
[v1,20/24] Add -secure-boot on|off option in QEMU command line

Message ID 20250408155527.123341-21-zycai@linux.ibm.com (mailing list archive)
State New
Series Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices | expand

Commit Message

Zhuoying Cai April 8, 2025, 3:55 p.m. UTC
The `-secure-boot on|off` command line option is implemented
to enable secure IPL.

By default, -secure-boot is set to false if not specified in
the command line.

Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
 qemu-options.hx |  8 ++++++++
 system/vl.c     | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+)

Comments

Thomas Huth April 11, 2025, 2:50 p.m. UTC | #1
On 08/04/2025 17.55, Zhuoying Cai wrote:
> The `-secure-boot on|off` command line option is implemented
> to enable secure IPL.
> 
> By default, -secure-boot is set to false if not specified in
> the command line.
> 
> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> ---
>   qemu-options.hx |  8 ++++++++
>   system/vl.c     | 21 +++++++++++++++++++++
>   2 files changed, 29 insertions(+)
> 
> diff --git a/qemu-options.hx b/qemu-options.hx
> index b460c63490..02d2f4d513 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -1262,6 +1262,14 @@ SRST
>       A colon may be used to delineate multiple paths.
>   ERST
>   
> +DEF("secure-boot", HAS_ARG, QEMU_OPTION_secure_boot,
> +    "-secure-boot on|off\n"
> +    "             enable/disable secure boot\n", QEMU_ARCH_S390X)
> +SRST
> +``-secure-boot on|off``
> +    Enable/disable secure boot. Default is off.
> +ERST

As with patch 1, please try to turn this into a machine option instead.

  Thanks,
   Thomas

Patch

diff --git a/qemu-options.hx b/qemu-options.hx
index b460c63490..02d2f4d513 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1262,6 +1262,14 @@  SRST
     A colon may be used to delineate multiple paths.
 ERST
 
+DEF("secure-boot", HAS_ARG, QEMU_OPTION_secure_boot,
+    "-secure-boot on|off\n"
+    "             enable/disable secure boot\n", QEMU_ARCH_S390X)
+SRST
+``-secure-boot on|off``
+    Enable/disable secure boot. Default is off.
+ERST
+
 DEFHEADING()
 
 DEFHEADING(Block device options:)
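Review bot: The SRST text added for `-secure-boot on|off` says only "Enable/disable secure boot", which omits what a user must know to rely on the switch: what is verified, and what happens to the boot when verification fails. The commit message calls the feature secure IPL and the DEF is limited to `QEMU_ARCH_S390X`, so the help should say both, and should name the certificate option it depends on if, as the neighbouring `qemu_boot_certificates_opts` in system/vl.c suggests, verification uses those certificates. Wording along the lines of `Enable or disable secure IPL (s390x only). When on, boot components are verified against the configured boot certificates. Default is off.` would do, plus one sentence on the failure behaviour written to match what the implementation really does.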
diff --git a/system/vl.c b/system/vl.c
index bd6197c887..5bdc35516c 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -524,6 +524,19 @@  static QemuOptsList qemu_boot_certificates_opts = {
     },
 };
 
+static QemuOptsList qemu_secure_boot_opts = {
+    .name = "secure-boot",
+    .implied_opt_name = "secure-boot",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_secure_boot_opts.head),
+    .desc = {
+        {
+            .name = "secure-boot",
+            .type = QEMU_OPT_BOOL,
+        },
+        { /* end of list */ }
+    },
+};
+
 const char *qemu_get_vm_name(void)
 {
     return qemu_name;
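Review bot: `qemu_secure_boot_opts` does not set `.merge_lists`, so every `-secure-boot` occurrence on the command line creates its own QemuOpts entry instead of updating a single one. The code that reads the value is outside this patch, but if it looks the entry up with `qemu_opts_find(..., NULL)` it would get the first occurrence, so a repeated option would not follow the usual last-one-wins rule; for a security switch the effective value should be unambiguous. Adding `.merge_lists = true,` to the initializer collapses repeated options into one entry where the last value takes effect. A short comment above the list, e.g. `/* s390x secure IPL switch, set by -secure-boot on|off */`, would also help readers of vl.c.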
@@ -2894,6 +2907,7 @@  void qemu_init(int argc, char **argv)
     qemu_add_opts(&qemu_fw_cfg_opts);
     qemu_add_opts(&qemu_action_opts);
     qemu_add_opts(&qemu_boot_certificates_opts);
+    qemu_add_opts(&qemu_secure_boot_opts);
     qemu_add_run_with_opts();
     module_call_init(MODULE_INIT_OPTS);
 
@@ -3046,6 +3060,13 @@  void qemu_init(int argc, char **argv)
                     exit(1);
                 }
                 break;
+            case QEMU_OPTION_secure_boot:
+                opts = qemu_opts_parse_noisily(qemu_find_opts("secure-boot"),
+                                               optarg, true);
+                if (!opts) {
+                    exit(1);
+                }
+                break;
             case QEMU_OPTION_fda:
             case QEMU_OPTION_fdb:
                 drive_add(IF_FLOPPY, popt->index - QEMU_OPTION_fda,
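Review bot: The new `case QEMU_OPTION_secure_boot:` arm only checks that the argument parses; nothing in this patch rejects `-secure-boot on` when it cannot be enforced, for example when no boot certificates were supplied. Whether that is validated later is not visible from this hunk, but if it is not, a guest started with `-secure-boot on` could boot unverified while the operator believes verification is active. I would make that combination a startup error once all options are parsed, and leave a comment in this arm such as `/* value is read after option parsing; "on" without usable certificates must be a fatal error */`. The enclosing switch in `qemu_init()` starts and continues outside the hunk.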