Some VMware guests have a boolean uefi.secureBoot.enabled. If found,
and it's set to "TRUE", and if it's a UEFI guest, then add this clause
into the domain XML:
<os firmware='efi'>
<firmware>
<feature enabled='yes' name='enrolled-keys'/>
<feature enabled='yes' name='secure-boot'/>
</firmware>
</os>
This approximates the meaning of this VMware flag.
Signed-off-by: Richard W.M. Jones <rjones(a)redhat.com>
Fixes:
https://issues.redhat.com/browse/RHEL-67836
---
src/vmx/vmx.c | 22 ++++++++++++++++++++++
tests/vmx2xmldata/esx-in-the-wild-12.xml | 4 ++++
2 files changed, 26 insertions(+)
diff --git a/src/vmx/vmx.c b/src/vmx/vmx.c
index 132e54e15f..23a8a35360 100644
--- a/src/vmx/vmx.c
+++ b/src/vmx/vmx.c
@@ -1387,6 +1387,7 @@ virVMXParseConfig(virVMXContext *ctx,
char *sched_cpu_shares = NULL;
char *guestOS = NULL;
bool smbios_reflecthost = false;
+ bool uefi_secureboot = false;
int controller;
int bus;
int port;
@@ -1963,6 +1964,27 @@ virVMXParseConfig(virVMXContext *ctx,
}
}
+ /* vmx:uefi.secureBoot.enabled */
+ if (virVMXGetConfigBoolean(conf, "uefi.secureBoot.enabled",
+ &uefi_secureboot, false, true) < 0) {
+ goto cleanup;
+ }
+ if (uefi_secureboot &&
+ def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_EFI) {
+ int *features = def->os.firmwareFeatures;
+
+ if (!features) {
+ features = g_new0(int, VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_LAST);
+ def->os.firmwareFeatures = features;
+ }
+ /* Just set both to true, as VMware doesn't have any concept
+ * of the two features separately.
+ */
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] =
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] =
+ VIR_TRISTATE_BOOL_YES;
+ }
+
if (virDomainDefPostParse(def, VIR_DOMAIN_DEF_PARSE_ABI_UPDATE,
xmlopt, NULL) < 0)
goto cleanup;
diff --git a/tests/vmx2xmldata/esx-in-the-wild-12.xml
b/tests/vmx2xmldata/esx-in-the-wild-12.xml
index 42184501d0..c5aad90677 100644
--- a/tests/vmx2xmldata/esx-in-the-wild-12.xml
+++ b/tests/vmx2xmldata/esx-in-the-wild-12.xml
@@ -9,6 +9,10 @@
</cputune>
<os firmware='efi'>
<type arch='x86_64'>hvm</type>
+ <firmware>
+ <feature enabled='yes' name='enrolled-keys'/>
+ <feature enabled='yes' name='secure-boot'/>
+ </firmware>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
--
2.46.0