vmx: Get the VMware boolean uefi.secureBoot.enabled

Some VMware guests have a boolean uefi.secureBoot.enabled.  If found,
and it's set to "TRUE", and if it's a UEFI guest, then add this clause
into the domain XML:

  <os firmware='efi'>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
  </os>

This approximates the meaning of this VMware flag.

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: https://issues.redhat.com/browse/RHEL-67836
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Richard W.M. Jones 2024-11-18 13:53:48 +00:00 committed by Michal Privoznik
parent ec8be9aceb
commit 7b73e681a2
2 changed files with 26 additions and 0 deletions


@ -1387,6 +1387,7 @@ virVMXParseConfig(virVMXContext *ctx,
char *sched_cpu_shares = NULL;
char *guestOS = NULL;
bool smbios_reflecthost = false;
bool uefi_secureboot = false;
int controller;
int bus;
int port;
@ -1963,6 +1964,27 @@ virVMXParseConfig(virVMXContext *ctx,
}
}
/* vmx:uefi.secureBoot.enabled */
if (virVMXGetConfigBoolean(conf, "uefi.secureBoot.enabled",
&uefi_secureboot, false, true) < 0) {
goto cleanup;
}
if (uefi_secureboot &&
def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_EFI) {
int *features = def->os.firmwareFeatures;
if (!features) {
features = g_new0(int, VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_LAST);
def->os.firmwareFeatures = features;
}
/* Just set both to true, as VMware doesn't have any concept
* of the two features separately.
*/
features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] =
features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] =
VIR_TRISTATE_BOOL_YES;
}
if (virDomainDefPostParse(def, VIR_DOMAIN_DEF_PARSE_ABI_UPDATE,
xmlopt, NULL) < 0)
goto cleanup;
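Review bot: The `uefi_secureboot && def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_EFI` test silently discards the flag when the VMX requests secure boot but the guest was not parsed as EFI, and because `uefi_secureboot` is a plain bool with a `false` default, an explicit `uefi.secureBoot.enabled = "FALSE"` ends up indistinguishable from an absent key, so neither outcome is visible to whoever consumes the resulting XML. A dropped secure-boot setting is a security downgrade rather than a cosmetic loss, so an `else if (uefi_secureboot)` branch that logs it through the driver's usual logging macro, e.g. `VIR_WARN("uefi.secureBoot.enabled is TRUE but firmware is not EFI, ignoring")` (assuming VIR_WARN is in scope in this file), would make the discrepancy traceable. Whether an explicit FALSE should be carried over as `<feature enabled='no' name='secure-boot'/>` depends on how firmware auto-selection treats absent versus `no`, which is not visible here, but the comment at the top of the block could state that only the TRUE case is mapped. The enclosing virVMXParseConfig function starts and ends outside the hunk.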


@ -9,6 +9,10 @@
</cputune>
<os firmware='efi'>
<type arch='x86_64'>hvm</type>
<firmware>
<feature enabled='yes' name='enrolled-keys'/>
<feature enabled='yes' name='secure-boot'/>
</firmware>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>