From 7b73e681a24fb2542e135ce4df2d540f52f1bdd2 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Mon, 18 Nov 2024 13:53:48 +0000
Subject: [PATCH] vmx: Get the VMware boolean uefi.secureBoot.enabled
Some VMware guests have a boolean uefi.secureBoot.enabled. If found, and it's set to "TRUE", and if it's a UEFI guest, then add this clause into the domain XML: This approximates the meaning of this VMware flag.
Signed-off-by: Richard W.M. Jones
Fixes: https://issues.redhat.com/browse/RHEL-67836
Reviewed-by: Michal Privoznik
---
 src/vmx/vmx.c | 22 ++++++++++++++++++++++
 tests/vmx2xmldata/esx-in-the-wild-12.xml | 4 ++++
 2 files changed, 26 insertions(+)
diff --git a/src/vmx/vmx.c b/src/vmx/vmx.c
index 132e54e15f..23a8a35360 100644
--- a/src/vmx/vmx.c
+++ b/src/vmx/vmx.c
@@ -1387,6 +1387,7 @@ virVMXParseConfig(virVMXContext *ctx,
 char *sched_cpu_shares = NULL;
 char *guestOS = NULL;
 bool smbios_reflecthost = false;
+ bool uefi_secureboot = false;
 int controller;
 int bus;
 int port;
@@ -1963,6 +1964,27 @@ virVMXParseConfig(virVMXContext *ctx,
 }
 }
+ /* vmx:uefi.secureBoot.enabled */
+ if (virVMXGetConfigBoolean(conf, "uefi.secureBoot.enabled",
+ &uefi_secureboot, false, true) < 0) {
+ goto cleanup;
+ }
+ if (uefi_secureboot &&
+ def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_EFI) {
+ int *features = def->os.firmwareFeatures;
+
+ if (!features) {
+ features = g_new0(int, VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_LAST);
+ def->os.firmwareFeatures = features;
+ }
+ /* Just set both to true, as VMware doesn't have any concept
+ * of the two features separately.
+ */
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] =
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] =
+ VIR_TRISTATE_BOOL_YES;
+ }
+
 if (virDomainDefPostParse(def, VIR_DOMAIN_DEF_PARSE_ABI_UPDATE, xmlopt, NULL) < 0) goto cleanup;
diff --git a/tests/vmx2xmldata/esx-in-the-wild-12.xml b/tests/vmx2xmldata/esx-in-the-wild-12.xml
index 42184501d0..c5aad90677 100644
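Review bot: In the second hunk of src/vmx/vmx.c, a guest with `uefi.secureBoot.enabled` set to TRUE whose `def->os.firmware` is not `VIR_DOMAIN_OS_DEF_FIRMWARE_EFI` falls through the second `if` silently, so the converted domain loses its Secure Boot setting and nothing records the drop. An `else if (uefi_secureboot)` branch that logs it, for example `VIR_WARN("uefi.secureBoot.enabled is set but the guest firmware is not EFI; ignoring");` (assuming the file's logging macros are usable at this point), would make the downgrade visible to whoever audits the conversion. An explicit FALSE is also handled exactly like a missing key, leaving both features untouched rather than set to `VIR_TRISTATE_BOOL_NO`; if that is intended, a one-line comment saying so would help. virVMXParseConfig begins and ends outside the hunk, so how `def->os.firmware` is assigned earlier is not visible here.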
--- a/tests/vmx2xmldata/esx-in-the-wild-12.xml
+++ b/tests/vmx2xmldata/esx-in-the-wild-12.xml
@@ -9,6 +9,10 @@ hvm + + + + destroy