vmspawn: clean up OVMF secure boot support check a bit 40652/head
authorMike Yuan <me@yhndnzj.com>
Thu, 12 Feb 2026 01:58:35 +0000 (02:58 +0100)
committerMike Yuan <me@yhndnzj.com>
Fri, 20 Feb 2026 20:21:01 +0000 (21:21 +0100)
find_ovmf_config() already filters based on arg_secure_boot,
hence the mismatch can only occur if we're using
user-specified firmware. So be explicit about this in the log.

src/vmspawn/vmspawn.c

index e26e82440047b9cb791c026d03cc288858aa355e..d328bd2cb43277f07ee347e7dca2b74be4179116 100644 (file)
@@ -1915,6 +1915,16 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
         if (r < 0)
                 return log_error_errno(r, "Failed to find OVMF config: %m");
 
+        if (arg_secure_boot > 0 && !ovmf_config->supports_sb) {
+                assert(arg_firmware);
+
+                return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE),
+                                       "Secure Boot requested, but supplied OVMF firmware blob doesn't support it.");
+        }
+
+        if (arg_secure_boot < 0)
+                log_debug("Using OVMF firmware %s Secure Boot support.", ovmf_config->supports_sb ? "with" : "without");
+
         _cleanup_(machine_bind_user_context_freep) MachineBindUserContext *bind_user_context = NULL;
         r = machine_bind_user_prepare(
                         /* directory= */ NULL,
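Review bot: The `assert(arg_firmware)` in the new block encodes an invariant that is only explained in the commit message, not in the code: that find_ovmf_config() already filters candidates by arg_secure_boot, so a mismatch can only happen with user-supplied firmware; a one-line comment above the check would keep that visible to the next reader, e.g. `/* find_ovmf_config() already filters on arg_secure_boot, so a mismatch here is only possible with user-supplied firmware. */`. If arg_firmware holds the supplied path, naming it in the error would make the refusal actionable: `"Secure Boot requested, but supplied OVMF firmware blob '%s' doesn't support it.", arg_firmware`. The `> 0` / `< 0` comparisons imply arg_secure_boot is a tristate (auto/no/yes); noting that at the debug-log line, or documenting the fallback-to-no-Secure-Boot in the auto case, would make the downgrade explicit. run_virtual_machine() starts and ends outside this hunk.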
@@ -1931,11 +1941,6 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
         if (r < 0)
                 return r;
 
-        /* only warn if the user hasn't disabled secureboot */
-        if (!ovmf_config->supports_sb && arg_secure_boot)
-                log_warning("Couldn't find OVMF firmware blob with Secure Boot support, "
-                            "falling back to OVMF firmware blobs without Secure Boot support.");
-
         _cleanup_free_ char *machine = NULL;
         const char *shm = arg_directory || arg_runtime_mounts.n_mounts != 0 ? ",memory-backend=mem" : "";
         const char *hpet = ARCHITECTURE_SUPPORTS_HPET ? ",hpet=off" : "";