Add test and validation for EFI SecureBoot

Signed-off-by: Jed Lejosne <[email protected]>
alicefr · May 13, 2020 · d77e932 · d77e932
1 parent 9b5616c
commit d77e932
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go
@@ -1139,8 +1139,20 @@ func validateFirmware(field *k8sfield.Path, firmware *v1.Firmware) []metav1.Stat
 
 func validateDomainSpec(field *k8sfield.Path, spec *v1.DomainSpec) []metav1.StatusCause {
 	var causes []metav1.StatusCause
+
 	causes = append(causes, validateDevices(field.Child("devices"), &spec.Devices)...)
 	causes = append(causes, validateFirmware(field.Child("firmware"), spec.Firmware)...)
+
+	if spec.Firmware != nil && spec.Firmware.Bootloader != nil && spec.Firmware.Bootloader.EFI != nil &&
+		spec.Firmware.Bootloader.EFI.SecureBoot != nil && *spec.Firmware.Bootloader.EFI.SecureBoot &&
+		(spec.Features == nil || spec.Features.SMM == nil || !*spec.Features.SMM.Enabled) {
+		causes = append(causes, metav1.StatusCause{
+			Type:    metav1.CauseTypeFieldValueInvalid,
+			Message: fmt.Sprintf("%s has EFI SecureBoot enabled. SecureBoot requires SMM, which is currently disabled.", field.String()),
+			Field:   field.String(),
+		})
+	}
+
 	return causes
 }
 

diff --git a/pkg/virt-launcher/virtwrap/api/converter_test.go b/pkg/virt-launcher/virtwrap/api/converter_test.go
@@ -2176,10 +2176,28 @@ var _ = Describe("Converter", func() {
 				domainSpec := vmiToDomainXMLToDomainSpec(vmi, c)
 				Expect(domainSpec.OS.BootLoader.ReadOnly).To(Equal("yes"))
 				Expect(domainSpec.OS.BootLoader.Type).To(Equal("pflash"))
+				Expect(domainSpec.OS.BootLoader.Secure).To(Equal("no"))
 				Expect(domainSpec.OS.BootLoader.Path).To(Equal(EFIPath))
 				Expect(domainSpec.OS.NVRam.Template).To(Equal(EFIVarsPath))
 				Expect(domainSpec.OS.NVRam.NVRam).To(Equal("/tmp/mynamespace_testvmi"))
 			})
+
+			It("should configure the EFI bootloader if EFI secure option", func() {
+				vmi.Spec.Domain.Firmware = &v1.Firmware{
+					Bootloader: &v1.Bootloader{
+						EFI: &v1.EFI{
+							SecureBoot: True(),
+						},
+					},
+				}
+				domainSpec := vmiToDomainXMLToDomainSpec(vmi, c)
+				Expect(domainSpec.OS.BootLoader.ReadOnly).To(Equal("yes"))
+				Expect(domainSpec.OS.BootLoader.Type).To(Equal("pflash"))
+				Expect(domainSpec.OS.BootLoader.Secure).To(Equal("yes"))
+				Expect(domainSpec.OS.BootLoader.Path).To(Equal(EFIPathSecureBoot))
+				Expect(domainSpec.OS.NVRam.Template).To(Equal(EFIVarsPathSecureBoot))
+				Expect(domainSpec.OS.NVRam.NVRam).To(Equal("/tmp/mynamespace_testvmi"))
+			})
 		})
 	})