1*2bc10b15SGerd Hoffmann============== 2*2bc10b15SGerd HoffmannUEFI variables 3*2bc10b15SGerd Hoffmann============== 4*2bc10b15SGerd Hoffmann 5*2bc10b15SGerd HoffmannGuest UEFI variable management 6*2bc10b15SGerd Hoffmann============================== 7*2bc10b15SGerd Hoffmann 8*2bc10b15SGerd HoffmannThe traditional approach for UEFI Variable storage in qemu guests is 9*2bc10b15SGerd Hoffmannto work as close as possible to physical hardware. That means 10*2bc10b15SGerd Hoffmannproviding pflash as storage and leaving the management of variables 11*2bc10b15SGerd Hoffmannand flash to the guest. 12*2bc10b15SGerd Hoffmann 13*2bc10b15SGerd HoffmannSecure boot support comes with the requirement that the UEFI variable 14*2bc10b15SGerd Hoffmannstorage must be protected against direct access by the OS. All update 15*2bc10b15SGerd Hoffmannrequests must pass the sanity checks. (Parts of) the firmware must 16*2bc10b15SGerd Hoffmannrun with a higher privilege level than the OS so this can be enforced 17*2bc10b15SGerd Hoffmannby the firmware. On x86 this has been implemented using System 18*2bc10b15SGerd HoffmannManagement Mode (SMM) in qemu and kvm, which again is the same 19*2bc10b15SGerd Hoffmannapproach taken by physical hardware. Only privileged code running in 20*2bc10b15SGerd HoffmannSMM mode is allowed to access flash storage. 21*2bc10b15SGerd Hoffmann 22*2bc10b15SGerd HoffmannCommunication with the firmware code running in SMM mode works by 23*2bc10b15SGerd Hoffmannserializing the requests to a shared buffer, then trapping into SMM 24*2bc10b15SGerd Hoffmannmode via SMI. The SMM code processes the request, stores the reply in 25*2bc10b15SGerd Hoffmannthe same buffer and returns. 26*2bc10b15SGerd Hoffmann 27*2bc10b15SGerd HoffmannHost UEFI variable service 28*2bc10b15SGerd Hoffmann========================== 29*2bc10b15SGerd Hoffmann 30*2bc10b15SGerd HoffmannInstead of running the privileged code inside the guest we can run it 31*2bc10b15SGerd Hoffmannon the host. The serialization protocol can be reused. The 32*2bc10b15SGerd Hoffmanncommunication with the host uses a virtual device, which essentially 33*2bc10b15SGerd Hoffmannconfigures the shared buffer location and size, and traps to the host 34*2bc10b15SGerd Hoffmannto process the requests. 35*2bc10b15SGerd Hoffmann 36*2bc10b15SGerd HoffmannThe ``uefi-vars`` device implements the UEFI virtual device. It comes 37*2bc10b15SGerd Hoffmannin ``uefi-vars-x86`` and ``uefi-vars-sysbus`` flavours. The device 38*2bc10b15SGerd Hoffmannreimplements the handlers needed, specifically 39*2bc10b15SGerd Hoffmann``EfiSmmVariableProtocol`` and ``VarCheckPolicyLibMmiHandler``. It 40*2bc10b15SGerd Hoffmannalso consumes events (``EfiEndOfDxeEventGroup``, 41*2bc10b15SGerd Hoffmann``EfiEventReadyToBoot`` and ``EfiEventExitBootServices``). 42*2bc10b15SGerd Hoffmann 43*2bc10b15SGerd HoffmannThe advantage of the approach is that we do not need a special 44*2bc10b15SGerd Hoffmannprivilege level for the firmware to protect itself, i.e. it does not 45*2bc10b15SGerd Hoffmanndepend on SMM emulation on x64, which allows the removal of a bunch of 46*2bc10b15SGerd Hoffmanncomplex code for SMM emulation from the linux kernel 47*2bc10b15SGerd Hoffmann(CONFIG_KVM_SMM=n). It also allows support for secure boot on arm 48*2bc10b15SGerd Hoffmannwithout implementing secure world (el3) emulation in kvm. 49*2bc10b15SGerd Hoffmann 50*2bc10b15SGerd HoffmannOf course there are also downsides. The added device increases the 51*2bc10b15SGerd Hoffmannattack surface of the host, and we are adding some code duplication 52*2bc10b15SGerd Hoffmannbecause we have to reimplement some edk2 functionality in qemu. 53*2bc10b15SGerd Hoffmann 54*2bc10b15SGerd Hoffmannusage on x86_64 55*2bc10b15SGerd Hoffmann--------------- 56*2bc10b15SGerd Hoffmann 57*2bc10b15SGerd Hoffmann.. code:: 58*2bc10b15SGerd Hoffmann 59*2bc10b15SGerd Hoffmann qemu-system-x86_64 \ 60*2bc10b15SGerd Hoffmann -device uefi-vars-x86,jsonfile=/path/to/vars.json 61*2bc10b15SGerd Hoffmann 62*2bc10b15SGerd Hoffmannusage on aarch64 63*2bc10b15SGerd Hoffmann---------------- 64*2bc10b15SGerd Hoffmann 65*2bc10b15SGerd Hoffmann.. code:: 66*2bc10b15SGerd Hoffmann 67*2bc10b15SGerd Hoffmann qemu-system-aarch64 -M virt \ 68*2bc10b15SGerd Hoffmann -device uefi-vars-sysbus,jsonfile=/path/to/vars.json 69