This combination doesn't make sense and so the firmware
autoselection logic will not be able to find a suitable firmware,
but it's more user-friendly to report a detailed error upfront.
Note that this check would ideally happen in the validate phase,
but if we moved it there we would no longer be able to
automatically enable secure-boot when enrolled-keys=yes. Since
the combination never resulted in a working configuration, the
chances of this causing real-world VMs to disappear are
extremely low.
Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
src/conf/domain_conf.c | 7 +++++++
...enrolled-keys-no-secboot.x86_64-latest.err | 1 +
...ware-auto-efi-enrolled-keys-no-secboot.xml | 21 +++++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
4 files changed, 30 insertions(+)
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err
create mode 100644 tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index d88d352fb6..0c6504348c 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -4879,6 +4879,13 @@ virDomainDefPostParseOs(virDomainDef *def)
if (def->os.firmwareFeatures &&
def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) {
+ if (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_NO) {
+ virReportError(VIR_ERR_XML_DETAIL, "%s",
+ _("firmware feature 'enrolled-keys' cannot be enabled when "
+ "firmware feature 'secure-boot' is disabled"));
+ return -1;
+ }
+
/* For all non-broken firmware builds, enrolled-keys implies
* secure-boot, and having the Secure Boot keys in the NVRAM file
* when the firmware doesn't support the Secure Boot feature doesn't
diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err
new file mode 100644
index 0000000000..989d3dbf5a
--- /dev/null
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err
@@ -0,0 +1 @@
+firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled
diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml
new file mode 100644
index 0000000000..722793684c
--- /dev/null
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml
@@ -0,0 +1,21 @@
+<domain type='kvm'>
+ <name>fedora</name>
+ <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+ <memory unit='KiB'>8192</memory>
+ <vcpu placement='static'>1</vcpu>
+ <os firmware='efi'>
+ <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='yes' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
+ </os>
+ <features>
+ <acpi/>
+ </features>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <controller type='usb' model='none'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index d21b2d9154..b01ad8d4e9 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1224,6 +1224,7 @@ mymain(void)
DO_TEST_CAPS_LATEST("firmware-auto-efi-no-secboot");
DO_TEST_CAPS_LATEST("firmware-auto-efi-enrolled-keys");
DO_TEST_CAPS_LATEST("firmware-auto-efi-no-enrolled-keys");
+ DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-enrolled-keys-no-secboot");
DO_TEST_CAPS_ARCH_LATEST("firmware-auto-efi-aarch64", "aarch64");
DO_TEST_NOCAPS("clock-utc");
--
2.35.3
