On Thu, Jul 31, 2025 at 07:33:21PM +0100, Daniel P. Berrangé via Devel wrote:
> +++ b/src/qemu/qemu_firmware.c
> @@ -1540,6 +1540,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
> bool requiresSMM = false;
> bool supportsSecureBoot = false;
> bool hasEnrolledKeys = false;
> + bool cvm = false;
Maybe isConfidential instead, to follow the existing convention and
be a little more descriptive?
> @@ -1566,7 +1569,8 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
> }
> }
>
> - if ((supportsSecureBoot != requiresSMM) ||
> + if ((!cvm &&
> + (supportsSecureBoot != requiresSMM)) ||
> (hasEnrolledKeys && !supportsSecureBoot)) {
> VIR_WARN("Firmware description '%s' has invalid set of features: "
> "%s = %d, %s = %d, %s = %d",
This could use a short comment explaining why firmware intended for
CVM doesn't need SSM for Secure Boot.
Regardless of whether you want to act on any of the above
suggestions, the change makes sense so
Reviewed-by: Andrea Bolognani <abologna@xxxxxxxxxx>
--
Andrea Bolognani / Red Hat / Virtualization
