A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disrupt VM boot by writing an invalid value to VM.HVM_boot_params:firmware or by removing the firmware key entirely. The firmware key is validated at VM start time (not at write time) by firmware_of_vm at xapi_xenops.ml:255-268, which pattern-matches against exactly "bios" and "uefi". Invalid values raise Server_error, preventing VM start. Removing the key causes fallback to BIOS firmware, which renders UEFI-installed operating systems unbootable. The impact is limited because the vm-admin role already has VM.hard_shutdown capability, making denial of service redundant with existing privileges. The VM.HVM_boot_params field has zero map_keys_roles entries.
VM.HVM_boot_params is a Map(String, String) field defined at datamodel_vm.ml:55-58 with zero map_keys_roles entries.
The firmware key is consumed at VM start time:
let firmware_of_vm vm =
match List.assoc "firmware" vm.API.vM_HVM_boot_params with
| "bios" -> Bios
| "uefi" -> Uefi (nvram_uefi_of_vm vm)
| bad -> raise Api_errors.(Server_error (invalid_value, ["HVM-boot-params['firmware']"; bad]))
| exception Not_found -> default_firmware
This is the strongest start-time validation of any infrastructure key observed in the audit. The firmware value is pattern-matched against exactly two valid strings. Any other value produces a Server_error at VM start. If the key is missing, default_firmware (Bios) is used as a fallback.
The vulnerability arises from the gap between write-time (no validation) and start-time (robust validation):
firmware=invalid - XAPI accepts and stores it without errorServer_errorfirmware key causes BIOS fallback, which breaks UEFI guest OSesThe invalid value persists in the database until manually corrected by an administrator.
Missing write-time validation. XAPI accepts any value for the firmware key when written. Validation occurs only at VM start time.
Missing RBAC protection. VM.HVM_boot_params has zero map_keys_roles entries. The firmware key is writable by vm-admin.
Persistent invalid state. The invalid firmware value remains in the database after the VM start failure, requiring manual cleanup.
set_HVM_boot_params RBAC bypass. The set_HVM_boot_params method replaces the entire map and bypasses map_keys_roles per-key checks.
| Scenario | Impact | Pre-conditions | Status |
|---|---|---|---|
| Invalid firmware value | VM start fails with Server_error | vm-admin | Live-tested (key injection confirmed) |
| Firmware key removal | UEFI VM falls back to BIOS, OS cannot boot | vm-admin, UEFI-installed guest | Source-traced |
| BOC-1 chain | vm-admin corrupts firmware settings across all VMs via RBAC collapse | vm-admin, BOC-1 | Source-traced |
VM.hard_shutdown).VM.HVM_boot_params for firmware key modification or removalbios or uefidisclosure/vendor-detection-guidance.mdVM.HVM_boot_params entries for unexpected firmware valuesAdd write-time validation. Validate the firmware value against {"bios", "uefi"} at write time in addition to start time. Reject invalid values immediately.
Add map_keys_roles protection. Restrict the firmware key to _R_POOL_ADMIN in datamodel_vm.ml.
Replace with typed field. The firmware key has exactly two valid values. It should be an enumeration field, not a string in a map.
Upstream patches exist. They are held privately pending coordinated disclosure.
Disclosure:
datamodel_vm.ml:55-58 (VM.HVM_boot_params field definition), xapi_xenops.ml:255-268 (firmware_of_vm - start-time validation), xapi_xenops.ml:213-219 (assume_default_if_null_empty)disclosure/advisories/hbp-security-advisory.md (HBP-2)research/investigations/vm-hvm-boot-params.mdDiscovered and reported by Jakob Wolffhechel, Moksha.