Even when the user is not taking advantage of firmware
autoselection and instead manually providing all the necessary
information, in most cases they're still going to use firmware
builds that are provided by the OS vendor, are installed in
standard paths and come with a corresponding firmware
descriptor.
Similarly, even when the user is not guiding the autoselection
process by specifying the desired status of certain features
and instead is relying on the system-level descriptor priority
being set up correctly, libvirt will still ultimately decide to
use a specific descriptor, which includes information about the
firmware's features.
In both these cases, take the additional information that were
obtained from the firmware descriptor and reflect them back into
the domain XML, where they can be conveniently inspected by the
user and management applications alike.
Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
src/qemu/qemu_firmware.c | 86 ++++++++++++++++++-
...ware-auto-bios-stateless.x86_64-latest.xml | 4 +
.../firmware-auto-bios.x86_64-latest.xml | 4 +
...rmware-auto-efi-aarch64.aarch64-latest.xml | 4 +
...-efi-format-loader-qcow2.x86_64-latest.xml | 4 +
...o-efi-format-loader-raw.aarch64-latest.xml | 4 +
...-nvram-qcow2-network-nbd.x86_64-latest.xml | 3 +
...-format-nvram-qcow2-path.x86_64-latest.xml | 4 +
...o-efi-format-nvram-qcow2.x86_64-latest.xml | 4 +
...auto-efi-loader-insecure.x86_64-latest.xml | 4 +
...are-auto-efi-loader-path.x86_64-latest.xml | 4 +
...e-auto-efi-loader-secure.x86_64-latest.xml | 4 +
...uto-efi-no-enrolled-keys.x86_64-latest.xml | 1 +
...ware-auto-efi-no-secboot.x86_64-latest.xml | 1 +
...ware-auto-efi-nvram-file.x86_64-latest.xml | 4 +
...-efi-nvram-network-iscsi.x86_64-latest.xml | 3 +
...to-efi-nvram-network-nbd.x86_64-latest.xml | 3 +
.../firmware-auto-efi-nvram.x86_64-latest.xml | 4 +
...irmware-auto-efi-secboot.x86_64-latest.xml | 1 +
...irmware-auto-efi-smm-off.x86_64-latest.xml | 4 +
...mware-auto-efi-stateless.x86_64-latest.xml | 4 +
.../firmware-auto-efi.x86_64-latest.xml | 4 +
...manual-efi-acpi-aarch64.aarch64-latest.xml | 6 +-
...ware-manual-efi-acpi-q35.x86_64-latest.xml | 6 +-
...manual-efi-loader-secure.x86_64-latest.xml | 6 +-
...ual-efi-no-enrolled-keys.x86_64-latest.xml | 6 +-
...re-manual-efi-no-secboot.x86_64-latest.xml | 6 +-
...nual-efi-noacpi-aarch64.aarch64-latest.xml | 6 +-
...re-manual-efi-nvram-file.x86_64-latest.xml | 6 +-
...-efi-nvram-network-iscsi.x86_64-latest.xml | 5 +-
...al-efi-nvram-network-nbd.x86_64-latest.xml | 5 +-
...anual-efi-nvram-template.x86_64-latest.xml | 6 +-
...mware-manual-efi-secboot.x86_64-latest.xml | 6 +-
.../firmware-manual-efi.x86_64-latest.xml | 6 +-
.../pvpanic-pci-aarch64.aarch64-latest.xml | 4 +
...-pci-no-address-aarch64.aarch64-latest.xml | 4 +
.../virtio-iommu-aarch64.aarch64-latest.xml | 4 +
37 files changed, 225 insertions(+), 15 deletions(-)
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index d906d8bc86..7a0b04eb1a 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1011,6 +1011,25 @@ qemuFirmwareOSInterfaceTypeFromOsDefFirmware(virDomainOsDefFirmware fw)
}
+static virDomainOsDefFirmware
+qemuFirmwareOSInterfaceTypeToOsDefFirmware(qemuFirmwareOSInterface interface)
+{
+ switch (interface) {
+ case QEMU_FIRMWARE_OS_INTERFACE_BIOS:
+ return VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS;
+ case QEMU_FIRMWARE_OS_INTERFACE_UEFI:
+ return VIR_DOMAIN_OS_DEF_FIRMWARE_EFI;
+ case QEMU_FIRMWARE_OS_INTERFACE_UBOOT:
+ case QEMU_FIRMWARE_OS_INTERFACE_OPENFIRMWARE:
+ case QEMU_FIRMWARE_OS_INTERFACE_NONE:
+ case QEMU_FIRMWARE_OS_INTERFACE_LAST:
+ break;
+ }
+
+ return VIR_DOMAIN_OS_DEF_FIRMWARE_NONE;
+}
+
+
static qemuFirmwareOSInterface
qemuFirmwareOSInterfaceTypeFromOsDefLoaderType(virDomainLoader type)
{
@@ -1071,6 +1090,46 @@ qemuFirmwareEnsureNVRAM(virDomainDef *def,
}
+
+/**
+ * qemuFirmwareSetOsFeatures:
+ * @def: domain definition
+ * @secureBoot: whether the 'secure-boot' feature is enabled
+ * @enrolledKeys: whether the 'enrolled-keys' feature is enabled
+ *
+ * Set firmware features for @def to match those declared by the JSON
+ * descriptor that was found to match autoselection requirements.
+ */
+static void
+qemuFirmwareSetOsFeatures(virDomainDef *def,
+ bool secureBoot,
+ bool enrolledKeys)
+{
+ int *features = def->os.firmwareFeatures;
+ virDomainLoaderDef *loader = def->os.loader;
+
+ if (!features) {
+ features = g_new0(int, VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_LAST);
+ def->os.firmwareFeatures = features;
+ }
+
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] = virTristateBoolFromBool(secureBoot);
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] = virTristateBoolFromBool(enrolledKeys);
+
+ /* If the NVRAM template is blank at this point and we're not dealing
+ * with a stateless firmware image, then it means that the NVRAM file
+ * is not local. In this scenario we can't really make any assumptions
+ * about its contents, so it's preferable to leave the state of the
+ * enrolled-keys feature unspecified */
+ if (loader &&
+ loader->type == VIR_DOMAIN_LOADER_TYPE_PFLASH &&
+ loader->stateless != VIR_TRISTATE_BOOL_YES &&
+ !loader->nvramTemplate) {
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] = VIR_TRISTATE_BOOL_ABSENT;
+ }
+}
+
+
#define VIR_QEMU_FIRMWARE_AMD_SEV_ES_POLICY (1 << 2)
@@ -1294,6 +1353,8 @@ qemuFirmwareEnableFeaturesModern(virQEMUDriverConfig *cfg,
const qemuFirmwareMappingMemory *memory = &fw->mapping.data.memory;
virDomainLoaderDef *loader = NULL;
virStorageFileFormat format;
+ bool hasSecureBoot = false;
+ bool hasEnrolledKeys = false;
size_t i;
switch (fw->mapping.device) {
@@ -1366,20 +1427,39 @@ qemuFirmwareEnableFeaturesModern(virQEMUDriverConfig *cfg,
def->os.loader->secure = VIR_TRISTATE_BOOL_YES;
break;
- case QEMU_FIRMWARE_FEATURE_NONE:
+ case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
+ hasSecureBoot = true;
+ break;
+
+ case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
+ hasEnrolledKeys = true;
+ break;
+
case QEMU_FIRMWARE_FEATURE_ACPI_S3:
case QEMU_FIRMWARE_FEATURE_ACPI_S4:
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
- case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
- case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
+ case QEMU_FIRMWARE_FEATURE_NONE:
case QEMU_FIRMWARE_FEATURE_LAST:
break;
}
}
+ if (!def->os.firmware) {
+ /* If a firmware type for autoselection was not already present,
+ * pick the first reasonable one from the descriptor list */
+ for (i = 0; i < fw->ninterfaces; i++) {
+ def->os.firmware = qemuFirmwareOSInterfaceTypeToOsDefFirmware(fw->interfaces[i]);
+ if (def->os.firmware)
+ break;
+ }
+ }
+ if (def->os.firmware) {
+ qemuFirmwareSetOsFeatures(def, hasSecureBoot, hasEnrolledKeys);
+ }
+
return 0;
}
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-bios-stateless.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-bios-stateless.x86_64-latest.xml
index d1ecd8593f..e69f8c01d0 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-bios-stateless.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-bios-stateless.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='bios'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader type='rom' stateless='yes'>/usr/share/seabios/bios-256k.bin</loader>
<boot dev='hd'/>
</os>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-bios.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-bios.x86_64-latest.xml
index 68e14d3e4b..ffff5a79e2 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-bios.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-bios.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='bios'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader type='rom'>/usr/share/seabios/bios-256k.bin</loader>
<boot dev='hd'/>
</os>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-aarch64.aarch64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-aarch64.aarch64-latest.xml
index 6da924793b..5779eca7a0 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-aarch64.aarch64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-aarch64.aarch64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='aarch64' machine='virt-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/AAVMF/AAVMF_CODE.qcow2</loader>
<nvram template='/usr/share/AAVMF/AAVMF_VARS.qcow2' format='qcow2'>/var/lib/libvirt/qemu/nvram/guest_VARS.qcow2</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-loader-qcow2.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-loader-qcow2.x86_64-latest.xml
index 9f0f3509f2..310ee6ec73 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-loader-qcow2.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-loader-qcow2.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/OVMF/OVMF_CODE.qcow2</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.qcow2' format='qcow2'>/var/lib/libvirt/qemu/nvram/guest_VARS.qcow2</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-loader-raw.aarch64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-loader-raw.aarch64-latest.xml
index 8ab29edf42..8eb6086e40 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-loader-raw.aarch64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-loader-raw.aarch64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='aarch64' machine='virt-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/AAVMF/AAVMF_CODE.fd</loader>
<nvram template='/usr/share/AAVMF/AAVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2-network-nbd.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2-network-nbd.x86_64-latest.xml
index 42b044d83f..7ea870bbcd 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2-network-nbd.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2-network-nbd.x86_64-latest.xml
@@ -6,6 +6,9 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/OVMF/OVMF_CODE.qcow2</loader>
<nvram type='network' format='qcow2'>
<source protocol='nbd' name='bar'>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2-path.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2-path.x86_64-latest.xml
index 6b53262dc7..6cf33b0c76 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2-path.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2-path.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/OVMF/OVMF_CODE.qcow2</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.qcow2' format='qcow2'>/path/to/guest_VARS.qcow2</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2.x86_64-latest.xml
index 9f0f3509f2..310ee6ec73 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-format-nvram-qcow2.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/OVMF/OVMF_CODE.qcow2</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.qcow2' format='qcow2'>/var/lib/libvirt/qemu/nvram/guest_VARS.qcow2</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-insecure.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-insecure.x86_64-latest.xml
index 55da8ee12f..7717677c4b 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-insecure.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-insecure.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' secure='no' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-path.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-path.x86_64-latest.xml
index 3977ddc0c7..6f4bf4b5bb 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-path.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-path.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-secure.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-secure.x86_64-latest.xml
index 1b1b9352c1..90c5040ca6 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-secure.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-loader-secure.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='yes' name='enrolled-keys'/>
+ <feature enabled='yes' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml
index 78b3b81506..e5caf31c4e 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml
@@ -8,6 +8,7 @@
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
<firmware>
<feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='yes' name='secure-boot'/>
</firmware>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-no-secboot.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-no-secboot.x86_64-latest.xml
index 57e63a079c..6f4bf4b5bb 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-no-secboot.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-no-secboot.x86_64-latest.xml
@@ -7,6 +7,7 @@
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
<firmware>
+ <feature enabled='no' name='enrolled-keys'/>
<feature enabled='no' name='secure-boot'/>
</firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-file.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-file.x86_64-latest.xml
index 8117f02f15..1418ddbfcd 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-file.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-file.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd' type='file'>
<source file='/path/to/guest_VARS.fd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-network-iscsi.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-network-iscsi.x86_64-latest.xml
index d3ef57f682..ec672780bb 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-network-iscsi.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-network-iscsi.x86_64-latest.xml
@@ -6,6 +6,9 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram type='network'>
<source protocol='iscsi' name='iqn.2013-07.com.example:iscsi-nopool'>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-network-nbd.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-network-nbd.x86_64-latest.xml
index 6d0d112dd1..3f59dc4d61 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-network-nbd.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram-network-nbd.x86_64-latest.xml
@@ -6,6 +6,9 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram type='network'>
<source protocol='nbd' name='bar'>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram.x86_64-latest.xml
index d293cd3371..b7dc8fa140 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-nvram.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='yes' name='enrolled-keys'/>
+ <feature enabled='yes' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-secboot.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-secboot.x86_64-latest.xml
index 6dcc5ea88d..90c5040ca6 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-secboot.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-secboot.x86_64-latest.xml
@@ -7,6 +7,7 @@
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
<firmware>
+ <feature enabled='yes' name='enrolled-keys'/>
<feature enabled='yes' name='secure-boot'/>
</firmware>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-smm-off.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-smm-off.x86_64-latest.xml
index 40d8b8815b..4ab4d9587c 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-smm-off.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-smm-off.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-stateless.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-stateless.x86_64-latest.xml
index 7939dc666b..b1aa817a56 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-stateless.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-stateless.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' stateless='yes'>/usr/share/OVMF/OVMF.sev.fd</loader>
<boot dev='hd'/>
</os>
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi.x86_64-latest.xml
index 1b1b9352c1..90c5040ca6 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi.x86_64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='yes' name='enrolled-keys'/>
+ <feature enabled='yes' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-acpi-aarch64.aarch64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-acpi-aarch64.aarch64-latest.xml
index 34257e4f80..318ffdf93c 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-acpi-aarch64.aarch64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-acpi-aarch64.aarch64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='aarch64' machine='virt-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/AAVMF/AAVMF_CODE.fd</loader>
<nvram template='/usr/share/AAVMF/AAVMF_VARS.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-acpi-q35.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-acpi-q35.x86_64-latest.xml
index ff7793a377..ac58a278f9 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-acpi-q35.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-acpi-q35.x86_64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-loader-secure.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-loader-secure.x86_64-latest.xml
index aa90d3e2f2..69b6d91e99 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-loader-secure.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-loader-secure.x86_64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='yes' name='enrolled-keys'/>
+ <feature enabled='yes' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-no-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-no-enrolled-keys.x86_64-latest.xml
index 4caa7950ce..2e287b8cd1 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-no-enrolled-keys.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-no-enrolled-keys.x86_64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='yes' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-no-secboot.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-no-secboot.x86_64-latest.xml
index ff7793a377..ac58a278f9 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-no-secboot.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-no-secboot.x86_64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-noacpi-aarch64.aarch64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-noacpi-aarch64.aarch64-latest.xml
index 1f642cd179..2b4dff8800 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-noacpi-aarch64.aarch64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-noacpi-aarch64.aarch64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='aarch64' machine='virt-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/AAVMF/AAVMF_CODE.fd</loader>
<nvram template='/usr/share/AAVMF/AAVMF_VARS.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-file.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-file.x86_64-latest.xml
index cdb5d2b31a..1418ddbfcd 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-file.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-file.x86_64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd' type='file'>
<source file='/path/to/guest_VARS.fd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-network-iscsi.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-network-iscsi.x86_64-latest.xml
index 5a2e8715a0..ec672780bb 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-network-iscsi.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-network-iscsi.x86_64-latest.xml
@@ -4,8 +4,11 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram type='network'>
<source protocol='iscsi' name='iqn.2013-07.com.example:iscsi-nopool'>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-network-nbd.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-network-nbd.x86_64-latest.xml
index 208257bb5b..3f59dc4d61 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-network-nbd.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-network-nbd.x86_64-latest.xml
@@ -4,8 +4,11 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram type='network'>
<source protocol='nbd' name='bar'>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-template.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-template.x86_64-latest.xml
index 3b79af418a..dc4b8bb97f 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-template.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-nvram-template.x86_64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi-secboot.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi-secboot.x86_64-latest.xml
index aa90d3e2f2..69b6d91e99 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi-secboot.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi-secboot.x86_64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='yes' name='enrolled-keys'/>
+ <feature enabled='yes' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/firmware-manual-efi.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-manual-efi.x86_64-latest.xml
index ff6460d7b0..11d7623e7c 100644
--- a/tests/qemuxml2xmloutdata/firmware-manual-efi.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-manual-efi.x86_64-latest.xml
@@ -4,8 +4,12 @@
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<vcpu placement='static'>1</vcpu>
- <os>
+ <os firmware='efi'>
<type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/path/to/guest_VARS.fd</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/pvpanic-pci-aarch64.aarch64-latest.xml b/tests/qemuxml2xmloutdata/pvpanic-pci-aarch64.aarch64-latest.xml
index 50321aedd6..2a83ace748 100644
--- a/tests/qemuxml2xmloutdata/pvpanic-pci-aarch64.aarch64-latest.xml
+++ b/tests/qemuxml2xmloutdata/pvpanic-pci-aarch64.aarch64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='aarch64' machine='virt-6.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/AAVMF/AAVMF_CODE.qcow2</loader>
<nvram template='/usr/share/AAVMF/AAVMF_VARS.qcow2' format='qcow2'>/var/lib/libvirt/qemu/nvram/guest_VARS.qcow2</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/pvpanic-pci-no-address-aarch64.aarch64-latest.xml b/tests/qemuxml2xmloutdata/pvpanic-pci-no-address-aarch64.aarch64-latest.xml
index 9a25573614..d5ed9b23fe 100644
--- a/tests/qemuxml2xmloutdata/pvpanic-pci-no-address-aarch64.aarch64-latest.xml
+++ b/tests/qemuxml2xmloutdata/pvpanic-pci-no-address-aarch64.aarch64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='aarch64' machine='virt-6.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/AAVMF/AAVMF_CODE.qcow2</loader>
<nvram template='/usr/share/AAVMF/AAVMF_VARS.qcow2' format='qcow2'>/var/lib/libvirt/qemu/nvram/guest_VARS.qcow2</nvram>
<boot dev='hd'/>
diff --git a/tests/qemuxml2xmloutdata/virtio-iommu-aarch64.aarch64-latest.xml b/tests/qemuxml2xmloutdata/virtio-iommu-aarch64.aarch64-latest.xml
index d560259d87..589295e602 100644
--- a/tests/qemuxml2xmloutdata/virtio-iommu-aarch64.aarch64-latest.xml
+++ b/tests/qemuxml2xmloutdata/virtio-iommu-aarch64.aarch64-latest.xml
@@ -6,6 +6,10 @@
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='aarch64' machine='virt-6.0'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/AAVMF/AAVMF_CODE.qcow2</loader>
<nvram template='/usr/share/AAVMF/AAVMF_VARS.qcow2' format='qcow2'>/var/lib/libvirt/qemu/nvram/guest_VARS.qcow2</nvram>
<boot dev='hd'/>
--
2.39.2
