@crobinso
Collaborator

XXX: this is a draft. It doesn't handle setting smm. My reading of kubevirt code is it might fill in smm for us, despite what docs say. I'm going to test it tomorrow.

Turn internal s_uefi_secureboot flag into vmi field

  spec:
    firmware:
      bootloader:
        efi:
          secureBoot: true

Example config:
https://github.com/kubevirt/kubevirt/blob/main/examples/vmi-secureboot.yaml

Add test coverage for yaml output

Fixes: https://issues.redhat.com/browse/RHEL-70145

Signed-off-by: Cole Robinson <crobinso@redhat.com>
@crobinso
Collaborator Author

I came around to this via the different issue where RHEL7 and older RHEL8 secureboot don't boot after conversion: https://issues.redhat.com/browse/RHEL-69482

That bug was reported with the following setup:

  • rhel7 VM
  • libvirt 10.10.0 which has the commit for vmware secureboot output (libvirt/libvirt@7b73e681a24fb)
  • virt-v2v 2.7.1 which lacks the commit to disable secureboot if guest doesn't advertise it (3f66551)

However from the logs the VM was not reporting it supported secureboot. So the VM was not configured with secureboot, but virt-v2v was still requesting plain <boot firmware='efi'> from libvirt, which defaults to secureboot. VM is old, secureboot validation fails, VM doesn't boot.

So I think the main issue there was that libvirt output and virt-v2v changes were out of sync. Nowadays with similar config (VM has secureboot disabled) I do not think it would reproduce.

But maybe vmware secureboot is less strict than our stack, and if enabled would accept old OS where we don't? Not clear, probably needs to be tested. If that's true though we need a plan before we commit kubevirt secureBoot support IMO.
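
Added example, not part of the PR or of virt-v2v: a small check over a generated VMI manifest for the two conditions raised in this thread, Secure Boot requested without SMM and Secure Boot taking effect only by default. It assumes the KubeVirt field paths `spec.domain.firmware.bootloader.efi.secureBoot` and `spec.domain.features.smm.enabled`, and the documented defaults that `efi` without `secureBoot` means enabled and that a feature block without `enabled` means true; the finding names and the `sample` helper are hypothetical.

```python
def _get(obj, *path):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def secureboot_findings(vmi):
    """Return finding names (hypothetical labels) for a VMI manifest dict."""
    efi = _get(vmi, "spec", "domain", "firmware", "bootloader", "efi")
    if not isinstance(efi, dict):
        return []  # no EFI bootloader requested, so Secure Boot is not in play
    findings = []
    if "secureBoot" not in efi:
        # Assumption from KubeVirt docs: EFI without secureBoot means enabled.
        # This is the "plain EFI defaults to secureboot" case from the thread.
        findings.append("implicit-secureboot")
    effective = efi.get("secureBoot", True)
    smm = _get(vmi, "spec", "domain", "features", "smm")
    # Assumption: a feature block without "enabled" counts as enabled.
    smm_on = isinstance(smm, dict) and smm.get("enabled", True) is True
    if effective is True and not smm_on:
        findings.append("secureboot-without-smm")
    return findings


def sample(efi, features=None):
    """Build a constructed, minimal VMI manifest for the demonstration."""
    domain = {"firmware": {"bootloader": {"efi": efi}}}
    if features is not None:
        domain["features"] = features
    return {"apiVersion": "kubevirt.io/v1",
            "kind": "VirtualMachineInstance",
            "spec": {"domain": domain}}


if __name__ == "__main__":
    cases = {
        "explicit secureBoot + smm": sample({"secureBoot": True},
                                            {"smm": {"enabled": True}}),
        "explicit secureBoot, no smm": sample({"secureBoot": True}),
        "plain efi": sample({}),
        "secureBoot disabled": sample({"secureBoot": False}),
    }
    for name, manifest in cases.items():
        print(f"{name}: {secureboot_findings(manifest) or 'ok'}")
```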

@rwmjones
Member

It's probably impossible but I wonder if there's any way to tell from the guest itself if SB is enabled.
