instance/qemu: forbid security.csm for non x86_64 arches

It makes no sense to set security.csm=true for arches except x86_64 as we don't have any kind of a "legacy" firmware for them. x86_64 architecture is a very special case cause we have a legacy (BIOS) and modern (UEFI) firmwares supported in LXD. Signed-off-by: Alexander Mikhalitsyn <[email protected]>
canonical · Jan 19, 2024 · b4d6b41 · b4d6b41
1 parent c828779
commit b4d6b41
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/lxd/instance/drivers/driver_qemu.go b/lxd/instance/drivers/driver_qemu.go
@@ -126,6 +126,7 @@ var vmSecurebootFirmwares = []vmFirmware{
 	{code: "OVMF_CODE.fd", vars: "qemu.nvram"},
 }
 
+// Only valid for x86_64.
 var vmLegacyFirmwares = []vmFirmware{
 	{code: "seabios.bin", vars: "seabios.bin"},
 	{code: "OVMF_CODE.4MB.CSM.fd", vars: "OVMF_VARS.4MB.CSM.fd"},
@@ -1120,6 +1121,11 @@ func (d *qemu) start(stateful bool, op *operationlock.InstanceOperation) error {
 		return fmt.Errorf("The image used by this instance is incompatible with secureboot. Please set security.secureboot=false on the instance")
 	}
 
+	// Ensure CSM is turned off for all arches except x86_64
+	if shared.IsTrue(d.expandedConfig["security.csm"]) && d.architecture != osarch.ARCH_64BIT_INTEL_X86 {
+		return fmt.Errorf("CSM can be enabled for x86_64 architecture only. Please set security.csm=false on the instance")
+	}
+
 	// Ensure secureboot is turned off when CSM is on
 	if shared.IsTrue(d.expandedConfig["security.csm"]) && shared.IsTrueOrEmpty(d.expandedConfig["security.secureboot"]) {
 		return fmt.Errorf("Secure boot can't be enabled while CSM is turned on. Please set security.secureboot=false on the instance")