From b4d6b414d9aea5a38461ebd9292aaf7db0d8ae49 Mon Sep 17 00:00:00 2001 From: Alexander Mikhalitsyn Date: Fri, 19 Jan 2024 14:15:58 +0100 Subject: [PATCH] instance/qemu: forbid security.csm for non x86_64 arches It makes no sense to set security.csm=true for arches except x86_64 as we don't have any kind of a "legacy" firmware for them. x86_64 architecture is a very special case cause we have a legacy (BIOS) and modern (UEFI) firmwares supported in LXD. Signed-off-by: Alexander Mikhalitsyn --- lxd/instance/drivers/driver_qemu.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lxd/instance/drivers/driver_qemu.go b/lxd/instance/drivers/driver_qemu.go index f9b4c6895503..c46cc7db7ad4 100644 --- a/lxd/instance/drivers/driver_qemu.go +++ b/lxd/instance/drivers/driver_qemu.go @@ -126,6 +126,7 @@ var vmSecurebootFirmwares = []vmFirmware{ {code: "OVMF_CODE.fd", vars: "qemu.nvram"}, } +// Only valid for x86_64. var vmLegacyFirmwares = []vmFirmware{ {code: "seabios.bin", vars: "seabios.bin"}, {code: "OVMF_CODE.4MB.CSM.fd", vars: "OVMF_VARS.4MB.CSM.fd"}, @@ -1120,6 +1121,11 @@ func (d *qemu) start(stateful bool, op *operationlock.InstanceOperation) error { return fmt.Errorf("The image used by this instance is incompatible with secureboot. Please set security.secureboot=false on the instance") } + // Ensure CSM is turned off for all arches except x86_64 + if shared.IsTrue(d.expandedConfig["security.csm"]) && d.architecture != osarch.ARCH_64BIT_INTEL_X86 { + return fmt.Errorf("CSM can be enabled for x86_64 architecture only. Please set security.csm=false on the instance") + } + // Ensure secureboot is turned off when CSM is on if shared.IsTrue(d.expandedConfig["security.csm"]) && shared.IsTrueOrEmpty(d.expandedConfig["security.secureboot"]) { return fmt.Errorf("Secure boot can't be enabled while CSM is turned on. Please set security.secureboot=false on the instance")