mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 17:34:18 +03:00
conf: Reject enrolled-keys=yes with secure-boot=no
This combination doesn't make sense and so the firmware autoselection logic will not be able to find a suitable firmware, but it's more user-friendly to report a detailed error upfront. Note that this check would ideally happen in the validate phase, but if we moved it there we would no longer be able to automatically enable secure-boot when enrolled-keys=yes. Since the combination never resulted in a working configuration, the chances of this causing real-world VMs to disappear are extremely low. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
c98910d011
commit
161b31f958
@ -4879,6 +4879,13 @@ virDomainDefPostParseOs(virDomainDef *def)
|
||||
if (def->os.firmwareFeatures &&
|
||||
def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) {
|
||||
|
||||
if (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_NO) {
|
||||
virReportError(VIR_ERR_XML_DETAIL, "%s",
|
||||
_("firmware feature 'enrolled-keys' cannot be enabled when "
|
||||
"firmware feature 'secure-boot' is disabled"));
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* For all non-broken firmware builds, enrolled-keys implies
|
||||
* secure-boot, and having the Secure Boot keys in the NVRAM file
|
||||
* when the firmware doesn't support the Secure Boot feature doesn't
|
||||
|
@ -0,0 +1 @@
|
||||
firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled
|
@ -0,0 +1,21 @@
|
||||
<domain type='kvm'>
|
||||
<name>fedora</name>
|
||||
<uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
|
||||
<memory unit='KiB'>8192</memory>
|
||||
<vcpu placement='static'>1</vcpu>
|
||||
<os firmware='efi'>
|
||||
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
|
||||
<firmware>
|
||||
<feature enabled='yes' name='enrolled-keys'/>
|
||||
<feature enabled='no' name='secure-boot'/>
|
||||
</firmware>
|
||||
</os>
|
||||
<features>
|
||||
<acpi/>
|
||||
</features>
|
||||
<devices>
|
||||
<emulator>/usr/bin/qemu-system-x86_64</emulator>
|
||||
<controller type='usb' model='none'/>
|
||||
<memballoon model='none'/>
|
||||
</devices>
|
||||
</domain>
|
@ -1224,6 +1224,7 @@ mymain(void)
|
||||
DO_TEST_CAPS_LATEST("firmware-auto-efi-no-secboot");
|
||||
DO_TEST_CAPS_LATEST("firmware-auto-efi-enrolled-keys");
|
||||
DO_TEST_CAPS_LATEST("firmware-auto-efi-no-enrolled-keys");
|
||||
DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-enrolled-keys-no-secboot");
|
||||
DO_TEST_CAPS_ARCH_LATEST("firmware-auto-efi-aarch64", "aarch64");
|
||||
|
||||
DO_TEST_NOCAPS("clock-utc");
|
||||
|
Loading…
Reference in New Issue
Block a user