Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Force SeaBIOS instead of OVMF-based firmware & some firmware lookup logic changes #12750

Merged
merged 5 commits into from
Jan 19, 2024
Merged

Force SeaBIOS instead of OVMF-based firmware & some firmware lookup logic changes #12750

merged 5 commits into from
Jan 19, 2024

Conversation

mihalicyn
Copy link
Member

@mihalicyn mihalicyn commented Jan 19, 2024
edited by simondeziel
Loading

  • We want our users to step out from EDK2-based CSM firmwares to SeaBIOS as these firmwares were removed from upstream (see https://bugzilla.tianocore.org/show_bug.cgi?id=4588).

  • @tomponline suggested to extend firmware lookup algorithm to handle multiple paths specified in the LXD_OVMF_PATH.

  • Do some renaming

  • Forbid security.csm for arches except x86_64

  • Forbid boot.debug_edk2 when security.csm=true

  • Forbid security.secureboot when security.csm=true

Fixes ##12730

@mihalicyn
lxd/instance/drivers/driver_qemu: force SeaBIOS CSM firmware instead …
1441e59 
…of OVMF

EDKII CSM module was removed (https://bugzilla.tianocore.org/show_bug.cgi?id=4588),
we want to force all existing VMs those are using a OVMF-based CSM firmware
to step on the SeaBIOS.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
@github-actions github-actions bot added the Documentation Documentation needs updating label Jan 19, 2024
@mihalicyn mihalicyn marked this pull request as ready for review January 19, 2024 12:54
@mihalicyn
Copy link
Member Author

I have tested this with a VM which was created on the LXD 5.19 and then upgraded to the LXD version with these patches. It works without any problems.

simondeziel
simondeziel previously approved these changes Jan 19, 2024
View reviewed changes
Copy link
Member

@simondeziel simondeziel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with only tiny suggestions.

doc/environment.md Outdated Show resolved Hide resolved
doc/environment.md Outdated Show resolved Hide resolved
@mihalicyn mihalicyn mentioned this pull request Jan 19, 2024
Merged
simondeziel
simondeziel previously approved these changes Jan 19, 2024
View reviewed changes
doc/environment.md Outdated Show resolved Hide resolved
@mihalicyn mihalicyn force-pushed the force_seabios_for_csm branch 2 times, most recently from e451116 to 2fe9d31 Compare January 19, 2024 14:10
tomponline
tomponline reviewed Jan 19, 2024
View reviewed changes
lxd/apparmor/instance.go Outdated Show resolved Hide resolved
lxd/instance/drivers/driver_qemu.go Outdated Show resolved Hide resolved
lxd/instance/drivers/driver_qemu.go Outdated Show resolved Hide resolved
lxd/instance/drivers/driver_qemu.go Show resolved Hide resolved
@mihalicyn
instance/qemu: support extended firmware search algorithm
8f8f17f 
- introduce new env variable LXD_QEMU_FW_PATH in addition to LXD_OVMF_PATH
as this name is more correct. OVMF is a specific firmware name, while we
can use SeaBIOS or, for example, ArmVirt.
- make support of array of paths in the LXD_QEMU_FW_PATH/LXD_OVMF_PATH separated by ":"
like PATH/LD_LIBRARY_PATH/etc.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
@mihalicyn
instance/qemu: rename ovmf mentions
7e61b93 
Let's rename ovmf mentions to vmf (virtual machine firmware) depending on the context.
As OVMF is a specific name of the EDK2-based firmware for x86_64. For arm64 we also
use edk2-based firmware called ArmVirtQemu (from ArmVirtPkg).

No functional changes here.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
@mihalicyn
instance/qemu: do some sanity checks around enabling security.csm
be48904 
1. It makes no sense to set security.csm=true for arches except
x86_64 as we don't have any kind of a "legacy" firmware for them.
x86_64 architecture is a very special case cause we have a
legacy (BIOS) and modern (UEFI) firmwares supported in LXD.

2. Same about having CSM enabled together with boot.debug_edk2,
cause the last one means that EDK2 is used.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
@mihalicyn
lxd/instance/drivers/driver_qemu: use bios-256k.bin instead of seabio…
62ee9ff 
…s.bin

bios-256k.bin is a standard name for SeaBIOS firmware, while seabios.bin
is a specific one.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
tomponline
tomponline approved these changes Jan 19, 2024
View reviewed changes
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

@tomponline tomponline merged commit a7735a9 into canonical:main Jan 19, 2024
25 checks passed
@simondeziel
Copy link
Member

@mihalicyn I took the liberty to edit the PR description for posterity to reflect the incompatibility with boot.debug_edk2 and security.secureboot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomponline tomponline tomponline approved these changes

@MusicDin MusicDin Awaiting requested review from MusicDin

@simondeziel simondeziel Awaiting requested review from simondeziel

Assignees
No one assigned
Labels
Documentation Documentation needs updating
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mihalicyn @simondeziel @tomponline