Feature UEFI expiry: Implement VM.secureboot_certificates_state tracking#7015
Add a new DynamicRO field to track Secure Boot certificate status per VM. The field indicates whether UEFI Secure Boot certificates need updating.
- Define enum (ok, update_available, update_on_boot) and field in datamodel
- Check certificate state via varstore-nvram-certcheck on import and DB upgrade for UEFI Secure Boot VMs
- Skip control domains, default templates, and non-Secure Boot VMs in the DB upgrade rule
Signed-off-by: Stephen Cheng <stephen.cheng@citrix.com>
…eter
Add a new versioned parameter 'update' to VM.set_NVRAM_EFI_variables, allowing varstored to indicate whether Secure Boot certificates were changed during an NVRAM write. This enables xapi to maintain the VM.secureboot_certificates_state field accurately.
The 'update' parameter is an enum with three values:
- 'yes': certificates were updated, set state to 'ok'
- 'no': certificates unchanged, keep current state as-is
- 'unspecified': (default for v1 callers) run certcheck to determine state
Signed-off-by: Stephen Cheng <stephen.cheng@citrix.com>
Signed-off-by: Chunjie Zhu <chunjie.zhu@cloud.com>
Signed-off-by: Stephen Cheng <stephen.cheng@citrix.com>
| ; { | ||
| param_type= | ||
| Enum | ||
| ( "update_status" |
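Review bot: the datamodel enum is named `update_status` here while the commit message and the RPC call the parameter `update` and describe its values (yes/no/unspecified) as something the caller reports rather than a status; pick one name and use it consistently for the parameter and its enum type, since both end up in the generated bindings and the API docs.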
I understand these 3 are actually the actions (action) to be performed:
- set_state_ok
- noop
- check_state
| ) | ||
| (fun () -> Xapi_stdext_unix.Unixext.unlink_safe tmp_path) | ||
| in | ||
| match result with |
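Review bot: `unlink_safe tmp_path` is wrapped in a thunk, which only removes the temporary NVRAM file if that thunk is actually attached as the cleanup of the checker invocation; confirm it runs on the exception path as well (for example via `finally`), not only on the success path that reaches `match result with`, otherwise a failing checker leaves the blob on disk.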
We could just let the Forkhelpers exceptions be handled within function check_secureboot_certificates_state so that we could expect a clean output type of this function, like using result.
| in | ||
| match result with | ||
| | "update_required" -> | ||
| `update_available |
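Review bot: matching on the literal string `"update_required"` ties xapi to the checker's exact stdout; make sure the remaining arms of this `match result with` handle any other output (including empty output from a failed run) explicitly and log it, so a checker that prints something unexpected cannot be silently mapped to a state that hides an outdated certificate set.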
It may be better to make it explicit that this function will never return update_on_boot by using an explicit typing annotation or a variant instead of a polymorphic variant.
I'm not convinced that copying the field is the right thing to do, I've commented in the design about the possibility of the field becoming stale after a VM has been exported
Background
Microsoft Secure Boot certificates from 2011 are reaching end-of-life, and legacy VMs may still contain only the old certificate set. This PR implements the xapi side of the out-of-band mechanism to track and update per-VM UEFI Secure Boot variables safely, as described in the design doc.
Changes
Sorry for the large PR, but the changes form a single feature.
The two main commits are:
1. CP-311907: Add `VM.secureboot_certificates_state` field
   Add a new `DynamicRO` field to track Secure Boot certificate status per VM. The field indicates whether UEFI Secure Boot certificates need updating.
   - Uses `varstore-nvram-certcheck` to determine certificate state from the NVRAM EFI-variables blob
2. CP-311908: Add versioned `update` parameter to `VM.set_NVRAM_EFI_variables`
   Add a versioned `update` parameter (enum: `yes`/`no`/`unspecified`) so varstored can report whether certificates were changed during an NVRAM write. This avoids invoking the certcheck binary on every NVRAM write.
   - `update=yes`: certificates were updated → set state to `ok`
   - `update=no`: certificates not changed → preserve current state
   - `update=unspecified` (default for legacy v1 callers): run certcheck to determine state
   - `set_NVRAM_v2` RPC in xapi-guard, mapping the string parameter to the enum
Testing
Tested the following scenarios with the updated varstored:
- `ok` → `update_available` → `update_on_boot` → `ok` verified correct
- `update=yes`, state transitions to `ok`
- `update=no`, state is preserved
- `secureboot_certificates_state` is correctly preserved
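As an added illustration of the mechanism described in the two commit messages and the Changes list above (example code written for this page, not the PR's or xapi's own), the following OCaml models the field as an explicit variant, keeps the checker's possible verdicts in their own type so it visibly never yields `update_on_boot`, wraps the checker in a `Result`-typed function that always removes its temporary file, and applies the `update=yes`/`no`/`unspecified` rule. The names `certificates_state`, `certcheck_verdict`, `run_certcheck`, `next_state`, the injected `exec` standing in for the process-spawning helper, and the `ok` output string from `varstore-nvram-certcheck` (the page only shows `update_required`) are assumptions made for this example.

```ocaml
(* Added example, not code from the xapi PR. The checker command's "ok"
   output, the function names and the fake [exec] are assumptions. *)

(* The three values of VM.secureboot_certificates_state as an explicit
   variant (Certs_ok stands for the datamodel's "ok"). *)
type certificates_state = Certs_ok | Update_available | Update_on_boot

(* The checker only ever reports these two outcomes, so a separate type
   makes it clear that it can never produce Update_on_boot. *)
type certcheck_verdict = Certs_current | Update_required

let state_of_verdict = function
  | Certs_current -> Certs_ok
  | Update_required -> Update_available

(* The [update] parameter of the v2 RPC; v1 callers get Unspecified. *)
type update = Yes | No | Unspecified

let update_of_string = function
  | "yes" -> Ok Yes
  | "no" -> Ok No
  | "unspecified" -> Ok Unspecified
  | other -> Error (Printf.sprintf "unknown update value %S" other)

(* Write the NVRAM blob to a temporary file, run the checker on it and
   always remove the file, even if the checker raises. [exec] stands in
   for the process-spawning helper so the example runs without the real
   binary; spawn failures, non-zero exits and unexpected output all
   surface as [Error], never as an exception. *)
let run_certcheck ~(exec : string list -> (string, string) result)
    (nvram_blob : string) : (certcheck_verdict, string) result =
  let tmp_path = Filename.temp_file "nvram" ".bin" in
  Fun.protect
    ~finally:(fun () -> try Sys.remove tmp_path with Sys_error _ -> ())
    (fun () ->
      let oc = open_out_bin tmp_path in
      output_string oc nvram_blob ;
      close_out oc ;
      match exec ["varstore-nvram-certcheck"; tmp_path] with
      | Ok "update_required" -> Ok Update_required
      | Ok "ok" -> Ok Certs_current (* assumed output string *)
      | Ok other -> Error ("unexpected certcheck output: " ^ other)
      | Error e -> Error ("certcheck failed: " ^ e))

(* New field value after an NVRAM write. Only the Unspecified path
   (legacy v1 callers) pays for running the checker. *)
let next_state ~current ~update ~certcheck =
  match update with
  | Yes -> Certs_ok
  | No -> current
  | Unspecified -> (
      match certcheck () with
      | Ok verdict -> state_of_verdict verdict
      | Error msg ->
          (* Assumption: keep the last known state and log, rather than
             guess, when the checker cannot be trusted. *)
          prerr_endline msg ; current )

let string_of_state = function
  | Certs_ok -> "ok"
  | Update_available -> "update_available"
  | Update_on_boot -> "update_on_boot"

let () =
  (* Constructed stand-in for the checker: always reports that only the
     old certificate set is present. *)
  let fake_exec = function
    | ["varstore-nvram-certcheck"; _] -> Ok "update_required"
    | cmd -> Error ("no such command: " ^ String.concat " " cmd)
  in
  let blob = "constructed NVRAM EFI-variables blob" in
  let certcheck () = run_certcheck ~exec:fake_exec blob in
  List.iter
    (fun (label, current, update) ->
      Printf.printf "%-14s current=%-16s -> %s\n" label
        (string_of_state current)
        (string_of_state (next_state ~current ~update ~certcheck)))
    [ ("v2 update=yes", Update_on_boot, Yes)
    ; ("v2 update=no", Update_on_boot, No)
    ; ("v1 caller", Certs_ok, Unspecified) ]
```

Separating `certcheck_verdict` from `certificates_state` is the point raised in the review about `update_on_boot`: the compiler now enforces that the checker path can only move a VM to `ok` or `update_available`, while `next_state ~update:No` is the only branch that can carry `update_on_boot` forward unchanged. Injecting `exec` also makes the state rule testable without the checker binary, which is what the Testing list above exercises against the real varstored.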