From 161b31f9584eeba17cf29d38289c3a8a03e9e858 Mon Sep 17 00:00:00 2001 From: Andrea Bolognani Date: Wed, 15 Jun 2022 11:30:48 +0200 Subject: [PATCH] conf: Reject enrolled-keys=yes with secure-boot=no This combination doesn't make sense and so the firmware autoselection logic will not be able to find a suitable firmware, but it's more user-friendly to report a detailed error upfront. Note that this check would ideally happen in the validate phase, but if we moved it there we would no longer be able to automatically enable secure-boot when enrolled-keys=yes. Since the combination never resulted in a working configuration, the chances of this causing real-world VMs to disappear are extremely low. Signed-off-by: Andrea Bolognani Reviewed-by: Michal Privoznik --- src/conf/domain_conf.c | 7 +++++++ ...enrolled-keys-no-secboot.x86_64-latest.err | 1 + ...ware-auto-efi-enrolled-keys-no-secboot.xml | 21 +++++++++++++++++++ tests/qemuxml2argvtest.c | 1 + 4 files changed, 30 insertions(+) create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index d88d352fb6..0c6504348c 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -4879,6 +4879,13 @@ virDomainDefPostParseOs(virDomainDef *def) if (def->os.firmwareFeatures && def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) { + if (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_NO) { + virReportError(VIR_ERR_XML_DETAIL, "%s", + _("firmware feature 'enrolled-keys' cannot be enabled when " + "firmware feature 'secure-boot' is disabled")); + return -1; + } + /* For all non-broken firmware builds, enrolled-keys implies * secure-boot, and having the Secure Boot keys in the NVRAM file * when the firmware doesn't support the Secure Boot feature doesn't diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err new file mode 100644 index 0000000000..989d3dbf5a --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err @@ -0,0 +1 @@ +firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml new file mode 100644 index 0000000000..722793684c --- /dev/null +++ b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml @@ -0,0 +1,21 @@ + + fedora + 63840878-0deb-4095-97e6-fc444d9bc9fa + 8192 + 1 + + hvm + + + + + + + + + + /usr/bin/qemu-system-x86_64 + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index d21b2d9154..b01ad8d4e9 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1224,6 +1224,7 @@ mymain(void) DO_TEST_CAPS_LATEST("firmware-auto-efi-no-secboot"); DO_TEST_CAPS_LATEST("firmware-auto-efi-enrolled-keys"); DO_TEST_CAPS_LATEST("firmware-auto-efi-no-enrolled-keys"); + DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-enrolled-keys-no-secboot"); DO_TEST_CAPS_ARCH_LATEST("firmware-auto-efi-aarch64", "aarch64"); DO_TEST_NOCAPS("clock-utc");