vmgs: reprovision marker and guest state command line (#2126)

Adds a reprovisioned marker to the VMGS header to prevent the VMGS from
repeatedly being reset when GuestStateLifetime is set to Reprovision.
Adds HCL_DEFAULT_BOOT_ALWAYS_ATTEMPT, HCL_GUEST_STATE_LIFETIME, and
HCL_STRICT_ENCRYPTION_POLICY so that these behaviors can be controlled
on hosts without the required WMI properties. Refactors
OPENHCL_DISABLE_UEFI_FRONTPAGE to be treated similarly. Adds Hyper-V
tests for default boot and reprovision that are now possible with these
changes.

Author: tjones60

openhcl/underhill_core/src/lib.rs

@@ -328,7 +328,10 @@ async fn launch_workers(
         nvme_always_flr: opt.nvme_always_flr,
         test_configuration: opt.test_configuration,
         disable_uefi_frontpage: opt.disable_uefi_frontpage,
+        default_boot_always_attempt: opt.default_boot_always_attempt,
+        guest_state_lifetime: opt.guest_state_lifetime,
         guest_state_encryption_policy: opt.guest_state_encryption_policy,
+        strict_encryption_policy: opt.strict_encryption_policy,
         attempt_ak_cert_callback: opt.attempt_ak_cert_callback,
         enable_vpci_relay: opt.enable_vpci_relay,
     };

openhcl/underhill_core/src/loader/mod.rs

@@ -95,8 +95,6 @@ pub struct Config {
     /// A string to append to the current VTL0 command line. Currently only used
     /// when booting linux directly.
     pub cmdline_append: CString,
-    /// Disable the UEFI frontpage or not, if loading UEFI.
-    pub disable_uefi_frontpage: bool,
 }
 
 /// Load VTL0 based on measured config. Returns any VP state that should be set.
@@ -133,7 +131,6 @@ pub fn load(
                 platform_config,
                 caps,
                 isolated,
-                config.disable_uefi_frontpage,
             )?;
             uefi_info.vp_context.clone()
         }
@@ -415,7 +412,6 @@ pub fn write_uefi_config(
     platform_config: &DevicePlatformSettings,
     caps: &virt::PartitionCapabilities,
     isolated: bool,
-    disable_frontpage: bool,
 ) -> Result<(), Error> {
     use guest_emulation_transport::api::platform_settings::UefiConsoleMode;
 
@@ -626,7 +622,7 @@ pub fn write_uefi_config(
 
         // Frontpage is disabled if either the host requests it, or the openhcl
         // cmdline specifies it.
-        flags.set_disable_frontpage(disable_frontpage || platform_config.general.disable_frontpage);
+        flags.set_disable_frontpage(platform_config.general.disable_frontpage);
 
         flags.set_console(match platform_config.general.console_mode {
             UefiConsoleMode::Default => config::ConsolePort::Default,

openhcl/underhill_core/src/options.rs

@@ -12,6 +12,7 @@ use std::collections::BTreeMap;
 use std::ffi::OsStr;
 use std::ffi::OsString;
 use std::path::PathBuf;
+use std::str::FromStr;
 
 #[derive(Clone, Debug, MeshPayload)]
 pub enum TestScenarioConfig {
@@ -20,7 +21,7 @@ pub enum TestScenarioConfig {
     SaveStuck,
 }
 
-impl std::str::FromStr for TestScenarioConfig {
+impl FromStr for TestScenarioConfig {
     type Err = anyhow::Error;
 
     fn from_str(s: &str) -> Result<TestScenarioConfig, anyhow::Error> {
@@ -33,6 +34,28 @@ impl std::str::FromStr for TestScenarioConfig {
     }
 }
 
+#[derive(Clone, Debug, MeshPayload)]
+pub enum GuestStateLifetimeCli {
+    Default,
+    ReprovisionOnFailure,
+    Reprovision,
+    Ephemeral,
+}
+
+impl FromStr for GuestStateLifetimeCli {
+    type Err = anyhow::Error;
+
+    fn from_str(s: &str) -> Result<GuestStateLifetimeCli, anyhow::Error> {
+        match s {
+            "DEFAULT" | "0" => Ok(GuestStateLifetimeCli::Default),
+            "REPROVISION_ON_FAILURE" | "1" => Ok(GuestStateLifetimeCli::ReprovisionOnFailure),
+            "REPROVISION" | "2" => Ok(GuestStateLifetimeCli::Reprovision),
+            "EPHEMERAL" | "3" => Ok(GuestStateLifetimeCli::Ephemeral),
+            _ => Err(anyhow::anyhow!("Invalid lifetime: {}", s)),
+        }
+    }
+}
+
 #[derive(Clone, Debug, MeshPayload)]
 pub enum GuestStateEncryptionPolicyCli {
     Auto,
@@ -41,7 +64,7 @@ pub enum GuestStateEncryptionPolicyCli {
     GspKey,
 }
 
-impl std::str::FromStr for GuestStateEncryptionPolicyCli {
+impl FromStr for GuestStateEncryptionPolicyCli {
     type Err = anyhow::Error;
 
     fn from_str(s: &str) -> Result<GuestStateEncryptionPolicyCli, anyhow::Error> {
@@ -178,12 +201,23 @@ pub struct Options {
     /// (OPENHCL_DISABLE_UEFI_FRONTPAGE=1) Disable the frontpage in UEFI which
     /// will result in UEFI terminating, shutting down the guest instead of
     /// showing the frontpage.
-    pub disable_uefi_frontpage: bool,
+    pub disable_uefi_frontpage: Option<bool>,
+
+    /// (HCL_DEFAULT_BOOT_ALWAYS_ATTEMPT=1) Instruct UEFI to always attempt a
+    /// default boot, even if existing boot entries fail.
+    pub default_boot_always_attempt: Option<bool>,
+
+    /// (HCL_GUEST_STATE_LIFETIME=\<GuestStateLifetimeCli\>)
+    /// Specify which guest state lifetime to use.
+    pub guest_state_lifetime: Option<GuestStateLifetimeCli>,
 
     /// (HCL_GUEST_STATE_ENCRYPTION_POLICY=\<GuestStateEncryptionPolicyCli\>)
     /// Specify which guest state encryption policy to use.
     pub guest_state_encryption_policy: Option<GuestStateEncryptionPolicyCli>,
 
+    /// (HCL_STRICT_ENCRYPTION_POLICY=1) Strict guest state encryption policy.
+    pub strict_encryption_policy: Option<bool>,
+
     /// (HCL_ATTEMPT_AK_CERT_CALLBACK=1) Attempt to renew the AK cert.
     /// If not specified, use the configuration in DPSv2 ManagementVtlFeatures.
     pub attempt_ak_cert_callback: Option<bool>,
@@ -208,7 +242,7 @@ impl Options {
 
         // Reads an environment variable, falling back to a legacy variable (replacing
         // "OPENHCL_" with "UNDERHILL_") if the original is not set.
-        let legacy_openhcl_env = |name: &str| -> Option<&OsString> {
+        let read_legacy_openhcl_env = |name: &str| -> Option<&OsString> {
             env.get::<OsStr>(name.as_ref()).or_else(|| {
                 env.get::<OsStr>(
                     format!(
@@ -221,8 +255,7 @@ impl Options {
         };
 
         // Reads an environment variable strings.
-        let parse_env_string =
-            |name: &str| -> Option<&OsString> { env.get::<OsStr>(name.as_ref()) };
+        let read_env = |name: &str| -> Option<&OsString> { env.get::<OsStr>(name.as_ref()) };
 
         fn parse_bool_opt(value: Option<&OsString>) -> anyhow::Result<Option<bool>> {
             value
@@ -245,9 +278,14 @@ impl Options {
             parse_bool_opt(value).ok().flatten().unwrap_or_default()
         }
 
-        let parse_legacy_env_bool = |name| parse_bool(legacy_openhcl_env(name));
-        let parse_env_bool = |name: &str| parse_bool(parse_env_string(name));
-        let parse_env_bool_opt = |name: &str| parse_bool_opt(parse_env_string(name));
+        let parse_legacy_env_bool = |name| parse_bool(read_legacy_openhcl_env(name));
+        let parse_env_bool = |name: &str| parse_bool(read_env(name));
+        let parse_env_bool_opt = |name: &str| {
+            parse_bool_opt(read_env(name))
+                .map_err(|e| tracing::warn!("failed to parse {name}: {e:#}"))
+                .ok()
+                .flatten()
+        };
 
         fn parse_number(value: Option<&OsString>) -> anyhow::Result<Option<u64>> {
             value
@@ -260,29 +298,29 @@ impl Options {
         }
 
         let parse_legacy_env_number = |name| {
-            parse_number(legacy_openhcl_env(name))
+            parse_number(read_legacy_openhcl_env(name))
                 .context(format!("parsing legacy env number: {name}"))
         };
 
         let mut wait_for_start = parse_legacy_env_bool("OPENHCL_WAIT_FOR_START");
         let mut reformat_vmgs = parse_legacy_env_bool("OPENHCL_REFORMAT_VMGS");
-        let mut pid = legacy_openhcl_env("OPENHCL_PID_FILE_PATH")
+        let mut pid = read_legacy_openhcl_env("OPENHCL_PID_FILE_PATH")
             .map(|x| x.to_string_lossy().into_owned().into());
-        let vmbus_max_version = legacy_openhcl_env("OPENHCL_VMBUS_MAX_VERSION")
+        let vmbus_max_version = read_legacy_openhcl_env("OPENHCL_VMBUS_MAX_VERSION")
             .map(|x| {
                 vmbus_core::parse_vmbus_version(&(x.to_string_lossy()))
                     .map_err(|x| anyhow::anyhow!("Error parsing vmbus max version: {}", x))
             })
             .transpose()?;
         let vmbus_enable_mnf =
-            legacy_openhcl_env("OPENHCL_VMBUS_ENABLE_MNF").map(|v| parse_bool(Some(v)));
+            read_legacy_openhcl_env("OPENHCL_VMBUS_ENABLE_MNF").map(|v| parse_bool(Some(v)));
         let vmbus_force_confidential_external_memory =
             parse_env_bool("OPENHCL_VMBUS_FORCE_CONFIDENTIAL_EXTERNAL_MEMORY");
         let vmbus_channel_unstick_delay_ms =
             parse_legacy_env_number("OPENHCL_VMBUS_CHANNEL_UNSTICK_DELAY_MS")?;
-        let cmdline_append =
-            legacy_openhcl_env("OPENHCL_CMDLINE_APPEND").map(|x| x.to_string_lossy().into_owned());
-        let force_load_vtl0_image = legacy_openhcl_env("OPENHCL_FORCE_LOAD_VTL0_IMAGE")
+        let cmdline_append = read_legacy_openhcl_env("OPENHCL_CMDLINE_APPEND")
+            .map(|x| x.to_string_lossy().into_owned());
+        let force_load_vtl0_image = read_legacy_openhcl_env("OPENHCL_FORCE_LOAD_VTL0_IMAGE")
             .map(|x| x.to_string_lossy().into_owned());
         let mut vnc_port = parse_legacy_env_number("OPENHCL_VNC_PORT")?.map(|x| x as u32);
         let framebuffer_gpa_base = parse_legacy_env_number("OPENHCL_FRAMEBUFFER_GPA_BASE")?;
@@ -299,7 +337,7 @@ impl Options {
         let gdbstub_port = parse_legacy_env_number("OPENHCL_GDBSTUB_PORT")?.map(|x| x as u32);
         let nvme_keep_alive = parse_env_bool("OPENHCL_NVME_KEEP_ALIVE");
         let nvme_always_flr = parse_env_bool("OPENHCL_NVME_ALWAYS_FLR");
-        let test_configuration = parse_env_string("OPENHCL_TEST_CONFIG").and_then(|x| {
+        let test_configuration = read_env("OPENHCL_TEST_CONFIG").and_then(|x| {
             x.to_string_lossy()
                 .parse::<TestScenarioConfig>()
                 .map_err(|e| {
@@ -310,24 +348,27 @@ impl Options {
                 })
                 .ok()
         });
-        let disable_uefi_frontpage = parse_env_bool("OPENHCL_DISABLE_UEFI_FRONTPAGE");
+        let disable_uefi_frontpage = parse_env_bool_opt("OPENHCL_DISABLE_UEFI_FRONTPAGE");
         let signal_vtl0_started = parse_env_bool("OPENHCL_SIGNAL_VTL0_STARTED");
-        let guest_state_encryption_policy = parse_env_string("HCL_GUEST_STATE_ENCRYPTION_POLICY")
-            .and_then(|x| {
+        let default_boot_always_attempt = parse_env_bool_opt("HCL_DEFAULT_BOOT_ALWAYS_ATTEMPT");
+        let guest_state_lifetime = read_env("HCL_GUEST_STATE_LIFETIME").and_then(|x| {
+            x.to_string_lossy()
+                .parse::<GuestStateLifetimeCli>()
+                .map_err(|e| tracing::warn!("failed to parse HCL_GUEST_STATE_LIFETIME: {:#}", e))
+                .ok()
+        });
+        let guest_state_encryption_policy =
+            read_env("HCL_GUEST_STATE_ENCRYPTION_POLICY").and_then(|x| {
                 x.to_string_lossy()
                     .parse::<GuestStateEncryptionPolicyCli>()
                     .map_err(|e| {
                         tracing::warn!("failed to parse HCL_GUEST_STATE_ENCRYPTION_POLICY: {:#}", e)
                     })
                     .ok()
             });
-        let attempt_ak_cert_callback = parse_env_bool_opt("HCL_ATTEMPT_AK_CERT_CALLBACK")
-            .map_err(|e| tracing::warn!("failed to parse HCL_ATTEMPT_AK_CERT_CALLBACK: {:#}", e))
-            .ok()
-            .flatten();
-        let enable_vpci_relay = parse_env_bool_opt("OPENHCL_ENABLE_VPCI_RELAY")
-            .ok()
-            .flatten();
+        let strict_encryption_policy = parse_env_bool_opt("HCL_STRICT_ENCRYPTION_POLICY");
+        let attempt_ak_cert_callback = parse_env_bool_opt("HCL_ATTEMPT_AK_CERT_CALLBACK");
+        let enable_vpci_relay = parse_env_bool_opt("OPENHCL_ENABLE_VPCI_RELAY");
 
         let mut args = std::env::args().chain(extra_args);
         // Skip our own filename.
@@ -385,7 +426,10 @@ impl Options {
             nvme_always_flr,
             test_configuration,
             disable_uefi_frontpage,
+            default_boot_always_attempt,
+            guest_state_lifetime,
             guest_state_encryption_policy,
+            strict_encryption_policy,
             attempt_ak_cert_callback,
             enable_vpci_relay,
         })

openhcl/underhill_core/src/worker.rs

@@ -46,6 +46,7 @@ use crate::nvme_manager::manager::NvmeDiskConfig;
 use crate::nvme_manager::manager::NvmeDiskResolver;
 use crate::nvme_manager::manager::NvmeManager;
 use crate::options::GuestStateEncryptionPolicyCli;
+use crate::options::GuestStateLifetimeCli;
 use crate::options::TestScenarioConfig;
 use crate::reference_time::ReferenceTime;
 use crate::servicing;
@@ -291,9 +292,15 @@ pub struct UnderhillEnvCfg {
     /// test configuration
     pub test_configuration: Option<TestScenarioConfig>,
     /// Disable the UEFI front page.
-    pub disable_uefi_frontpage: bool,
+    pub disable_uefi_frontpage: Option<bool>,
+    /// Always attempt a default boot
+    pub default_boot_always_attempt: Option<bool>,
+    /// Guest state lifetime
+    pub guest_state_lifetime: Option<GuestStateLifetimeCli>,
     /// Guest state encryption policy
     pub guest_state_encryption_policy: Option<GuestStateEncryptionPolicyCli>,
+    /// Strict guest state encryption policy
+    pub strict_encryption_policy: Option<bool>,
     /// Attempt to renew the AK cert
     pub attempt_ak_cert_callback: Option<bool>,
     /// Enable the VPCI relay
@@ -1218,11 +1225,30 @@ async fn new_underhill_vm(
 
     // override dps values with env_cfg values as necessary
     let dps = {
-        if let Some(value) = env_cfg.attempt_ak_cert_callback {
-            tracing::info!("using HCL_ATTEMPT_AK_CERT_CALLBACK={value} from cmdline");
-            dps.general
-                .management_vtl_features
-                .set_attempt_ak_cert_callback(value);
+        if let Some(value) = env_cfg.disable_uefi_frontpage {
+            tracing::info!("using OPENHCL_DISABLE_UEFI_FRONTPAGE={value} from cmdline");
+            dps.general.disable_frontpage = value;
+        }
+
+        if let Some(value) = env_cfg.default_boot_always_attempt {
+            tracing::info!("using HCL_DEFAULT_BOOT_ALWAYS_ATTEMPT={value} from cmdline");
+            dps.general.default_boot_always_attempt = value;
+        }
+
+        if let Some(lifetime) = env_cfg.guest_state_lifetime {
+            tracing::info!("using HCL_GUEST_STATE_LIFETIME={lifetime:?} from cmdline");
+            dps.general.guest_state_lifetime = match lifetime {
+                GuestStateLifetimeCli::Default => GuestStateLifetime::Default,
+                GuestStateLifetimeCli::ReprovisionOnFailure => {
+                    GuestStateLifetime::ReprovisionOnFailure
+                }
+                GuestStateLifetimeCli::Reprovision => GuestStateLifetime::Reprovision,
+                GuestStateLifetimeCli::Ephemeral => GuestStateLifetime::Ephemeral,
+            };
+        }
+
+        if env_cfg.reformat_vmgs {
+            dps.general.guest_state_lifetime = GuestStateLifetime::Reprovision;
         }
 
         if let Some(policy) = env_cfg.guest_state_encryption_policy {
@@ -1235,6 +1261,20 @@ async fn new_underhill_vm(
             };
         }
 
+        if let Some(value) = env_cfg.strict_encryption_policy {
+            tracing::info!("using HCL_STRICT_ENCRYPTION_POLICY={value} from cmdline");
+            dps.general
+                .management_vtl_features
+                .set_strict_encryption_policy(value);
+        }
+
+        if let Some(value) = env_cfg.attempt_ak_cert_callback {
+            tracing::info!("using HCL_ATTEMPT_AK_CERT_CALLBACK={value} from cmdline");
+            dps.general
+                .management_vtl_features
+                .set_attempt_ak_cert_callback(value);
+        }
+
         dps
     };
 
@@ -1480,13 +1520,11 @@ async fn new_underhill_vm(
             let disk = Disk::new(disk).context("invalid vmgs disk")?;
             let logger = Arc::new(GetVmgsLogger::new(get_client.clone()));
 
-            let vmgs = if env_cfg.reformat_vmgs
-                || matches!(
-                    dps.general.guest_state_lifetime,
-                    GuestStateLifetime::Reprovision
-                ) {
-                tracing::info!(CVM_ALLOWED, "formatting vmgs file on request");
-                Vmgs::format_new(disk, Some(logger))
+            let vmgs = if matches!(
+                dps.general.guest_state_lifetime,
+                GuestStateLifetime::Reprovision
+            ) {
+                Vmgs::request_format(disk, Some(logger))
                     .instrument(tracing::info_span!("vmgs_format", CVM_ALLOWED))
                     .await
                     .context("failed to format vmgs")?
@@ -2572,7 +2610,8 @@ async fn new_underhill_vm(
         });
 
     if dps.general.tpm_enabled {
-        let no_persistent_secrets = dps.general.suppress_attestation.unwrap_or(false);
+        let no_persistent_secrets =
+            vmgs_client.is_none() || dps.general.suppress_attestation.unwrap_or(false);
         let (ppi_store, nvram_store) = if no_persistent_secrets {
             (
                 EphemeralNonVolatileStoreHandle.into_resource(),
@@ -3247,7 +3286,6 @@ async fn new_underhill_vm(
             load_kind,
             &dps,
             isolation.is_isolated(),
-            env_cfg.disable_uefi_frontpage,
         )
         .instrument(tracing::info_span!("load_firmware", CVM_ALLOWED))
         .await?;
@@ -3521,16 +3559,12 @@ async fn load_firmware(
     load_kind: LoadKind,
     dps: &DevicePlatformSettings,
     isolated: bool,
-    disable_uefi_frontpage: bool,
 ) -> Result<(), anyhow::Error> {
     let cmdline_append = match cmdline_append {
         Some(cmdline) => CString::new(cmdline.as_bytes()).context("bad command line")?,
         None => CString::default(),
     };
-    let loader_config = crate::loader::Config {
-        cmdline_append,
-        disable_uefi_frontpage,
-    };
+    let loader_config = crate::loader::Config { cmdline_append };
     let caps = partition.caps();
     let vtl0_vp_context = crate::loader::load(
         gm,