feat(xo-web/VM): display accurate Secure Boot status

CHANGELOG.unreleased.md

@@ -7,6 +7,8 @@
 
 > Users must be able to say: “Nice enhancement, I'm eager to test it”
 
+- [VM/Advanced] Display an accurate secure boot status and allow user to propagate certificates from pool to VM [#7495](https://github.com/vatesfr/xen-orchestra/issues/7495) (PR [#7751](https://github.com/vatesfr/xen-orchestra/pull/7751))
+
 ### Bug fixes
 
 > Users must be able to say: “I had this issue, happy to know it's fixed”
@@ -27,4 +29,7 @@
 
 <!--packages-start-->
 
+- xo-server
+- xo-web
+
 <!--packages-end-->

packages/xo-server/src/api/pool.mjs

@@ -334,6 +334,22 @@ getLicenseState.resolve = {
 
 // -------------------------------------------------------------------
 
+export async function getGuestSecureBootReadiness({ pool }) {
+  return this.getXapi(pool).call('pool.get_guest_secureboot_readiness', pool._xapiRef)
+}
+
+getGuestSecureBootReadiness.params = {
+  id: {
+    type: 'string',
+  },
+}
+
+getGuestSecureBootReadiness.resolve = {
+  pool: ['id', 'pool', 'view'],
+}
+
+// -------------------------------------------------------------------
+
 async function handleInstallSupplementalPack(req, res, { poolId }) {
   const xapi = this.getXapi(poolId)
 

packages/xo-server/src/api/vm.mjs

@@ -540,6 +540,20 @@ insertCd.resolve = {
 
 // -------------------------------------------------------------------
 
+export function getSecurebootReadiness({ vm }) {
+  return this.getXapi(vm).call('VM.get_secureboot_readiness', vm._xapiRef)
+}
+
+getSecurebootReadiness.params = {
+  id: { type: 'string' },
+}
+
+getSecurebootReadiness.resolve = {
+  vm: ['id', 'VM', 'view'],
+}
+
+// -------------------------------------------------------------------
+
 export async function migrate({
   bypassAssert = false,
   force,
@@ -662,6 +676,11 @@ export const set = defer(async function ($defer, params) {
     await xapi.call('VM.set_suspend_SR', VM._xapiRef, suspendSr === null ? Ref.EMPTY : suspendSr._xapiRef)
   }
 
+  const uefiMode = extract(params, 'uefiMode')
+  if (uefiMode !== undefined) {
+    await xapi.call('VM.set_uefi_mode', VM._xapiRef, uefiMode)
+  }
+
   const xenStoreData = extract(params, 'xenStoreData')
   if (xenStoreData !== undefined) {
     await this.getXapiObject(VM).update_xenstore_data(mapKeys(xenStoreData, (v, k) => autoPrefix('vm-data/', k)))
@@ -785,6 +804,8 @@ set.params = {
 
   suspendSr: { type: ['string', 'null'], optional: true },
 
+  uefiMode: { enum: ['setup', 'user'], optional: true },
+
   xenStoreData: {
     description: 'properties that should be set or deleted (if null) in the VM XenStore',
     optional: true,

packages/xo-web/src/common/intl/messages.js

@@ -1230,8 +1230,16 @@ const messages = {
   managementAgentNotDetected: 'Management agent not detected',
   noIpv4Record: 'No IPv4 record',
   noIpRecord: 'No IP record',
+  secureBootEnforced: 'Secure boot enforced',
+  secureBootEnforcedPendingBoot: 'Secure boot enforced, pending first boot',
+  secureBootNotEnforced: 'Secure boot not enforced',
+  secureBootNoDbx: 'Secure boot enforced, but no dbx present',
+  secureBootStatus: 'Secure boot status',
+  secureBootWantedButCertificatesMissing: 'Secure boot wanted, but some EFI certificates are missing',
+  secureBootWantedButDisabled: 'Secure boot wanted, but disabled due to the VM being in UEFI setup mode',
   started: 'Started {ago}',
   paraVirtualizedMode: 'Paravirtualization (PV)',
+  propagateCertificatesButtonDisabled: 'This feature is only available for UEFI VMs.',
   hardwareVirtualizedMode: 'Hardware virtualization (HVM)',
   hvmModeWithPvDriversEnabled: 'Hardware virtualization with paravirtualization drivers enabled (PVHVM)',
   pvInPvhMode: 'PV inside a PVH container (PV in PVH)',
@@ -1446,6 +1454,13 @@ const messages = {
     'If the VTPM is in use, removing it will result in a dangerous data loss. Are you sure you want to remove the VTPM?',
   infoUnknownPciOnNonRunningVm:
     "When a VM is offline, it's not attached to any host, and therefore, it's impossible to determine the associated PCI devices, as it depends on the hardware environment in which it would be deployed.",
+  noSecureBoot: 'This pool was not setup for Guest UEFI SecureBoot yet',
+  notSetupForSecureBoot: 'This pool was not setup for Guest UEFI SecureBoot yet',
+  propagateCertificatesTitle: 'Propagate certificates',
+  propagateCertificatesConfirm:
+    "This will overwrite the VM's UEFI certificates with certificates defined at the pool level. Continue?",
+  propagateCertificates: "Copy the pool's default UEFI certificates to the VM",
+  propagateCertificatesSuccessful: 'Certificates propagated successfully',
   poolAutoPoweronDisabled: 'Auto power on is disabled at pool level, click to fix automatically.',
   vmRemoveButton: 'Remove',
   vmConvertToTemplateButton: 'Convert to template',

packages/xo-web/src/common/xo/index.js

@@ -732,6 +732,50 @@ subscribeXostorInterfaces.forceRefresh = sr => {
   subscription?.forceRefresh()
 }
 
+const subscribeVmSecurebootReadiness = {}
+export const subscribeSecurebootReadiness = id => {
+  const vmId = resolveId(id)
+
+  if (subscribeVmSecurebootReadiness[vmId] === undefined) {
+    subscribeVmSecurebootReadiness[vmId] = createSubscription(() => _call('vm.getSecurebootReadiness', { id: vmId }), {
+      polling: 3e4,
+    })
+  }
+
+  return subscribeVmSecurebootReadiness[vmId]
+}
+subscribeSecurebootReadiness.forceRefresh = vm => {
+  if (vm === undefined) {
+    forEach(subscribeVmSecurebootReadiness, subscription => subscription.forceRefresh())
+    return
+  }
+
+  const subscription = subscribeVmSecurebootReadiness[resolveId(vm)]
+  subscription?.forceRefresh()
+}
+
+const subscribePoolGuestSecurebootReadiness = {}
+export const subscribeGetGuestSecurebootReadiness = pool => {
+  const poolId = resolveId(pool)
+
+  if (subscribePoolGuestSecurebootReadiness[poolId] === undefined) {
+    subscribePoolGuestSecurebootReadiness[poolId] = createSubscription(() =>
+      _call('pool.getGuestSecureBootReadiness', { id: poolId })
+    )
+  }
+
+  return subscribePoolGuestSecurebootReadiness[poolId]
+}
+subscribePoolGuestSecurebootReadiness.forceRefresh = pool => {
+  if (pool === undefined) {
+    forEach(subscribePoolGuestSecurebootReadiness, subscription => subscription.forceRefresh())
+    return
+  }
+
+  const subscription = subscribePoolGuestSecurebootReadiness[resolveId(pool)]
+  subscription?.forceRefresh()
+}
+
 // System ============================================================
 
 export const apiMethods = _call('system.getMethodsInfo')
@@ -1408,6 +1452,9 @@ export const vmAttachPcis = (vm, pcis) => _call('vm.attachPcis', { id: resolveId
 
 export const vmDetachPcis = (vm, pciIds) => _call('vm.detachPcis', { id: resolveId(vm), pciIds })
 
+export const vmSetUefiMode = (vm, mode) =>
+  _call('vm.set', { id: resolveId(vm), uefiMode: mode })::tap(() => subscribeSecurebootReadiness.forceRefresh(vm))
+
 // Containers --------------------------------------------------------
 
 export const pauseContainer = (vm, container) => _call('docker.pause', { vm: resolveId(vm), container })

packages/xo-web/src/xo-app/vm/tab-advanced.js

@@ -11,11 +11,12 @@ import React from 'react'
 import renderXoItem from 'render-xo-item'
 import SelectBootFirmware from 'select-boot-firmware'
 import SelectCoresPerSocket from 'select-cores-per-socket'
+import semver from 'semver'
 import SortedTable from 'sorted-table'
 import StateButton from 'state-button'
 import TabButton from 'tab-button'
 import Tooltip from 'tooltip'
-import { error } from 'notification'
+import { error, success } from 'notification'
 import { confirm } from 'modal'
 import { Container, Row, Col } from 'grid'
 import { CustomFields } from 'custom-fields'
@@ -56,6 +57,7 @@ import {
   unplugVusb,
   vmAttachPcis,
   vmDetachPcis,
+  vmSetUefiMode,
   vmWarmMigration,
   XEN_DEFAULT_CPU_CAP,
   XEN_DEFAULT_CPU_WEIGHT,
@@ -68,6 +70,7 @@ import { SelectSuspendSr } from 'select-suspend-sr'
 import BootOrder from './boot-order'
 import VusbCreateModal from './vusb-create-modal'
 import PciAttachModal from './pci-attach-modal'
+import { subscribeSecurebootReadiness, subscribeGetGuestSecurebootReadiness } from '../../common/xo'
 
 // Button's height = react-select's height(36 px) + react-select's border-width(1 px) * 2
 // https://github.com/JedWatson/react-select/blob/916ab0e62fc7394be8e24f22251c399a68de8b1c/less/select.less#L21, L22
@@ -189,6 +192,15 @@ const PCI_ACTIONS = [
   },
 ]
 
+const SECUREBOOT_STATUS_MESSAGES = {
+  disabled: _('secureBootNotEnforced'),
+  first_boot: _('secureBootEnforcedPendingBoot'),
+  ready: _('secureBootEnforced'),
+  ready_no_dbx: _('secureBootNoDbx'),
+  setup_mode: _('secureBootWantedButDisabled'),
+  certs_incomplete: _('secureBootWantedButCertificatesMissing'),
+}
+
 const forceReboot = vm => restartVm(vm, true)
 const forceShutdown = vm => stopVm(vm, true)
 const fullCopy = vm => cloneVm(vm, true)
@@ -508,6 +520,10 @@ const NIC_TYPE_OPTIONS = [
   },
 ]
 
+@addSubscriptions(({ vm }) => ({
+  vmSecurebootReadiness: subscribeSecurebootReadiness(vm),
+  poolGuestSecurebootReadiness: subscribeGetGuestSecurebootReadiness(vm.$pool),
+}))
 @connectStore(() => {
   const getVgpus = createGetObjectsOfType('vgpu').pick((_, { vm }) => vm.$VGPUs)
   const getGpuGroup = createGetObjectsOfType('gpuGroup').pick(createSelector(getVgpus, vgpus => map(vgpus, 'gpuGroup')))
@@ -669,15 +685,46 @@ export default class TabAdvanced extends Component {
     return isPciPassthroughAvailable(host) ? undefined : _('onlyAvailableXcp8.3OrHigher')
   }
 
+  _confirmUefiMode = async () => {
+    const { vm, vmSecurebootReadiness } = this.props
+    const confirmNeeded =
+      vmSecurebootReadiness === 'disabled' ||
+      vmSecurebootReadiness === 'ready' ||
+      vmSecurebootReadiness === 'ready_no_dbx'
+
+    if (confirmNeeded) {
+      await confirm({
+        title: _('propagateCertificatesTitle'),
+        body: <p>{_('propagateCertificatesConfirm')}</p>,
+      })
+    }
+
+    await vmSetUefiMode(vm, 'user')
+    success(_('propagateCertificatesTitle'), _('propagateCertificatesSuccessful'))
+  }
+
   render() {
-    const { container, isAdmin, pusbByUsbGroup, vgpus, vm, vmPool, vusbs } = this.props
+    const {
+      container,
+      isAdmin,
+      poolGuestSecurebootReadiness,
+      pusbByUsbGroup,
+      vgpus,
+      vm,
+      vmPool,
+      vmSecurebootReadiness,
+      vusbs,
+    } = this.props
     const isWarmMigrationAvailable = getXoaPlan().value >= PREMIUM.value
     const addVtpmTooltip = this._getDisabledAddVtpmReason()
     const deleteVtpmTooltip = this._getDisabledDeleteVtpmReason()
+    const host = this.props.vmHosts[vm.$container]
     const isAddVtpmAvailable = addVtpmTooltip === undefined
     const isDeleteVtpmAvailable = deleteVtpmTooltip === undefined
+    const isDisabled = poolGuestSecurebootReadiness === 'not_ready' || vm.boot.firmware !== 'uefi'
     const vtpmId = vm.VTPMs[0]
     const pciAttachButtonTooltip = this._getPciAttachButtonTooltip()
+
     return (
       <Container>
         <Row>
@@ -1042,6 +1089,76 @@ export default class TabAdvanced extends Component {
                     </td>
                   </tr>
                 )}
+                {vm.boot.firmware === 'uefi' && (
+                  <tr>
+                    <th>{_('secureBoot')}</th>
+                    <td>
+                      <Toggle value={vm.secureBoot} onChange={value => editVm(vm, { secureBoot: value })} />
+                      <a
+                        className='text-muted'
+                        href='https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot'
+                        rel='noreferrer'
+                        style={{ display: 'block' }}
+                        target='_blank'
+                      >
+                        <Icon icon='info' /> {_('secureBootLinkToDocumentationMessage')}
+                      </a>
+                    </td>
+                  </tr>
+                )}
+                {vm.boot.firmware === 'uefi' &&
+                  semver.satisfies(host?.version, '>=8.3.0') && [
+                    <tr key='secureBootStatus'>
+                      <th>{_('secureBootStatus')}</th>
+                      <td>
+                        {SECUREBOOT_STATUS_MESSAGES[vmSecurebootReadiness]}
+                        {(vmSecurebootReadiness === 'setup_mode' ||
+                          vmSecurebootReadiness === 'certs_incomplete' ||
+                          vmSecurebootReadiness === 'ready_no_dbx') &&
+                          host?.productBrand === 'XCP-ng' && (
+                            <a
+                              className='text-warning'
+                              href='https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#troubleshoot-guest-secure-boot-issues'
+                              rel='noreferrer'
+                              style={{ display: 'block' }}
+                              target='_blank'
+                            >
+                              <Icon icon='alarm' /> {_('secureBootLinkToDocumentationMessage')}
+                            </a>
+                          )}
+                      </td>
+                    </tr>,
+                    <tr key='propagateCertificatesButton'>
+                      <th>{_('propagateCertificatesTitle')} </th>
+                      <td>
+                        <ActionButton
+                          btnStyle='primary'
+                          disabled={isDisabled}
+                          handler={this._confirmUefiMode}
+                          icon='vm-clone'
+                        >
+                          {_('propagateCertificates')}
+                        </ActionButton>
+                        {isDisabled && vm.boot.firmware !== 'uefi' && (
+                          <div className='text-warning'>
+                            <Icon icon='alarm' />
+                            {_('propagateCertificatesButtonDisabled')}
+                          </div>
+                        )}
+                        {poolGuestSecurebootReadiness === 'not_ready' && (
+                          <a
+                            className='text-warning'
+                            href='https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#configure-the-pool'
+                            rel='noreferrer'
+                            style={{ display: 'block' }}
+                            target='_blank'
+                          >
+                            <Icon icon='alarm' /> {_('noSecureBoot')}
+                          </a>
+                        )}
+                      </td>
+                    </tr>,
+                  ]}
                 <tr>
                   <th>{_('vtpm')}</th>
                   <td>
@@ -1095,23 +1212,6 @@ export default class TabAdvanced extends Component {
                     )}
                   </td>
                 </tr>
-                {vm.boot.firmware === 'uefi' && (
-                  <tr>
-                    <th>{_('secureBoot')}</th>
-                    <td>
-                      <Toggle value={vm.secureBoot} onChange={value => editVm(vm, { secureBoot: value })} />
-                      <a
-                        className='text-muted'
-                        href='https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot'
-                        rel='noopener noreferrer'
-                        style={{ display: 'block' }}
-                        target='_blank'
-                      >
-                        <Icon icon='info' /> {_('secureBootLinkToDocumentationMessage')}
-                      </a>
-                    </td>
-                  </tr>
-                )}
                 <tr>
                   <th>{_('customFields')}</th>
                   <td>