Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2223136/?format=api
{ "id": 2223136, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2223136/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260414141111.2471509-1-eashurov@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.1/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260414141111.2471509-1-eashurov@redhat.com>", "date": "2026-04-14T14:11:11", "name": "[v3] qga: add security info to guest-get-osinfo", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "403b309e916fc2fd81bd84a712111b8814f3c22b", "submitter": { "id": 91084, "url": "http://patchwork.ozlabs.org/api/1.1/people/91084/?format=api", "name": "Elizabeth Ashurov", "email": "eashurov@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260414141111.2471509-1-eashurov@redhat.com/mbox/", "series": [ { "id": 499853, "url": "http://patchwork.ozlabs.org/api/1.1/series/499853/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=499853", "date": "2026-04-14T14:11:11", "name": "[v3] qga: add security info to guest-get-osinfo", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/499853/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223136/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2223136/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=VlTaJUrs;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw5py2cgfz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 00:13:30 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wCeVv-0000GE-EZ; Tue, 14 Apr 2026 10:13:15 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <eashurov@redhat.com>)\n id 1wCeVt-0000G0-S9\n for qemu-devel@nongnu.org; Tue, 14 Apr 2026 10:13:13 -0400", "from us-smtp-delivery-124.mimecast.com ([170.10.133.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <eashurov@redhat.com>)\n id 1wCeVq-0004wN-7N\n for qemu-devel@nongnu.org; Tue, 14 Apr 2026 10:13:13 -0400", "from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-504-C6yv_4h6OLasXnoPj_dtbw-1; Tue,\n 14 Apr 2026 10:13:04 -0400", "from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 3F34419560B2\n for <qemu-devel@nongnu.org>; Tue, 14 Apr 2026 14:13:02 +0000 (UTC)", "from eashurov-thinkpadx1carbongen12.raanaii.csb (unknown\n [10.47.238.36])\n by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id E1813180049F; Tue, 14 Apr 2026 14:12:59 +0000 (UTC)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776175988;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n bh=Z4cAyYjhB1JL75emTOEhz758wY9XkPfXmhQM2nLHomA=;\n b=VlTaJUrshjT2OVItWQC6qqQFWOmevMPHet6I1rf4rk6u39uQN8tXDV0tZxzZEC8IkuFepV\n hdFZ8PbbQnEcU+NARwhPjeiXSfYy3EoNHOZuXgcp4TjUis0YdlP+aQTiYmLr+dVwi4HAsr\n npowzt3EnHNHDm7woQW9N+RV+PCPORo=", "X-MC-Unique": "C6yv_4h6OLasXnoPj_dtbw-1", "X-Mimecast-MFC-AGG-ID": "C6yv_4h6OLasXnoPj_dtbw_1776175982", "From": "Elizabeth Ashurov <eashurov@redhat.com>", "To": "qemu-devel@nongnu.org", "Cc": "kkostiuk@redhat.com, berrange@redhat.com, armbru@redhat.com,\n yvugenfi@redhat.com, Elizabeth Ashurov <eashurov@redhat.com>", "Subject": "[PATCH v3] qga: add security info to guest-get-osinfo", "Date": "Tue, 14 Apr 2026 17:11:11 +0300", "Message-ID": "<20260414141111.2471509-1-eashurov@redhat.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.93", "Received-SPF": "pass client-ip=170.10.133.124;\n envelope-from=eashurov@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com", "X-Spam_score_int": "27", "X-Spam_score": "2.7", "X-Spam_bar": "++", "X-Spam_report": "(2.7 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.54,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_SBL_CSS=3.335,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,\n URI_TRY_3LD=1.997 autolearn=no autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "Extend guest-get-osinfo to include security features status\n(VBS, Secure Boot, TPM) in a nested 'security' field.\nOS-specific data (e.g. Windows DeviceGuard) is separated\nusing a union to allow future per-OS extensions.\n\nTPM and Secure Boot information are represented as dedicated\nstructs (GuestSecurityTPMInfo and GuestSecuritySecureBootInfo).\n\nThe implementation queries Win32_DeviceGuard and Win32_Tpm via\nWMI, and reads UEFI variables (SecureBoot, SetupMode, AuditMode,\nDeployedMode) through GetFirmwareEnvironmentVariable().\n\nSigned-off-by: Elizabeth Ashurov <eashurov@redhat.com>\n---\n qga/commands-win32.c | 437 +++++++++++++++++++++++++++++++++++++++++++\n qga/qapi-schema.json | 134 ++++++++++++-\n 2 files changed, 570 insertions(+), 1 deletion(-)", "diff": "diff --git a/qga/commands-win32.c b/qga/commands-win32.c\nindex c0bf3467bd..0c8ab5af1b 100644\n--- a/qga/commands-win32.c\n+++ b/qga/commands-win32.c\n@@ -28,6 +28,7 @@\n #include <wtsapi32.h>\n #include <wininet.h>\n #include <pdh.h>\n+#include <wbemidl.h>\n \n #include \"guest-agent-core.h\"\n #include \"vss-win32.h\"\n@@ -2252,6 +2253,8 @@ static char *ga_get_current_arch(void)\n return result;\n }\n \n+static void populate_security_info(GuestOSInfo *osinfo);\n+\n GuestOSInfo *qmp_guest_get_osinfo(Error **errp)\n {\n Error *local_err = NULL;\n@@ -2289,6 +2292,8 @@ GuestOSInfo *qmp_guest_get_osinfo(Error **errp)\n info->variant = g_strdup(server ? \"server\" : \"client\");\n info->variant_id = g_strdup(server ? \"server\" : \"client\");\n \n+ populate_security_info(info);\n+\n return info;\n }\n \n@@ -2764,3 +2769,435 @@ GuestNetworkRouteList *qmp_guest_network_get_route(Error **errp)\n g_hash_table_destroy(interface_metric_cache);\n return head;\n }\n+\n+/*\n+ * WMI GUIDs\n+ */\n+static const GUID qga_CLSID_WbemLocator = {\n+ 0x4590f811, 0x1d3a, 0x11d0,\n+ {0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}\n+};\n+static const GUID qga_IID_IWbemLocator = {\n+ 0xdc12a687, 0x737f, 0x11cf,\n+ {0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}\n+};\n+\n+static IWbemServices *wmi_connect_to_namespace(const wchar_t *namespace_path,\n+ Error **errp)\n+{\n+ HRESULT hr;\n+ IWbemLocator *locator = NULL;\n+ IWbemServices *services = NULL;\n+ BSTR bstr_ns = SysAllocString(namespace_path);\n+\n+ if (!bstr_ns) {\n+ error_setg(errp, \"failed to allocate WMI namespace string\");\n+ return NULL;\n+ }\n+\n+ hr = CoCreateInstance(&qga_CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER,\n+ &qga_IID_IWbemLocator, (LPVOID *)&locator);\n+ if (FAILED(hr)) {\n+ error_setg_win32(errp, hr, \"failed to create IWbemLocator\");\n+ goto out;\n+ }\n+\n+ hr = locator->lpVtbl->ConnectServer(locator, bstr_ns, NULL, NULL, NULL,\n+ 0, NULL, NULL, &services);\n+ if (FAILED(hr)) {\n+ error_setg_win32(errp, hr, \"failed to connect to WMI namespace\");\n+ goto out;\n+ }\n+\n+ hr = CoSetProxyBlanket((IUnknown *)services,\n+ RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL,\n+ RPC_C_AUTHN_LEVEL_CALL,\n+ RPC_C_IMP_LEVEL_IMPERSONATE,\n+ NULL, EOAC_NONE);\n+ if (FAILED(hr)) {\n+ error_setg_win32(errp, hr, \"failed to set WMI proxy blanket\");\n+ services->lpVtbl->Release(services);\n+ services = NULL;\n+ }\n+\n+out:\n+ SysFreeString(bstr_ns);\n+ if (locator) {\n+ locator->lpVtbl->Release(locator);\n+ }\n+ return services;\n+}\n+\n+static IEnumWbemClassObject *wmi_exec_query(IWbemServices *services,\n+ const wchar_t *query,\n+ Error **errp)\n+{\n+ HRESULT hr;\n+ IEnumWbemClassObject *enumerator = NULL;\n+ BSTR bstr_wql = SysAllocString(L\"WQL\");\n+ BSTR bstr_query = SysAllocString(query);\n+\n+ if (!bstr_wql || !bstr_query) {\n+ error_setg(errp, \"failed to allocate WMI query strings\");\n+ goto out;\n+ }\n+\n+ hr = services->lpVtbl->ExecQuery(services, bstr_wql, bstr_query,\n+ WBEM_FLAG_RETURN_IMMEDIATELY |\n+ WBEM_FLAG_FORWARD_ONLY,\n+ NULL, &enumerator);\n+ if (FAILED(hr)) {\n+ error_setg_win32(errp, hr, \"WMI query failed\");\n+ }\n+\n+out:\n+ SysFreeString(bstr_wql);\n+ SysFreeString(bstr_query);\n+ return enumerator;\n+}\n+\n+static HRESULT wmi_get_property(IWbemClassObject *obj, const wchar_t *name,\n+ VARIANT *var)\n+{\n+ return obj->lpVtbl->Get(obj, name, 0, var, NULL, NULL);\n+}\n+\n+/* Read a WMI integer property (VT_I4 or VT_UI4). */\n+static bool wmi_get_int_property(IWbemClassObject *obj,\n+ const wchar_t *name,\n+ int64_t *out)\n+{\n+ VARIANT var;\n+ bool ret = false;\n+\n+ VariantInit(&var);\n+ if (SUCCEEDED(wmi_get_property(obj, name, &var))) {\n+ if (V_VT(&var) == VT_I4) {\n+ *out = V_I4(&var);\n+ ret = true;\n+ } else if (V_VT(&var) == VT_UI4) {\n+ *out = V_UI4(&var);\n+ ret = true;\n+ }\n+ }\n+ VariantClear(&var);\n+ return ret;\n+}\n+\n+/* Read an integer SAFEARRAY WMI property into a QAPI intList. */\n+static bool wmi_safearray_to_int_list(IWbemClassObject *obj,\n+ const wchar_t *prop_name,\n+ intList **list)\n+{\n+ VARIANT var;\n+ HRESULT hr;\n+ LONG lb, ub, i;\n+ uint32_t *data = NULL;\n+\n+ VariantInit(&var);\n+ hr = wmi_get_property(obj, prop_name, &var);\n+ if (FAILED(hr) || V_VT(&var) == VT_NULL) {\n+ VariantClear(&var);\n+ return false;\n+ }\n+\n+ if (!(V_VT(&var) & VT_ARRAY)) {\n+ VariantClear(&var);\n+ return false;\n+ }\n+\n+ SAFEARRAY *sa = V_ARRAY(&var);\n+ if (FAILED(SafeArrayGetLBound(sa, 1, &lb)) ||\n+ FAILED(SafeArrayGetUBound(sa, 1, &ub))) {\n+ VariantClear(&var);\n+ return false;\n+ }\n+\n+ if (FAILED(SafeArrayAccessData(sa, (void **)&data))) {\n+ VariantClear(&var);\n+ return false;\n+ }\n+\n+ intList **tail = list;\n+ for (i = 0; i <= ub - lb; i++) {\n+ QAPI_LIST_APPEND(tail, (int64_t)data[i]);\n+ }\n+\n+ SafeArrayUnaccessData(sa);\n+ VariantClear(&var);\n+ return true;\n+}\n+\n+/*\n+ * Query Win32_DeviceGuard WMI class for VBS and related properties.\n+ */\n+static void get_device_guard_info(GuestSecurityInfoWindows *info,\n+ Error **errp)\n+{\n+ Error *local_err = NULL;\n+ IWbemServices *services = NULL;\n+ IEnumWbemClassObject *enumerator = NULL;\n+ IWbemClassObject *obj = NULL;\n+ ULONG count = 0;\n+ HRESULT hr;\n+ int64_t val;\n+\n+ services = wmi_connect_to_namespace(\n+ L\"ROOT\\\\Microsoft\\\\Windows\\\\DeviceGuard\", &local_err);\n+ if (!services) {\n+ error_propagate(errp, local_err);\n+ return;\n+ }\n+\n+ enumerator = wmi_exec_query(services,\n+ L\"SELECT * FROM Win32_DeviceGuard\", &local_err);\n+ if (!enumerator) {\n+ error_propagate(errp, local_err);\n+ goto out;\n+ }\n+\n+ hr = enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1,\n+ &obj, &count);\n+ if (FAILED(hr)) {\n+ error_setg_win32(errp, hr, \"failed to enumerate Win32_DeviceGuard\");\n+ goto out;\n+ }\n+ if (count == 0) {\n+ error_setg(errp, \"no Win32_DeviceGuard instance found\");\n+ goto out;\n+ }\n+\n+ if (wmi_get_int_property(obj, L\"VirtualizationBasedSecurityStatus\",\n+ &val)) {\n+ info->has_vbs_status = true;\n+ info->vbs_status = val;\n+ }\n+\n+ if (wmi_get_int_property(obj, L\"CodeIntegrityPolicyEnforcementStatus\",\n+ &val)) {\n+ info->has_code_integrity_policy_enforcement_status = true;\n+ info->code_integrity_policy_enforcement_status = val;\n+ }\n+\n+ if (wmi_get_int_property(obj,\n+ L\"UsermodeCodeIntegrityPolicyEnforcementStatus\",\n+ &val)) {\n+ info->has_usr_cfg_code_integrity_policy_enforcement_status = true;\n+ info->usr_cfg_code_integrity_policy_enforcement_status = val;\n+ }\n+\n+ if (wmi_safearray_to_int_list(obj, L\"AvailableSecurityProperties\",\n+ &info->available_security_properties)) {\n+ info->has_available_security_properties = true;\n+ }\n+\n+ if (wmi_safearray_to_int_list(obj, L\"RequiredSecurityProperties\",\n+ &info->required_security_properties)) {\n+ info->has_required_security_properties = true;\n+ }\n+\n+ if (wmi_safearray_to_int_list(obj, L\"SecurityServicesConfigured\",\n+ &info->security_services_configured)) {\n+ info->has_security_services_configured = true;\n+ }\n+\n+ if (wmi_safearray_to_int_list(obj, L\"SecurityServicesRunning\",\n+ &info->security_services_running)) {\n+ info->has_security_services_running = true;\n+ }\n+\n+ obj->lpVtbl->Release(obj);\n+ obj = NULL;\n+\n+ /* Drain remaining results */\n+ while (true) {\n+ hr = enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1,\n+ &obj, &count);\n+ if (FAILED(hr) || count == 0) {\n+ break;\n+ }\n+ obj->lpVtbl->Release(obj);\n+ obj = NULL;\n+ }\n+\n+out:\n+ if (obj) {\n+ obj->lpVtbl->Release(obj);\n+ }\n+ if (enumerator) {\n+ enumerator->lpVtbl->Release(enumerator);\n+ }\n+ if (services) {\n+ services->lpVtbl->Release(services);\n+ }\n+}\n+\n+#define EFI_GLOBAL_VARIABLE_GUID \\\n+ \"{8be4df61-93ca-11d2-aa0d-00e098032b8c}\"\n+\n+/*\n+ * Read a single-byte UEFI variable. Returns true on success and\n+ * stores the value in *out. Returns false on failure.\n+ */\n+static bool read_efi_var(const char *name, BYTE *out)\n+{\n+ DWORD ret = GetFirmwareEnvironmentVariableA(\n+ name, EFI_GLOBAL_VARIABLE_GUID, out, sizeof(*out));\n+ return ret != 0;\n+}\n+\n+/*\n+ * Read UEFI Secure Boot variables. Returns NULL on legacy BIOS\n+ * systems or when the information is unavailable.\n+ */\n+static GuestSecuritySecureBootInfo *get_secure_boot_info(void)\n+{\n+ Error *local_err = NULL;\n+ GuestSecuritySecureBootInfo *sb;\n+ BYTE value = 0;\n+\n+ acquire_privilege(SE_SYSTEM_ENVIRONMENT_NAME, &local_err);\n+ if (local_err) {\n+ g_warning(\"SecureBoot privilege failed: %s\",\n+ error_get_pretty(local_err));\n+ error_free(local_err);\n+ return NULL;\n+ }\n+\n+ if (!read_efi_var(\"SecureBoot\", &value)) {\n+ DWORD err = GetLastError();\n+ if (err == ERROR_INVALID_FUNCTION) {\n+ return NULL;\n+ }\n+ if (err == ERROR_ENVVAR_NOT_FOUND) {\n+ sb = g_new0(GuestSecuritySecureBootInfo, 1);\n+ sb->enabled = false;\n+ return sb;\n+ }\n+ g_warning(\"failed to read SecureBoot UEFI variable: 0x%lx\", err);\n+ return NULL;\n+ }\n+\n+ sb = g_new0(GuestSecuritySecureBootInfo, 1);\n+ sb->enabled = (value == 1);\n+\n+ if (read_efi_var(\"SetupMode\", &value)) {\n+ sb->has_setup_mode = true;\n+ sb->setup_mode = (value == 1);\n+ }\n+\n+ if (read_efi_var(\"AuditMode\", &value)) {\n+ sb->has_audit_mode = true;\n+ sb->audit_mode = (value == 1);\n+ }\n+\n+ if (read_efi_var(\"DeployedMode\", &value)) {\n+ sb->has_deployed_mode = true;\n+ sb->deployed_mode = (value == 1);\n+ }\n+\n+ return sb;\n+}\n+\n+/*\n+ * Query Win32_Tpm WMI class for TPM presence and version.\n+ * Returns a GuestSecurityTPMInfo on success, or NULL if no TPM\n+ * is found or the namespace is unavailable.\n+ */\n+static GuestSecurityTPMInfo *get_tpm_info(void)\n+{\n+ Error *local_err = NULL;\n+ IWbemServices *services = NULL;\n+ IEnumWbemClassObject *enumerator = NULL;\n+ IWbemClassObject *obj = NULL;\n+ ULONG count = 0;\n+ HRESULT hr;\n+ VARIANT var;\n+ GuestSecurityTPMInfo *tpm = NULL;\n+\n+ services = wmi_connect_to_namespace(\n+ L\"ROOT\\\\CIMV2\\\\Security\\\\MicrosoftTpm\", &local_err);\n+ if (!services) {\n+ error_free(local_err);\n+ return NULL;\n+ }\n+\n+ enumerator = wmi_exec_query(services,\n+ L\"SELECT * FROM Win32_Tpm\", &local_err);\n+ if (!enumerator) {\n+ error_free(local_err);\n+ goto out;\n+ }\n+\n+ hr = enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1,\n+ &obj, &count);\n+ if (FAILED(hr) || count == 0) {\n+ goto out;\n+ }\n+\n+ tpm = g_new0(GuestSecurityTPMInfo, 1);\n+\n+ /* SpecVersion is \"major.minor, revision, errata\" e.g. \"2.0, 0, 1.59\" */\n+ VariantInit(&var);\n+ if (SUCCEEDED(wmi_get_property(obj, L\"SpecVersion\", &var)) &&\n+ V_VT(&var) == VT_BSTR && V_BSTR(&var)) {\n+ g_autofree char *version = g_utf16_to_utf8(\n+ (const gunichar2 *)V_BSTR(&var), -1, NULL, NULL, NULL);\n+ if (version) {\n+ char *dot = strchr(version, '.');\n+ if (dot) {\n+ *dot = '\\0';\n+ }\n+ tpm->major_version = g_ascii_strtoll(version, NULL, 10);\n+ }\n+ }\n+ VariantClear(&var);\n+\n+ obj->lpVtbl->Release(obj);\n+ obj = NULL;\n+\n+ /* Drain remaining results */\n+ while (true) {\n+ hr = enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1,\n+ &obj, &count);\n+ if (FAILED(hr) || count == 0) {\n+ break;\n+ }\n+ obj->lpVtbl->Release(obj);\n+ obj = NULL;\n+ }\n+\n+out:\n+ if (obj) {\n+ obj->lpVtbl->Release(obj);\n+ }\n+ if (enumerator) {\n+ enumerator->lpVtbl->Release(enumerator);\n+ }\n+ if (services) {\n+ services->lpVtbl->Release(services);\n+ }\n+ return tpm;\n+}\n+\n+static void populate_security_info(GuestOSInfo *osinfo)\n+{\n+ Error *local_err = NULL;\n+ GuestSecurityInfo *info = g_new0(GuestSecurityInfo, 1);\n+\n+ info->os = g_new0(GuestSecurityInfoOs, 1);\n+ info->os->type = GUEST_SECURITY_INFO_TYPE_WINDOWS;\n+\n+ get_device_guard_info(&info->os->u.windows, &local_err);\n+ if (local_err) {\n+ g_warning(\"DeviceGuard query failed: %s\",\n+ error_get_pretty(local_err));\n+ error_free(local_err);\n+ local_err = NULL;\n+ }\n+\n+ info->secure_boot = get_secure_boot_info();\n+ info->tpm = get_tpm_info();\n+\n+ osinfo->security = info;\n+}\ndiff --git a/qga/qapi-schema.json b/qga/qapi-schema.json\nindex c57bc9a02f..6f4b61355b 100644\n--- a/qga/qapi-schema.json\n+++ b/qga/qapi-schema.json\n@@ -1490,6 +1490,10 @@\n # * POSIX: as defined by os-release(5)\n # * Windows: contains string \"server\" or \"client\"\n #\n+# @security: Security features status. Present if any security\n+# information (TPM, Secure Boot, etc.) could be retrieved.\n+# Currently populated on Windows guests only (since 11.1)\n+#\n # .. note:: On POSIX systems the fields @id, @name, @pretty-name,\n # @version, @version-id, @variant and @variant-id follow the\n # definition specified in os-release(5). Refer to the manual page\n@@ -1508,7 +1512,8 @@\n '*kernel-release': 'str', '*kernel-version': 'str',\n '*machine': 'str', '*id': 'str', '*name': 'str',\n '*pretty-name': 'str', '*version': 'str', '*version-id': 'str',\n- '*variant': 'str', '*variant-id': 'str' } }\n+ '*variant': 'str', '*variant-id': 'str',\n+ '*security': 'GuestSecurityInfo' } }\n \n ##\n # @guest-get-osinfo:\n@@ -1952,3 +1957,130 @@\n 'returns': ['GuestNetworkRoute'],\n 'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] }\n }\n+\n+##\n+# @GuestSecurityInfoWindows:\n+#\n+# Windows-specific security features from the Win32_DeviceGuard\n+# WMI class. All values are raw integers as provided by the\n+# Windows API. See\n+# https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity\n+# for the meaning of each value.\n+#\n+# @vbs-status: Whether VBS is enabled and running.\n+#\n+# @available-security-properties: Relevant security properties\n+# available for VBS and memory integrity.\n+#\n+# @code-integrity-policy-enforcement-status: Code integrity\n+# policy enforcement status.\n+#\n+# @required-security-properties: Required security properties\n+# to enable VBS.\n+#\n+# @security-services-configured: Whether Credential Guard or\n+# memory integrity is configured.\n+#\n+# @security-services-running: Whether Credential Guard or\n+# memory integrity is running.\n+#\n+# @usr-cfg-code-integrity-policy-enforcement-status: User-mode\n+# code integrity policy enforcement status.\n+#\n+# Since: 11.1\n+##\n+{ 'struct': 'GuestSecurityInfoWindows',\n+ 'data': {\n+ '*vbs-status': 'int',\n+ '*available-security-properties': ['int'],\n+ '*code-integrity-policy-enforcement-status': 'int',\n+ '*required-security-properties': ['int'],\n+ '*security-services-configured': ['int'],\n+ '*security-services-running': ['int'],\n+ '*usr-cfg-code-integrity-policy-enforcement-status': 'int' } }\n+\n+##\n+# @GuestSecurityInfoType:\n+#\n+# Guest operating system type for security info.\n+#\n+# @windows: Microsoft Windows\n+#\n+# Since: 11.1\n+##\n+{ 'enum': 'GuestSecurityInfoType',\n+ 'data': ['windows'] }\n+\n+##\n+# @GuestSecurityInfoOs:\n+#\n+# OS-specific security information.\n+#\n+# @type: guest operating system type\n+#\n+# Since: 11.1\n+##\n+{ 'union': 'GuestSecurityInfoOs',\n+ 'base': { 'type': 'GuestSecurityInfoType' },\n+ 'discriminator': 'type',\n+ 'data': {\n+ 'windows': 'GuestSecurityInfoWindows' } }\n+\n+##\n+# @GuestSecurityTPMInfo:\n+#\n+# TPM device information. The presence of this struct indicates\n+# that a TPM device exists on the guest.\n+#\n+# @major-version: TPM specification major version (e.g. 1 or 2)\n+#\n+# Since: 11.1\n+##\n+{ 'struct': 'GuestSecurityTPMInfo',\n+ 'data': {\n+ 'major-version': 'int' } }\n+\n+##\n+# @GuestSecuritySecureBootInfo:\n+#\n+# UEFI Secure Boot information. The presence of this struct\n+# indicates that the guest supports UEFI Secure Boot.\n+#\n+# @enabled: Whether Secure Boot is currently enabled\n+#\n+# @audit-mode: Whether Secure Boot is in audit mode\n+#\n+# @deployed-mode: Whether Secure Boot is in deployed mode\n+#\n+# @setup-mode: Whether Secure Boot is in setup mode\n+#\n+# Since: 11.1\n+##\n+{ 'struct': 'GuestSecuritySecureBootInfo',\n+ 'data': {\n+ 'enabled': 'bool',\n+ '*audit-mode': 'bool',\n+ '*deployed-mode': 'bool',\n+ '*setup-mode': 'bool' } }\n+\n+##\n+# @GuestSecurityInfo:\n+#\n+# Guest security features status. Fields are optional; a missing\n+# field means the information is not available on this guest OS.\n+#\n+# @tpm: TPM device information. Absent if no TPM is present\n+# or the information is unavailable.\n+#\n+# @secure-boot: UEFI Secure Boot information. Absent on\n+# legacy BIOS systems or if unavailable.\n+#\n+# @os: OS-specific security information\n+#\n+# Since: 11.1\n+##\n+{ 'struct': 'GuestSecurityInfo',\n+ 'data': {\n+ '*tpm': 'GuestSecurityTPMInfo',\n+ '*secure-boot': 'GuestSecuritySecureBootInfo',\n+ '*os': 'GuestSecurityInfoOs' } }\n", "prefixes": [ "v3" ] }