VMware: Added secure boot enable/disable to vmware_guest_boot_manager. (#46717)

* Added secure boot enable/disable to vmware_guest_boot_manager.  Also added its state to facts
* VMware does not support secure boot when boot_firmware is bios.  Add some guardrails to protect the user from misconfiguration
* Address review comments
pull/47049/head
Mike Healey 6 years ago committed by Abhijeet Kasurde
parent ebeb788117
commit c73b2aa415

@ -74,6 +74,7 @@ vm_boot_facts:
"current_boot_retry_enabled": true,
"current_enter_bios_setup": true,
"current_boot_firmware": "bios",
"current_secure_boot_enabled": false,
}
"""
@ -143,6 +144,7 @@ class VmBootFactsManager(PyVmomi):
current_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled,
current_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay,
current_boot_firmware=self.vm.config.firmware,
current_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled
)
self.module.exit_json(changed=False, vm_boot_facts=results)

@ -72,6 +72,12 @@ options:
description:
- Choose which firmware should be used to boot the virtual machine.
choices: ["bios", "efi"]
secure_boot_enabled:
description:
- Choose if EFI secure boot should be enabled. EFI secure boot can only be enabled with boot_firmware = efi
type: 'bool'
default: False
version_added: '2.8'
extends_documentation_fragment: vmware.documentation
'''
@ -87,6 +93,7 @@ EXAMPLES = r'''
boot_retry_enabled: True
boot_retry_delay: 22300
boot_firmware: bios
secure_boot_enabled: False
boot_order:
- floppy
- cdrom
@ -113,11 +120,13 @@ vm_boot_status:
"current_boot_retry_enabled": true,
"current_enter_bios_setup": true,
"current_boot_firmware": "bios",
"current_secure_boot_enabled": false,
"previous_boot_delay": 10,
"previous_boot_retry_delay": 10000,
"previous_boot_retry_enabled": true,
"previous_enter_bios_setup": false,
"previous_boot_firmware": "bios",
"previous_boot_firmware": "efi",
"previous_secure_boot_enabled": true,
"previous_boot_order": [
"ethernet",
"cdrom",
@ -245,6 +254,20 @@ class VmBootManager(PyVmomi):
change_needed = True
boot_firmware_required = True
if self.vm.config.bootOptions.efiSecureBootEnabled != self.params.get('secure_boot_enabled'):
if self.params.get('secure_boot_enabled') and self.params.get('boot_firmware') == "bios":
self.module.fail_json(msg="EFI secure boot cannot be enabled when boot_firmware = bios, but both are specified")
# If the user is not specifying boot_firmware, make sure they aren't trying to enable it on a
# system with boot_firmware already set to 'bios'
if self.params.get('secure_boot_enabled') and \
self.params.get('boot_firmware') is None and \
self.vm.config.firmware == 'bios':
self.module.fail_json(msg="EFI secure boot cannot be enabled when boot_firmware = bios. VM's boot_firmware currently set to bios")
kwargs.update({'efiSecureBootEnabled': self.params.get('secure_boot_enabled')})
change_needed = True
changed = False
results = dict(
previous_boot_order=self.humanize_boot_order(self.vm.config.bootOptions.bootOrder),
@ -253,6 +276,7 @@ class VmBootManager(PyVmomi):
previous_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled,
previous_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay,
previous_boot_firmware=self.vm.config.firmware,
previous_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled,
current_boot_order=[],
)
@ -278,6 +302,7 @@ class VmBootManager(PyVmomi):
'current_boot_retry_enabled': self.vm.config.bootOptions.bootRetryEnabled,
'current_boot_retry_delay': self.vm.config.bootOptions.bootRetryDelay,
'current_boot_firmware': self.vm.config.firmware,
'current_secure_boot_enabled': self.vm.config.bootOptions.efiSecureBootEnabled,
}
)
@ -313,6 +338,10 @@ def main():
type='int',
default=0,
),
secure_boot_enabled=dict(
type='bool',
default=False,
),
boot_firmware=dict(
type='str',
choices=['efi', 'bios'],

Loading…
Cancel
Save