src/hyperv/hyperv_driver.c | 33 ++++++++++++++++++++++++++++++++- src/hyperv/hyperv_driver.h | 3 +++ 2 files changed, 35 insertions(+), 1 deletion(-)
When getting the xml description of a guest, check if secure boot is
enabled and set firmware features accordingly.
Also support firmware autoselection and honor the secure boot setting
when defining new vms from xml.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
---
src/hyperv/hyperv_driver.c | 33 ++++++++++++++++++++++++++++++++-
src/hyperv/hyperv_driver.h | 3 +++
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/src/hyperv/hyperv_driver.c b/src/hyperv/hyperv_driver.c
index eb28093028..ae9502404c 100644
--- a/src/hyperv/hyperv_driver.c
+++ b/src/hyperv/hyperv_driver.c
@@ -2743,6 +2743,22 @@ hypervDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
def->os.type = VIR_DOMAIN_OSTYPE_HVM;
+ /* Generation 2 VMs use UEFI firmware */
+ if (STREQ_NULLABLE(virtualSystemSettingData->data->VirtualSystemSubType, HYPERV_VM_GEN2)) {
+ def->os.firmware = VIR_DOMAIN_OS_DEF_FIRMWARE_EFI;
+
+ if (virtualSystemSettingData->data->SecureBootEnabled) {
+ int *features = g_new0(int, VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_LAST);
+
+ /* Hyper-V doesn't distinguish between secure-boot and enrolled-keys,
+ * so set both when SecureBootEnabled is true */
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] = VIR_TRISTATE_BOOL_YES;
+ features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] = VIR_TRISTATE_BOOL_YES;
+
+ def->os.firmwareFeatures = features;
+ }
+ }
+
/* Allocate space for all potential devices */
/* 256 scsi drives + 4 ide drives */
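Review bot: A generation 2 guest with secure boot turned off is reported exactly like one whose state was never read, because `def->os.firmwareFeatures` is only allocated inside `if (virtualSystemSettingData->data->SecureBootEnabled)` and otherwise stays NULL. Anyone auditing the dumped XML cannot confirm that secure boot is actually off, and feeding that XML back to the define path sends no SecureBootEnabled value at all. I would allocate the array for every Gen2 guest and fill both entries from the setting, e.g. `features[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] = virTristateBoolFromBool(virtualSystemSettingData->data->SecureBootEnabled);` and the same for `ENROLLED_KEYS`, assuming the WMI field is a plain boolean. The rest of hypervDomainGetXMLDesc lies outside this hunk, so I have not checked that `features` is released on its error paths.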
@@ -2948,6 +2964,20 @@ hypervDomainDefineXML(virConnectPtr conn, const char *xml)
if (hypervSetEmbeddedProperty(defineSystemParam, "ElementName", def->name) < 0)
goto error;
+ /* Set firmware settings */
+ if (def->os.firmware == VIR_DOMAIN_OS_DEF_FIRMWARE_EFI) {
+ /* Generation 2 VM (UEFI) */
+ if (hypervSetEmbeddedProperty(defineSystemParam, "VirtualSystemSubType", HYPERV_VM_GEN2) < 0)
+ goto error;
+
+ if (def->os.firmwareFeatures &&
+ (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_YES ||
+ def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES)) {
+ if (hypervSetEmbeddedProperty(defineSystemParam, "SecureBootEnabled", "true") < 0)
+ goto error;
+ }
+ }
+
if (hypervAddEmbeddedParam(params, "SystemSettings",
&defineSystemParam, Msvm_VirtualSystemSettingData_WmiInfo) < 0)
goto error;
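Review bot: An explicit `<feature enabled='no' name='secure-boot'/>` is silently ignored here, because the block only calls hypervSetEmbeddedProperty when one of the two features is `VIR_TRISTATE_BOOL_YES`, so the guest ends up with whatever the host defaults to for a generation 2 VM (which I believe is secure boot on, please confirm). The XML and the created guest can then disagree about a security setting without any error. I would add an `else if` for `def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_NO` that sends `hypervSetEmbeddedProperty(defineSystemParam, "SecureBootEnabled", "false")`, and a short comment stating that ABSENT deliberately leaves the host default in place. The surrounding hypervDomainDefineXML body is outside this hunk.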
@@ -3889,7 +3919,8 @@ static virHypervisorDriver hypervHypervisorDriver = {
virDomainDefParserConfig hypervDomainDefParserConfig = {
- .features = VIR_DOMAIN_DEF_FEATURE_MEMORY_HOTPLUG,
+ .features = VIR_DOMAIN_DEF_FEATURE_MEMORY_HOTPLUG |
+ VIR_DOMAIN_DEF_FEATURE_FW_AUTOSELECT,
};
diff --git a/src/hyperv/hyperv_driver.h b/src/hyperv/hyperv_driver.h
index 3764844494..aa2a820830 100644
--- a/src/hyperv/hyperv_driver.h
+++ b/src/hyperv/hyperv_driver.h
@@ -27,4 +27,7 @@
#define HYPERV_MAX_IDE_CHANNELS 2
#define HYPERV_MAX_DRIVES_PER_IDE_CHANNEL 2
+#define HYPERV_VM_GEN1 "Microsoft:Hyper-V:SubType:1"
+#define HYPERV_VM_GEN2 "Microsoft:Hyper-V:SubType:2"
+
int hypervRegister(void);
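Review bot: `HYPERV_VM_GEN1` is added but nothing in this patch references it: the define path sends `VirtualSystemSubType` only for EFI, so with `VIR_DOMAIN_DEF_FEATURE_FW_AUTOSELECT` now advertised a `firmware='bios'` request still relies on the host's default generation. Either send `HYPERV_VM_GEN1` explicitly for `VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS`, or drop the macro until it is needed. A one-line comment above the pair, such as `/* Msvm_VirtualSystemSettingData.VirtualSystemSubType values */`, would also tell readers where these strings come from.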
--
2.53.0
On 2/17/26 18:55, Jonathon Jongsma via Devel wrote: > When getting the xml description of a guest, check if secure boot is > enabled and set firmware features accordingly. > > Also support firmware autoselection and honor the secure boot setting > when defining new vms from xml. > > Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> > --- > src/hyperv/hyperv_driver.c | 33 ++++++++++++++++++++++++++++++++- > src/hyperv/hyperv_driver.h | 3 +++ > 2 files changed, 35 insertions(+), 1 deletion(-) Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Michal