From a4fb77c1def9a06852ebf9b7856d388bbe1f2af0 Mon Sep 17 00:00:00 2001
From: Leos Stejskal <lstejska@redhat.com>
Date: Tue, 18 Jun 2024 13:06:21 +0200
Subject: [PATCH] EFI & Secure Boot

Co-authored-by: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
---
 .rubocop.yml                                 |  4 ++
 lib/fog/libvirt/models/compute/server.rb     | 18 +++++++-
 tests/libvirt/models/compute/server_tests.rb | 43 ++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index 50cf087..050ba09 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -21,3 +21,7 @@ SignalException:
 
 Metrics/ClassLength:
   Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - tests/**/*.rb
diff --git a/lib/fog/libvirt/models/compute/server.rb b/lib/fog/libvirt/models/compute/server.rb
index 55241f2..8b299c4 100644
--- a/lib/fog/libvirt/models/compute/server.rb
+++ b/lib/fog/libvirt/models/compute/server.rb
@@ -13,6 +13,8 @@ class Server < Fog::Compute::Server
 
         attribute :cpus
         attribute :cputime
+        attribute :os_firmware
+        attribute :os_firmware_features
         attribute :os_type
         attribute :memory_size
         attribute :max_memory_size
@@ -281,14 +283,28 @@ def to_xml
               end
 
               xml.vcpu(cpus)
-              xml.os do
+              os_tags = {}
+
+              # Set firmware only if it's EFI, BIOS don't need to be set
+              os_tags[:firmware] = "efi" if os_firmware == "efi"
+
+              xml.os(**os_tags) do
                 type = xml.type(os_type, :arch => arch)
                 type[:machine] = "q35" if ["i686", "x86_64"].include?(arch)
 
                 boot_order.each do |dev|
                   xml.boot(:dev => dev)
                 end
+
+                if os_firmware == "efi"
+                  xml.firmware do
+                    os_firmware_features.each_pair do |key, value|
+                      xml.feature(:name => key, :enabled => value)
+                    end
+                  end
+                end
               end
+
               xml.features do
                 xml.acpi
                 xml.apic
diff --git a/tests/libvirt/models/compute/server_tests.rb b/tests/libvirt/models/compute/server_tests.rb
index 6983cbb..9128203 100644
--- a/tests/libvirt/models/compute/server_tests.rb
+++ b/tests/libvirt/models/compute/server_tests.rb
@@ -30,6 +30,8 @@
       attributes = [ :id,
         :cpus,
         :cputime,
+        :os_firmware,
+        :os_firmware_features,
         :os_type,
         :memory_size,
         :max_memory_size,
@@ -60,6 +62,7 @@
     end
     test('be a kind of Fog::Libvirt::Compute::Server') { server.kind_of? Fog::Libvirt::Compute::Server }
     tests("serializes to xml") do
+      test("without firmware") { server.to_xml.include?("<os>") }
       test("with memory") { server.to_xml.match?(%r{<memory>\d+</memory>}) }
       test("with disk of type file") do
         xml = server.to_xml
@@ -79,5 +82,45 @@
       end
       test("with q35 machine type on x86_64") { server.to_xml.match?(%r{<type arch="x86_64" machine="q35">hvm</type>}) }
     end
+    test("with efi firmware") do
+      server = Fog::Libvirt::Compute::Server.new(
+        {
+          :os_firmware => "efi",
+          :os_firmware_features => {
+            "secure-boot" => "no",
+            "enrolled-keys" => "no"
+          },
+          :nics => [],
+          :volumes => []
+        }
+      )
+      xml = server.to_xml
+
+      os_firmware = xml.include?('<os firmware="efi">')
+      secure_boot = !xml.include?('<feature name="secure-boot" enabled="no" />')
+      enrolled_keys = !xml.include?('<feature name="enrolled-keys" enabled="no" />')
+
+      os_firmware && secure_boot && enrolled_keys
+    end
+    test("with secure boot") do
+      server = Fog::Libvirt::Compute::Server.new(
+        {
+          :os_firmware => "efi",
+          :os_firmware_features => {
+            "secure-boot" => "yes",
+            "enrolled-keys" => "yes"
+          },
+          :nics => [],
+          :volumes => []
+        }
+      )
+      xml = server.to_xml
+
+      os_firmware = xml.include?('<os firmware="efi">')
+      secure_boot = xml.include?('<feature name="secure-boot" enabled="yes"/>')
+      enrolled_keys = xml.include?('<feature name="enrolled-keys" enabled="yes"/>')
+
+      os_firmware && secure_boot && enrolled_keys
+    end
   end
 end