The latter doesn't make sense without the former, so make that visible in the XML.
Signed-off-by: Andrea Bolognani <abolo...@redhat.com>
---
 src/conf/domain_conf.c | 10 ++++++++++
 .../firmware-auto-efi-enrolled-keys.x86_64-latest.xml | 1 +
 2 files changed, 11 insertions(+)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 9b82f391c4..3977b5040f 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -4876,6 +4876,16 @@ virDomainDefPostParseMemory(virDomainDef *def,
 static void
 virDomainDefPostParseOs(virDomainDef *def)
 {
+    if (def->os.firmwareFeatures &&
+        def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) {
+
+        /* For all non-broken firmware builds, enrolled-keys implies
+         * secure-boot, and having the Secure Boot keys in the NVRAM file
+         * when the firmware doesn't support the Secure Boot feature doesn't
+         * make sense anyway. Reflect this fact explicitly in the XML */
+        def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] = VIR_TRISTATE_BOOL_YES;
+    }
+
     if (!def->os.loader)
         return;
 
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml
index aa08caa4f7..8dcc741c1e 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml
@@ -8,6 +8,7 @@
     <type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
     <firmware>
       <feature enabled='yes' name='enrolled-keys'/>
+      <feature enabled='yes' name='secure-boot'/>
     </firmware>
     <boot dev='hd'/>
   </os>
-- 
2.35.3
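Review bot: The new assignment in virDomainDefPostParseOs unconditionally forces `secure-boot` to YES whenever `enrolled-keys` is YES, which also silently overwrites an explicit `<feature enabled='no' name='secure-boot'/>` in the user's XML instead of surfacing the contradiction. Post-parse runs before validation, so if a validation pass elsewhere rejects enrolled-keys=yes with secure-boot=no (I cannot see one from this hunk), this rewrite would mask that check; if there is none, the user's explicit choice is flipped without any diagnostic. Since the function is `static void` and cannot report an error here without changing its signature (its body continues outside the hunk), the safer change is to only fill in the absent case and leave an explicit NO for validation to reject: `if (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_ABSENT)` wrapping the assignment. The comment should then also state the intent, e.g. `/* Only fill in the implied value; an explicit 'no' is left for validation to reject */`.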