virtinst: enable secure feature together with smm for UEFI

The secure feature actually enforce the secure boot if Secure Boot Mode is configured. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1387479 Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2025-03-09 08:58:27 +03:00 · 2017-06-07 20:47:59 +02:00 · 2017-06-07 20:47:59 +02:00 · b690908aa4
commit b690908aa4
parent 1c22105a54
3 changed files with 9 additions and 5 deletions
--- a/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
+++ b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
@ -6,7 +6,7 @@
  <vcpu>1</vcpu>
  <os>
    <type arch="x86_64" machine="q35">hvm</type>
-    <loader readonly="yes" type="pflash">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
+    <loader readonly="yes" type="pflash" secure="yes">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
    <boot dev="hd"/>
  </os>
  <features>
--- a/virtManager/domain.py
+++ b/virtManager/domain.py
@ -698,7 +698,7 @@ class vmmDomain(vmmLibvirtObject):
                guest.os.loader = loader
                guest.os.loader_type = "pflash"
                guest.os.loader_ro = True
-                guest.check_uefi_smm()
+                guest.check_uefi_secure()

        if nvram != _SENTINEL:
            guest.os.nvram = nvram
--- a/virtinst/guest.py
+++ b/virtinst/guest.py
@ -561,16 +561,18 @@ class Guest(XMLBuilder):
        self.os.loader_type = "pflash"
        self.os.loader = path

-        self.check_uefi_smm()
+        self.check_uefi_secure()


-    def check_uefi_smm(self):
+    def check_uefi_secure(self):
        """
        If the firmware name contains "secboot" it is probably build
        with SMM feature required so we need to enable that feature,
        otherwise the firmware may fail to load.  True secure boot is
        currently supported only on x86 architecture and with q35 with
        SMM feature enabled so change the machine to q35 as well.
+        To actually enforce the secure boot for the guest if Secure Boot
+        Mode is configured we need to enable loader secure feature.
        """

        if not self.os.is_x86():
@ -579,10 +581,12 @@ class Guest(XMLBuilder):
        if "secboot" not in self.os.loader:
            return

-        if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM):
+        if (not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM) or
+            not self.conn.check_support(self.conn.SUPPORT_DOMAIN_LOADER_SECURE)):
            return

        self.features.smm = True
+        self.os.loader_secure = True
        self.os.machine = "q35"

    ###################