@@ -196,41 +196,8 @@ impl DomainBuilder {
196196 ) ?;
197197
198198 if use_uefi && secure_boot {
199- // Secure boot requires explicit firmware paths
200- // NOTE: These paths are currently hardcoded for Fedora/RHEL systems.
201- // Different distributions may use different paths. In the future, this
202- // should be made configurable or detected at runtime.
203- // Define architecture-specific firmware paths
204- let ( code_path, nvram_template) = match arch_config. arch {
205- "x86_64" => (
206- "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd" ,
207- "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" ,
208- ) ,
209- "aarch64" => (
210- "/usr/share/edk2/aarch64/QEMU_EFI.fd" ,
211- "/usr/share/edk2/aarch64/QEMU_VARS.fd" ,
212- ) ,
213- _ => {
214- return Err ( eyre ! (
215- "Secure boot not supported for architecture: {}" ,
216- arch_config. arch
217- ) ) ;
218- }
219- } ;
220-
221- writer. write_text_element_with_attrs (
222- "loader" ,
223- code_path,
224- & [ ( "readonly" , "yes" ) , ( "type" , "pflash" ) , ( "secure" , "yes" ) ] ,
225- ) ?;
226-
227- // Generate per-domain NVRAM path
228- let nvram_path = format ! ( "/var/lib/libvirt/qemu/nvram/{}_VARS.fd" , & name) ;
229- writer. write_text_element_with_attrs (
230- "nvram" ,
231- & nvram_path,
232- & [ ( "template" , nvram_template) ] ,
233- ) ?;
199+ // Modern libvirt handles firmware paths automatically for secure boot
200+ writer. write_empty_element ( "loader" , & [ ( "secure" , "yes" ) ] ) ?;
234201 }
235202
236203 writer. write_empty_element ( "boot" , & [ ( "dev" , "hd" ) ] ) ?;
@@ -513,35 +480,14 @@ mod tests {
513480 . with_name ( "test-secure-boot" )
514481 . with_firmware ( "uefi-secure" ) ;
515482
516- let arch = std:: env:: consts:: ARCH ;
517- match arch {
518- "x86_64" | "aarch64" => {
519- let xml = builder. build_xml ( ) . unwrap ( ) ;
520- // Should include explicit loader and nvram configuration
521- assert ! ( xml. contains( "loader" ) ) ;
522- assert ! ( xml. contains( "nvram" ) ) ;
523- assert ! ( xml. contains( "secure=\" yes\" " ) ) ;
524- assert ! ( xml. contains( "template=" ) ) ;
525-
526- // Should include secure boot firmware paths based on architecture
527- if arch == "x86_64" {
528- assert ! ( xml. contains( "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd" ) ) ;
529- assert ! ( xml. contains( "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" ) ) ;
530- } else {
531- assert ! ( xml. contains( "/usr/share/edk2/aarch64/QEMU_EFI.fd" ) ) ;
532- assert ! ( xml. contains( "/usr/share/edk2/aarch64/QEMU_VARS.fd" ) ) ;
533- }
534- }
535- _ => {
536- // For unsupported architectures, build should fail.
537- let result = builder. build_xml ( ) ;
538- assert ! ( result. is_err( ) ) ;
539- assert ! ( result
540- . unwrap_err( )
541- . to_string( )
542- . contains( "Secure boot not supported" ) ) ;
543- }
544- }
483+ let xml = builder. build_xml ( ) . unwrap ( ) ;
484+
485+ // Should include secure boot loader configuration
486+ assert ! ( xml. contains( "loader" ) ) ;
487+ assert ! ( xml. contains( "secure=\" yes\" " ) ) ;
488+
489+ // Should use firmware="efi" for UEFI
490+ assert ! ( xml. contains( "firmware=\" efi\" " ) ) ;
545491
546492 // Test regular UEFI without secure boot
547493 let xml_regular = DomainBuilder :: new ( )
@@ -553,7 +499,6 @@ mod tests {
553499 // Should use libvirt auto firmware selection
554500 assert ! ( xml_regular. contains( "firmware=\" efi\" " ) ) ;
555501 assert ! ( !xml_regular. contains( "secure=\" yes\" " ) ) ;
556- assert ! ( !xml_regular. contains( "template=" ) ) ;
557502
558503 // Test BIOS firmware (no secure boot)
559504 let xml_bios = DomainBuilder :: new ( )
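Review bot: In the first hunk, the new `writer.write_empty_element("loader", &[("secure", "yes")])` only tells libvirt that the loader is Secure Boot capable. As far as libvirt's firmware auto-selection is documented, that attribute does not require an NVRAM template with enrolled keys, and firmware without enrolled keys will still boot unsigned binaries. If `uefi-secure` is meant to enforce Secure Boot, the `<os firmware="efi">` element should also carry `<firmware><feature enabled="yes" name="secure-boot"/><feature enabled="yes" name="enrolled-keys"/></firmware>`, and the comment should name the minimum libvirt version rather than "Modern libvirt". The explicit `Err` for unsupported architectures is removed, so such a configuration presumably now fails only when libvirt defines the domain; the rewritten test, which checks only the substrings `loader`, `secure="yes"` and `firmware="efi"`, would not catch either gap. The builder function and the test function both start and end outside the visible hunks.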