firmware(xml)
+          firmware_from_loader = xml_elements(xml, "domain/os/loader", "type").first
+
+          case firmware_from_loader
+          when 'pflash'
+            'efi'
+          when 'rom'
+            'bios'
+          else
+            xml_elements(xml, "domain/os", "firmware").first || 'bios'
+          end
+        end
+
+        # we rely on the fact that the secure attribute is only present when secure boot is enabled
+        def secure_boot_enabled?(xml)
+          xml_elements(xml, "domain/os/loader", "secure").first == 'yes'
+        end
+
         def domain_interfaces xml
           ifs = xml_elements(xml, "domain/devices/interface")
           ifs.map { |i|
@@ -78,7 +96,9 @@ def domain_to_attributes(dom)
               :boot_order      => boot_order(dom.xml_desc),
               :nics            => domain_interfaces(dom.xml_desc),
               :volumes_path    => domain_volumes(dom.xml_desc),
-              :state           => states[dom.info.state]
+              :state           => states[dom.info.state],
+              :firmware        => firmware(dom.xml_desc),
+              :secure_boot     => secure_boot_enabled?(dom.xml_desc),
             }
           rescue ::Libvirt::RetrieveError, ::Libvirt::Error
             # Catch libvirt exceptions to avoid race conditions involving

diff --git a/tests/libvirt/models/compute/server_tests.rb b/tests/libvirt/models/compute/server_tests.rb
@@ -32,6 +32,10 @@
       attributes = [ :id,
         :cpus,
         :cputime,
+        :firmware,
+        :firmware_features,
+        :secure_boot,
+        :loader_attributes,
         :os_type,
         :memory_size,
         :max_memory_size,
@@ -67,6 +71,7 @@
 
     test('be a kind of Fog::Libvirt::Compute::Server') { server.kind_of? Fog::Libvirt::Compute::Server }
     tests("serializes to xml") do
+      test("without firmware") { server.to_xml.include?("<os>") }
       test("with memory") { server.to_xml.match?(%r{<memory>\d+</memory>}) }
       test("with disk of type file") do
         xml = server.to_xml
@@ -86,5 +91,43 @@
       end
       test("with q35 machine type on x86_64") { server.to_xml.match?(%r{<type arch="x86_64" machine="q35">hvm</type>}) }
     end
+    test("with efi firmware") do
+      server = Fog::Libvirt::Compute::Server.new(
+        {
+          :firmware => "efi",
+          :nics => [],
+          :volumes => []
+        }
+      )
+      xml = server.to_xml
+
+      os_firmware = xml.include?('<os firmware="efi">')
+      secure_boot = xml.include?('<feature name="secure-boot" enabled="no"/>')
+      loader_attributes = !xml.include?('<loader secure="yes"/>')
+
+      os_firmware && secure_boot && loader_attributes
+    end
+    test("with secure boot enabled") do
+      server = Fog::Libvirt::Compute::Server.new(
+        {
+          :firmware => "efi",
+          :firmware_features => {
+            "secure-boot" => "yes",
+            "enrolled-keys" => "yes"
+          },
+          :loader_attributes => { "secure" => "yes" },
+          :nics => [],
+          :volumes => []
+        }
+      )
+      xml = server.to_xml
+
+      os_firmware = xml.include?('<os firmware="efi">')
+      secure_boot = xml.include?('<feature name="secure-boot" enabled="yes"/>')
+      enrolled_keys = xml.include?('<feature name="enrolled-keys" enabled="yes"/>')
+      loader_attributes = xml.include?('<loader secure="yes"/>')
+
+      os_firmware && secure_boot && enrolled_keys && loader_attributes
+    end
   end
 end