conf: Enable secure-boot when enrolled-keys is enabled
authorAndrea Bolognani <abologna@redhat.com>
Wed, 15 Jun 2022 08:36:42 +0000 (10:36 +0200)
committerAndrea Bolognani <abologna@redhat.com>
Fri, 1 Jul 2022 13:10:27 +0000 (15:10 +0200)
The latter doesn't make sense without the former, so make that
visible in the XML.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
src/conf/domain_conf.c
tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml

index 9b82f391c477c7b7ef3401e15f95dce64d5d16d1..3977b5040f67cbdb09fd900d5af611542d8d1201 100644 (file)
@@ -4876,6 +4876,16 @@ virDomainDefPostParseMemory(virDomainDef *def,
 static void
 virDomainDefPostParseOs(virDomainDef *def)
 {
+    if (def->os.firmwareFeatures &&
+        def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) {
+
+        /* For all non-broken firmware builds, enrolled-keys implies
+         * secure-boot, and having the Secure Boot keys in the NVRAM file
+         * when the firmware doesn't support the Secure Boot feature doesn't
+         * make sense anyway. Reflect this fact explicitly in the XML */
+        def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] = VIR_TRISTATE_BOOL_YES;
+    }
+
     if (!def->os.loader)
         return;
 
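Review bot: The new block unconditionally assigns `VIR_TRISTATE_BOOL_YES` to the `SECURE_BOOT` slot, so a domain XML that explicitly pairs `<feature enabled='no' name='secure-boot'/>` with `enrolled-keys='yes'` is silently rewritten to secure-boot=yes instead of being reported as contradictory. Because virDomainDefPostParseOs is declared `static void`, the conflict cannot be surfaced from here; a check for `VIR_TRISTATE_BOOL_NO` in the validation pass (presumably the OS validation in domain_validate.c) would turn the silent override into an error the user actually sees, which is easier to debug than a guest that unexpectedly refuses to boot unsigned binaries. At minimum the comment above the assignment should state the policy, e.g. `/* An explicit secure-boot=no is deliberately overridden here; the contradiction is not reported. */`. The function's body continues past the end of this hunk.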
index aa08caa4f701dca86e5849aeb9f172c19fa86592..8dcc741c1e1f65a8a2c9f098a9ad1d0414c3ed1e 100644 (file)
@@ -8,6 +8,7 @@
     <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
     <firmware>
       <feature enabled='yes' name='enrolled-keys'/>
+      <feature enabled='yes' name='secure-boot'/>
     </firmware>
     <boot dev='hd'/>
   </os>