[PATCH v3 33/38] security: Mark ROMs as read only when using AppArmor

Andrea Bolognani via Devel posted 38 patches 1 week, 5 days ago
There is a newer version of this series
Posted by Andrea Bolognani via Devel 1 week, 5 days ago
Before this, attempting to use a ROM that was not explicitly
marked as read only resulted in an error at startup time.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/security/virt-aa-helper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f4ec6b7826..3ac4740fb5 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1021,7 +1021,15 @@ get_files(vahControl * ctl)
 
     if (ctl->def->os.loader && ctl->def->os.loader->path) {
         bool readonly = false;
+
+        /* Look at the readonly attribute, but also keep in mind that ROMs
+         * are always loaded read-only regardless of whether the attribute
+         * is present. Validation ensures that nonsensical configurations
+         * (type=rom readonly=no) are rejected long before we get here */
         virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
+        if (ctl->def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_ROM)
+            readonly = true;
+
         if (vah_add_file(&buf,
                          ctl->def->os.loader->path,
                          readonly ? "rk" : "rwk") != 0) {
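Review bot: the new comment at the top of this hunk relies on "Validation ensures that nonsensical configurations (type=rom readonly=no) are rejected long before we get here", but nothing in the hunk shows where that rejection lives; consider naming the validation function, or the patch in this series that adds it, so a reader of virt-aa-helper.c can find it. The override itself does not depend on that check: `readonly = true` is forced for VIR_DOMAIN_LOADER_TYPE_ROM after `virTristateBoolToBool()` has already run, so the profile gets "rk" for a ROM whether the attribute is absent or set to no, which is the defensive behaviour you want in a helper that parses the XML on its own. Stating that in the comment, or restructuring as `if (type == ROM) readonly = true; else virTristateBoolToBool(...)`, would avoid reading the attribute only to discard it. The commit message would also benefit from quoting the startup error that "rwk" on a ROM produced, since the hunk alone does not explain why the wider permission was rejected.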
-- 
2.53.0
Re: [PATCH v3 33/38] security: Mark ROMs as read only when using AppArmor
Posted by Daniel P. Berrangé via Devel 1 week ago
On Wed, Feb 18, 2026 at 01:05:56PM +0100, Andrea Bolognani via Devel wrote:
> Before this, attempting to use a ROM that was not explicitly
> marked as read only resulted in an error at startup time.
> 
> Signed-off-by: Andrea Bolognani <abologna@redhat.com>
> ---
>  src/security/virt-aa-helper.c | 8 ++++++++
>  1 file changed, 8 insertions(+)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|