The reason why it was in postparse in the first place was so
that we could could automatically enable the secure-boot feature
in some cases, but that no longer happens so we can finally move
it to the proper location.
Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
src/conf/domain_postparse.c | 10 ----------
src/conf/domain_validate.c | 8 ++++++++
2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/conf/domain_postparse.c b/src/conf/domain_postparse.c
index 79862a72cd..2832705d0f 100644
--- a/src/conf/domain_postparse.c
+++ b/src/conf/domain_postparse.c
@@ -93,16 +93,6 @@ virDomainDefPostParseMemory(virDomainDef *def,
static int
virDomainDefPostParseOs(virDomainDef *def)
{
- if (def->os.firmwareFeatures &&
- def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) {
-
- if (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_NO) {
- virReportError(VIR_ERR_XML_DETAIL, "%s",
- _("firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled"));
- return -1;
- }
- }
-
if (!def->os.loader)
return 0;
diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index 6991cf1dd3..f208c0c531 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -1606,6 +1606,14 @@ virDomainDefOSValidate(const virDomainDef *def,
return -1;
}
+ if (def->os.firmwareFeatures &&
+ def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES &&
+ def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_NO) {
+ virReportError(VIR_ERR_XML_DETAIL, "%s",
+ _("firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled"));
+ return -1;
+ }
+
if (!loader)
return 0;
--
2.39.2
