
New API methods for status about SecureBoot and UEFI certs #5566

Merged
merged 3 commits into from
May 31, 2024

Conversation

@benjamreis benjamreis commented Apr 17, 2024

Implement what's discussed here: #5548

New API calls:

  • VM.set_uefi_mode: calls varstore-sb-state to edit the uefi mode of a VM
    Takes as input the uuid of a VM and a mode (setup or user)
    Returns the output of the script calls

  • VM.get_secureboot_readiness API call

    Returns the SecureBoot status of a VM:

    • not_supported: VM's firmware is not UEFI
    • disabled: Secureboot is disabled on this VM
    • first_boot: Secured boot is enabled on this VM and its NVRAM.EFI-variables is empty
    • ready: Secured boot is enabled on this VM and PK, KEK, db and dbx are defined in its EFI variables
    • ready_no_dbx: Secured boot is enabled on this VM and PK, KEK, db but not dbx are defined in its EFI variables
    • setup_mode: Secured boot is enabled on this VM and PK is not defined in its EFI variables
    • certs_incomplete: Secured boot is enabled on this VM and the certificates defined in its EFI variables are incomplete

  • Pool.get_guest_secureboot_readiness API call

    Returns a pool's state for guest SecureBoot:

    • ready: the active pool UEFI certificates (custom ones first, default ones if no custom ones) contain PK, KEK, db and dbx
    • ready_no_dbx: the active pool UEFI certificates contain PK, KEK and db but not dbx
    • not_ready: otherwise
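The state rules above, written out as a client-side classifier so the precedence between the states is explicit. This is an added example, not code from the PR or from xapi: the `firmware`, `secureboot` and `efi_vars` inputs stand in for the VM's platform config and NVRAM store, and the check order (PK absent reported as `setup_mode` before `certs_incomplete`) is an assumption the PR text does not pin down.

```python
"""Classify guest Secure Boot readiness following the API states described in PR #5566."""
from typing import Iterable

# Authenticated EFI variables that form the Secure Boot key hierarchy.
PK, KEK, DB, DBX = "PK", "KEK", "db", "dbx"


def vm_secureboot_readiness(firmware: str, secureboot: bool, efi_vars: Iterable[str]) -> str:
    """Return the VM.get_secureboot_readiness state for one VM.

    firmware   -- the VM's firmware type, "uefi" or "bios" (assumed names).
    secureboot -- whether Secure Boot is enabled for the VM.
    efi_vars   -- names of the variables present in the VM's NVRAM EFI store;
                  non-certificate variables (e.g. Boot0000) still make it non-empty.
    Precedence of the checks is an assumption: the PR lists the states only.
    """
    if firmware != "uefi":
        return "not_supported"
    if not secureboot:
        return "disabled"
    present = set(efi_vars)
    if not present:
        return "first_boot"          # nothing enrolled yet, first boot will populate
    if PK not in present:
        return "setup_mode"          # no Platform Key: firmware is in setup mode
    if {PK, KEK, DB, DBX} <= present:
        return "ready"
    if {PK, KEK, DB} <= present:
        return "ready_no_dbx"        # bootable, but no revocation list
    return "certs_incomplete"        # PK present but KEK or db missing


def pool_guest_secureboot_readiness(custom_certs: Iterable[str],
                                    default_certs: Iterable[str]) -> str:
    """Return the Pool.get_guest_secureboot_readiness state.

    Custom pool certificates are the active set when any are configured;
    otherwise the default set is used, as the PR description states.
    """
    custom = set(custom_certs)
    active = custom if custom else set(default_certs)
    if {PK, KEK, DB, DBX} <= active:
        return "ready"
    if {PK, KEK, DB} <= active:
        return "ready_no_dbx"
    return "not_ready"


if __name__ == "__main__":
    # Constructed sample: a UEFI VM whose store holds a boot entry and PK/KEK/db only.
    print(vm_secureboot_readiness("uefi", True, ["Boot0000", PK, KEK, DB]))
    print(pool_guest_secureboot_readiness([], [PK, KEK, DB, DBX]))
```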

@benjamreis benjamreis force-pushed the sb-state-api branch 2 times, most recently from a0e8fa2 to 2efb70f Compare April 17, 2024 11:28
@lindig lindig left a comment

Looks ok otherwise.

lindig commented Apr 18, 2024

Can this be changed from the CLI? It looks like it can't but I think it should be observable and update-able from the CLI.

benjamreis commented Apr 18, 2024

> Can this be changed from the CLI? It looks like it can't but I think it should be observable and update-able from the CLI.

Working on it as we speak. We will need the CLI implem for our tests. :)

Edit: Done 👍

@benjamreis benjamreis force-pushed the sb-state-api branch 6 times, most recently from afc5343 to 41cd758 Compare April 19, 2024 09:11
@benjamreis benjamreis force-pushed the sb-state-api branch 3 times, most recently from f9180a8 to 1f84bd0 Compare April 22, 2024 08:46
@benjamreis benjamreis marked this pull request as ready for review April 22, 2024 09:13
@benjamreis benjamreis requested a review from lindig April 22, 2024 13:24
@benjamreis
Hi!

Any update on this? It's really important for us to have in our next XCP-ng release and we'd like to start implementing the tests and clients side once we're assured the API won't move too much.

Thx

@psafont psafont left a comment

Aside from the comments that need to be addressed, you should rebase the PR on top of the latest master; it will make the strange python errors go away.

@benjamreis benjamreis force-pushed the sb-state-api branch 4 times, most recently from 5a0e802 to 9746d6d Compare May 14, 2024 07:11
@benjamreis benjamreis force-pushed the sb-state-api branch 2 times, most recently from c1fc346 to 1c111b0 Compare May 14, 2024 12:06
benjamreis added a commit to xcp-ng/xcp-ng-tests that referenced this pull request May 15, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng-rpms/xapi that referenced this pull request May 15, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng-rpms/xapi that referenced this pull request May 15, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng-rpms/xapi that referenced this pull request May 15, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng/xcp-ng-tests that referenced this pull request May 15, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
@benjamreis benjamreis requested a review from psafont May 16, 2024 07:02
@benjamreis benjamreis requested a review from psafont May 16, 2024 15:35
benjamreis added a commit to xcp-ng/xcp-ng-tests that referenced this pull request May 17, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng/xcp-ng-tests that referenced this pull request May 17, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng-rpms/xapi that referenced this pull request May 17, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng-rpms/xapi that referenced this pull request May 17, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng-rpms/xapi that referenced this pull request May 17, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng/xcp-ng-tests that referenced this pull request May 21, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
Calls `varstore-sb-state` to edit the uefi mode of a VM
Takes as input the uuid of a VM and a mode (`setup` or `user`)

Returns the output of the script calls

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
codecov bot commented May 31, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

@@           Coverage Diff            @@
##           master   #5566     +/-   ##
========================================
- Coverage    51.3%   44.7%   -6.6%     
========================================
  Files          13      16      +3     
  Lines        1927    2206    +279     
========================================
- Hits          990     988      -2     
- Misses        937    1218    +281     

Flag Coverage Δ
python2.7 45.5% <ø> (?)
python3.11 51.3% <ø> (-0.1%) ⬇️

@benjamreis
Comments addressed, commits squashed, rebased on master! 👍

Returns the SecureBoot status of a VM:
- `not_supported`: VM's firmware is not UEFI
- `disabled`: Secureboot is disabled on this VM
- `first_boot`: Secured boot is enabled on this VM and its NVRAM.EFI-variables is empty
- `ready`: Secured boot is enabled on this VM and PK, KEK, db and dbx are defined in its EFI variables
- `ready_no_dbx`: Secured boot is enabled on this VM and PK, KEK, db but not dbx are defined in its EFI variables
- `setup_mode`: Secured boot is enabled on this VM and PK is not defined in its EFI variables
- `certs_incomplete`: Secured boot is enabled on this VM and the certificates defined in its EFI variables are incomplete

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
Returns a pool's state for guest SecureBoot:
- `ready`: the active pool UEFI certificates (custom ones first, default ones if no custom ones) contain PK, KEK, db and dbx
- `ready_no_dbx`: the active pool UEFI certificates contain PK, KEK and db but not dbx
- `not_ready`: otherwise

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
@psafont psafont merged commit 7a14d45 into xapi-project:master May 31, 2024
14 checks passed
@psafont psafont deleted the sb-state-api branch May 31, 2024 12:11
benjamreis added a commit to xcp-ng-rpms/xapi that referenced this pull request May 31, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng-rpms/xapi that referenced this pull request Jun 3, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis added a commit to xcp-ng/xcp-ng-tests that referenced this pull request Jun 3, 2024
See: xapi-project/xen-api#5566

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>