Status: closed (stormi closed this 3 months ago)
I've started a draft PR for this RFC, feedback is welcome regarding the design. :)
I believe this has been finished by merging https://github.com/xapi-project/xen-api/pull/5566
Please reopen if this is not the case
Context

(...) `vm.platform.secureboot` to `true`, but in fact their demand was silently ignored.

(... `varstore-sb-state $VMUUID user`).

Needs
Strategy

We need to act at several levels:

- (...) `PK.auth` on a VM started on a pool without UEFI certs (and being able to fix that afterwards), rather than having the VM be without any certs and thus considered being in UEFI setup mode.

(We will also add a first boot systemd service to XCP-ng which will attempt to download the UEFI certificates from Microsoft and uefi.org, but nothing guarantees that the host will be able to reach the necessary websites, so we can't rely on it as a complete solution.)
Changes planned in Xen Orchestra
API changes in XAPI
New methods:

- `VM.set_uefi_mode`. Accepted parameters: `setup` and `user`. This delegates actions to `varstore-sb-state $VM_UUID $ACTION`.
- `VM.get_secureboot_readiness`. Returns one of:
  - `NOT_SUPPORTED` if the VM's firmware is not UEFI
  - `DISABLED` if `vm.platform.secureboot` is `false` or not set.
  - `FIRST_BOOT` if `vm.platform.secureboot` is `true` and `vm.NVRAM.EFI-variables` is empty (TO BE CONFIRMED).
  - `READY` if `vm.platform.secureboot` is `true` and `PK`, `KEK`, `db` and `dbx` are defined in the VM's EFI variables.
  - `READY_NO_DBX` if `vm.platform.secureboot` is `true` and `PK`, `KEK`, `db` are defined but `dbx` isn't defined.
  - `SETUP_MODE` if `vm.platform.secureboot` is `true` and `PK` isn't defined.
  - `CERTS_INCOMPLETE` in any other case (this would be for example a `PK` without `KEK` nor `db`)
  - if wanted, addition of `vm-get-secureboot-readiness` to `xe`.
- `pool.list_uefi_cert_variables`. Returns a list of enum values that can be composed of any of `PK`, `KEK`, `db` and `dbx`, based on certificates present either in `pool.custom_uefi_certificates` (when nonempty) or `pool.uefi_certificates` (when custom certificates are empty), to make it easier for clients to know what certificates are present, without having to extract the tarballs stored by XAPI. Used by clients to determine whether a pool is ready for guest SecureBoot, and possibly give details about what exact certificates are missing.

  OR, INSTEAD:

- `pool.get_guest_secureboot_readiness`. Returns one of:
  - `READY` if the active pool UEFI certificates (custom ones first, default ones if no custom ones) contain PK, KEK, db and dbx
  - `READY_NO_DBX` if the active pool UEFI certificates contain PK, KEK and db but not dbx
  - `NOT_READY` otherwise.
  - if wanted, addition of `pool-get-secureboot-readiness` to `xe`.
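To make the precedence between the proposed readiness values concrete (for instance, a missing `PK` yields `SETUP_MODE` even when `dbx` is present), here is an added Python model of the rules listed above; it is example code written for this page, not the RFC's draft PR or XAPI's own implementation. It assumes platform values are the strings XAPI stores (`"true"`/`"false"`, `"uefi"`/`"bios"`) and that the variable names have already been extracted from the `VM.NVRAM.EFI-variables` blob.

```python
"""Model of the readiness rules proposed in this RFC (added example, not XAPI code)."""

# Order matters for pool.list_uefi_cert_variables: report in the usual PK -> dbx order.
SB_VARS = ("PK", "KEK", "db", "dbx")
FULL_SET = {"PK", "KEK", "db", "dbx"}
NO_DBX_SET = {"PK", "KEK", "db"}


def vm_secureboot_readiness(platform, efi_vars):
    """Return the proposed VM.get_secureboot_readiness value.

    platform: the VM's platform dict (assumed keys "firmware" and "secureboot",
              both stored as strings; firmware defaults to "bios" when unset).
    efi_vars: iterable of variable names present in VM.NVRAM.EFI-variables.
    """
    if platform.get("firmware", "bios") != "uefi":
        return "NOT_SUPPORTED"
    if platform.get("secureboot", "false") != "true":
        return "DISABLED"
    present = set(efi_vars)
    if not present:
        return "FIRST_BOOT"  # empty NVRAM, nothing enrolled yet
    if "PK" not in present:
        return "SETUP_MODE"  # no platform key: firmware is in setup mode
    if FULL_SET <= present:
        return "READY"
    if NO_DBX_SET <= present:
        return "READY_NO_DBX"  # bootable, but no revocation list
    return "CERTS_INCOMPLETE"  # e.g. PK without KEK or db


def pool_uefi_cert_variables(custom_certs, default_certs):
    """Proposed pool.list_uefi_cert_variables: custom certs win when non-empty."""
    active = set(custom_certs) if custom_certs else set(default_certs)
    return [v for v in SB_VARS if v in active]


def pool_secureboot_readiness(custom_certs, default_certs):
    """Proposed pool.get_guest_secureboot_readiness, derived from the same set."""
    present = set(pool_uefi_cert_variables(custom_certs, default_certs))
    if FULL_SET <= present:
        return "READY"
    if NO_DBX_SET <= present:
        return "READY_NO_DBX"
    return "NOT_READY"
```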