Introduce @secure attribute to os loader element

This element will control secure boot implemented by some
firmwares. If the firmware used in <loader/> does support the
feature we must tell it to the underlying hypervisor. However, we
can't know whether loader does support it or not just by looking
at the file. Therefore we have to have an attribute to the
element where users can tell us whether the firmware is secure
boot enabled or not.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

docs/formatdomain.html.in

@@ -102,7 +102,7 @@
   ...
   <os>
     <type>hvm</type>
-    <loader readonly='yes' type='rom'>/usr/lib/xen/boot/hvmloader</loader>
+    <loader readonly='yes' secure='no' type='rom'>/usr/lib/xen/boot/hvmloader</loader>
     <nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/nvram/guest_VARS.fd</nvram>
     <boot dev='hd'/>
     <boot dev='cdrom'/>
@@ -140,7 +140,10 @@
         <code>pflash</code>. It tells the hypervisor where in the guest
         memory the file should be mapped.  For instance, if the loader
         path points to an UEFI image, <code>type</code> should be
-        <code>pflash</code>.</dd>
+        <code>pflash</code>. Moreover, some firmwares may
+        implement the Secure boot feature. Attribute
+        <code>secure</code> can be used then to control it.
+        <span class="since">Since 2.1.0</span></dd>
       <dt><code>nvram</code></dt>
       <dd>Some UEFI firmwares may want to use a non-volatile memory to store
         some variables. In the host, this is represented as a file and the

docs/schemas/domaincommon.rng

@@ -259,6 +259,14 @@
                 </choice>
               </attribute>
             </optional>
+            <optional>
+              <attribute name="secure">
+                <choice>
+                  <value>yes</value>
+                  <value>no</value>
+                </choice>
+              </attribute>
+            </optional>
             <optional>
               <attribute name="type">
                 <choice>

src/conf/domain_conf.c

@@ -15325,9 +15325,11 @@ virDomainLoaderDefParseXML(xmlNodePtr node,
 {
     int ret = -1;
     char *readonly_str = NULL;
+    char *secure_str = NULL;
     char *type_str = NULL;
 
     readonly_str = virXMLPropString(node, "readonly");
+    secure_str = virXMLPropString(node, "secure");
     type_str = virXMLPropString(node, "type");
     loader->path = (char *) xmlNodeGetContent(node);
 
@@ -15338,6 +15340,13 @@ virDomainLoaderDefParseXML(xmlNodePtr node,
         goto cleanup;
     }
 
+    if (secure_str &&
+        (loader->secure = virTristateBoolTypeFromString(secure_str)) <= 0) {
+        virReportError(VIR_ERR_XML_DETAIL,
+                       _("unknown secure value: %s"), secure_str);
+        goto cleanup;
+    }
+
     if (type_str) {
         int type;
         if ((type = virDomainLoaderTypeFromString(type_str)) < 0) {
@@ -15351,6 +15360,7 @@ virDomainLoaderDefParseXML(xmlNodePtr node,
     ret = 0;
  cleanup:
     VIR_FREE(readonly_str);
+    VIR_FREE(secure_str);
     VIR_FREE(type_str);
     return ret;
 }
@@ -22551,6 +22561,7 @@ virDomainLoaderDefFormat(virBufferPtr buf,
                          virDomainLoaderDefPtr loader)
 {
     const char *readonly = virTristateBoolTypeToString(loader->readonly);
+    const char *secure = virTristateBoolTypeToString(loader->secure);
     const char *type = virDomainLoaderTypeToString(loader->type);
 
     virBufferAddLit(buf, "<loader");
@@ -22558,6 +22569,9 @@ virDomainLoaderDefFormat(virBufferPtr buf,
     if (loader->readonly)
         virBufferAsprintf(buf, " readonly='%s'", readonly);
 
+    if (loader->secure)
+        virBufferAsprintf(buf, " secure='%s'", secure);
+
     virBufferAsprintf(buf, " type='%s'>", type);
 
     virBufferEscapeString(buf, "%s</loader>\n", loader->path);

src/conf/domain_conf.h

@@ -1735,6 +1735,7 @@ struct _virDomainLoaderDef {
     char *path;
     int readonly;   /* enum virTristateBool */
     virDomainLoader type;
+    int secure;     /* enum virTristateBool */
     char *nvram;    /* path to non-volatile RAM */
     char *templt;   /* user override of path to master nvram */
 };

tests/qemuxml2argvdata/qemuxml2argv-bios-nvram-secure.xml

@@ -0,0 +1,41 @@
+<domain type='qemu'>
+  <name>test-bios</name>
+  <uuid>362d1fc1-df7d-193e-5c18-49a71bd1da66</uuid>
+  <memory unit='KiB'>1048576</memory>
+  <currentMemory unit='KiB'>1048576</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-q35-2.5'>hvm</type>
+    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
+    <nvram>/usr/share/OVMF/OVMF_VARS.fd</nvram>
+    <boot dev='hd'/>
+    <bootmenu enable='yes'/>
+  </os>
+  <features>
+    <acpi/>
+    <smm state='on'/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <disk type='block' device='disk'>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='sda' bus='scsi'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='scsi' index='0'/>
+    <controller type='pci' index='0' model='pcie-root'/>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>