From 2999945eb826caf846ee6d625528dce33c49b709 Mon Sep 17 00:00:00 2001 From: Jonathon Jongsma Date: Tue, 14 Feb 2023 13:41:41 -0600 Subject: [PATCH] virt-manager-4.1.0-4.el9 - virt-install: Recommend '--boot uefi' (rhbz#2112154) - virt-install: Document Secure Boot setups (rhbz#2112154) Resolves: rhbz#2112154 --- ...-install-Document-Secure-Boot-setups.patch | 62 +++++++++++++++++++ ...ger-virt-install-Recommend-boot-uefi.patch | 42 +++++++++++++ virt-manager.spec | 8 ++- 3 files changed, 111 insertions(+), 1 deletion(-) create mode 100644 virt-manager-virt-install-Document-Secure-Boot-setups.patch create mode 100644 virt-manager-virt-install-Recommend-boot-uefi.patch diff --git a/virt-manager-virt-install-Document-Secure-Boot-setups.patch b/virt-manager-virt-install-Document-Secure-Boot-setups.patch new file mode 100644 index 0000000..04ea773 --- /dev/null +++ b/virt-manager-virt-install-Document-Secure-Boot-setups.patch 
@@ -0,0 +1,62 @@ +From f44c6ec970413843214f52d5523ee8cf277b0150 Mon Sep 17 00:00:00 2001 +From: Andrea Bolognani +Date: Mon, 12 Dec 2022 19:38:22 +0100 +Subject: [PATCH] virt-install: Document Secure Boot setups + +Provide ready to use recipes for explicitly enabling and +explicitly disabling Secure Boot, as well as a pointer to +the more extensive information found on the libvirt website. + +Setting loader_secure=yes is only one part of a proper Secure +Boot setup, so stop documenting it in the section about manual +firmware selection to avoid confusion. + +https://bugzilla.redhat.com/show_bug.cgi?id=2112154 +https://bugzilla.redhat.com/show_bug.cgi?id=2149971 + +Signed-off-by: Andrea Bolognani +(cherry picked from commit 33ff193ee9fcfdb74f95d946a1b93239a1a12a61) + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2112154 + +Signed-off-by: Jonathon Jongsma +--- + man/virt-install.rst | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/man/virt-install.rst b/man/virt-install.rst +index 684f22655..a0df73280 100644 +--- a/man/virt-install.rst ++++ b/man/virt-install.rst +@@ -957,13 +957,26 @@ Some examples: + via domcapabilities XML, so this will likely only work if using properly + configured distro packages. This is the recommended UEFI setup. + ++``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes`` ++ Configure the VM to boot from UEFI with Secure Boot support enabled. ++ Only signed operating systems will be able to boot with this configuration. ++ ++``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no`` ++ Configure the VM to boot from UEFI with Secure Boot support disabled. ++ This configuration allows both signed and unsigned operating systems to ++ run. 
++ ++ Additional information about the ``secure-boot`` and ++ ``enrolled-keys`` firmware features and how they can be used to ++ influence firmware selection is available at ++ https://libvirt.org/kbase/secureboot.html ++ + ``--boot loader=/.../OVMF_CODE.fd,loader.readonly=yes,loader.type=pflash,nvram.template=/.../OVMF_VARS.fd,loader_secure=no`` + Specify that the virtual machine use the custom OVMF binary as boot firmware, + mapped as a virtual flash chip. In addition, request that libvirt instantiate + the VM-specific UEFI varstore from the custom "/.../OVMF_VARS.fd" varstore + template. This setup is not recommended, and should only be used if +- --boot uefi doesn't know about your UEFI binaries. If your UEFI firmware +- supports Secure boot feature you can enable it via loader_secure. ++ --boot uefi doesn't know about your UEFI binaries. + + Use --boot=? to see a list of all available sub options. + Complete details at https://libvirt.org/formatdomain.html#elementsOS +-- +2.39.1 + diff --git a/virt-manager-virt-install-Recommend-boot-uefi.patch b/virt-manager-virt-install-Recommend-boot-uefi.patch new file mode 100644 index 0000000..96f34a2 --- /dev/null +++ b/virt-manager-virt-install-Recommend-boot-uefi.patch 
@@ -0,0 +1,42 @@ +From 19b683f075d11b920552990d16b9a7a82eed12e3 Mon Sep 17 00:00:00 2001 +From: Andrea Bolognani +Date: Mon, 12 Dec 2022 19:32:32 +0100 +Subject: [PATCH] virt-install: Recommend '--boot uefi' + +Firmware autoselection is the way to go in most cases, so +recommend that instead of telling users that they should provide +all information manually. + +Signed-off-by: Andrea Bolognani +(cherry picked from commit f2b5aaf458764ec7ecf105038e5f2f7cc26b6c17) + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2112154 + +Signed-off-by: Jonathon Jongsma +--- + man/virt-install.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/virt-install.rst b/man/virt-install.rst +index 3a6e8dcd2..684f22655 100644 +--- a/man/virt-install.rst ++++ b/man/virt-install.rst +@@ -955,13 +955,13 @@ Some examples: + Configure the VM to boot from UEFI. In order for virt-install to know the + correct UEFI parameters, libvirt needs to be advertising known UEFI binaries + via domcapabilities XML, so this will likely only work if using properly +- configured distro packages. ++ configured distro packages. This is the recommended UEFI setup. + + ``--boot loader=/.../OVMF_CODE.fd,loader.readonly=yes,loader.type=pflash,nvram.template=/.../OVMF_VARS.fd,loader_secure=no`` + Specify that the virtual machine use the custom OVMF binary as boot firmware, + mapped as a virtual flash chip. In addition, request that libvirt instantiate + the VM-specific UEFI varstore from the custom "/.../OVMF_VARS.fd" varstore +- template. This is the recommended UEFI setup, and should be used if ++ template. This setup is not recommended, and should only be used if + --boot uefi doesn't know about your UEFI binaries. If your UEFI firmware + supports Secure boot feature you can enable it via loader_secure. + +-- +2.39.1 + diff --git a/virt-manager.spec b/virt-manager.spec index 6633c3c..794629f 100644 --- a/virt-manager.spec +++ b/virt-manager.spec 
@@ -8,7 +8,7 @@ Name: virt-manager Version: 4.1.0 -Release: 3%{?dist}%{?extra_release} +Release: 4%{?dist}%{?extra_release} %global verrel %{version}-%{release} Summary: Desktop tool for managing virtual machines via libvirt @@ -23,6 +23,8 @@ Patch2: virt-manager-virtinstall-fix-regression-with-boot-and-no-install-method. Patch3: virt-manager-progress-Fix-showing-correct-final-total.patch Patch4: virt-manager-virtinstall-Fix-the-allocating-disk-size-printed-by-the-progress-bar.patch Patch5: virt-manager-virtinstall-Hide-total_size-in-the-progress-bar-if-it-doesn-t-need.patch +Patch6: virt-manager-virt-install-Recommend-boot-uefi.patch +Patch7: virt-manager-virt-install-Document-Secure-Boot-setups.patch Requires: virt-manager-common = %{verrel} @@ -188,6 +190,10 @@ git config gc.auto 0 %changelog +* Tue Feb 14 2023 Jonathon Jongsma - 4.1.0-4 +- virt-install: Recommend '--boot uefi' (rhbz#2112154) +- virt-install: Document Secure Boot setups (rhbz#2112154) + * Wed Feb 1 2023 Jonathon Jongsma - 4.1.0-3 - progress: Fix showing correct final total (rhbz#2156247) - virtinstall: Fix the allocating disk size printed by the progress bar (rhbz#2156247)
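Review bot: In the man/virt-install.rst hunk of the "Document Secure Boot setups" patch (@@ -957,13 +957,26 @@), the enabled recipe sets both firmware.feature0.name=secure-boot and firmware.feature1.name=enrolled-keys, but its description only says "Secure Boot support enabled", so a reader who shortens the option to the secure-boot feature alone cannot tell whether "Only signed operating systems will be able to boot" still holds. Add a sentence stating what enrolled-keys contributes and that the signed-only statement applies to the pair as written, rather than leaving that to the linked libvirt page. In the same hunk, the manual loader example still ends in loader_secure=no after the sentence explaining loader_secure was removed; either drop that sub-option from the example or point readers to the two recipes added above it.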
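Review bot: In the man/virt-install.rst hunk of the "Recommend '--boot uefi'" patch (@@ -955,13 +955,13 @@), the manual loader entry now reads "This setup is not recommended" without giving a reason, and the unchanged sentence right after it still tells readers they can enable Secure Boot via loader_secure on that same setup. The reasoning lives only in the commit message ("Firmware autoselection is the way to go in most cases"); put a short version of it in the man page text so the recommendation is self-explanatory. The loader_secure sentence is only removed by the Secure Boot patch, so this patch should not ship without that one.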
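Review bot: In the virt-manager.spec hunk that adds Patch6 and Patch7 (@@ -23,6 +23,8 @@), the order is a hard dependency that nothing in the spec records: the Secure Boot patch's man/virt-install.rst diff starts from index 684f22655, which is the result of the Recommend patch (index 3a6e8dcd2..684f22655). The order chosen is correct; a one-line comment above Patch6 saying Patch7 must be applied after it would keep a later reorder or drop from breaking the build.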