References: rbz#1387479

Subject: virtinst: if required by UEFI enable SMM feature and set q35 machine type
From: Pavel Hrdina phrdina@redhat.com Mon Feb 6 13:46:06 2017 +0100
Date: Thu Jun 1 09:58:46 2017 +0200:
Git: 4f8e795c6a7158b3da48f65322cabfae1d110cae

If we detect that the UEFI image is build to require SMM feature we
should configure the guest to enable SMM feature and set q35 machine
type.  Without this user wouldn't be able to boot the guest.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1387479

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>

Index: virt-manager-1.4.1/tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml
===================================================================
--- /dev/null
+++ virt-manager-1.4.1/tests/capabilities-xml/kvm-x86_64-domcaps-q35.xml
@@ -0,0 +1,126 @@
+<domainCapabilities>
+  <path>/home/phrdina/work/qemu/x86_64-softmmu/qemu-system-x86_64</path>
+  <domain>kvm</domain>
+  <machine>pc-q35-2.9</machine>
+  <arch>x86_64</arch>
+  <vcpu max='288'/>
+  <os supported='yes'>
+    <loader supported='yes'>
+      <value>/usr/share/ovmf/OVMF_CODE.secboot.fd</value>
+      <enum name='type'>
+        <value>rom</value>
+        <value>pflash</value>
+      </enum>
+      <enum name='readonly'>
+        <value>yes</value>
+        <value>no</value>
+      </enum>
+    </loader>
+  </os>
+  <cpu>
+    <mode name='host-passthrough' supported='yes'/>
+    <mode name='host-model' supported='yes'>
+      <model fallback='forbid'>Skylake-Client</model>
+      <vendor>Intel</vendor>
+      <feature policy='require' name='ss'/>
+      <feature policy='require' name='vmx'/>
+      <feature policy='require' name='hypervisor'/>
+      <feature policy='require' name='tsc_adjust'/>
+      <feature policy='require' name='clflushopt'/>
+      <feature policy='require' name='xsaves'/>
+      <feature policy='require' name='pdpe1gb'/>
+      <feature policy='require' name='invtsc'/>
+    </mode>
+    <mode name='custom' supported='yes'>
+      <model usable='yes'>qemu64</model>
+      <model usable='yes'>qemu32</model>
+      <model usable='no'>phenom</model>
+      <model usable='yes'>pentium3</model>
+      <model usable='yes'>pentium2</model>
+      <model usable='yes'>pentium</model>
+      <model usable='yes'>n270</model>
+      <model usable='yes'>kvm64</model>
+      <model usable='yes'>kvm32</model>
+      <model usable='yes'>coreduo</model>
+      <model usable='yes'>core2duo</model>
+      <model usable='no'>athlon</model>
+      <model usable='yes'>Westmere</model>
+      <model usable='yes'>Skylake-Client</model>
+      <model usable='yes'>SandyBridge</model>
+      <model usable='yes'>Penryn</model>
+      <model usable='no'>Opteron_G5</model>
+      <model usable='no'>Opteron_G4</model>
+      <model usable='no'>Opteron_G3</model>
+      <model usable='yes'>Opteron_G2</model>
+      <model usable='yes'>Opteron_G1</model>
+      <model usable='yes'>Nehalem</model>
+      <model usable='yes'>IvyBridge</model>
+      <model usable='yes'>Haswell</model>
+      <model usable='yes'>Haswell-noTSX</model>
+      <model usable='yes'>Conroe</model>
+      <model usable='yes'>Broadwell</model>
+      <model usable='yes'>Broadwell-noTSX</model>
+      <model usable='yes'>486</model>
+    </mode>
+  </cpu>
+  <devices>
+    <disk supported='yes'>
+      <enum name='diskDevice'>
+        <value>disk</value>
+        <value>cdrom</value>
+        <value>floppy</value>
+        <value>lun</value>
+      </enum>
+      <enum name='bus'>
+        <value>fdc</value>
+        <value>scsi</value>
+        <value>virtio</value>
+        <value>usb</value>
+        <value>sata</value>
+      </enum>
+    </disk>
+    <graphics supported='yes'>
+      <enum name='type'>
+        <value>sdl</value>
+        <value>vnc</value>
+        <value>spice</value>
+      </enum>
+    </graphics>
+    <video supported='yes'>
+      <enum name='modelType'>
+        <value>vga</value>
+        <value>cirrus</value>
+        <value>vmvga</value>
+        <value>qxl</value>
+        <value>virtio</value>
+      </enum>
+    </video>
+    <hostdev supported='yes'>
+      <enum name='mode'>
+        <value>subsystem</value>
+      </enum>
+      <enum name='startupPolicy'>
+        <value>default</value>
+        <value>mandatory</value>
+        <value>requisite</value>
+        <value>optional</value>
+      </enum>
+      <enum name='subsysType'>
+        <value>usb</value>
+        <value>pci</value>
+        <value>scsi</value>
+      </enum>
+      <enum name='capsType'/>
+      <enum name='pciBackend'>
+        <value>default</value>
+        <value>kvm</value>
+        <value>vfio</value>
+      </enum>
+    </hostdev>
+  </devices>
+  <features>
+    <gic supported='no'/>
+  </features>
+</domainCapabilities>
+
+
Index: virt-manager-1.4.1/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
===================================================================
--- /dev/null
+++ virt-manager-1.4.1/tests/cli-test-xml/compare/virt-install-boot-uefi.xml
@@ -0,0 +1,61 @@
+<domain type="kvm">
+  <name>foobar</name>
+  <uuid>00000000-1111-2222-3333-444444444444</uuid>
+  <memory>65536</memory>
+  <currentMemory>65536</currentMemory>
+  <vcpu>1</vcpu>
+  <os>
+    <type arch="x86_64" machine="q35">hvm</type>
+    <loader readonly="yes" type="pflash">/usr/share/ovmf/OVMF_CODE.secboot.fd</loader>
+    <boot dev="hd"/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <smm state="on"/>
+    <vmport state="off"/>
+  </features>
+  <cpu mode="custom" match="exact">
+    <model>Opteron_G4</model>
+  </cpu>
+  <clock offset="utc">
+    <timer name="rtc" tickpolicy="catchup"/>
+    <timer name="pit" tickpolicy="delay"/>
+    <timer name="hpet" present="no"/>
+  </clock>
+  <pm>
+    <suspend-to-mem enabled="no"/>
+    <suspend-to-disk enabled="no"/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-kvm</emulator>
+    <controller type="usb" index="0" model="ich9-ehci1"/>
+    <controller type="usb" index="0" model="ich9-uhci1">
+      <master startport="0"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci2">
+      <master startport="2"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci3">
+      <master startport="4"/>
+    </controller>
+    <interface type="bridge">
+      <source bridge="eth0"/>
+      <mac address="00:11:22:33:44:55"/>
+    </interface>
+    <input type="mouse" bus="ps2"/>
+    <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
+      <image compression="off"/>
+    </graphics>
+    <console type="pty"/>
+    <channel type="spicevmc">
+      <target type="virtio" name="com.redhat.spice.0"/>
+    </channel>
+    <sound model="ich6"/>
+    <video>
+      <model type="qxl"/>
+    </video>
+    <redirdev bus="usb" type="spicevmc"/>
+    <redirdev bus="usb" type="spicevmc"/>
+  </devices>
+</domain>
Index: virt-manager-1.4.1/tests/clitest.py
===================================================================
--- virt-manager-1.4.1.orig/tests/clitest.py
+++ virt-manager-1.4.1/tests/clitest.py
@@ -71,6 +71,7 @@ test_files = {
     'URI-TEST-DEFAULT': utils.uri_test_default,
     'URI-TEST-REMOTE': utils.uri_test_remote,
     'URI-KVM': utils.uri_kvm,
+    'URI-KVM-Q35': utils.uri_kvm_q35,
     'URI-KVM-SESSION': utils.uri_kvm_session,
     'URI-KVM-REMOTE': utils.uri_kvm + ",remote",
     'URI-KVM-NODOMCAPS': utils.uri_kvm_nodomcaps,
@@ -771,6 +772,9 @@ c.add_invalid("--disk none --boot networ
 c.add_invalid("--nodisks --boot network --arch mips --virt-type kvm")  # Invalid domain type for arch
 c.add_invalid("--nodisks --boot network --paravirt --arch mips")  # Invalid arch/virt combo
 
+c = vinst.add_category("kvm-q35", "--connect %(URI-KVM-Q35)s --noautoconsole", compare_check=support.SUPPORT_CONN_VMPORT)
+c.add_compare("--boot uefi --disk none", "boot-uefi")
+
 
 ######################
 # LXC specific tests #
Index: virt-manager-1.4.1/tests/utils.py
===================================================================
--- virt-manager-1.4.1.orig/tests/utils.py
+++ virt-manager-1.4.1/tests/utils.py
@@ -37,10 +37,12 @@ uri_test_remote = uri_test + ",remote"
 
 _uri_qemu = "%s,qemu" % uri_test
 _uri_kvm_domcaps = (_uri_qemu + _domcapsprefix + "kvm-x86_64-domcaps.xml")
+_uri_kvm_domcaps_q35 = (_uri_qemu + _domcapsprefix + "kvm-x86_64-domcaps-q35.xml")
 _uri_kvm_aarch64_domcaps = (_uri_qemu + _domcapsprefix + "kvm-aarch64-domcaps.xml")
 uri_kvm_nodomcaps = (_uri_qemu + _capsprefix + "kvm-x86_64.xml")
 uri_kvm_rhel = (_uri_kvm_domcaps + _capsprefix + "kvm-x86_64-rhel7.xml")
 uri_kvm = (_uri_kvm_domcaps + _capsprefix + "kvm-x86_64.xml")
+uri_kvm_q35 = (_uri_kvm_domcaps_q35 + _capsprefix + "kvm-x86_64.xml")
 uri_kvm_session = uri_kvm + ",session"
 
 uri_kvm_armv7l = (_uri_kvm_domcaps + _capsprefix + "kvm-armv7l.xml")
Index: virt-manager-1.4.1/virtManager/domain.py
===================================================================
--- virt-manager-1.4.1.orig/virtManager/domain.py
+++ virt-manager-1.4.1/virtManager/domain.py
@@ -698,6 +698,7 @@ class vmmDomain(vmmLibvirtObject):
                 guest.os.loader = loader
                 guest.os.loader_type = "pflash"
                 guest.os.loader_ro = True
+                guest.check_uefi_smm()
 
         if nvram != _SENTINEL:
             guest.os.nvram = nvram
Index: virt-manager-1.4.1/virtinst/guest.py
===================================================================
--- virt-manager-1.4.1.orig/virtinst/guest.py
+++ virt-manager-1.4.1/virtinst/guest.py
@@ -542,6 +542,29 @@ class Guest(XMLBuilder):
         self.os.loader_type = "pflash"
         self.os.loader = path
 
+        self.check_uefi_smm()
+
+
+    def check_uefi_smm(self):
+        """
+        If the firmware name contains "secboot" it is probably build
+        with SMM feature required so we need to enable that feature,
+        otherwise the firmware may fail to load.  True secure boot is
+        currently supported only on x86 architecture and with q35 with
+        SMM feature enabled so change the machine to q35 as well.
+        """
+
+        if not self.os.is_x86():
+            return
+
+        if "secboot" not in self.os.loader:
+            return
+
+        if not self.conn.check_support(self.conn.SUPPORT_DOMAIN_FEATURE_SMM):
+            return
+
+        self.features.smm = True
+        self.os.machine = "q35"
 
     ###################
     # Device defaults #