The secure feature actually enforce the secure boot if Secure Boot Mode is configured.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1387479
Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx>
---
 tests/cli-test-xml/compare/virt-install-boot-uefi.xml | 2 +-
 virtManager/domain.py | 2 +-
 virtinst/guest.py | 10 +++++++---
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/tests/cli-test-xml/compare/virt-install-boot-uefi.xml b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
index e0f2089f..06f83056 100644
--- a/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
+++ b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
@@ -6,7 +6,7 @@
 <vcpu>1</vcpu>
 <os>
 <type arch="x86_64" machine="q35">hvm</type>
- <loader readonly="yes" type="pflash">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
+ <loader readonly="yes" type="pflash" secure="yes">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
 <boot dev="hd"/>
 </os>
 <features>
diff --git a/virtManager/domain.py b/virtManager/domain.py
index 6fb10266..db64b201 100644
--- a/virtManager/domain.py
+++ b/virtManager/domain.py
@@ -698,7 +698,7 @@ class vmmDomain(vmmLibvirtObject):
 guest.os.loader = loader
 guest.os.loader_type = "pflash"
 guest.os.loader_ro = True
- guest.check_uefi_smm()
+ guest.check_uefi_secure()
 if nvram != _SENTINEL:
 guest.os.nvram = nvram
diff --git a/virtinst/guest.py b/virtinst/guest.py
index d6dd5aa6..2a268465 100644
--- a/virtinst/guest.py
+++ b/virtinst/guest.py
@@ -561,16 +561,18 @@ class Guest(XMLBuilder): self.os.loader_type = "pflash" self.os.loader = path - self.check_uefi_smm() + self.check_uefi_secure() - def check_uefi_smm(self): + def check_uefi_secure(self): """ If the firmware name contains "secboot" it is probably build with SMM feature required so we need to enable that feature, otherwise the firmware may fail to load. True secure boot is currently supported only on x86 architecture and with q35 with SMM feature enabled so change the machine to q35 as well. + To actually enforce the secure boot for the guest if Secure Boot + Mode is configured we need to enable loader secure feature. """ if not self.os.is_x86(): @@ -579,10 +581,12 @@ class Guest(XMLBuilder): if "secboot" not in self.os.loader: return - if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM): + if (not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM) or + not self.conn.check_support(self.conn.SUPPORT_DOMAIN_LOADER_SECURE)): return self.features.smm = True + self.os.loader_secure = True self.os.machine = "q35" ################### -- 2.13.0 _______________________________________________ virt-tools-list mailing list virt-tools-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/virt-tools-list
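Review bot: The combined capability test in the second virtinst/guest.py hunk makes `check_uefi_secure` return early when either SMM or loader `secure` is unsupported. A connection that reports SMM but not the loader attribute would therefore no longer get `features.smm` and the q35 machine type that the pre-patch code set; whether such a libvirt version exists is not visible on this page. The early return is also silent, so a guest pointed at a "secboot" firmware can be defined without `secure="yes"` and nothing tells the caller that Secure Boot is not being enforced. Testing the two capabilities separately keeps the old SMM behaviour, and the skipped case deserves a log line plus a docstring sentence saying that enforcement is applied only when the connection supports it. The method body starts in the previous hunk and the docstring wording there would need the same update.

```python
        # … unchanged: x86 and "secboot" guards …
        if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM):
            return

        self.features.smm = True
        self.os.machine = "q35"
        # Per the commit message, the loader "secure" attribute is what
        # enforces Secure Boot; set it only where the connection supports it
        # so SMM-only connections keep their previous configuration.
        if self.conn.check_support(self.conn.SUPPORT_DOMAIN_LOADER_SECURE):
            self.os.loader_secure = True
```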