VMware: Added secure boot enable/disable to vmware_guest_boot_manager. (#46717)

* Added secure boot enable/disable to vmware_guest_boot_manager.  Also added its state to facts
* VMware does not support secure boot when boot_firmware is bios. Added guardrails to protect the user from misconfiguration.
* Address review comments
Mike Healey 2018-10-15 05:32:01 -04:00 committed by Abhijeet Kasurde
parent ebeb788117
commit c73b2aa415
2 changed files with 32 additions and 1 deletions


@ -74,6 +74,7 @@ vm_boot_facts:
"current_boot_retry_enabled": true, "current_boot_retry_enabled": true,
"current_enter_bios_setup": true, "current_enter_bios_setup": true,
"current_boot_firmware": "bios", "current_boot_firmware": "bios",
"current_secure_boot_enabled": false,
} }
""" """
@ -143,6 +144,7 @@ class VmBootFactsManager(PyVmomi):
current_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled, current_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled,
current_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay, current_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay,
current_boot_firmware=self.vm.config.firmware, current_boot_firmware=self.vm.config.firmware,
current_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled
) )
self.module.exit_json(changed=False, vm_boot_facts=results) self.module.exit_json(changed=False, vm_boot_facts=results)
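Review bot: The new `current_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled` line in the facts `results = dict(...)` is the only keyword argument without a trailing comma, while the preceding lines in this hunk and the analogous lines added to vmware_guest_boot_manager all end with one; write it as `current_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled,` so the next addition does not have to touch this line. Presumably `efiSecureBootEnabled` is an optional property of the vSphere boot options and may be unset on older VM hardware or vCenter versions, in which case the fact would be reported as null rather than the `false` shown in the RETURN example; a short comment such as `# efiSecureBootEnabled may be unset on older hardware versions — reported as-is` and a matching sentence in the RETURN docs would make that visible to consumers that gate on the value. The enclosing method starts outside this hunk.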


@ -72,6 +72,12 @@ options:
description: description:
- Choose which firmware should be used to boot the virtual machine. - Choose which firmware should be used to boot the virtual machine.
choices: ["bios", "efi"] choices: ["bios", "efi"]
secure_boot_enabled:
description:
- Choose if EFI secure boot should be enabled. EFI secure boot can only be enabled with boot_firmware = efi
type: 'bool'
default: False
version_added: '2.8'
extends_documentation_fragment: vmware.documentation extends_documentation_fragment: vmware.documentation
''' '''
@ -87,6 +93,7 @@ EXAMPLES = r'''
boot_retry_enabled: True boot_retry_enabled: True
boot_retry_delay: 22300 boot_retry_delay: 22300
boot_firmware: bios boot_firmware: bios
secure_boot_enabled: False
boot_order: boot_order:
- floppy - floppy
- cdrom - cdrom
@ -113,11 +120,13 @@ vm_boot_status:
"current_boot_retry_enabled": true, "current_boot_retry_enabled": true,
"current_enter_bios_setup": true, "current_enter_bios_setup": true,
"current_boot_firmware": "bios", "current_boot_firmware": "bios",
"current_secure_boot_enabled": false,
"previous_boot_delay": 10, "previous_boot_delay": 10,
"previous_boot_retry_delay": 10000, "previous_boot_retry_delay": 10000,
"previous_boot_retry_enabled": true, "previous_boot_retry_enabled": true,
"previous_enter_bios_setup": false, "previous_enter_bios_setup": false,
"previous_boot_firmware": "bios", "previous_boot_firmware": "efi",
"previous_secure_boot_enabled": true,
"previous_boot_order": [ "previous_boot_order": [
"ethernet", "ethernet",
"cdrom", "cdrom",
@ -245,6 +254,20 @@ class VmBootManager(PyVmomi):
change_needed = True change_needed = True
boot_firmware_required = True boot_firmware_required = True
if self.vm.config.bootOptions.efiSecureBootEnabled != self.params.get('secure_boot_enabled'):
if self.params.get('secure_boot_enabled') and self.params.get('boot_firmware') == "bios":
self.module.fail_json(msg="EFI secure boot cannot be enabled when boot_firmware = bios, but both are specified")
# If the user is not specifying boot_firmware, make sure they aren't trying to enable it on a
# system with boot_firmware already set to 'bios'
if self.params.get('secure_boot_enabled') and \
self.params.get('boot_firmware') is None and \
self.vm.config.firmware == 'bios':
self.module.fail_json(msg="EFI secure boot cannot be enabled when boot_firmware = bios. VM's boot_firmware currently set to bios")
kwargs.update({'efiSecureBootEnabled': self.params.get('secure_boot_enabled')})
change_needed = True
changed = False changed = False
results = dict( results = dict(
previous_boot_order=self.humanize_boot_order(self.vm.config.bootOptions.bootOrder), previous_boot_order=self.humanize_boot_order(self.vm.config.bootOptions.bootOrder),
@ -253,6 +276,7 @@ class VmBootManager(PyVmomi):
previous_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled, previous_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled,
previous_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay, previous_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay,
previous_boot_firmware=self.vm.config.firmware, previous_boot_firmware=self.vm.config.firmware,
previous_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled,
current_boot_order=[], current_boot_order=[],
) )
@ -278,6 +302,7 @@ class VmBootManager(PyVmomi):
'current_boot_retry_enabled': self.vm.config.bootOptions.bootRetryEnabled, 'current_boot_retry_enabled': self.vm.config.bootOptions.bootRetryEnabled,
'current_boot_retry_delay': self.vm.config.bootOptions.bootRetryDelay, 'current_boot_retry_delay': self.vm.config.bootOptions.bootRetryDelay,
'current_boot_firmware': self.vm.config.firmware, 'current_boot_firmware': self.vm.config.firmware,
'current_secure_boot_enabled': self.vm.config.bootOptions.efiSecureBootEnabled,
} }
) )
@ -313,6 +338,10 @@ def main():
type='int', type='int',
default=0, default=0,
), ),
secure_boot_enabled=dict(
type='bool',
default=False,
),
boot_firmware=dict( boot_firmware=dict(
type='str', type='str',
choices=['efi', 'bios'], choices=['efi', 'bios'],
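Review bot: Because `secure_boot_enabled` is declared with `default=False` in `main()`, the new comparison `if self.vm.config.bootOptions.efiSecureBootEnabled != self.params.get('secure_boot_enabled'):` in the `@ -245,6 +254,20` hunk is also true for every play that never mentions the option, so any unrelated change through this module (a boot delay, a boot order) will silently switch secure boot off on a VM that currently has it enabled — a weakening of the guest's boot integrity that the task output does not call out. The option should be unset by default and only enforced when the user asked for it: drop `default=False,` from the argument spec and from the DOCUMENTATION entry, and guard the check with `if self.params.get('secure_boot_enabled') is not None and self.vm.config.bootOptions.efiSecureBootEnabled != self.params.get('secure_boot_enabled'):`. The two `fail_json` guardrails then keep their meaning, since they already test the parameter for truthiness. The hunk header announces 14 added lines but only 11 are visible here, so some lines appear to have been lost in rendering, and the enclosing method of `VmBootManager` begins and ends outside the hunk.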