From e77c809537024af13bc0c7225c1e4863067fc8db Mon Sep 17 00:00:00 2001
From: Pavel Hrdina <phrdina@redhat.com>
Date: Thu, 26 Jan 2017 16:11:31 +0100
Subject: virt-install: add support for loader secure attribute

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 24f9d05329a485c21325fc2e93a283b832359d05)

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1387479

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
---
 man/virt-install.pod                               |  5 ++--
 .../compare/virt-install-boot-loader-secure.xml    | 29 ++++++++++++++++++++++
 tests/clitest.py                                   |  8 ++++++
 virtinst/cli.py                                    |  9 +++++++
 virtinst/osxml.py                                  |  1 +
 virtinst/support.py                                |  1 +
 6 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 tests/cli-test-xml/compare/virt-install-boot-loader-secure.xml

diff --git a/man/virt-install.pod b/man/virt-install.pod
index 7ed69031..177bcbcb 100644
--- a/man/virt-install.pod
+++ b/man/virt-install.pod
@@ -519,13 +519,14 @@ correct UEFI parameters, libvirt needs to be advertising known UEFI binaries
 via domcapabilities XML, so this will likely only work if using properly
 configured distro packages.
 
-=item B<--boot loader=/.../OVMF_CODE.fd,loader_ro=yes,loader_type=pflash,nvram_template=/.../OVMF_VARS.fd>
+=item B<--boot loader=/.../OVMF_CODE.fd,loader_ro=yes,loader_type=pflash,nvram_template=/.../OVMF_VARS.fd,loader_secure=no>
 
 Specify that the virtual machine use the custom OVMF binary as boot firmware,
 mapped as a virtual flash chip. In addition, request that libvirt instantiate
 the VM-specific UEFI varstore from the custom "/.../OVMF_VARS.fd" varstore
 template. This is the recommended UEFI setup, and should be used if
---boot uefi doesn't know about your UEFI binaries.
+--boot uefi doesn't know about your UEFI binaries. If your UEFI firmware
+supports Secure boot feature you can enable it via loader_secure.
 
 =back
 
diff --git a/tests/cli-test-xml/compare/virt-install-boot-loader-secure.xml b/tests/cli-test-xml/compare/virt-install-boot-loader-secure.xml
new file mode 100644
index 00000000..67053c19
--- /dev/null
+++ b/tests/cli-test-xml/compare/virt-install-boot-loader-secure.xml
@@ -0,0 +1,29 @@
+<domain type="test">
+  <name>foobar</name>
+  <uuid>00000000-1111-2222-3333-444444444444</uuid>
+  <memory>65536</memory>
+  <currentMemory>65536</currentMemory>
+  <vcpu>1</vcpu>
+  <os>
+    <type arch="i686">hvm</type>
+    <loader secure="yes">/path/to/loader</loader>
+    <boot dev="hd"/>
+  </os>
+  <features>
+    <pae/>
+  </features>
+  <clock offset="utc"/>
+  <pm>
+    <suspend-to-mem enabled="no"/>
+    <suspend-to-disk enabled="no"/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/test-hv</emulator>
+    <controller type="usb" index="0" model="none"/>
+    <interface type="user">
+      <mac address="00:11:22:33:44:55"/>
+    </interface>
+    <input type="mouse" bus="ps2"/>
+    <console type="pty"/>
+  </devices>
+</domain>
diff --git a/tests/clitest.py b/tests/clitest.py
index e5fcc6d8..1c9fe73d 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -561,6 +561,14 @@ c.add_compare("--features smm=on", "features-smm")
 c.add_invalid("--features smm=on --machine pc")
 
 
+########################
+# Boot install options #
+########################
+
+c = vinst.add_category("boot", "--nographics --noautoconsole --import --disk none --controller usb,model=none")
+c.add_compare("--boot loader=/path/to/loader,loader_secure=yes", "boot-loader-secure")
+
+
 ######################################
 # Memory hot(un)plug install options #
 ######################################
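Review bot: The new boot category compares only `loader_secure=yes`, so neither the `no` spelling shown in the updated man page example nor the rejection path in `set_loader_secure_cb` is exercised. A second case such as `c.add_compare("--boot loader=/path/to/loader,loader_secure=no", "boot-loader-insecure")` (compare-file name constructed here) would pin that the attribute is written as `secure="no"` rather than silently dropped. An `add_invalid` case for the unsupported-libvirt error would also be worth adding if the test connection can report the feature as missing, which is not visible from this hunk.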
diff --git a/virtinst/cli.py b/virtinst/cli.py
index 1abf5fc1..fcd14984 100644
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -1585,6 +1585,13 @@ class ParserBoot(VirtCLIParser):
         inst.os.smbios_mode = val
         self.optdict["smbios_mode"] = val
 
+    def set_loader_secure_cb(self, inst, val, virtarg):
+        if not inst.conn.check_support(inst.conn.SUPPORT_DOMAIN_LOADER_SECURE):
+            raise RuntimeError("secure attribute for loader is not supported "
+                               "by libvirt.")
+        inst.os.loader_secure = val
+        return val
+
     def noset_cb(self, inst, val, virtarg):
         pass
 
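Review bot: The support check in `set_loader_secure_cb` runs before `val` is inspected, so `loader_secure=no`, the spelling used in the updated man page example, is rejected on a libvirt that lacks `SUPPORT_DOMAIN_LOADER_SECURE` just as `yes` is. Refusing `yes` is the right fail-closed behaviour, because dropping the attribute silently would leave the user believing the loader was marked secure. If `no` is meant to stay usable on older libvirt, gate on the value with `if val and not inst.conn.check_support(inst.conn.SUPPORT_DOMAIN_LOADER_SECURE):`; this assumes `is_onoff=True` hands the callback an already converted boolean, which is decided outside the hunk. Either way a one-line docstring such as `"""Reject loader_secure when libvirt cannot express it, rather than ignoring it."""` would record the intent. The `return val` also differs from the neighbouring callbacks visible here, which return nothing, and `ParserBoot` itself starts and ends outside the hunk.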
@@ -1621,6 +1628,8 @@ ParserBoot.add_arg("os.dtb", "dtb")
 ParserBoot.add_arg("os.loader", "loader")
 ParserBoot.add_arg("os.loader_ro", "loader_ro", is_onoff=True)
 ParserBoot.add_arg("os.loader_type", "loader_type")
+ParserBoot.add_arg("os.loader_secure", "loader_secure", is_onoff=True,
+                   cb=ParserBoot.set_loader_secure_cb)
 ParserBoot.add_arg("os.nvram", "nvram")
 ParserBoot.add_arg("os.nvram_template", "nvram_template")
 ParserBoot.add_arg("os.kernel_args", "kernel_args",
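Review bot: `loader_secure` is registered as an independent on/off option, and neither this registration nor its callback checks the other settings a secure loader depends on. As far as I know, libvirt's QEMU driver accepts a secure loader only when the guest also has SMM enabled on a q35 machine, and libvirt describes the attribute as declaring the firmware Secure Boot capable rather than switching enforcement on. A user who passes only `loader_secure=yes` may therefore hit a define-time error or assume more protection than is actually configured. Consider warning or rejecting when `loader_secure=yes` is given without `--features smm=on` (the option exercised in tests/clitest.py). At minimum, extend the man page sentence added by this commit with something like `Secure boot additionally requires --features smm=on and a q35 machine type.`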
diff --git a/virtinst/osxml.py b/virtinst/osxml.py
index 54e118b4..368ef57a 100644
--- a/virtinst/osxml.py
+++ b/virtinst/osxml.py
@@ -116,6 +116,7 @@ class OSXML(XMLBuilder):
     loader = XMLProperty("./loader")
     loader_ro = XMLProperty("./loader/@readonly", is_yesno=True)
     loader_type = XMLProperty("./loader/@type")
+    loader_secure = XMLProperty("./loader/@secure", is_yesno=True)
     smbios_mode = XMLProperty("./smbios/@mode")
     nvram = XMLProperty("./nvram")
     nvram_template = XMLProperty("./nvram/@template")
diff --git a/virtinst/support.py b/virtinst/support.py
index e71b4403..2104b613 100644
--- a/virtinst/support.py
+++ b/virtinst/support.py
@@ -362,6 +362,7 @@ SUPPORT_DOMAIN_STATE = _make(function="virDomain.state", run_args=())
 SUPPORT_DOMAIN_OPEN_GRAPHICS = _make(function="virDomain.openGraphicsFD",
     version="1.2.8", hv_version={"qemu": 0})
 SUPPORT_DOMAIN_FEATURE_SMM = _make(version="2.1.0")
+SUPPORT_DOMAIN_LOADER_SECURE = _make(version="2.1.0")
 
 
 ###############
-- 
2.13.0