libvirt/tests/qemuxml2argvdata/firmware-manual-efi-secure.x86_64-latest.args

LC_ALL=C \
PATH=/bin \
HOME=/tmp/lib/domain--1-guest \
USER=test \
LOGNAME=test \
XDG_DATA_HOME=/tmp/lib/domain--1-guest/.local/share \
XDG_CACHE_HOME=/tmp/lib/domain--1-guest/.cache \
XDG_CONFIG_HOME=/tmp/lib/domain--1-guest/.config \
/usr/bin/qemu-system-x86_64 \
-name guest=guest,debug-threads=on \
-S \
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-guest/master-key.aes"}' \
-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
-blockdev '{"driver":"file","filename":"/path/to/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \
-machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format \
-accel tcg \
-cpu qemu64 \
-global driver=cfi.pflash01,property=secure,value=on \
-m 1024 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-audiodev '{"id":"audio1","driver":"none"}' \
-global ICH9-LPC.noreboot=off \
-watchdog-action reset \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 12:33:52 +03:00			`LC_ALL=C \`
			`PATH=/bin \`
tests: Unify input files for firmware tests Most of the differences, such as those in the domain name or amount of memory, are fairly harmless, but they still make it more cumbersome than necessary to directly compare different input (and output) files. More importantly, the use of unversioned machine types in some of the test cases results in the descriptor-based autoselection logic being effectively skipped, because the compatible machine types as listed in them are only the versioned variants. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:28:05 +03:00			`HOME=/tmp/lib/domain--1-guest \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 12:33:52 +03:00			`USER=test \`
			`LOGNAME=test \`
tests: Unify input files for firmware tests Most of the differences, such as those in the domain name or amount of memory, are fairly harmless, but they still make it more cumbersome than necessary to directly compare different input (and output) files. More importantly, the use of unversioned machine types in some of the test cases results in the descriptor-based autoselection logic being effectively skipped, because the compatible machine types as listed in them are only the versioned variants. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:28:05 +03:00			`XDG_DATA_HOME=/tmp/lib/domain--1-guest/.local/share \`
			`XDG_CACHE_HOME=/tmp/lib/domain--1-guest/.cache \`
			`XDG_CONFIG_HOME=/tmp/lib/domain--1-guest/.config \`
tests: unify qemu binary paths for all qemu related tests Our test data used a lot of different qemu binary paths and some of them were based on downstream systems. Note that there is one file where I had to add "accel=kvm" because the qemuargv2xml code parses "/usr/bin/kvm" as virt type="kvm". Signed-off-by: Pavel Hrdina <phrdina@redhat.com> 2017-04-06 19:19:48 +03:00			`/usr/bin/qemu-system-x86_64 \`
tests: Unify input files for firmware tests Most of the differences, such as those in the domain name or amount of memory, are fairly harmless, but they still make it more cumbersome than necessary to directly compare different input (and output) files. More importantly, the use of unversioned machine types in some of the test cases results in the descriptor-based autoselection logic being effectively skipped, because the compatible machine types as listed in them are only the versioned variants. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:28:05 +03:00			`-name guest=guest,debug-threads=on \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 12:33:52 +03:00			`-S \`
tests: Unify input files for firmware tests Most of the differences, such as those in the domain name or amount of memory, are fairly harmless, but they still make it more cumbersome than necessary to directly compare different input (and output) files. More importantly, the use of unversioned machine types in some of the test cases results in the descriptor-based autoselection logic being effectively skipped, because the compatible machine types as listed in them are only the versioned variants. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:28:05 +03:00			`-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-guest/master-key.aes"}' \`
tests: Force QEMU_CAPS_BLOCKDEV(_HOSTDEV_SCSI) in fake caps tests Until we finish removing the capabilities we need to force them in the tests so that it's obvious that the code changes have no impact. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-07-20 16:37:19 +03:00			`-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \`
			`-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \`
tests: Unify input files for firmware tests Most of the differences, such as those in the domain name or amount of memory, are fairly harmless, but they still make it more cumbersome than necessary to directly compare different input (and output) files. More importantly, the use of unversioned machine types in some of the test cases results in the descriptor-based autoselection logic being effectively skipped, because the compatible machine types as listed in them are only the versioned variants. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:28:05 +03:00			`-blockdev '{"driver":"file","filename":"/path/to/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \`
tests: Force QEMU_CAPS_BLOCKDEV(_HOSTDEV_SCSI) in fake caps tests Until we finish removing the capabilities we need to force them in the tests so that it's obvious that the code changes have no impact. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-07-20 16:37:19 +03:00			`-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \`
tests: Unify input files for firmware tests Most of the differences, such as those in the domain name or amount of memory, are fairly harmless, but they still make it more cumbersome than necessary to directly compare different input (and output) files. More importantly, the use of unversioned machine types in some of the test cases results in the descriptor-based autoselection logic being effectively skipped, because the compatible machine types as listed in them are only the versioned variants. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:28:05 +03:00			`-machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format \`
qemu: Switch to -accel We currently use -machine accel=XXX which is just a syntax sugar for -accel XXX. The former doesn't allow specifying arguments for accelerator, because all arguments passed to -machine are treated as arguments of machine itself. The -accel argument was introduced in QEMU commit v2.9.0-rc0~70^2~19 and since our minimum required version is newer (2.11.0) we can safely assume its existence and use it without any capability. Resolves: https://gitlab.com/libvirt/libvirt/-/issues/233 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Tested-by: Kashyap Chamarthy <kchamart@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> 2021-11-05 11:38:10 +03:00			`-accel tcg \`
tests: Move firmware tests to CAPS_LATEST This is already the case for the vast majority, but a few are using explicit capabilities lists. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:10:48 +03:00			`-cpu qemu64 \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 12:33:52 +03:00			`-global driver=cfi.pflash01,property=secure,value=on \`
			`-m 1024 \`
tests: Move firmware tests to CAPS_LATEST This is already the case for the vast majority, but a few are using explicit capabilities lists. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:10:48 +03:00			`-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \`
qemu: command: Always assume QEMU_CAPS_OVERCOMMIT Starting with qemu-3.1 we always have the '-overcommit' argument and use it instead of '-realtime'. Remove the capability check and fix all fake-caps tests. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-02-10 14:57:26 +03:00			`-overcommit mem-lock=off \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 12:33:52 +03:00			`-smp 1,sockets=1,cores=1,threads=1 \`
tests: Unify input files for firmware tests Most of the differences, such as those in the domain name or amount of memory, are fairly harmless, but they still make it more cumbersome than necessary to directly compare different input (and output) files. More importantly, the use of unversioned machine types in some of the test cases results in the descriptor-based autoselection logic being effectively skipped, because the compatible machine types as listed in them are only the versioned variants. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:28:05 +03:00			`-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \`
qemu: deprecate QEMU_CAPS_DISPLAY Implied by QEMU >= 1.2.0. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 13:51:55 +03:00			`-display none \`
qemu: deprecate QEMU_CAPS_NO_USER_CONFIG Implied by QEMU >= 1.2.0. Delete this one first, because QEMU_CAPS_NODEFCONFIG is only used when QEMU_CAPS_NO_USER_CONFIG is unsupported. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 13:51:55 +03:00			`-no-user-config \`
qemu: Enable secure boot In qemu, enabling this feature boils down to adding the following onto the command line: -global driver=cfi.pflash01,property=secure,value=on However, there are some constraints resulting from the implementation. For instance, System Management Mode (SMM) is required to be enabled, the machine type must be q35-2.4 or later, and the guest should be x86_64. While technically it is possible to have 32 bit guests with secure boot, some non-trivial CPU flags tuning is required (for instance lm and nx flags must be prohibited). Given complexity of our CPU driver, this is not trivial. Therefore I've chosen to forbid 32 bit guests for now. If there's ever need, we can refine the check later. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> 2016-07-13 12:33:52 +03:00			`-nodefaults \`
qemu: Always assume QEMU_CAPS_CHARDEV_FD_PASS_COMMANDLINE All qemu versions now support FD passing either directly or via FDset. Assume that we always have this capability so that we can simplify chardev handling in many cases. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-02-03 15:31:28 +03:00			`-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \`
qemu: deprecate QEMU_CAPS_MONITOR_JSON We require QEMU >= 1.5.0, assume every QEMU supports it. Sadly that does not let us trivially drop qemuMonitor's priv->monJSON bool, because of qemuDomainQemuAttach. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 01:04:58 +03:00			`-mon chardev=charmonitor,id=monitor,mode=control \`
qemu: deprecate QEMU_CAPS_RTC Implied by QEMU >= 1.2.0. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 13:51:55 +03:00			`-rtc base=utc \`
qemu: deprecate QEMU_CAPS_NO_SHUTDOWN Implied by QEMU >= 1.2.0. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> 2018-03-29 13:51:55 +03:00			`-no-shutdown \`
tests: Use minimal hardware for firmware tests When testing firmware selection, we don't really care about any of the hardware assigned to the VM, and in fact it's better to keep it as minimal as possible to make sure that the focus remains on the firmware bits. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-09 16:02:19 +03:00			`-boot strict=on \`
qemu: command: Always assume QEMU_CAPS_AUDIODEV Generate only new version of the '-audiodev' commandline. The leftover old code and validation will be removed in subsequent patches. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2022-06-22 16:36:23 +03:00			`-audiodev '{"id":"audio1","driver":"none"}' \`
qemu: Add implicit watchdog for q35 machine types The iTCO watchdog is part of the q35 machine type since its inception, we just did not add it implicitly. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2137346 Signed-off-by: Martin Kletzander <mkletzan@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-01-20 13:22:22 +03:00			`-global ICH9-LPC.noreboot=off \`
			`-watchdog-action reset \`
tests: Move firmware tests to CAPS_LATEST This is already the case for the vast majority, but a few are using explicit capabilities lists. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2023-02-08 21:10:48 +03:00			`-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \`
qemu: command: Always assume support for '-msg timestamp=on' All supported QEMU versions have this option so there's no need for us to base it on the capability. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2021-08-10 18:07:10 +03:00			`-msg timestamp=on`