1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 17:34:18 +03:00

conf: Reject enrolled-keys=yes with secure-boot=no

This combination doesn't make sense and so the firmware
autoselection logic will not be able to find a suitable firmware,
but it's more user-friendly to report a detailed error upfront.

Note that this check would ideally happen in the validate phase,
but if we moved it there we would no longer be able to
automatically enable secure-boot when enrolled-keys=yes. Since
the combination never resulted in a working configuration, the
chances of this causing real-world VMs to disappear are
extremely low.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Andrea Bolognani 2022-06-15 11:30:48 +02:00
parent c98910d011
commit 161b31f958
4 changed files with 30 additions and 0 deletions

View File

@ -4879,6 +4879,13 @@ virDomainDefPostParseOs(virDomainDef *def)
if (def->os.firmwareFeatures &&
def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) {
if (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_NO) {
virReportError(VIR_ERR_XML_DETAIL, "%s",
_("firmware feature 'enrolled-keys' cannot be enabled when "
"firmware feature 'secure-boot' is disabled"));
return -1;
}
/* For all non-broken firmware builds, enrolled-keys implies
* secure-boot, and having the Secure Boot keys in the NVRAM file
* when the firmware doesn't support the Secure Boot feature doesn't

View File

@ -0,0 +1 @@
firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled

View File

@ -0,0 +1,21 @@
<domain type='kvm'>
<name>fedora</name>
<uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
<memory unit='KiB'>8192</memory>
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
<firmware>
<feature enabled='yes' name='enrolled-keys'/>
<feature enabled='no' name='secure-boot'/>
</firmware>
</os>
<features>
<acpi/>
</features>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<controller type='usb' model='none'/>
<memballoon model='none'/>
</devices>
</domain>

View File

@ -1224,6 +1224,7 @@ mymain(void)
DO_TEST_CAPS_LATEST("firmware-auto-efi-no-secboot");
DO_TEST_CAPS_LATEST("firmware-auto-efi-enrolled-keys");
DO_TEST_CAPS_LATEST("firmware-auto-efi-no-enrolled-keys");
DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-enrolled-keys-no-secboot");
DO_TEST_CAPS_ARCH_LATEST("firmware-auto-efi-aarch64", "aarch64");
DO_TEST_NOCAPS("clock-utc");