New API methods for status about SecureBoot and UEFI certs #5566
Conversation
benjamreis
force-pushed
the
sb-state-api
branch
2 times, most recently
from
a0e8fa2
to
2efb70f
Compare
benjamreis
force-pushed
the
sb-state-api
branch
from
2efb70f
to
62b8a61
Compare
|
Can this be changed from the CLI? It looks like it can't but I think it should be observable and update-able from the CLI. |
Working on it as we speak. We will need the CLI implem for our tests. :) Edit: Done 👍 |
benjamreis
force-pushed
the
sb-state-api
branch
6 times, most recently
from
afc5343
to
41cd758
Compare
ocaml/xapi/xapi_pool.ml
Outdated
| let tmp_auth_file = Filename.concat tmp_dir filename in | ||
| Helpers.touch_file tmp_auth_file ; tmp_auth_file | ||
|
|
||
| let get_guest_secureboot_readiness ~__context ~self = |
There was a problem hiding this comment.
This method is a bit complex as it needs to extract the tarball in a pool (custom)_uefi_certificates db field in a temp directory and then list them before removing the extracted files...
Another (simpler) solution would be to list auth files in varstore_dir as it's supposed to always be in sync with the XAPI DB field unless a user would have manually modified it which wouldn't be supported.
What do you guys think?
There was a problem hiding this comment.
As long as its limitations are documented, I don't mind using the method that doesn't rely on creating files
benjamreis
force-pushed
the
sb-state-api
branch
3 times, most recently
from
f9180a8
to
1f84bd0
Compare
|
Hi! Any update on this? It's really important for us to have in our next XCP-ng release and we'd like to start implementing the tests and clients side once we're assured the API won't move too much. Thx |
ocaml/idl/datamodel_vm.ml
Outdated
| variables" | ||
| ) | ||
| ; ( "certs_incomplete" | ||
| , "Secured boot is enabled on this VM and the certificates defines in \ |
ocaml/idl/datamodel_vm.ml
Outdated
| ("not_supported", "VM's firmware is not UEFI") | ||
| ; ("disabled", "Secureboot is disabled on this VM") | ||
| ; ( "first_boot" | ||
| , "Secured boot is enabled on this VM and its NVRAM.EFI-variables is \ |
| , { | ||
| reqd= ["uuid"; "mode"] | ||
| ; optn= [] | ||
| ; help= "Set a VM in UEFI setup or user mode." |
There was a problem hiding this comment.
Maybe indicate that either "setup" or "user" is expected by putting them in (single) quotes.
| | "user" -> | ||
| `user | ||
| | s -> | ||
| raise (Record_failure ("Expected 'user','setup', got " ^ s)) |
There was a problem hiding this comment.
"Expected one of 'user', 'record' but got '%s'"
There was a problem hiding this comment.
I'm replicating how other Record_failure are written, I think it's better to keep the message standarize.
ocaml/xapi/xapi_pool.ml
Outdated
|
|
||
| let get_auth_filename tmp_dir tarpath = | ||
| let filename = | ||
| if String.contains tarpath '/' then |
There was a problem hiding this comment.
Filename.basename can be called unconditionally.
ocaml/xapi/xapi_pool.ml
Outdated
| else | ||
| tarpath | ||
| in | ||
| let tmp_auth_file = Filename.concat tmp_dir filename in |
There was a problem hiding this comment.
This is risky because there could be clashes over this path if tmp_dir is some public temp dir.
There was a problem hiding this comment.
https://ocaml.org/manual/5.1/api/Filename.html#VALtemp_file should be used here
ocaml/xapi/xapi_pool.ml
Outdated
| (fun () -> Sys.remove filename) ; | ||
| let tmp_auth_files = Sys.readdir tmp_dir in | ||
| Array.iter (fun file -> debug "*** BRS: auth file %s" file) tmp_auth_files ; | ||
| let pk_present = Array.mem "PK.auth" tmp_auth_files in |
There was a problem hiding this comment.
what happens when Array.mem fails?
There was a problem hiding this comment.
I don't see how it can fail in the doc.
| @@ -3037,6 +3037,12 @@ functor | |||
| let restart_device_models ~__context ~self = | |||
| info "VM.restart_device_models: self = '%s'" (vm_uuid ~__context self) ; | |||
| Local.VM.restart_device_models ~__context ~self | |||
|
|
|||
| let set_uefi_mode ~__context ~self ~mode = | |||
There was a problem hiding this comment.
The call is not being forwarded to the host that hosts the vm, Is the command meant to be run on the coordinator ever time?
There was a problem hiding this comment.
This method eventually calls varstore-sb-state which can be called on any host of the pool as the call will be redirected where the VM is located. I did not want to add another redirection before that.
There was a problem hiding this comment.
the call will be redirected where the VM is located
Which layer is doing this redirection? In xapi this is exactly the place that must do the redirection, if at all.
There was a problem hiding this comment.
IIUC varstored-tools call XAPI from within the scripts when running to dispatch to the relevent.
| defined in its EFI variables" | ||
| ) | ||
| ; ( "setup_mode" | ||
| , "Secured boot is enabled on this VM and PK is not defined in its EFI \ |
There was a problem hiding this comment.
In which use cases does this state interact with set_uefi_mode call? And how? The latter doesn't affect the database value directly, while this is db-only
There was a problem hiding this comment.
set_uefi_mode calls varstore-sb-state which will affect the VM's NVRAM's EFI-variables.
This method only deduct the state of the VM EFI variables.
| `first_boot (* TO BE VERIFIED *) | ||
| | Some _ -> ( | ||
| let varstore_ls = | ||
| Helpers.call_script !Xapi_globs.varstore_ls |
There was a problem hiding this comment.
What host does this need to be run on? Always on the coordinator?
There was a problem hiding this comment.
Same as above, varstore-ls will redirect the call when relevant.
| List.assoc_opt "EFI-variables" (Db.VM.get_NVRAM ~__context ~self) | ||
| with | ||
| | None -> | ||
| `first_boot (* TO BE VERIFIED *) |
There was a problem hiding this comment.
It's been tested and verified, I'll retest it after the latest changes and remove the comment after revalidation.
ocaml/xapi/xapi_pool.ml
Outdated
| else | ||
| tarpath | ||
| in | ||
| let tmp_auth_file = Filename.concat tmp_dir filename in |
There was a problem hiding this comment.
https://ocaml.org/manual/5.1/api/Filename.html#VALtemp_file should be used here
Calls `varstore-sb-state` to edit the uefi mode of a VM Takes in input the uuid of a VM and a mode (`setup` or `user`) Returns the output of the script calls Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
Returns the SecureBoot status of a VM: - `not_supported`: VM's firmware is not UEFI - `disabled`: Secureboot is disabled on this VM - `first_boot`: Secured boot is enabled on this VM and its NVRAM.EFI-variables is empty - `ready`: Secured boot is enabled on this VM and PK, KEK, db and dbx are defined in its EFI variables - `ready_no_dbx`: Secured boot is enabled on this VM and PK, KEK, db but not dbx are defined in its EFI variables - `setup_mode`: Secured boot is enabled on this VM and PK is not defined in its EFI variables - `certs_incomplete`: Secured boot is enabled on this VM and the certificates defines in its EFI variables are incomplete Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
Returns a pool's state for guest SecureBoot: - `ready`: the active pool UEFI certificates (custom ones first, default ones if no custom ones) contain PK, KEK, db and dbx - `ready_no_dbx`: the active pool UEFI certificates contain PK, KEK and db but not dbx - `not_ready`: otherwise Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
benjamreis
force-pushed
the
sb-state-api
branch
2 times, most recently
from
5a0e802
to
9746d6d
Compare
Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
See: xapi-project/xen-api#5566 Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
See: xapi-project/xen-api#5566 Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
See: xapi-project/xen-api#5566 Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
See: xapi-project/xen-api#5566 Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
See: xapi-project/xen-api#5566 Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
| (fun elem -> | ||
| (* Lines follow this pattern: <GUID> <KEY>*) | ||
| let splitted = String.split_on_char ' ' elem in | ||
| List.nth splitted 1 |
There was a problem hiding this comment.
Nth can raise with a pretty nasty error that's difficult to find where it originated. Please use nth_opt and deal with the option by replacing List.map with List.filter_map
Implement what's discussed here: #5548
New API calls:
VM.set_uefi_mode: callsvarstore-sb-stateto edit the uefi mode of a VMTakes in input the uuid of a VM and a mode (
setuporuser)Returns the output of the script calls
VM.get_secureboot_readinessAPI callReturns the SecureBoot status of a VM:
not_supported: VM's firmware is not UEFIdisabled: Secureboot is disabled on this VMfirst_boot: Secured boot is enabled on this VM and its NVRAM.EFI-variables is emptyready: Secured boot is enabled on this VM and PK, KEK, db and dbx are defined in its EFI variablesready_no_dbx: Secured boot is enabled on this VM and PK, KEK, db but not dbx are defined in its EFI variablessetup_mode: Secured boot is enabled on this VM and PK is not defined in its EFI variablescerts_incomplete: Secured boot is enabled on this VM and the certificates defines in its EFI variables are incompletePool.get_guest_secureboot_readinessAPI callReturns a pool's state for guest SecureBoot:
ready: the active pool UEFI certificates (custom ones first, default ones if no custom ones) contain PK, KEK, db and dbxready_no_dbx: the active pool UEFI certificates contain PK, KEK and db but not dbxnot_ready: otherwise