From 5d9dd9b3f277f7c1386d7670daebc8fd38171f1b Mon Sep 17 00:00:00 2001
From: Pavel Hrdina <phrdina@redhat.com>
Date: Wed, 7 Jun 2017 20:47:59 +0200
Subject: virtinst: enable secure feature together with smm for UEFI
The secure feature actually enforces secure boot if Secure Boot
Mode is configured.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1387479
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit b690908aa47ea4040a0b232328a7b79ff99ceabc)
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
---
tests/cli-test-xml/compare/virt-install-boot-uefi.xml | 2 +-
virtManager/domain.py | 2 +-
virtinst/guest.py | 10 +++++++---
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/tests/cli-test-xml/compare/virt-install-boot-uefi.xml b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
index e0f2089f..06f83056 100644
--- a/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
+++ b/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
@@ -6,7 +6,7 @@
<vcpu>1</vcpu>
<os>
<type arch="x86_64" machine="q35">hvm</type>
- <loader readonly="yes" type="pflash">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
+ <loader readonly="yes" type="pflash" secure="yes">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
<boot dev="hd"/>
</os>
<features>
diff --git a/virtManager/domain.py b/virtManager/domain.py
index 483848a6..ee898e4b 100644
--- a/virtManager/domain.py
+++ b/virtManager/domain.py
@@ -698,7 +698,7 @@ class vmmDomain(vmmLibvirtObject):
guest.os.loader = loader
guest.os.loader_type = "pflash"
guest.os.loader_ro = True
- guest.check_uefi_smm()
+ guest.check_uefi_secure()
if nvram != _SENTINEL:
guest.os.nvram = nvram
diff --git a/virtinst/guest.py b/virtinst/guest.py
index 3f4d8b34..b4336470 100644
--- a/virtinst/guest.py
+++ b/virtinst/guest.py
@@ -561,16 +561,18 @@ class Guest(XMLBuilder):
self.os.loader_type = "pflash"
self.os.loader = path
- self.check_uefi_smm()
+ self.check_uefi_secure()
- def check_uefi_smm(self):
+ def check_uefi_secure(self):
"""
If the firmware name contains "secboot" it is probably build
with SMM feature required so we need to enable that feature,
otherwise the firmware may fail to load. True secure boot is
currently supported only on x86 architecture and with q35 with
SMM feature enabled so change the machine to q35 as well.
+ To actually enforce the secure boot for the guest if Secure Boot
+ Mode is configured we need to enable loader secure feature.
"""
if not self.os.is_x86():
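Review bot: The rename of `check_uefi_smm` to `check_uefi_secure` drops the old name without a compatibility alias, so any caller outside this tree (virtManager/domain.py is updated in this patch, but virtinst is also consumed as a library) that still invokes `guest.check_uefi_smm()` will fail with AttributeError. A one-line alias placed after the method, `check_uefi_smm = check_uefi_secure  # backward-compat alias, remove after a release cycle`, keeps existing callers working. While the docstring is being touched, "it is probably build with SMM feature required" reads better as "it is probably built with the SMM feature required". The body of `check_uefi_secure` continues past the end of this hunk.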
@@ -579,10 +581,12 @@ class Guest(XMLBuilder):
if "secboot" not in self.os.loader:
return
- if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM):
+ if (not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM) or
+ not self.conn.check_support(self.conn.SUPPORT_DOMAIN_LOADER_SECURE)):
return
self.features.smm = True
+ self.os.loader_secure = True
self.os.machine = "q35"
###################
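Review bot: Folding the new `SUPPORT_DOMAIN_LOADER_SECURE` check into the existing early return changes behaviour for connections that support SMM but not the loader `secure` attribute: before this patch such a guest got `features.smm = True` and `machine = "q35"`, now it gets neither, and the docstring still says the secboot firmware "may fail to load" without SMM. Unless the intent is that SMM without enforced secure boot is undesirable (if so, a comment stating that would help), the SMM and q35 setup should keep its own check and `loader_secure` should be set only when the loader attribute is supported. The enclosing method `check_uefi_secure` starts outside this hunk.
```python
        if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM):
            return

        self.features.smm = True
        self.os.machine = "q35"
        # Only request enforcement when libvirt understands <loader secure="yes"/>;
        # older libvirt would otherwise reject the XML or drop the attribute.
        if self.conn.check_support(self.conn.SUPPORT_DOMAIN_LOADER_SECURE):
            self.os.loader_secure = True
```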
--
2.13.0