Add support for EFI SecureBoot.

When SecureBoot is enabled: - Pass the option to libvirt - Use the SecureBoot-enabled OVMF roms (/usr/share/OVMF/OVMF_*.secboot.fd) Signed-off-by: Jed Lejosne <[email protected]>
alicefr · May 13, 2020 · 9b5616c · 9b5616c
1 parent 1b1045f
commit 9b5616c
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 12 deletions.
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
@@ -4818,7 +4818,13 @@
    },
    "v1.EFI": {
     "description": "If set, EFI will be used instead of BIOS.",
-    "type": "object"
+    "type": "object",
+    "properties": {
+     "secureBoot": {
+      "description": "If set, SecureBoot will be enabled and the OVMF roms will be swapped for SecureBoot-enabled ones. Requires SMM to be enabled. Defaults to false",
+      "type": "boolean"
+     }
+    }
    },
    "v1.EmptyDiskSource": {
     "description": "EmptyDisk represents a temporary disk which shares the vmis lifecycle.",

diff --git a/pkg/virt-launcher/virtwrap/api/converter.go b/pkg/virt-launcher/virtwrap/api/converter.go
@@ -54,6 +54,8 @@ const (
 	defaultIOThread        = uint(1)
 	EFIPath                = "/usr/share/OVMF/OVMF_CODE.fd"
 	EFIVarsPath            = "/usr/share/OVMF/OVMF_VARS.fd"
+	EFIPathSecureBoot      = "/usr/share/OVMF/OVMF_CODE.secboot.fd"
+	EFIVarsPathSecureBoot  = "/usr/share/OVMF/OVMF_VARS.secboot.fd"
 )
 
 // +k8s:deepcopy-gen=false
@@ -702,17 +704,30 @@ func Convert_v1_VirtualMachine_To_api_Domain(vmi *v1.VirtualMachineInstance, dom
 		}
 
 		if vmi.Spec.Domain.Firmware.Bootloader != nil && vmi.Spec.Domain.Firmware.Bootloader.EFI != nil {
+			if vmi.Spec.Domain.Firmware.Bootloader.EFI.SecureBoot != nil && *vmi.Spec.Domain.Firmware.Bootloader.EFI.SecureBoot {
+				domain.Spec.OS.BootLoader = &Loader{
+					Path:     EFIPathSecureBoot,
+					ReadOnly: "yes",
+					Secure:   "yes",
+					Type:     "pflash",
+				}
 
-			domain.Spec.OS.BootLoader = &Loader{
-				Path:     EFIPath,
-				ReadOnly: "yes",
-				Secure:   "no",
-				Type:     "pflash",
-			}
+				domain.Spec.OS.NVRam = &NVRam{
+					NVRam:    filepath.Join("/tmp", domain.Spec.Name),
+					Template: EFIVarsPathSecureBoot,
+				}
+			} else {
+				domain.Spec.OS.BootLoader = &Loader{
+					Path:     EFIPath,
+					ReadOnly: "yes",
+					Secure:   "no",
+					Type:     "pflash",
+				}
 
-			domain.Spec.OS.NVRam = &NVRam{
-				NVRam:    filepath.Join("/tmp", domain.Spec.Name),
-				Template: EFIVarsPath,
+				domain.Spec.OS.NVRam = &NVRam{
+					NVRam:    filepath.Join("/tmp", domain.Spec.Name),
+					Template: EFIVarsPath,
+				}
 			}
 		}
 

diff --git a/staging/src/kubevirt.io/client-go/api/v1/deepcopy_generated.go b/staging/src/kubevirt.io/client-go/api/v1/deepcopy_generated.go
diff --git a/staging/src/kubevirt.io/client-go/api/v1/openapi_generated.go b/staging/src/kubevirt.io/client-go/api/v1/openapi_generated.go
diff --git a/staging/src/kubevirt.io/client-go/api/v1/schema.go b/staging/src/kubevirt.io/client-go/api/v1/schema.go
@@ -219,6 +219,12 @@ type BIOS struct {
 //
 // +k8s:openapi-gen=true
 type EFI struct {
+	// If set, SecureBoot will be enabled and the OVMF roms will be swapped for
+	// SecureBoot-enabled ones.
+	// Requires SMM to be enabled.
+	// Defaults to false
+	// +optional
+	SecureBoot *bool `json:"secureBoot,omitempty"`
 }
 
 //

diff --git a/staging/src/kubevirt.io/client-go/api/v1/schema_swagger_generated.go b/staging/src/kubevirt.io/client-go/api/v1/schema_swagger_generated.go