Changeset 103532 in vbox

Timestamp:

Feb 22, 2024 2:05:31 PM (11 months ago)

Author:

vboxsync

Message:

VBoxManage: Add subcommand for enabling UEFI secure boot (and show the status in the VM infos).
Main/NVRAMStore+UefiVariableStore: Tweaks to allow reading the UEFI secure boot state when the VM isn't mutable.
doc/manual: Update VBoxManage manpage.

Location:

trunk

Files:

• doc/manual/en_US/man_VBoxManage-modifynvram.xml (modified) (2 diffs)
• src/VBox/Frontends/VBoxManage/VBoxManageInfo.cpp (modified) (1 diff)
• src/VBox/Frontends/VBoxManage/VBoxManageModifyNvram.cpp (modified) (9 diffs)
• src/VBox/Main/include/AutoStateDep.h (modified) (3 diffs)
• src/VBox/Main/src-all/NvramStoreImpl.cpp (modified) (3 diffs)
• src/VBox/Main/src-server/UefiVariableStoreImpl.cpp (modified) (4 diffs)

trunk/doc/manual/en_US/man_VBoxManage-modifynvram.xml

@@ -91 +91 @@
       <arg>--owner-uuid=<replaceable>uuid</replaceable></arg>
     </cmdsynopsis>
+    <cmdsynopsis id="synopsis-vboxmanage-modifynvram-secureboot">
+      <command>VBoxManage modifynvram</command>
+      <group choice="req">
+        <arg choice="plain"><replaceable>uuid</replaceable></arg>
+        <arg choice="plain"><replaceable>vmname</replaceable></arg>
+      </group>
+      <arg choice="plain">secureboot</arg>
+      <group choice="req">
+        <arg choice="plain">--enable</arg>
+        <arg choice="plain">--disable</arg>
+      </group>
+    </cmdsynopsis>
     <cmdsynopsis id="synopsis-vboxmanage-modifynvram-listvars">
       <command>VBoxManage modifynvram</command>
@@ -194 +206 @@
           <term><option>--owner-uuid=<replaceable>uuid</replaceable></option></term>
           <listitem><para>The UUID identifying the owner of the platform key.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+
+    <refsect2 id="vboxmanage-modifynvram-secureboot">
+      <title>modifynvram secureboot</title>
+      <remark role="help-copy-synopsis"/>
+      <para>
+        Enables or disables UEFI secure boot.
+      </para>
+      <variablelist>
+        <varlistentry>
+          <term><option>--enable></option></term>
+          <listitem><para>Enables UEFI secure boot if the state of the key
+            enrolment permits.</para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><option>--disable></option></term>
+          <listitem><para>Disables UEFI secure boot.</para>
           </listitem>
         </varlistentry>

trunk/src/VBox/Frontends/VBoxManage/VBoxManageInfo.cpp

@@ -1414 +1414 @@
     if (bstrNVRAMFile.isNotEmpty())
         SHOW_BSTR_STRING("BIOS NVRAM File", Info::tr("BIOS NVRAM File:"), bstrNVRAMFile);
+    if (   firmwareType == FirmwareType_EFI || firmwareType == FirmwareType_EFI32
+        || firmwareType == FirmwareType_EFI64 || firmwareType == FirmwareType_EFIDUAL)
+    {
+        ComPtr<IUefiVariableStore> uefiVarStore;
+        CHECK_ERROR_RET(nvramStore, COMGETTER(UefiVariableStore)(uefiVarStore.asOutParam()), hrc);
+        SHOW_BOOLEAN_PROP(uefiVarStore, SecureBootEnabled, "SecureBoot", Info::tr("UEFI Secure Boot:"));
+    }
     SHOW_BOOLEAN_PROP_EX(platform,   RTCUseUTC, "rtcuseutc", Info::tr("RTC:"), "UTC", Info::tr("local time"));
 

trunk/src/VBox/Frontends/VBoxManage/VBoxManageModifyNvram.cpp

@@ -64 +64 @@
 static RTEXITCODE handleModifyNvramInitUefiVarStore(HandlerArg *a, ComPtr<INvramStore> &nvramStore)
 {
-    RT_NOREF(a);
+    if (a->argc != 2)
+        return errorTooManyParameters(&a->argv[1]);
 
     CHECK_ERROR2I_RET(nvramStore, InitUefiVariableStore(0 /*aSize*/), RTEXITCODE_FAILURE);
@@ -79 +80 @@
 static RTEXITCODE handleModifyNvramEnrollMsSignatures(HandlerArg *a, ComPtr<INvramStore> &nvramStore)
 {
-    RT_NOREF(a);
+    if (a->argc != 2)
+        return errorTooManyParameters(&a->argv[1]);
 
     ComPtr<IUefiVariableStore> uefiVarStore;
@@ -252 +254 @@
 static RTEXITCODE handleModifyNvramEnrollOraclePlatformKey(HandlerArg *a, ComPtr<INvramStore> &nvramStore)
 {
-    RT_NOREF(a);
+    if (a->argc != 2)
+        return errorTooManyParameters(&a->argv[1]);
 
     ComPtr<IUefiVariableStore> uefiVarStore;
@@ -263 +266 @@
 
 /**
+ * Handles the 'modifynvram myvm secureboot' sub-command.
+ * @returns Exit code.
+ * @param   a               The handler argument package.
+ * @param   nvram           Reference to the NVRAM store interface.
+ */
+static RTEXITCODE handleModifyNvramSecureBoot(HandlerArg *a, ComPtr<INvramStore> &nvramStore)
+{
+    static const RTGETOPTDEF s_aOptions[] =
+    {
+        /* common options */
+        { "--enable",       'e', RTGETOPT_REQ_NOTHING },
+        { "--disable",      'd', RTGETOPT_REQ_NOTHING }
+    };
+
+    int enable = -1;
+
+    RTGETOPTSTATE GetState;
+    int vrc = RTGetOptInit(&GetState, a->argc - 2, &a->argv[2], s_aOptions, RT_ELEMENTS(s_aOptions), 0, 0);
+    AssertRCReturn(vrc, RTEXITCODE_FAILURE);
+
+    int c;
+    RTGETOPTUNION ValueUnion;
+    while ((c = RTGetOpt(&GetState, &ValueUnion)) != 0)
+    {
+        switch (c)
+        {
+            case 'e':   // --enable
+                if (enable >= 0)
+                    return errorSyntax(Nvram::tr("You can specify either --enable or --disable once."));
+                enable = 1;
+                break;
+
+            case 'd':   // --disable
+                if (enable >= 0)
+                    return errorSyntax(Nvram::tr("You can specify either --enable or --disable once."));
+                enable = 0;
+                break;
+
+            default:
+                return errorGetOpt(c, &ValueUnion);
+        }
+    }
+
+    if (enable < 0)
+        return errorSyntax(Nvram::tr("You have to specify either --enable or --disable."));
+
+    ComPtr<IUefiVariableStore> uefiVarStore;
+    CHECK_ERROR2I_RET(nvramStore, COMGETTER(UefiVariableStore)(uefiVarStore.asOutParam()), RTEXITCODE_FAILURE);
+
+    CHECK_ERROR2I_RET(uefiVarStore, COMSETTER(SecureBootEnabled((BOOL)enable)), RTEXITCODE_FAILURE);
+    return RTEXITCODE_SUCCESS;
+}
+
+
+/**
  * Handles the 'modifynvram myvm listvars' sub-command.
  * @returns Exit code.
@@ -270 +328 @@
 static RTEXITCODE handleModifyNvramListUefiVars(HandlerArg *a, ComPtr<INvramStore> &nvramStore)
 {
-    RT_NOREF(a);
+    if (a->argc != 2)
+        return errorTooManyParameters(&a->argv[1]);
 
     ComPtr<IUefiVariableStore> uefiVarStore;
@@ -362 +421 @@
         }
         else
-           rcExit = RTMsgErrorExitFailure(Nvram::tr("Error opening '%s': %Rrc"), pszVarDataFilename, vrc);
+            rcExit = RTMsgErrorExitFailure(Nvram::tr("Error opening '%s': %Rrc"), pszVarDataFilename, vrc);
     }
 
@@ -491 +550 @@
     }
     else
-       rcExit = RTMsgErrorExitFailure(Nvram::tr("Error opening '%s': %Rrc"), pszVarDataFilename, vrc);
+        rcExit = RTMsgErrorExitFailure(Nvram::tr("Error opening '%s': %Rrc"), pszVarDataFilename, vrc);
 
     return rcExit;
@@ -548 +607 @@
         hrc = handleModifyNvramEnrollOraclePlatformKey(a, nvramStore) == RTEXITCODE_SUCCESS ? S_OK : E_FAIL;
     }
+    else if (!strcmp(a->argv[1], "secureboot"))
+    {
+        setCurrentSubcommand(HELP_SCOPE_MODIFYNVRAM_SECUREBOOT);
+        hrc = handleModifyNvramSecureBoot(a, nvramStore) == RTEXITCODE_SUCCESS ? S_OK : E_FAIL;
+    }
     else if (!strcmp(a->argv[1], "listvars"))
     {
@@ -569 +633 @@
     }
     else
-        return errorUnknownSubcommand(a->argv[0]);
+        return errorUnknownSubcommand(a->argv[1]);
 
     /* commit changes */

trunk/src/VBox/Main/include/AutoStateDep.h

@@ -73 +73 @@
               mRegistered(FALSE)
         {
-            Assert(aThat);
-            mRC = aThat->i_addStateDependency(taDepType, &mMachineState,
-                                            &mRegistered);
+            if (RT_VALID_PTR(aThat))
+                mRC = aThat->i_addStateDependency(taDepType, &mMachineState,
+                                                  &mRegistered);
         }
         ~AutoStateDependency()
         {
-            if (SUCCEEDED(mRC))
+            if (RT_VALID_PTR(mThat) && SUCCEEDED(mRC))
                 mThat->i_releaseStateDependency();
         }
@@ -88 +88 @@
         {
             AssertReturnVoid(SUCCEEDED(mRC));
-            mThat->i_releaseStateDependency();
+            if (RT_VALID_PTR(mThat))
+                mThat->i_releaseStateDependency();
             mRC = E_FAIL;
         }
@@ -98 +99 @@
         {
             AssertReturnVoid(!SUCCEEDED(mRC));
-            mRC = mThat->i_addStateDependency(taDepType, &mMachineState,
-                                            &mRegistered);
+            if (RT_VALID_PTR(mThat))
+                mRC = mThat->i_addStateDependency(taDepType, &mMachineState,
+                                                  &mRegistered);
+            else
+                mRC = S_OK;
         }
 

trunk/src/VBox/Main/src-all/NvramStoreImpl.cpp

@@ -380 +380 @@
 {
 #ifndef VBOX_COM_INPROC
-    /* the machine needs to be mutable */
-    AutoMutableStateDependency adep(m->pParent);
-    if (FAILED(adep.hrc())) return adep.hrc();
-
     Utf8Str strPath;
     NvramStore::getNonVolatileStorageFile(strPath);
@@ -418 +414 @@
     {
         m->pUefiVarStore.queryInterfaceTo(aUefiVarStore.asOutParam());
-
-        /* Mark the NVRAM store as potentially modified. */
-        m->pParent->i_setModified(Machine::IsModified_NvramStore);
+        /* The "modified" state is handled by i_retainUefiVarStore. */
     }
 
@@ -1066 +1060 @@
 HRESULT NvramStore::i_retainUefiVarStore(PRTVFS phVfs, bool fReadonly)
 {
-    /* the machine needs to be mutable */
-    AutoMutableStateDependency adep(m->pParent);
+    /* the machine needs to be mutable unless fReadonly is set */
+    AutoMutableStateDependency adep(fReadonly ? NULL : m->pParent);
     if (FAILED(adep.hrc())) return adep.hrc();
 

trunk/src/VBox/Main/src-server/UefiVariableStoreImpl.cpp

@@ -152 +152 @@
 HRESULT UefiVariableStore::getSecureBootEnabled(BOOL *pfEnabled)
 {
-    /* the machine needs to be mutable */
-    AutoMutableStateDependency adep(m->pMachine);
-    if (FAILED(adep.hrc())) return adep.hrc();
-
     HRESULT hrc = i_retainUefiVariableStore(true /*fReadonly*/);
     if (FAILED(hrc)) return hrc;
@@ -324 +320 @@
                                                std::vector<BYTE> &aData)
 {
-    /* the machine needs to be mutable */
-    AutoMutableStateDependency adep(m->pMachine);
-    if (FAILED(adep.hrc())) return adep.hrc();
-
     HRESULT hrc = i_retainUefiVariableStore(true /*fReadonly*/);
     if (FAILED(hrc)) return hrc;
@@ -370 +362 @@
                                           std::vector<com::Guid> &aOwnerUuids)
 {
-    /* the machine needs to be mutable */
-    AutoMutableStateDependency adep(m->pMachine);
-    if (FAILED(adep.hrc())) return adep.hrc();
-
     HRESULT hrc = i_retainUefiVariableStore(true /*fReadonly*/);
     if (FAILED(hrc)) return hrc;
@@ -522 +510 @@
 HRESULT UefiVariableStore::enrollDefaultMsSignatures(void)
 {
+    /* the machine needs to be mutable */
     AutoMutableStateDependency adep(m->pMachine);
     if (FAILED(adep.hrc())) return adep.hrc();