From 511518e49323f5588d78cac6371031bf417b3816 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <kajinamit@oss.nttdata.com>
Date: Mon, 1 Dec 2025 22:20:58 +0900
Subject: [PATCH] libvirt: Add basic xml generation for firmware auto selection

Extend the existing (but unused) guest xml generation logic for
firmware detection, by adding the firmware features flags to require
secure boot support.

Partially-Implements: blueprint libvirt-firmware-auto-selection
Change-Id: I907c9c88f370a52b54b98e1e1cbda6c21d2bff62
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
---
 nova/tests/unit/virt/libvirt/test_config.py | 10 ++++++++++
 nova/virt/libvirt/config.py                 |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/nova/tests/unit/virt/libvirt/test_config.py b/nova/tests/unit/virt/libvirt/test_config.py
index bd5f55ebfe..e9f2dc6fd8 100644
--- a/nova/tests/unit/virt/libvirt/test_config.py
+++ b/nova/tests/unit/virt/libvirt/test_config.py
@@ -2896,6 +2896,7 @@ class LibvirtConfigGuestTest(LibvirtConfigBaseTest):
         obj.os_mach_type = "pc-q35-5.1"
         obj.os_loader_secure = secure
         obj.os_loader_stateless = stateless
+
         return obj.to_xml()
 
     def test_config_uefi_autoconfigure(self):
@@ -2910,6 +2911,9 @@ class LibvirtConfigGuestTest(LibvirtConfigBaseTest):
               <memory>104857600</memory>
               <vcpu>1</vcpu>
               <os firmware="efi">
+                <firmware>
+                  <feature enabled='no' name='secure-boot'/>
+                </firmware>
                 <type machine="pc-q35-5.1">hvm</type>
                 <loader secure="no"/>
               </os>
@@ -2928,6 +2932,9 @@ class LibvirtConfigGuestTest(LibvirtConfigBaseTest):
               <memory>104857600</memory>
               <vcpu>1</vcpu>
               <os firmware="efi">
+                <firmware>
+                  <feature enabled='yes' name='secure-boot'/>
+                </firmware>
                 <type machine="pc-q35-5.1">hvm</type>
                 <loader secure="yes"/>
               </os>
@@ -2946,6 +2953,9 @@ class LibvirtConfigGuestTest(LibvirtConfigBaseTest):
               <memory>104857600</memory>
               <vcpu>1</vcpu>
               <os firmware="efi">
+                <firmware>
+                  <feature enabled='no' name='secure-boot'/>
+                </firmware>
                 <type machine="pc-q35-5.1">hvm</type>
                 <loader stateless="yes" secure="no"/>
               </os>
diff --git a/nova/virt/libvirt/config.py b/nova/virt/libvirt/config.py
index 849a1c7f6b..476cace031 100644
--- a/nova/virt/libvirt/config.py
+++ b/nova/virt/libvirt/config.py
@@ -3178,6 +3178,14 @@ class LibvirtConfigGuest(LibvirtConfigObject):
 
         if self.os_firmware is not None:
             os.set("firmware", self.os_firmware)
+            if self.os_loader_secure is not None:
+                firmware = etree.Element("firmware")
+                sb_feature = etree.Element("feature")
+                sb_feature.set("name", "secure-boot")
+                sb_feature.set(
+                    "enabled", self.get_yes_no_str(self.os_loader_secure))
+                firmware.append(sb_feature)
+                os.append(firmware)
 
         type_node = self._text_node("type", self.os_type)
         if self.os_arch is not None: