diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml index 62e373590e9..56ba357b219 100644 --- a/ocaml/xapi/xapi_globs.ml +++ b/ocaml/xapi/xapi_globs.ml @@ -998,6 +998,8 @@ let prefer_nbd_attach = ref false (** 1 MiB *) let max_observer_file_size = ref (1 lsl 20) +let secureboot_enforce = ref false + let xapi_globs_spec = [ ( "master_connection_reset_timeout" @@ -1470,6 +1472,11 @@ let other_options = , (fun () -> string_of_int !max_observer_file_size) , "The maximum size of log files for saving spans" ) + ; ( "secureboot-enforce" + , Arg.Set secureboot_enforce + , (fun () -> string_of_bool !secureboot_enforce) + , "Do not start a VM with no SB certificates if secureboot is set to on" + ) ] (* The options can be set with the variable xapiflags in /etc/sysconfig/xapi. diff --git a/ocaml/xapi/xapi_vm.ml b/ocaml/xapi/xapi_vm.ml index c1c34037694..3de41a48828 100644 --- a/ocaml/xapi/xapi_vm.ml +++ b/ocaml/xapi/xapi_vm.ml @@ -605,6 +605,10 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version else other_config in + let _platform = if !Xapi_globs.secureboot_enforce + then ("secureboot-enforce", "true") :: platform + else platform + in (* NB apart from the above, parameter validation is delayed until VM.start *) let uuid = Uuidx.make () in let vm_ref = Ref.make () in @@ -664,7 +668,7 @@ let create ~__context ~name_label ~name_description ~power_state ~user_version ~memory_static_min ~vCPUs_params ~vCPUs_at_startup ~vCPUs_max ~actions_after_softreboot ~actions_after_shutdown ~actions_after_reboot ~actions_after_crash ~hVM_boot_policy ~hVM_boot_params - ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform ~nVRAM ~pV_kernel + ~hVM_shadow_multiplier ~suspend_VDI:_suspend_VDI ~platform:_platform ~nVRAM ~pV_kernel ~pV_ramdisk ~pV_args ~pV_bootloader ~pV_bootloader_args ~pV_legacy_args ~pCI_bus ~other_config ~domid:(-1L) ~domarch:"" ~last_boot_CPU_flags:_last_boot_CPU_flags ~is_control_domain:false ~metrics