File 062-cli-add--boot-secure-boot-option.patch of Package virt-manager
Subject: cli: add --boot secure-boot option
From: Pavel Hrdina phrdina@redhat.com Fri Feb 6 11:11:10 2026 +0100
Date: Fri Feb 6 17:06:41 2026 +0100:
Git: 23dd48ae94430cb77dfd6fb718578dc91036fa42
The new option can be used to enable/disable secure boot verification
of UEFI firmware.
If virt-xml is used to change secure-boot, print a warning that resetting
NVRAM is required to make the change effective.
Fixes: https://github.com/virt-manager/virt-manager/issues/495
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
diff --git a/man/virt-install.rst b/man/virt-install.rst
index fddf84f2c..8ccac382d 100644
--- a/man/virt-install.rst
+++ b/man/virt-install.rst
@@ -973,6 +973,12 @@ Some examples:
``--boot uefi=off``
Do not use UEFI if the VM would normally default to it.
+``--boot uefi=on,secure-boot=off``
+ Configure the VM to boot from UEFI with secure-boot enabled and enforced.
+ This requires libvirt with firmware auto-selection. Setting ``secure-boot``
+ to off ensures the firmware can boot unsigned binaries.
+ This is a convenience option to control the enrolled-keys firmware feature.
+
``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes``
Configure the VM to boot from UEFI with Secure Boot support enabled.
Only signed operating systems will be able to boot with this configuration.
diff --git a/virtinst/cli.py b/virtinst/cli.py
index c6001644c..05b09d431 100644
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -3237,6 +3237,7 @@ class ParserBoot(VirtCLIParser):
cls.add_arg("domain_type", None, lookup_cb=None, cb=cls.set_domain_type_cb)
cls.add_arg("emulator", None, lookup_cb=None, cb=cls.set_emulator_cb)
cls.add_arg("uefi", None, lookup_cb=None, cb=cls.set_uefi_cb)
+ cls.add_arg("secure-boot", "secure_boot", is_onoff=True)
# Common/Shared boot options
cls.add_arg("loader", "loader")
diff --git a/virtinst/domain/os.py b/virtinst/domain/os.py
index 95285fdd3..a797f141b 100644
--- a/virtinst/domain/os.py
+++ b/virtinst/domain/os.py
@@ -5,6 +5,7 @@
# See the COPYING file in the top-level directory.
from ..xmlbuilder import XMLBuilder, XMLProperty, XMLChildProperty
+from ..logger import log
class _InitArg(XMLBuilder):
@@ -195,6 +196,54 @@ class DomainOs(XMLBuilder):
obj = self.initargs.add_new()
obj.val = val
+ @property
+ def secure_boot(self):
+ for feature in self.firmware_features:
+ if feature.name == "enrolled-keys":
+ return feature.enabled
+ return None
+
+ @secure_boot.setter
+ def secure_boot(self, val):
+ """
+ Enable or disable secure boot by setting enrolled-keys firmware feature.
+ Currently there are two features controlling how secure boot works:
+
+ - secure-boot=enabled + enrolled-keys=enabled
+ This enables secure boot and verifies signature on boot.
+
+ - secure-boot=enabled + enrolled-keys=disabled
+ This enables secure boot but there are no keys to verify signature
+ so it will boot also unsigned binaries.
+
+ - secure-boot=disabled + enrolled-keys=disabled
+ This disables secure boot feature completely.
+
+ Effectively we only need to use firmware with nvram that doesn't have
+ any keys to boot unsigned binaries.
+ """
+ if val is None or self.secure_boot == val:
+ return
+
+ if self.nvram:
+ log.warning(
+ _(
+ "Changing secure-boot requires resetting NVRAM."
+ " This can be done using `virsh start VM --reset-nvram`."
+ )
+ )
+
+ for feature in self.firmware_features:
+ if feature.name in ["secure-boot", "enrolled-keys"]:
+ self.remove_child(feature)
+
+ self._xmlstate.xmlapi.node_force_remove("./os/loader")
+ self._xmlstate.xmlapi.node_force_remove("./os/nvram")
+
+ enrolled_keys = self.firmware_features.add_new()
+ enrolled_keys.name = "enrolled-keys"
+ enrolled_keys.enabled = val
+
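Review bot: The removal loop at `for feature in self.firmware_features:` removes entries from the list it is iterating, so the element following each removal is skipped; with the documented pairing secure-boot followed by enrolled-keys, the old enrolled-keys feature survives and a second one is appended by `self.firmware_features.add_new()`, leaving two conflicting enrolled-keys features in the XML. If `firmware_features` hands back the live child list (which is what `remove_child` appears to mutate), iterate a copy: `for feature in list(self.firmware_features):`. Separately, the setter force-removes `./os/loader` and `./os/nvram` without checking that firmware auto-selection is in use, so on a guest that carries an explicit loader path but no `firmware='efi'` it may drop the loader and leave the guest booting without UEFI at all rather than with the requested secure-boot state; a guard such as `if self.firmware != "efi": raise ValueError(...)` (if DomainOs exposes that attribute) or at least a sentence in the docstring stating that precondition would make it explicit. The enclosing DomainOs class starts before the hunk.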
##################
# Default config #
##################