libvirt: Switch to UEFI (and tpm2) by default

Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/kit/src/libvirt/create.rs

@@ -81,6 +81,14 @@ pub struct LibvirtCreateOpts {
     #[clap(long)]
     pub disk_size: Option<String>,
 
+    /// Firmware type for the VM (\"uefi\", \"uefi-secure\", or \"bios\", defaults to \"uefi\")
+    #[clap(long, default_value = "uefi")]
+    pub firmware: String,
+
+    /// Disable TPM 2.0 support (enabled by default)
+    #[clap(long)]
+    pub disable_tpm: bool,
+
     /// Memory size for installation VM during auto-upload (e.g. 2G, 1024M)
     #[clap(flatten)]
     pub install_memory: MemoryOpts,
@@ -487,7 +495,9 @@ impl LibvirtCreateOpts {
             .with_memory(memory_mb)
             .with_vcpus(self.vcpus.unwrap_or_else(default_vcpus))
             .with_disk(&domain_volume_path)
-            .with_network(network_config);
+            .with_network(network_config)
+            .with_firmware(&self.firmware)
+            .with_tpm(!self.disable_tpm);
 
         // Add QEMU arguments if we have any
         if !qemu_args.is_empty() {

crates/kit/src/libvirt/domain.rs

@@ -36,6 +36,8 @@ pub struct DomainBuilder {
     metadata: HashMap<String, String>,
     qemu_args: Vec<String>,
     virtiofs_filesystems: Vec<VirtiofsFilesystem>,
+    firmware: Option<String>, // "uefi" (default), "uefi-secure", or "bios"
+    tpm: bool,
 }
 
 impl Default for DomainBuilder {
@@ -59,6 +61,8 @@ impl DomainBuilder {
             metadata: HashMap::new(),
             qemu_args: Vec::new(),
             virtiofs_filesystems: Vec::new(),
+            firmware: None, // Defaults to UEFI
+            tpm: true,      // Default to enabled
         }
     }
 
@@ -122,6 +126,18 @@ impl DomainBuilder {
         self
     }
 
+    /// Set firmware type (\"uefi\", \"uefi-secure\", or \"bios\", defaults to \"uefi\")
+    pub fn with_firmware(mut self, firmware: &str) -> Self {
+        self.firmware = Some(firmware.to_string());
+        self
+    }
+
+    /// Enable TPM 2.0 support using swtpm
+    pub fn with_tpm(mut self, tpm: bool) -> Self {
+        self.tpm = tpm;
+        self
+    }
+
     /// Build the domain XML
     pub fn build_xml(self) -> Result<String> {
         let name = self.name.ok_or_else(|| eyre!("Domain name is required"))?;
@@ -160,17 +176,80 @@ impl DomainBuilder {
         )?;
         writer.write_text_element("vcpu", &vcpus.to_string())?;
 
-        // OS section
-        writer.start_element("os", &[])?;
-        writer.write_text_element_with_attrs(
-            "type",
-            &arch_config.os_type,
-            &[
-                ("arch", &arch_config.arch),
-                ("machine", &arch_config.machine),
-            ],
-        )?;
-        writer.write_empty_element("boot", &[("dev", "hd")])?;
+        // OS section with firmware configuration
+        let use_uefi = self.firmware.as_deref() != Some("bios");
+        let secure_boot = self.firmware.as_deref() == Some("uefi-secure");
+
+        if use_uefi && secure_boot {
+            // Secure boot requires explicit firmware paths
+            writer.start_element("os", &[("firmware", "efi")])?;
+            writer.write_text_element_with_attrs(
+                "type",
+                &arch_config.os_type,
+                &[
+                    ("arch", &arch_config.arch),
+                    ("machine", &arch_config.machine),
+                ],
+            )?;
+
+            // Define architecture-specific firmware paths
+            let (code_path, nvram_template) = match arch_config.arch {
+                "x86_64" => (
+                    "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
+                    "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd",
+                ),
+                "aarch64" => (
+                    "/usr/share/edk2/aarch64/QEMU_EFI.fd",
+                    "/usr/share/edk2/aarch64/QEMU_VARS.fd",
+                ),
+                _ => {
+                    return Err(eyre!(
+                        "Secure boot not supported for architecture: {}",
+                        arch_config.arch
+                    ));
+                }
+            };
+
+            writer.write_text_element_with_attrs(
+                "loader",
+                code_path,
+                &[("readonly", "yes"), ("type", "pflash"), ("secure", "yes")],
+            )?;
+
+            // Generate per-domain NVRAM path
+            let nvram_path = format!("/var/lib/libvirt/qemu/nvram/{}_VARS.fd", &name);
+            writer.write_text_element_with_attrs(
+                "nvram",
+                &nvram_path,
+                &[("template", nvram_template)],
+            )?;
+
+            writer.write_empty_element("boot", &[("dev", "hd")])?;
+        } else if use_uefi {
+            // Regular UEFI without secure boot
+            writer.start_element("os", &[("firmware", "efi")])?;
+            writer.write_text_element_with_attrs(
+                "type",
+                &arch_config.os_type,
+                &[
+                    ("arch", &arch_config.arch),
+                    ("machine", &arch_config.machine),
+                ],
+            )?;
+            writer.write_empty_element("boot", &[("dev", "hd")])?;
+        } else {
+            // BIOS firmware
+            writer.start_element("os", &[])?;
+            writer.write_text_element_with_attrs(
+                "type",
+                &arch_config.os_type,
+                &[
+                    ("arch", &arch_config.arch),
+                    ("machine", &arch_config.machine),
+                ],
+            )?;
+            writer.write_empty_element("boot", &[("dev", "hd")])?;
+        }
 
         // Add kernel arguments if specified (for direct boot)
         if let Some(ref kargs) = self.kernel_args {
@@ -283,6 +362,15 @@ impl DomainBuilder {
             writer.end_element("filesystem")?;
         }
 
+        // TPM device
+        if self.tpm {
+            writer.start_element("tpm", &[("model", "tpm-tis")])?;
+            writer.start_element("backend", &[("type", "emulator"), ("version", "2.0")])?;
+            writer.write_empty_element("device", &[("path", "/dev/tpm0")])?;
+            writer.end_element("backend")?;
+            writer.end_element("tpm")?;
+        }
+
         writer.end_element("devices")?;
 
         // QEMU commandline section (if we have QEMU args)
@@ -437,6 +525,96 @@ mod tests {
         assert!(xml.contains("<timer name=\"rtc\""));
     }
 
+    #[test]
+    fn test_secure_boot_configuration() {
+        // Test secure boot enabled with uefi-secure
+        let xml = DomainBuilder::new()
+            .with_name("test-secure-boot")
+            .with_firmware("uefi-secure")
+            .build_xml()
+            .unwrap();
+
+        // Should include explicit loader and nvram configuration
+        assert!(xml.contains("loader"));
+        assert!(xml.contains("nvram"));
+        assert!(xml.contains("secure=\"yes\""));
+        assert!(xml.contains("template="));
+
+        // Should include secure boot firmware paths based on architecture
+        let arch = std::env::consts::ARCH;
+        match arch {
+            "x86_64" => {
+                assert!(xml.contains("/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd"));
+                assert!(xml.contains("/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd"));
+            }
+            "aarch64" => {
+                assert!(xml.contains("/usr/share/edk2/aarch64/QEMU_EFI.fd"));
+                assert!(xml.contains("/usr/share/edk2/aarch64/QEMU_VARS.fd"));
+            }
+            _ => {
+                // Test should still pass for unsupported architectures
+            }
+        }
+
+        // Test regular UEFI without secure boot
+        let xml_regular = DomainBuilder::new()
+            .with_name("test-regular-uefi")
+            .with_firmware("uefi")
+            .build_xml()
+            .unwrap();
+
+        // Should use libvirt auto firmware selection
+        assert!(xml_regular.contains("firmware=\"efi\""));
+        assert!(!xml_regular.contains("secure=\"yes\""));
+        assert!(!xml_regular.contains("template="));
+
+        // Test BIOS firmware (no secure boot)
+        let xml_bios = DomainBuilder::new()
+            .with_name("test-bios")
+            .with_firmware("bios")
+            .build_xml()
+            .unwrap();
+
+        // Should not have firmware="efi" or secure boot settings
+        assert!(!xml_bios.contains("firmware=\"efi\""));
+        assert!(!xml_bios.contains("secure=\"yes\""));
+    }
+
+    #[test]
+    fn test_tpm_configuration() {
+        // Test TPM enabled (default)
+        let xml = DomainBuilder::new()
+            .with_name("test-tpm-enabled")
+            .build_xml()
+            .unwrap();
+
+        // Should include TPM device by default
+        assert!(xml.contains("<tpm model=\"tpm-tis\">"));
+        assert!(xml.contains("<backend type=\"emulator\" version=\"2.0\">"));
+        assert!(xml.contains("<device path=\"/dev/tpm0\"/>"));
+
+        // Test TPM explicitly enabled
+        let xml_enabled = DomainBuilder::new()
+            .with_name("test-tpm-explicit")
+            .with_tpm(true)
+            .build_xml()
+            .unwrap();
+
+        assert!(xml_enabled.contains("<tpm model=\"tpm-tis\">"));
+        assert!(xml_enabled.contains("backend type=\"emulator\""));
+
+        // Test TPM disabled
+        let xml_disabled = DomainBuilder::new()
+            .with_name("test-tpm-disabled")
+            .with_tpm(false)
+            .build_xml()
+            .unwrap();
+
+        // Should not contain TPM configuration
+        assert!(!xml_disabled.contains("<tpm"));
+        assert!(!xml_disabled.contains("backend type=\"emulator\""));
+    }
+
     #[test]
     fn test_virtiofs_filesystem_configuration() {
         // Test read-write virtiofs filesystem

crates/kit/src/libvirt/run.rs

@@ -65,6 +65,14 @@ pub struct LibvirtRunOpts {
     /// Mount host container storage (RO) at /run/virtiofs-mnt-hoststorage
     #[clap(long = "bind-storage-ro")]
     pub bind_storage_ro: bool,
+
+    /// Firmware type for the VM ("uefi", "uefi-secure", or "bios", defaults to "uefi")
+    #[clap(long, default_value = "uefi")]
+    pub firmware: String,
+
+    /// Disable TPM 2.0 support (enabled by default)
+    #[clap(long)]
+    pub disable_tpm: bool,
 }
 
 /// Execute the libvirt run command
@@ -542,6 +550,8 @@ fn create_libvirt_domain_from_disk(
         .with_vcpus(opts.cpus)
         .with_disk(disk_path.as_str())
         .with_network("none") // Use QEMU args for SSH networking instead
+        .with_firmware(&opts.firmware)
+        .with_tpm(!opts.disable_tpm)
         .with_metadata("bootc:source-image", &opts.image)
         .with_metadata("bootc:memory-mb", &opts.memory.to_string())
         .with_metadata("bootc:vcpus", &opts.cpus.to_string())

docs/src/man/bcvk-libvirt-create.md

@@ -85,6 +85,16 @@ Create and start domains from uploaded bootc volumes
 
     Size of the disk image for automatic upload (e.g., '20G', '10240M')
 
+**--firmware**=*FIRMWARE*
+
+    Firmware type for the VM (\"uefi\", \"uefi-secure\", or \"bios\", defaults to \"uefi\")
+
+    Default: uefi
+
+**--disable-tpm**
+
+    Disable TPM 2.0 support (enabled by default)
+
 **--memory**=*MEMORY*
 
     Memory size (e.g. 4G, 2048M, or plain number for MB)

docs/src/man/bcvk-libvirt-run.md

@@ -73,6 +73,16 @@ Run a bootable container as a persistent VM
 
     Mount host container storage (RO) at /run/virtiofs-mnt-hoststorage
 
+**--firmware**=*FIRMWARE*
+
+    Firmware type for the VM ("uefi", "uefi-secure", or "bios", defaults to "uefi")
+
+    Default: uefi
+
+**--disable-tpm**
+
+    Disable TPM 2.0 support (enabled by default)
+
 <!-- END GENERATED OPTIONS -->
 
 # EXAMPLES