Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2217790,
    "url": "http://patchwork.ozlabs.org/api/patches/2217790/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260330151941.2207789-1-eashurov@redhat.com/",
    "project": {
        "id": 14,
        "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api",
        "name": "QEMU Development",
        "link_name": "qemu-devel",
        "list_id": "qemu-devel.nongnu.org",
        "list_email": "qemu-devel@nongnu.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260330151941.2207789-1-eashurov@redhat.com>",
    "list_archive_url": null,
    "date": "2026-03-30T15:19:41",
    "name": "[v2] qga: add security info to guest-get-osinfo",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "0a8429947350b13883d04a9eafac99fb480198d4",
    "submitter": {
        "id": 91084,
        "url": "http://patchwork.ozlabs.org/api/people/91084/?format=api",
        "name": "Elizabeth Ashurov",
        "email": "eashurov@redhat.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260330151941.2207789-1-eashurov@redhat.com/mbox/",
    "series": [
        {
            "id": 498052,
            "url": "http://patchwork.ozlabs.org/api/series/498052/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=498052",
            "date": "2026-03-30T15:19:41",
            "name": "[v2] qga: add security info to guest-get-osinfo",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/498052/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2217790/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2217790/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=VlBiZFeF;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fkw1l4h9Dz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 31 Mar 2026 02:20:59 +1100 (AEDT)",
            "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w7EPS-0007gi-50; Mon, 30 Mar 2026 11:20:10 -0400",
            "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <eashurov@redhat.com>)\n id 1w7EPQ-0007gU-8o\n for qemu-devel@nongnu.org; Mon, 30 Mar 2026 11:20:08 -0400",
            "from us-smtp-delivery-124.mimecast.com ([170.10.129.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <eashurov@redhat.com>)\n id 1w7EPM-0003Ff-PG\n for qemu-devel@nongnu.org; Mon, 30 Mar 2026 11:20:08 -0400",
            "from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-577-hbHCwq6gOVyMMlcWG1Rlsw-1; Mon,\n 30 Mar 2026 11:20:00 -0400",
            "from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id C1DF21956046\n for <qemu-devel@nongnu.org>; Mon, 30 Mar 2026 15:19:59 +0000 (UTC)",
            "from eashurov-thinkpadx1carbongen12.raanaii.csb (unknown\n [10.44.33.212])\n by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id 77C291800351; Mon, 30 Mar 2026 15:19:57 +0000 (UTC)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1774884002;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n bh=SyxU+VB3YJH6Jla/Pk3XIMOej61g24pSm81zr1vN4xk=;\n b=VlBiZFeF9+OIis4cOHjFiONui6n1sn7V3w/Xv8xJfLdRygoFtEP5rUFWDY1w7g78Ig+VDG\n HuUfqd9MV9aXYMTybwrmOtn6cVkV357R2j+I1OEdQ7Wus/ZPEcQSlTS519gY2+De/r8X0U\n he0e21Rbpjc239a+cTKU42W/pFmR7ms=",
        "X-MC-Unique": "hbHCwq6gOVyMMlcWG1Rlsw-1",
        "X-Mimecast-MFC-AGG-ID": "hbHCwq6gOVyMMlcWG1Rlsw_1774884000",
        "From": "Elizabeth Ashurov <eashurov@redhat.com>",
        "To": "qemu-devel@nongnu.org",
        "Cc": "kkostiuk@redhat.com, yvugenfi@redhat.com, berrange@redhat.com,\n Elizabeth Ashurov <eashurov@redhat.com>",
        "Subject": "[PATCH v2] qga: add security info to guest-get-osinfo",
        "Date": "Mon, 30 Mar 2026 18:19:41 +0300",
        "Message-ID": "<20260330151941.2207789-1-eashurov@redhat.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.111",
        "Received-SPF": "pass client-ip=170.10.129.124;\n envelope-from=eashurov@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com",
        "X-Spam_score_int": "27",
        "X-Spam_score": "2.7",
        "X-Spam_bar": "++",
        "X-Spam_report": "(2.7 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.54,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SBL_CSS=3.335,\n RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=1, RCVD_IN_VALIDITY_RPBL_BLOCKED=1,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no",
        "X-Spam_action": "no action",
        "X-BeenThere": "qemu-devel@nongnu.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "qemu development <qemu-devel.nongnu.org>",
        "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>",
        "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>",
        "List-Post": "<mailto:qemu-devel@nongnu.org>",
        "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>",
        "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>",
        "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org",
        "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"
    },
    "content": "Extend guest-get-osinfo to include security features status\n(VBS, Secure Boot, TPM) in a nested 'security' field.\nOS-specific data (e.g. Windows DeviceGuard) is separated\nusing a union to allow future per-OS extensions.\n\nThe implementation queries Win32_DeviceGuard and Win32_Tpm via\nWMI, and reads the SecureBoot UEFI variable through\nGetFirmwareEnvironmentVariable().\n\nSigned-off-by: Elizabeth Ashurov <eashurov@redhat.com>\n---\n qga/commands-win32.c | 421 +++++++++++++++++++++++++++++++++++++++++++\n qga/qapi-schema.json |  91 +++++++++-\n 2 files changed, 511 insertions(+), 1 deletion(-)",
    "diff": "diff --git a/qga/commands-win32.c b/qga/commands-win32.c\nindex c0bf3467bd..39ebdcf2cd 100644\n--- a/qga/commands-win32.c\n+++ b/qga/commands-win32.c\n@@ -28,6 +28,7 @@\n #include <wtsapi32.h>\n #include <wininet.h>\n #include <pdh.h>\n+#include <wbemidl.h>\n \n #include \"guest-agent-core.h\"\n #include \"vss-win32.h\"\n@@ -2252,6 +2253,8 @@ static char *ga_get_current_arch(void)\n     return result;\n }\n \n+static void populate_security_info(GuestOSInfo *osinfo);\n+\n GuestOSInfo *qmp_guest_get_osinfo(Error **errp)\n {\n     Error *local_err = NULL;\n@@ -2289,6 +2292,8 @@ GuestOSInfo *qmp_guest_get_osinfo(Error **errp)\n     info->variant = g_strdup(server ? \"server\" : \"client\");\n     info->variant_id = g_strdup(server ? \"server\" : \"client\");\n \n+    populate_security_info(info);\n+\n     return info;\n }\n \n@@ -2764,3 +2769,419 @@ GuestNetworkRouteList *qmp_guest_network_get_route(Error **errp)\n     g_hash_table_destroy(interface_metric_cache);\n     return head;\n }\n+\n+/*\n+ * WMI GUIDs\n+ */\n+static const GUID qga_CLSID_WbemLocator = {\n+    0x4590f811, 0x1d3a, 0x11d0,\n+    {0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}\n+};\n+static const GUID qga_IID_IWbemLocator = {\n+    0xdc12a687, 0x737f, 0x11cf,\n+    {0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}\n+};\n+\n+static IWbemServices *wmi_connect_to_namespace(const wchar_t *namespace_path,\n+                                               Error **errp)\n+{\n+    HRESULT hr;\n+    IWbemLocator *locator = NULL;\n+    IWbemServices *services = NULL;\n+    BSTR bstr_ns = SysAllocString(namespace_path);\n+\n+    if (!bstr_ns) {\n+        error_setg(errp, \"failed to allocate WMI namespace string\");\n+        return NULL;\n+    }\n+\n+    hr = CoCreateInstance(&qga_CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER,\n+                          &qga_IID_IWbemLocator, (LPVOID *)&locator);\n+    if (FAILED(hr)) {\n+        error_setg_win32(errp, hr, \"failed to create IWbemLocator\");\n+        goto out;\n+    }\n+\n+    hr = locator->lpVtbl->ConnectServer(locator, bstr_ns, NULL, NULL, NULL,\n+                                        0, NULL, NULL, &services);\n+    if (FAILED(hr)) {\n+        error_setg_win32(errp, hr, \"failed to connect to WMI namespace\");\n+        goto out;\n+    }\n+\n+    hr = CoSetProxyBlanket((IUnknown *)services,\n+                           RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL,\n+                           RPC_C_AUTHN_LEVEL_CALL,\n+                           RPC_C_IMP_LEVEL_IMPERSONATE,\n+                           NULL, EOAC_NONE);\n+    if (FAILED(hr)) {\n+        error_setg_win32(errp, hr, \"failed to set WMI proxy blanket\");\n+        services->lpVtbl->Release(services);\n+        services = NULL;\n+    }\n+\n+out:\n+    SysFreeString(bstr_ns);\n+    if (locator) {\n+        locator->lpVtbl->Release(locator);\n+    }\n+    return services;\n+}\n+\n+static IEnumWbemClassObject *wmi_exec_query(IWbemServices *services,\n+                                            const wchar_t *query,\n+                                            Error **errp)\n+{\n+    HRESULT hr;\n+    IEnumWbemClassObject *enumerator = NULL;\n+    BSTR bstr_wql = SysAllocString(L\"WQL\");\n+    BSTR bstr_query = SysAllocString(query);\n+\n+    if (!bstr_wql || !bstr_query) {\n+        error_setg(errp, \"failed to allocate WMI query strings\");\n+        goto out;\n+    }\n+\n+    hr = services->lpVtbl->ExecQuery(services, bstr_wql, bstr_query,\n+                                     WBEM_FLAG_RETURN_IMMEDIATELY |\n+                                     WBEM_FLAG_FORWARD_ONLY,\n+                                     NULL, &enumerator);\n+    if (FAILED(hr)) {\n+        error_setg_win32(errp, hr, \"WMI query failed\");\n+    }\n+\n+out:\n+    SysFreeString(bstr_wql);\n+    SysFreeString(bstr_query);\n+    return enumerator;\n+}\n+\n+static HRESULT wmi_get_property(IWbemClassObject *obj, const wchar_t *name,\n+                                VARIANT *var)\n+{\n+    return obj->lpVtbl->Get(obj, name, 0, var, NULL, NULL);\n+}\n+\n+/* Read a WMI integer property (VT_I4 or VT_UI4). */\n+static bool wmi_get_int_property(IWbemClassObject *obj,\n+                                 const wchar_t *name,\n+                                 int64_t *out)\n+{\n+    VARIANT var;\n+    bool ret = false;\n+\n+    VariantInit(&var);\n+    if (SUCCEEDED(wmi_get_property(obj, name, &var))) {\n+        if (V_VT(&var) == VT_I4) {\n+            *out = V_I4(&var);\n+            ret = true;\n+        } else if (V_VT(&var) == VT_UI4) {\n+            *out = V_UI4(&var);\n+            ret = true;\n+        }\n+    }\n+    VariantClear(&var);\n+    return ret;\n+}\n+\n+/* Read an integer SAFEARRAY WMI property into a QAPI intList. */\n+static bool wmi_safearray_to_int_list(IWbemClassObject *obj,\n+                                      const wchar_t *prop_name,\n+                                      intList **list)\n+{\n+    VARIANT var;\n+    HRESULT hr;\n+    LONG lb, ub, i;\n+    uint32_t *data = NULL;\n+\n+    VariantInit(&var);\n+    hr = wmi_get_property(obj, prop_name, &var);\n+    if (FAILED(hr) || V_VT(&var) == VT_NULL) {\n+        VariantClear(&var);\n+        return false;\n+    }\n+\n+    if (!(V_VT(&var) & VT_ARRAY)) {\n+        VariantClear(&var);\n+        return false;\n+    }\n+\n+    SAFEARRAY *sa = V_ARRAY(&var);\n+    if (FAILED(SafeArrayGetLBound(sa, 1, &lb)) ||\n+        FAILED(SafeArrayGetUBound(sa, 1, &ub))) {\n+        VariantClear(&var);\n+        return false;\n+    }\n+\n+    if (FAILED(SafeArrayAccessData(sa, (void **)&data))) {\n+        VariantClear(&var);\n+        return false;\n+    }\n+\n+    intList **tail = list;\n+    for (i = 0; i <= ub - lb; i++) {\n+        QAPI_LIST_APPEND(tail, (int64_t)data[i]);\n+    }\n+\n+    SafeArrayUnaccessData(sa);\n+    VariantClear(&var);\n+    return true;\n+}\n+\n+/*\n+ * Query Win32_DeviceGuard WMI class for VBS and related properties.\n+ */\n+static void get_device_guard_info(GuestSecurityInfoWindows *info,\n+                                  Error **errp)\n+{\n+    Error *local_err = NULL;\n+    IWbemServices *services = NULL;\n+    IEnumWbemClassObject *enumerator = NULL;\n+    IWbemClassObject *obj = NULL;\n+    ULONG count = 0;\n+    HRESULT hr;\n+    int64_t val;\n+\n+    services = wmi_connect_to_namespace(\n+        L\"ROOT\\\\Microsoft\\\\Windows\\\\DeviceGuard\", &local_err);\n+    if (!services) {\n+        error_propagate(errp, local_err);\n+        return;\n+    }\n+\n+    enumerator = wmi_exec_query(services,\n+        L\"SELECT * FROM Win32_DeviceGuard\", &local_err);\n+    if (!enumerator) {\n+        error_propagate(errp, local_err);\n+        goto out;\n+    }\n+\n+    hr = enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1,\n+                                   &obj, &count);\n+    if (FAILED(hr)) {\n+        error_setg_win32(errp, hr, \"failed to enumerate Win32_DeviceGuard\");\n+        goto out;\n+    }\n+    if (count == 0) {\n+        error_setg(errp, \"no Win32_DeviceGuard instance found\");\n+        goto out;\n+    }\n+\n+    if (wmi_get_int_property(obj, L\"VirtualizationBasedSecurityStatus\",\n+                             &val)) {\n+        info->has_vbs_status = true;\n+        info->vbs_status = val;\n+    }\n+\n+    if (wmi_get_int_property(obj, L\"CodeIntegrityPolicyEnforcementStatus\",\n+                             &val)) {\n+        info->has_code_integrity_policy_enforcement_status = true;\n+        info->code_integrity_policy_enforcement_status = val;\n+    }\n+\n+    if (wmi_get_int_property(obj,\n+                             L\"UsermodeCodeIntegrityPolicyEnforcementStatus\",\n+                             &val)) {\n+        info->has_usr_cfg_code_integrity_policy_enforcement_status = true;\n+        info->usr_cfg_code_integrity_policy_enforcement_status = val;\n+    }\n+\n+    if (wmi_safearray_to_int_list(obj, L\"AvailableSecurityProperties\",\n+                                  &info->available_security_properties)) {\n+        info->has_available_security_properties = true;\n+    }\n+\n+    if (wmi_safearray_to_int_list(obj, L\"RequiredSecurityProperties\",\n+                                  &info->required_security_properties)) {\n+        info->has_required_security_properties = true;\n+    }\n+\n+    if (wmi_safearray_to_int_list(obj, L\"SecurityServicesConfigured\",\n+                                  &info->security_services_configured)) {\n+        info->has_security_services_configured = true;\n+    }\n+\n+    if (wmi_safearray_to_int_list(obj, L\"SecurityServicesRunning\",\n+                                  &info->security_services_running)) {\n+        info->has_security_services_running = true;\n+    }\n+\n+    obj->lpVtbl->Release(obj);\n+    obj = NULL;\n+\n+    /* Drain remaining results */\n+    while (true) {\n+        hr = enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1,\n+                                      &obj, &count);\n+        if (FAILED(hr) || count == 0) {\n+            break;\n+        }\n+        obj->lpVtbl->Release(obj);\n+        obj = NULL;\n+    }\n+\n+out:\n+    if (obj) {\n+        obj->lpVtbl->Release(obj);\n+    }\n+    if (enumerator) {\n+        enumerator->lpVtbl->Release(enumerator);\n+    }\n+    if (services) {\n+        services->lpVtbl->Release(services);\n+    }\n+}\n+\n+/*\n+ * Read the SecureBoot UEFI variable.  On legacy BIOS systems the field\n+ * is omitted (not applicable).\n+ */\n+static void get_secure_boot_status(GuestSecurityInfo *info,\n+                                   Error **errp)\n+{\n+    Error *local_err = NULL;\n+    BYTE value = 0;\n+    DWORD ret;\n+\n+    acquire_privilege(SE_SYSTEM_ENVIRONMENT_NAME, &local_err);\n+    if (local_err) {\n+        error_propagate(errp, local_err);\n+        return;\n+    }\n+\n+    ret = GetFirmwareEnvironmentVariableA(\"SecureBoot\",\n+        \"{8be4df61-93ca-11d2-aa0d-00e098032b8c}\", &value, sizeof(value));\n+\n+    if (ret == 0) {\n+        DWORD err = GetLastError();\n+        if (err == ERROR_INVALID_FUNCTION) {\n+            return;\n+        }\n+        if (err == ERROR_ENVVAR_NOT_FOUND) {\n+            info->has_secure_boot = true;\n+            info->secure_boot = false;\n+            return;\n+        }\n+        error_setg_win32(errp, err,\n+                         \"failed to read SecureBoot UEFI variable\");\n+        return;\n+    }\n+\n+    info->has_secure_boot = true;\n+    info->secure_boot = (value == 1);\n+}\n+\n+/*\n+ * Query Win32_Tpm WMI class for TPM presence and version.\n+ */\n+static void get_tpm_info(GuestSecurityInfo *info, Error **errp)\n+{\n+    Error *local_err = NULL;\n+    IWbemServices *services = NULL;\n+    IEnumWbemClassObject *enumerator = NULL;\n+    IWbemClassObject *obj = NULL;\n+    ULONG count = 0;\n+    HRESULT hr;\n+    VARIANT var;\n+\n+    services = wmi_connect_to_namespace(\n+        L\"ROOT\\\\CIMV2\\\\Security\\\\MicrosoftTpm\", &local_err);\n+    if (!services) {\n+        /* TPM namespace may not exist -- field omitted (unknown) */\n+        error_free(local_err);\n+        return;\n+    }\n+\n+    enumerator = wmi_exec_query(services,\n+        L\"SELECT * FROM Win32_Tpm\", &local_err);\n+    if (!enumerator) {\n+        error_free(local_err);\n+        goto out;\n+    }\n+\n+    hr = enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1,\n+                                   &obj, &count);\n+    if (FAILED(hr) || count == 0) {\n+        info->has_tpm_present = true;\n+        info->tpm_present = false;\n+        goto out;\n+    }\n+\n+    info->has_tpm_present = true;\n+    info->tpm_present = true;\n+\n+    VariantInit(&var);\n+    if (SUCCEEDED(wmi_get_property(obj, L\"SpecVersion\", &var)) &&\n+        V_VT(&var) == VT_BSTR && V_BSTR(&var)) {\n+        info->tpm_version = g_utf16_to_utf8(\n+            (const gunichar2 *)V_BSTR(&var), -1, NULL, NULL, NULL);\n+        if (info->tpm_version) {\n+            /* keep only the part before the first comma */\n+            char *comma = strchr(info->tpm_version, ',');\n+            if (comma) {\n+                *comma = '\\0';\n+            }\n+        }\n+    }\n+    VariantClear(&var);\n+\n+    obj->lpVtbl->Release(obj);\n+    obj = NULL;\n+\n+    /* Drain remaining results */\n+    while (true) {\n+        hr = enumerator->lpVtbl->Next(enumerator, WBEM_INFINITE, 1,\n+                                      &obj, &count);\n+        if (FAILED(hr) || count == 0) {\n+            break;\n+        }\n+        obj->lpVtbl->Release(obj);\n+        obj = NULL;\n+    }\n+\n+out:\n+    if (obj) {\n+        obj->lpVtbl->Release(obj);\n+    }\n+    if (enumerator) {\n+        enumerator->lpVtbl->Release(enumerator);\n+    }\n+    if (services) {\n+        services->lpVtbl->Release(services);\n+    }\n+}\n+\n+static void populate_security_info(GuestOSInfo *osinfo)\n+{\n+    Error *local_err = NULL;\n+    GuestSecurityInfo *info = g_new0(GuestSecurityInfo, 1);\n+\n+    info->os = g_new0(GuestSecurityInfoOs, 1);\n+    info->os->type = GUEST_SECURITY_INFO_TYPE_WINDOWS;\n+\n+    get_device_guard_info(&info->os->u.windows, &local_err);\n+    if (local_err) {\n+        g_warning(\"DeviceGuard query failed: %s\",\n+                  error_get_pretty(local_err));\n+        error_free(local_err);\n+        local_err = NULL;\n+    }\n+\n+    get_secure_boot_status(info, &local_err);\n+    if (local_err) {\n+        g_warning(\"SecureBoot query failed: %s\",\n+                  error_get_pretty(local_err));\n+        error_free(local_err);\n+        local_err = NULL;\n+    }\n+\n+    get_tpm_info(info, &local_err);\n+    if (local_err) {\n+        g_warning(\"TPM query failed: %s\",\n+                  error_get_pretty(local_err));\n+        error_free(local_err);\n+        local_err = NULL;\n+    }\n+\n+    osinfo->security = info;\n+}\ndiff --git a/qga/qapi-schema.json b/qga/qapi-schema.json\nindex c57bc9a02f..2247f77cff 100644\n--- a/qga/qapi-schema.json\n+++ b/qga/qapi-schema.json\n@@ -1490,6 +1490,8 @@\n #     * POSIX: as defined by os-release(5)\n #     * Windows: contains string \"server\" or \"client\"\n #\n+# @security: Security features status (since 10.3)\n+#\n # .. note:: On POSIX systems the fields @id, @name, @pretty-name,\n #    @version, @version-id, @variant and @variant-id follow the\n #    definition specified in os-release(5).  Refer to the manual page\n@@ -1508,7 +1510,8 @@\n       '*kernel-release': 'str', '*kernel-version': 'str',\n       '*machine': 'str', '*id': 'str', '*name': 'str',\n       '*pretty-name': 'str', '*version': 'str', '*version-id': 'str',\n-      '*variant': 'str', '*variant-id': 'str' } }\n+      '*variant': 'str', '*variant-id': 'str',\n+      '*security': 'GuestSecurityInfo' } }\n \n ##\n # @guest-get-osinfo:\n@@ -1952,3 +1955,89 @@\n   'returns': ['GuestNetworkRoute'],\n   'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] }\n }\n+\n+##\n+# @GuestSecurityInfoWindows:\n+#\n+# Windows-specific security features from Win32_DeviceGuard.\n+#\n+# @vbs-status: VirtualizationBasedSecurityStatus\n+#\n+# @available-security-properties:\n+#     AvailableSecurityProperties\n+#\n+# @code-integrity-policy-enforcement-status:\n+#     CodeIntegrityPolicyEnforcementStatus\n+#\n+# @required-security-properties: RequiredSecurityProperties\n+#\n+# @security-services-configured:\n+#     SecurityServicesConfigured\n+#\n+# @security-services-running: SecurityServicesRunning\n+#\n+# @usr-cfg-code-integrity-policy-enforcement-status:\n+#     UsermodeCodeIntegrityPolicyEnforcementStatus\n+#\n+# Since: 10.3\n+##\n+{ 'struct': 'GuestSecurityInfoWindows',\n+  'data': {\n+      '*vbs-status': 'int',\n+      '*available-security-properties': ['int'],\n+      '*code-integrity-policy-enforcement-status': 'int',\n+      '*required-security-properties': ['int'],\n+      '*security-services-configured': ['int'],\n+      '*security-services-running': ['int'],\n+      '*usr-cfg-code-integrity-policy-enforcement-status':\n+          'int' } }\n+\n+##\n+# @GuestSecurityInfoType:\n+#\n+# Guest operating system type for security info.\n+#\n+# @windows: Microsoft Windows\n+#\n+# Since: 10.3\n+##\n+{ 'enum': 'GuestSecurityInfoType',\n+  'data': ['windows'] }\n+\n+##\n+# @GuestSecurityInfoOs:\n+#\n+# OS-specific security information.\n+#\n+# @type: guest operating system type\n+#\n+# Since: 10.3\n+##\n+{ 'union': 'GuestSecurityInfoOs',\n+  'base': { 'type': 'GuestSecurityInfoType' },\n+  'discriminator': 'type',\n+  'data': {\n+      'windows': 'GuestSecurityInfoWindows' } }\n+\n+##\n+# @GuestSecurityInfo:\n+#\n+# Guest security features status.  Fields are optional; a missing\n+# field means the information is not available on this platform.\n+#\n+# @tpm-present: Whether a TPM device is present\n+#\n+# @tpm-version: TPM specification version (e.g. \"2.0\")\n+#\n+# @secure-boot: Whether UEFI Secure Boot is enabled\n+#\n+# @os: OS-specific security information\n+#\n+# Since: 10.3\n+##\n+{ 'struct': 'GuestSecurityInfo',\n+  'data': {\n+      '*tpm-present': 'bool',\n+      '*tpm-version': 'str',\n+      '*secure-boot': 'bool',\n+      '*os': 'GuestSecurityInfoOs' } }\n",
    "prefixes": [
        "v2"
    ]
}