Add VMI admitter to reject SEV with SecureBoot

This is currently not supported.

Signed-off-by: Vasiliy Ulyanov <[email protected]>

pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go

@@ -787,19 +787,27 @@ func validateSoundDevices(field *k8sfield.Path, spec *v1.VirtualMachineInstanceS
 
 func validateLaunchSecurity(field *k8sfield.Path, spec *v1.VirtualMachineInstanceSpec, config *virtconfig.ClusterConfig) (causes []metav1.StatusCause) {
 	launchSecurity := spec.Domain.LaunchSecurity
-	firmware := spec.Domain.Firmware
 	if launchSecurity != nil && !config.LaunchSecurityEnabled() {
 		causes = append(causes, metav1.StatusCause{
 			Type:    metav1.CauseTypeFieldValueInvalid,
 			Message: fmt.Sprintf("LaunchSecurity feature gate is not enabled in kubevirt-config"),
 			Field:   field.Child("launchSecurity").String(),
 		})
-	} else if launchSecurity != nil && launchSecurity.SEV != nil && (firmware == nil || firmware.Bootloader == nil || firmware.Bootloader.EFI == nil) {
-		causes = append(causes, metav1.StatusCause{
-			Type:    metav1.CauseTypeFieldValueInvalid,
-			Message: fmt.Sprintf("SEV requires OVMF (UEFI)"),
-			Field:   field.Child("launchSecurity").String(),
-		})
+	} else if launchSecurity != nil && launchSecurity.SEV != nil {
+		firmware := spec.Domain.Firmware
+		if firmware == nil || firmware.Bootloader == nil || firmware.Bootloader.EFI == nil {
+			causes = append(causes, metav1.StatusCause{
+				Type:    metav1.CauseTypeFieldValueInvalid,
+				Message: fmt.Sprintf("SEV requires OVMF (UEFI)"),
+				Field:   field.Child("launchSecurity").String(),
+			})
+		} else if firmware.Bootloader.EFI.SecureBoot == nil || *firmware.Bootloader.EFI.SecureBoot {
+			causes = append(causes, metav1.StatusCause{
+				Type:    metav1.CauseTypeFieldValueInvalid,
+				Message: fmt.Sprintf("SEV does not work along with SecureBoot"),
+				Field:   field.Child("launchSecurity").String(),
+			})
+		}
 	}
 	return causes
 }

pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go

@@ -3529,15 +3529,14 @@ var _ = Describe("Validating VMICreate Admitter", func() {
 		var vmi *v1.VirtualMachineInstance
 
 		BeforeEach(func() {
-			secureBoot := false
 			vmi = api.NewMinimalVMI("testvmi")
 			vmi.Spec.Domain.LaunchSecurity = &v1.LaunchSecurity{
 				SEV: &v1.SEV{},
 			}
 			vmi.Spec.Domain.Firmware = &v1.Firmware{
 				Bootloader: &v1.Bootloader{
 					EFI: &v1.EFI{
-						SecureBoot: &secureBoot,
+						SecureBoot: pointer.BoolPtr(false),
 					},
 				},
 			}
@@ -3570,6 +3569,22 @@ var _ = Describe("Validating VMICreate Admitter", func() {
 			Expect(causes).To(HaveLen(1))
 			Expect(causes[0].Message).To(ContainSubstring("SEV requires OVMF"))
 		})
+
+		It("should reject when SecureBoot is enabled", func() {
+			vmi.Spec.Domain.Features = &v1.Features{
+				SMM: &v1.FeatureState{
+					Enabled: pointer.BoolPtr(true),
+				},
+			}
+			vmi.Spec.Domain.Firmware.Bootloader.EFI.SecureBoot = pointer.BoolPtr(true)
+			causes := ValidateVirtualMachineInstanceSpec(k8sfield.NewPath("fake"), &vmi.Spec, config)
+			Expect(causes).To(HaveLen(1))
+			Expect(causes[0].Message).To(ContainSubstring("SEV does not work along with SecureBoot"))
+			vmi.Spec.Domain.Firmware.Bootloader.EFI.SecureBoot = nil
+			causes = ValidateVirtualMachineInstanceSpec(k8sfield.NewPath("fake"), &vmi.Spec, config)
+			Expect(causes).To(HaveLen(1))
+			Expect(causes[0].Message).To(ContainSubstring("SEV does not work along with SecureBoot"))
+		})
 	})
 })