conf: Reject enrolled-keys=yes with secure-boot=no

This combination doesn't make sense and so the firmware autoselection logic will not be able to find a suitable firmware, but it's more user-friendly to report a detailed error upfront. Note that this check would ideally happen in the validate phase, but if we moved it there we would no longer be able to automatically enable secure-boot when enrolled-keys=yes. Since the combination never resulted in a working configuration, the chances of this causing real-world VMs to disappear are extremely low. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2024-09-30 11:25:47 +00:00 · 2022-06-15 11:30:48 +02:00 · 2022-06-15 11:30:48 +02:00 · 161b31f958
commit 161b31f958
parent c98910d011
4 changed files with 30 additions and 0 deletions
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@ -4879,6 +4879,13 @@ virDomainDefPostParseOs(virDomainDef *def)
    if (def->os.firmwareFeatures &&
        def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) {

+        if (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_NO) {
+            virReportError(VIR_ERR_XML_DETAIL, "%s",
+                           _("firmware feature 'enrolled-keys' cannot be enabled when "
+                             "firmware feature 'secure-boot' is disabled"));
+            return -1;
+        }
+
        /* For all non-broken firmware builds, enrolled-keys implies
         * secure-boot, and having the Secure Boot keys in the NVRAM file
         * when the firmware doesn't support the Secure Boot feature doesn't
--- a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.x86_64-latest.err
@ -0,0 +1 @@
+firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled
--- a/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-enrolled-keys-no-secboot.xml
@ -0,0 +1,21 @@
+<domain type='kvm'>
+  <name>fedora</name>
+  <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid>
+  <memory unit='KiB'>8192</memory>
+  <vcpu placement='static'>1</vcpu>
+  <os firmware='efi'>
+    <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
+    <firmware>
+      <feature enabled='yes' name='enrolled-keys'/>
+      <feature enabled='no' name='secure-boot'/>
+    </firmware>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <controller type='usb' model='none'/>
+    <memballoon model='none'/>
+  </devices>
+</domain>
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@ -1224,6 +1224,7 @@ mymain(void)
    DO_TEST_CAPS_LATEST("firmware-auto-efi-no-secboot");
    DO_TEST_CAPS_LATEST("firmware-auto-efi-enrolled-keys");
    DO_TEST_CAPS_LATEST("firmware-auto-efi-no-enrolled-keys");
+    DO_TEST_CAPS_LATEST_PARSE_ERROR("firmware-auto-efi-enrolled-keys-no-secboot");
    DO_TEST_CAPS_ARCH_LATEST("firmware-auto-efi-aarch64", "aarch64");

    DO_TEST_NOCAPS("clock-utc");
				`@ -0,0 +1 @@`
				`firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled`