From: Mike Yuan
Date: Thu, 12 Feb 2026 01:58:35 +0000 (+0100)
Subject: vmspawn: clean up OVMF secure boot support check a bit
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f04023d35f3ec9931563088d5309087472041260;p=thirdparty%2Fsystemd.git
vmspawn: clean up OVMF secure boot support check a bit
find_ovmf_config() would do filtering based on arg_secure_boot already, hence the mismatch can only occur if we're using user-specified firmware. So be explicit about this in log.
---
diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index e26e8244004..d328bd2cb43 100644
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -1915,6 +1915,16 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 if (r < 0)
 return log_error_errno(r, "Failed to find OVMF config: %m");
 
+ if (arg_secure_boot > 0 && !ovmf_config->supports_sb) {
+ assert(arg_firmware);
+
+ return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE),
+ "Secure Boot requested, but supplied OVMF firmware blob doesn't support it.");
+ }
+
+ if (arg_secure_boot < 0)
+ log_debug("Using OVMF firmware %s Secure Boot support.", ovmf_config->supports_sb ? "with" : "without");
+
 _cleanup_(machine_bind_user_context_freep) MachineBindUserContext *bind_user_context = NULL;
 r = machine_bind_user_prepare(
 /* directory= */ NULL,
@@ -1931,11 +1941,6 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 if (r < 0)
 return r;
 
- /* only warn if the user hasn't disabled secureboot */
- if (!ovmf_config->supports_sb && arg_secure_boot)
- log_warning("Couldn't find OVMF firmware blob with Secure Boot support, "
- "falling back to OVMF firmware blobs without Secure Boot support.");
-
 _cleanup_free_ char *machine = NULL;
 const char *shm = arg_directory || arg_runtime_mounts.n_mounts != 0 ? ",memory-backend=mem" : "";
 const char *hpet = ARCHITECTURE_SUPPORTS_HPET ? ",hpet=off" : "";
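Review bot: In the `arg_secure_boot < 0` branch, a firmware without Secure Boot support is now reported only through `log_debug()`, while the `log_warning()` removed in the second hunk fired for any non-zero `arg_secure_boot`, which appears to include the auto value. An operator running with default log levels therefore no longer sees that the VM starts without Secure Boot. Keeping the negative case visible would preserve that signal, for example `log_full(ovmf_config->supports_sb ? LOG_DEBUG : LOG_NOTICE, "Using OVMF firmware %s Secure Boot support.", ovmf_config->supports_sb ? "with" : "without");`. The `assert(arg_firmware);` line relies on an invariant stated only in the commit message, so a comment such as `/* find_ovmf_config() already filters on arg_secure_boot, so only user-supplied firmware can reach this */` would record it in the code. run_virtual_machine() starts and ends outside the hunk.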