Hello community,

here is the log from the commit of package virt-manager for openSUSE:Factory checked in at 2026-04-01 19:55:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/virt-manager (Old)
 and /work/SRC/openSUSE:Factory/.virt-manager.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "virt-manager" Wed Apr 1 19:55:06 2026 rev:291 rq:1344191 version:5.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/virt-manager/virt-manager.changes 2026-03-27 06:52:23.037088396 +0100 +++ /work/SRC/openSUSE:Factory/.virt-manager.new.21863/virt-manager.changes 2026-04-01 19:56:04.142673687 +0200 
@@ -1,0 +2,13 @@ +Tue Mar 31 14:50:13 MDT 2026 - [email protected] + +- Upstream features and bug fixes (bsc#1027942) (jsc#PED-14625) + 008-Fix-typo-in-virt-clone-documentation.patch + 062-cli-add--boot-secure-boot-option.patch + 063-man-secure-boot-dont-mention-enrolled-keys.patch + 077-man-virt-install-change--boot-secure-boot--docs.patch + 079-domain-os-add-set_firmware_feature-helper.patch + 080-cli-add--boot-firmware.enrolled-keys--firmware.secure-boot.patch +- Fix the UI Enable Launch Security checkbox + virtman-add-launch-security-support.patch + +------------------------------------------------------------------- New: ---- 008-Fix-typo-in-virt-clone-documentation.patch 062-cli-add--boot-secure-boot-option.patch 063-man-secure-boot-dont-mention-enrolled-keys.patch 077-man-virt-install-change--boot-secure-boot--docs.patch 079-domain-os-add-set_firmware_feature-helper.patch 080-cli-add--boot-firmware.enrolled-keys--firmware.secure-boot.patch ----------(New B)---------- New:- Upstream features and bug fixes (bsc#1027942) (jsc#PED-14625) 008-Fix-typo-in-virt-clone-documentation.patch 062-cli-add--boot-secure-boot-option.patch New: 008-Fix-typo-in-virt-clone-documentation.patch 062-cli-add--boot-secure-boot-option.patch 063-man-secure-boot-dont-mention-enrolled-keys.patch New: 062-cli-add--boot-secure-boot-option.patch 063-man-secure-boot-dont-mention-enrolled-keys.patch 077-man-virt-install-change--boot-secure-boot--docs.patch New: 063-man-secure-boot-dont-mention-enrolled-keys.patch 077-man-virt-install-change--boot-secure-boot--docs.patch 079-domain-os-add-set_firmware_feature-helper.patch New: 077-man-virt-install-change--boot-secure-boot--docs.patch 079-domain-os-add-set_firmware_feature-helper.patch 080-cli-add--boot-firmware.enrolled-keys--firmware.secure-boot.patch New: 079-domain-os-add-set_firmware_feature-helper.patch 080-cli-add--boot-firmware.enrolled-keys--firmware.secure-boot.patch - Fix the UI Enable Launch Security checkbox ----------(New 
E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ virt-manager.spec ++++++ --- /var/tmp/diff_new_pack.ltqo9t/_old 2026-04-01 19:56:06.758782610 +0200 +++ /var/tmp/diff_new_pack.ltqo9t/_new 2026-04-01 19:56:06.762782777 +0200 @@ -54,6 +54,7 @@ Patch5: 005-xmlbase-fix-parentnode-None-check.patch Patch6: 006-xmllibxml2-lazily-import-libxml2.patch Patch7: 007-xmlapi-add-xmletree.py-backend.patch +Patch8: 008-Fix-typo-in-virt-clone-documentation.patch Patch9: 009-avoid-NoneType-pixbuf.patch Patch12: 012-virtManager-wrapped-details-hw-panel-with-GtkScrolledWindow.patch Patch13: 013-virtinst-interface-add-support-for-backend.hostname-and-backend.fqdn.patch @@ -73,6 +74,11 @@ Patch59: 059-ui-Show-NVMe-Controller-details.patch Patch60: 060-virtinst-fix-locale-when-running-in-flatpak.patch Patch61: 061-virtinst-add-support-for-iommufd.patch +Patch62: 062-cli-add--boot-secure-boot-option.patch +Patch63: 063-man-secure-boot-dont-mention-enrolled-keys.patch +Patch77: 077-man-virt-install-change--boot-secure-boot--docs.patch +Patch79: 079-domain-os-add-set_firmware_feature-helper.patch +Patch80: 080-cli-add--boot-firmware.enrolled-keys--firmware.secure-boot.patch # SUSE Only Patch150: virtman-desktop.patch Patch151: virtman-kvm.patch ++++++ 008-Fix-typo-in-virt-clone-documentation.patch ++++++ Subject: Fix typo in virt-clone documentation From: Adrian Vollmer [email protected] Fri Oct 10 13:39:50 2025 +0200 Date: Fri Oct 10 14:08:00 2025 +0200: Git: 6fe47feca692ad8cff7b88fa4eb8bd328e0a9584 diff --git a/man/virt-clone.rst b/man/virt-clone.rst index 5b2b82972..e8fe73483 100644 --- a/man/virt-clone.rst +++ b/man/virt-clone.rst 
@@ -129,7 +129,7 @@ storage options via -file. ``--reflink`` Perform a lightweight copy. This is much faster if source images and destination images are all on the same btrfs filesystem. This only works for raw format disk - images, any non-raw images will not attempt to use refink + images, any non-raw images will not attempt to use reflink. ``-m``, ``--mac`` MAC ++++++ 062-cli-add--boot-secure-boot-option.patch ++++++ Subject: cli: add --boot secure-boot option From: Pavel Hrdina [email protected] Fri Feb 6 11:11:10 2026 +0100 Date: Fri Feb 6 17:06:41 2026 +0100: Git: 23dd48ae94430cb77dfd6fb718578dc91036fa42 The new option can be used to enable/disable secure boot verification of UEFI firmware. If virt-xml is used to change secure-boot print warning that resetting NVRAM is required to make the change effective. Fixes: https://github.com/virt-manager/virt-manager/issues/495 Signed-off-by: Pavel Hrdina <[email protected]> diff --git a/man/virt-install.rst b/man/virt-install.rst index fddf84f2c..8ccac382d 100644 --- a/man/virt-install.rst +++ b/man/virt-install.rst @@ -973,6 +973,12 @@ Some examples: ``--boot uefi=off`` Do not use UEFI if the VM would normally default to it. +``--boot uefi=on,secure-boot=off`` + Configure the VM to boot from UEFI with secure-boot enabled and enforced. + This requires libvirt with firmware auto-selection. Setting ``secure-boot`` + to off ensures the firmware can boot unsigned binaries. + This is a convenience option to control the enrolled-keys firmware feature. + ``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes`` Configure the VM to boot from UEFI with Secure Boot support enabled. Only signed operating systems will be able to boot with this configuration. diff --git a/virtinst/cli.py b/virtinst/cli.py index c6001644c..05b09d431 100644 --- a/virtinst/cli.py +++ b/virtinst/cli.py 
@@ -3237,6 +3237,7 @@ class ParserBoot(VirtCLIParser): cls.add_arg("domain_type", None, lookup_cb=None, cb=cls.set_domain_type_cb) cls.add_arg("emulator", None, lookup_cb=None, cb=cls.set_emulator_cb) cls.add_arg("uefi", None, lookup_cb=None, cb=cls.set_uefi_cb) + cls.add_arg("secure-boot", "secure_boot", is_onoff=True) # Common/Shared boot options cls.add_arg("loader", "loader") diff --git a/virtinst/domain/os.py b/virtinst/domain/os.py index 95285fdd3..a797f141b 100644 --- a/virtinst/domain/os.py +++ b/virtinst/domain/os.py @@ -5,6 +5,7 @@ # See the COPYING file in the top-level directory. from ..xmlbuilder import XMLBuilder, XMLProperty, XMLChildProperty +from ..logger import log class _InitArg(XMLBuilder): 
@@ -195,6 +196,54 @@ class DomainOs(XMLBuilder): obj = self.initargs.add_new() obj.val = val + @property + def secure_boot(self): + for feature in self.firmware_features: + if feature.name == "enrolled-keys": + return feature.enabled + return None + + @secure_boot.setter + def secure_boot(self, val): + """ + Enable or disable secure boot by setting enrolled-keys firmware feature. + Currently there are two features controlling how secure boot works: + + - secure-boot=enabled + enrolled-keys=enabled + This enables secure boot and verifies signature on boot. + + - secure-boot=enabled + enrolled-keys=disabled + This enables secure boot but there are no keys to verify signature + so it will boot also unsigned binaries. + + - secure-boot=disabled + enrolled-keys=disabled + This disables secure boot feature completely. + + Effectively we only need to use firmware with nvram that doesn't have + any keys to boot unsigned binaries. + """ + if val is None or self.secure_boot == val: + return + + if self.nvram: + log.warning( + _( + "Changing secure-boot requires resetting NVRAM." + " This can be done using `virsh start VM --reset-nvram`." + ) + ) + + for feature in self.firmware_features: + if feature.name in ["secure-boot", "enrolled-keys"]: + self.remove_child(feature) + + self._xmlstate.xmlapi.node_force_remove("./os/loader") + self._xmlstate.xmlapi.node_force_remove("./os/nvram") + + enrolled_keys = self.firmware_features.add_new() + enrolled_keys.name = "enrolled-keys" + enrolled_keys.enabled = val + ################## # Default config # ################## ++++++ 063-man-secure-boot-dont-mention-enrolled-keys.patch ++++++ Subject: man: secure-boot: don't mention entrolled-keys From: Pavel Hrdina [email protected] Mon Feb 9 20:38:59 2026 +0100 Date: Mon Feb 9 20:56:22 2026 +0100: Git: 5d7c66378be3d6a73b01fe9ddf5265f00b4eb767 Keep the description generic without implementation details. Signed-off-by: Pavel Hrdina <[email protected]> 
diff --git a/man/virt-install.rst b/man/virt-install.rst index 8ccac382d..d3462172a 100644 --- a/man/virt-install.rst +++ b/man/virt-install.rst @@ -977,7 +977,6 @@ Some examples: Configure the VM to boot from UEFI with secure-boot enabled and enforced. This requires libvirt with firmware auto-selection. Setting ``secure-boot`` to off ensures the firmware can boot unsigned binaries. - This is a convenience option to control the enrolled-keys firmware feature. ``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes`` Configure the VM to boot from UEFI with Secure Boot support enabled. ++++++ 077-man-virt-install-change--boot-secure-boot--docs.patch ++++++ Subject: man: virt-install: change `--boot secure-boot=` docs From: Cole Robinson [email protected] Wed Feb 25 07:14:43 2026 -0500 Date: Wed Feb 25 09:44:04 2026 -0500: Git: 3eebb61b7b39fc7098987cafd1d7999299cb63b8 The example is documenting secure-boot=off but the text is covering secure-boot=on. Rework it to cover both options, but expand on the text for what I consider the most important case, which is getting the VM to boot when default policy would reject it. Drop the bit about firmware autoselection. It's correct but applies only to old libvirt which should be rarely used these days IMO. Signed-off-by: Cole Robinson <[email protected]> diff --git a/man/virt-install.rst b/man/virt-install.rst index d3462172a..13bf5afdb 100644 --- a/man/virt-install.rst +++ b/man/virt-install.rst 
@@ -973,10 +973,13 @@ Some examples: ``--boot uefi=off`` Do not use UEFI if the VM would normally default to it. -``--boot uefi=on,secure-boot=off`` - Configure the VM to boot from UEFI with secure-boot enabled and enforced. - This requires libvirt with firmware auto-selection. Setting ``secure-boot`` - to off ensures the firmware can boot unsigned binaries. +``--boot uefi,secure-boot=on|off`` + Require or forbid Secure Boot enforcement, overriding the ``--boot uefi`` + default. Typically the default is ``on``. + + If your VM install fails to boot, and UEFI in the VM shows an error + with 'Access Denied', you may need to set ``secure-boot=off`` to + install your VM. ``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes`` Configure the VM to boot from UEFI with Secure Boot support enabled. ++++++ 079-domain-os-add-set_firmware_feature-helper.patch ++++++ Subject: domain: os: add set_firmware_feature helper From: Cole Robinson [email protected] Wed Feb 25 05:35:22 2026 -0500 Date: Wed Feb 25 09:44:04 2026 -0500: Git: e5c7317874cf3ffade8839d9995b1bc36d94100d Signed-off-by: Cole Robinson <[email protected]> diff --git a/virtinst/domain/os.py b/virtinst/domain/os.py index a797f141b..9f4140316 100644 --- a/virtinst/domain/os.py +++ b/virtinst/domain/os.py 
@@ -240,9 +240,26 @@ class DomainOs(XMLBuilder): self._xmlstate.xmlapi.node_force_remove("./os/loader") self._xmlstate.xmlapi.node_force_remove("./os/nvram") - enrolled_keys = self.firmware_features.add_new() - enrolled_keys.name = "enrolled-keys" - enrolled_keys.enabled = val + self.set_firmware_feature("enrolled-keys", val) + + def set_firmware_feature(self, feature_name, enabled): + """ + Helper for setting firmware feature XML, creating it if it doesn't exist. + + :param feature_name: Name of the firmware feature (e.g., "enrolled-keys") + :param enabled: Boolean value for the enabled attribute + """ + feature = None + for f in self.firmware_features: + if f.name == feature_name: + feature = f + break + + if feature is None: + feature = self.firmware_features.add_new() + feature.name = feature_name + + feature.enabled = enabled ################## # Default config # ++++++ 080-cli-add--boot-firmware.enrolled-keys--firmware.secure-boot.patch ++++++ Subject: cli: add --boot firmware.enrolled-keys=,firmware.secure-boot= From: Cole Robinson [email protected] Wed Feb 25 05:35:43 2026 -0500 Date: Wed Feb 25 09:44:04 2026 -0500: Git: 19f18e9f559496433b25448cb17164e2c378d635 These are convenience options for just setting the XML features. Signed-off-by: Cole Robinson <[email protected]> --- a/man/virt-install.rst +++ b/man/virt-install.rst 
@@ -981,14 +981,10 @@ Some examples: with 'Access Denied', you may need to set ``secure-boot=off`` to install your VM. -``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes`` - Configure the VM to boot from UEFI with Secure Boot support enabled. - Only signed operating systems will be able to boot with this configuration. - -``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no`` - Configure the VM to boot from UEFI with Secure Boot support disabled. - This configuration allows both signed and unsigned operating systems to - run. +``--boot uefi,firmware.secure-boot=yes|no`` + Convenience option for toggling individual firmware features on or + off in domain XML. If you don't know you need this, just use + ``--boot uefi,secure-boot=`` instead. Additional information about the ``secure-boot`` and ``enrolled-keys`` firmware features and how they can be used to --- a/tests/data/cli/compare/virt-install-singleton-config-1.xml +++ b/tests/data/cli/compare/virt-install-singleton-config-1.xml @@ -12,6 +12,10 @@ <vcpu cpuset="1,3-5">4</vcpu> <os firmware="efi"> <type arch="x86_64" machine="q35">hvm</type> + <firmware> + <feature enabled="yes" name="secure-boot"/> + <feature enabled="no" name="enrolled-keys"/> + </firmware> <boot dev="cdrom"/> <boot dev="fd"/> <boot dev="hd"/> --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -916,7 +916,7 @@ c.add_compare( "--seclabel relabel=yes " # lets libvirt fill in type and model "--sysinfo host " # special `--sysinfo host` handling "--noapic --noacpi " # feature backcompat - "--boot uefi,cdrom,fd,hd,network,menu=on " # uefi for default devices, + old style bootorder + "--boot uefi,cdrom,fd,hd,network,menu=on,firmware.secure-boot=yes,firmware.enrolled-keys=no " # uefi for default devices, + old style bootorder, + firmware features "--launchSecurity sev " # sev defaults # Disabling all the default device setup """ 
--- a/virtinst/cli.py +++ b/virtinst/cli.py @@ -3209,6 +3209,10 @@ class ParserBoot(VirtCLIParser): cb = self._make_find_inst_cb(cliarg, list_propname) return cb(*args, **kwargs) + def set_firmware_feature_cb(self, inst, val, virtarg): + feature_name = virtarg.cliname.split(".", 1)[1] + inst.set_firmware_feature(feature_name, val) + @classmethod def _virtcli_class_init(cls): VirtCLIParser._virtcli_class_init_common(cls) @@ -3255,6 +3259,20 @@ class ParserBoot(VirtCLIParser): is_onoff=True, ) cls.add_arg("firmware.feature[0-9]*.name", "name", find_inst_cb=cls.feature_find_inst_cb) + cls.add_arg( + "firmware.secure-boot", + None, + lookup_cb=None, + cb=cls.set_firmware_feature_cb, + is_onoff=True, + ) + cls.add_arg( + "firmware.enrolled-keys", + None, + lookup_cb=None, + cb=cls.set_firmware_feature_cb, + is_onoff=True, + ) cls.add_arg("nvram", "nvram") cls.add_arg("nvram.template", "nvram_template") cls.add_arg("boot[0-9]*.dev", "dev", find_inst_cb=cls.boot_find_inst_cb) ++++++ virtman-add-launch-security-support.patch ++++++ --- /var/tmp/diff_new_pack.ltqo9t/_old 2026-04-01 19:56:07.830827245 +0200 +++ /var/tmp/diff_new_pack.ltqo9t/_new 2026-04-01 19:56:07.842827745 +0200 
@@ -7,28 +7,38 @@ =================================================================== --- virt-manager-5.1.0.orig/ui/details.ui +++ virt-manager-5.1.0/ui/details.ui -@@ -2908,7 +2908,20 @@ +@@ -1936,7 +1936,20 @@ + </packing> + </child> + <child> +- <placeholder/> ++ <object class="GtkCheckButton" id="launch-security"> ++ <property name="label" translatable="yes">Enable launch security</property> ++ <property name="visible">True</property> ++ <property name="can-focus">True</property> ++ <property name="receives-default">False</property> ++ <property name="halign">start</property> ++ <property name="use-underline">True</property> ++ <property name="draw-indicator">True</property> ++ <signal name="toggled" handler="on_mem_launch_security_toggled" swapped="no"/> ++ </object> ++ <packing> ++ <property name="left-attach">1</property> ++ <property name="top-attach">4</property> ++ </packing> + </child> + </object> + <packing> +@@ -2904,9 +2917,6 @@ + <child> <placeholder/> </child> - <child> +- <child> - <placeholder/> -+ <object class="GtkCheckButton" id="launch-security"> -+ <property name="label" translatable="yes">Enable launch security</property> -+ <property name="visible">True</property> -+ <property name="can-focus">True</property> -+ <property name="receives-default">False</property> -+ <property name="halign">start</property> -+ <property name="use-underline">True</property> -+ <property name="draw-indicator">True</property> -+ <signal name="toggled" handler="on_mem_launch_security_toggled" swapped="no"/> -+ </object> -+ <packing> -+ <property name="left-attach">1</property> -+ <property name="top-attach">4</property> -+ </packing> +- </child> + <child> + <placeholder/> </child> - </object> - <packing> Index: virt-manager-5.1.0/virtManager/details/details.py =================================================================== --- virt-manager-5.1.0.orig/virtManager/details/details.py
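Review bot: in the man/virt-install.rst hunk of 062-cli-add--boot-secure-boot-option.patch the entry is headed `--boot uefi=on,secure-boot=off` but its first sentence describes Secure Boot as "enabled and enforced", so the example and its description say opposite things. 077 in this same series rewrites the entry as `secure-boot=on|off`; folding that wording into 062 would keep the man page text and the option it documents in agreement at every step of the series.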
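Review bot: the `secure_boot` getter in the virtinst/domain/os.py hunk of 062 reads only the `enrolled-keys` feature, so the setter's early return on `self.secure_boot == val` treats XML that has `enrolled-keys` enabled but a `secure-boot` feature disabled as already enforcing, and `secure-boot=on` leaves that XML unchanged. Either make the getter also look at the `secure-boot` feature or drop the short-circuit so the setter always rewrites both features. In the same setter, the warning is logged only when `self.nvram` is set, while `./os/loader` is force-removed as well with no message; a user who had pinned a loader path should be told it was dropped. The removal loop also calls `self.remove_child(feature)` while iterating `self.firmware_features`; if that property hands back the live child list rather than a copy, iterate over `list(self.firmware_features)` instead.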
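Review bot: the `cls.add_arg("secure-boot", "secure_boot", is_onoff=True)` line in the virtinst/cli.py hunk of 062 arrives with no tests/ changes in the patch as carried here, so neither the XML produced for `on` and `off` nor the virt-xml NVRAM warning path is exercised. A compare case for each value, in the style of the tests/test_cli.py change in 080, would pin the generated `<firmware>` features.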
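Review bot: the 'Access Denied' paragraph added by the man/virt-install.rst hunk of 077 recommends `secure-boot=off` without stating what is given up, and the hunk deletes the sentence from 062 that said so ("Setting ``secure-boot`` to off ensures the firmware can boot unsigned binaries"). Keeping one sentence to that effect next to the advice would let readers restrict the setting to guests that actually need it.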
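Review bot: the `firmware.secure-boot` and `firmware.enrolled-keys` arguments registered in the virtinst/cli.py hunks of 080 write the same `<feature>` elements that the `secure_boot` setter from 062 removes and recreates, so a command line mixing `secure-boot=` with either `firmware.*` option ends up with a Secure Boot state that depends on the order in which the arguments are applied. Rejecting the combination with an error, or documenting which option wins, would keep the result predictable. `set_firmware_feature_cb` would also benefit from a short docstring saying that the feature name is the text after the first dot in `virtarg.cliname`.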
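Review bot: the replacement entry in the man/virt-install.rst hunk of 080 documents `firmware.secure-boot=yes|no` but not `firmware.enrolled-keys=`, which the same patch registers in virtinst/cli.py, and it removes the only text stating that with enforcement "Only signed operating systems will be able to boot". Listing both options and keeping a one-line description of what each on/off combination allows to boot would close the gap.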
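Review bot: the compare case changed in the tests/test_cli.py hunk of 080, together with the expected XML in virt-install-singleton-config-1.xml, covers only `firmware.secure-boot=yes,firmware.enrolled-keys=no`, which the docstring in 062 describes as the combination that also boots unsigned binaries. A second case with `firmware.enrolled-keys=yes` would verify that the enforcing configuration is emitted correctly too.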
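Review bot: the packing values `left-attach` 1 and `top-attach` 4 are carried over unchanged in the refreshed virtman-add-launch-security-support.patch even though the `launch-security` GtkCheckButton now lands in the ui/details.ui hunk at 1936 instead of the one at 2908, and the new hunk at 2904 deletes a `<placeholder/>` child. Please confirm that grid cell is free in the new parent and state in the .changes entry what was broken, since "Fix the UI Enable Launch Security checkbox" does not say.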
