VMware: Added secure boot enable/disable to vmware_guest_boot_manager. (#46717)

* Added secure boot enable/disable to vmware_guest_boot_manager. Also added its state to facts * VMware does not support secure boot when boot_firmware is bios. Add some guardrails to protect the user from misconfiguration * Address review comments
2018-10-15 05:32:01 -04:00 · 2018-10-15 05:32:01 -04:00 · c73b2aa415
commit c73b2aa415
parent ebeb788117
2 changed files with 32 additions and 1 deletions
--- a/lib/ansible/modules/cloud/vmware/vmware_guest_boot_facts.py
+++ b/lib/ansible/modules/cloud/vmware/vmware_guest_boot_facts.py
@ -74,6 +74,7 @@ vm_boot_facts:
        "current_boot_retry_enabled": true,
        "current_enter_bios_setup": true,
        "current_boot_firmware": "bios",
+        "current_secure_boot_enabled": false,
    }
 """

@ -143,6 +144,7 @@ class VmBootFactsManager(PyVmomi):
                current_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled,
                current_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay,
                current_boot_firmware=self.vm.config.firmware,
+                current_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled
            )

        self.module.exit_json(changed=False, vm_boot_facts=results)
--- a/lib/ansible/modules/cloud/vmware/vmware_guest_boot_manager.py
+++ b/lib/ansible/modules/cloud/vmware/vmware_guest_boot_manager.py
@ -72,6 +72,12 @@ options:
     description:
     - Choose which firmware should be used to boot the virtual machine.
     choices: ["bios", "efi"]
+   secure_boot_enabled:
+     description:
+     - Choose if EFI secure boot should be enabled.  EFI secure boot can only be enabled with boot_firmware = efi
+     type: 'bool'
+     default: False
+     version_added: '2.8'
 extends_documentation_fragment: vmware.documentation
 '''

@ -87,6 +93,7 @@ EXAMPLES = r'''
    boot_retry_enabled: True
    boot_retry_delay: 22300
    boot_firmware: bios
+    secure_boot_enabled: False
    boot_order:
      - floppy
      - cdrom
@ -113,11 +120,13 @@ vm_boot_status:
        "current_boot_retry_enabled": true,
        "current_enter_bios_setup": true,
        "current_boot_firmware": "bios",
+        "current_secure_boot_enabled": false,
        "previous_boot_delay": 10,
        "previous_boot_retry_delay": 10000,
        "previous_boot_retry_enabled": true,
        "previous_enter_bios_setup": false,
-        "previous_boot_firmware": "bios",
+        "previous_boot_firmware": "efi",
+        "previous_secure_boot_enabled": true,
        "previous_boot_order": [
            "ethernet",
            "cdrom",
@ -245,6 +254,20 @@ class VmBootManager(PyVmomi):
            change_needed = True
            boot_firmware_required = True

+        if self.vm.config.bootOptions.efiSecureBootEnabled != self.params.get('secure_boot_enabled'):
+            if self.params.get('secure_boot_enabled') and self.params.get('boot_firmware') == "bios":
+                self.module.fail_json(msg="EFI secure boot cannot be enabled when boot_firmware = bios, but both are specified")
+
+            # If the user is not specifying boot_firmware, make sure they aren't trying to enable it on a
+            # system with boot_firmware already set to 'bios'
+            if self.params.get('secure_boot_enabled') and \
+               self.params.get('boot_firmware') is None and \
+               self.vm.config.firmware == 'bios':
+                    self.module.fail_json(msg="EFI secure boot cannot be enabled when boot_firmware = bios.  VM's boot_firmware currently set to bios")
+
+            kwargs.update({'efiSecureBootEnabled': self.params.get('secure_boot_enabled')})
+            change_needed = True
+
        changed = False
        results = dict(
            previous_boot_order=self.humanize_boot_order(self.vm.config.bootOptions.bootOrder),
@ -253,6 +276,7 @@ class VmBootManager(PyVmomi):
            previous_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled,
            previous_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay,
            previous_boot_firmware=self.vm.config.firmware,
+            previous_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled,
            current_boot_order=[],
        )

@ -278,6 +302,7 @@ class VmBootManager(PyVmomi):
                'current_boot_retry_enabled': self.vm.config.bootOptions.bootRetryEnabled,
                'current_boot_retry_delay': self.vm.config.bootOptions.bootRetryDelay,
                'current_boot_firmware': self.vm.config.firmware,
+                'current_secure_boot_enabled': self.vm.config.bootOptions.efiSecureBootEnabled,
            }
        )

@ -313,6 +338,10 @@ def main():
            type='int',
            default=0,
        ),
+        secure_boot_enabled=dict(
+            type='bool',
+            default=False,
+        ),
        boot_firmware=dict(
            type='str',
            choices=['efi', 'bios'],