From c73b2aa4151268fdb2d4df898597ebc43a9830f2 Mon Sep 17 00:00:00 2001
From: Mike Healey
Date: Mon, 15 Oct 2018 05:32:01 -0400
Subject: [PATCH] VMware: Added secure boot enable/disable to vmware_guest_boot_manager. (#46717)
* Added secure boot enable/disable to vmware_guest_boot_manager. Also added its state to facts
* VMware does not support secure boot when boot_firmware is bios. Add some guardrails to protect the user from misconfiguration
* Address review comments
---
 .../cloud/vmware/vmware_guest_boot_facts.py | 2 ++
 .../cloud/vmware/vmware_guest_boot_manager.py | 31 ++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/lib/ansible/modules/cloud/vmware/vmware_guest_boot_facts.py b/lib/ansible/modules/cloud/vmware/vmware_guest_boot_facts.py
index 30e699481f..b14b6c2406 100644
--- a/lib/ansible/modules/cloud/vmware/vmware_guest_boot_facts.py
+++ b/lib/ansible/modules/cloud/vmware/vmware_guest_boot_facts.py
@@ -74,6 +74,7 @@ vm_boot_facts:
 "current_boot_retry_enabled": true,
 "current_enter_bios_setup": true,
 "current_boot_firmware": "bios",
+ "current_secure_boot_enabled": false,
 }
 """
@@ -143,6 +144,7 @@ class VmBootFactsManager(PyVmomi):
 current_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled,
 current_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay,
 current_boot_firmware=self.vm.config.firmware,
+ current_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled
 )
 self.module.exit_json(changed=False, vm_boot_facts=results)
diff --git a/lib/ansible/modules/cloud/vmware/vmware_guest_boot_manager.py b/lib/ansible/modules/cloud/vmware/vmware_guest_boot_manager.py
index 78e1f958ee..6780be37a5 100644
--- a/lib/ansible/modules/cloud/vmware/vmware_guest_boot_manager.py
+++ b/lib/ansible/modules/cloud/vmware/vmware_guest_boot_manager.py
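Review bot: The new `current_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled` line in the `@@ -143` hunk has no trailing comma, unlike the keyword arguments above it and the parallel additions in vmware_guest_boot_manager.py; add it so the next key can be appended without touching this line. Also, efiSecureBootEnabled is an optional property of the boot options and may presumably come back as None rather than False on VMs or vSphere versions that do not expose it, so the RETURN sample in the `@@ -74` hunk showing `false` is only one of the possible values — either document that the fact can be null or normalize it with `bool(...)` before it is returned. The method around this hunk starts outside it.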
@@ -72,6 +72,12 @@ options:
 description:
 - Choose which firmware should be used to boot the virtual machine.
 choices: ["bios", "efi"]
+ secure_boot_enabled:
+ description:
+ - Choose if EFI secure boot should be enabled. EFI secure boot can only be enabled with boot_firmware = efi
+ type: 'bool'
+ default: False
+ version_added: '2.8'
 extends_documentation_fragment: vmware.documentation
 '''
@@ -87,6 +93,7 @@ EXAMPLES = r'''
 boot_retry_enabled: True
 boot_retry_delay: 22300
 boot_firmware: bios
+ secure_boot_enabled: False
 boot_order:
 - floppy
 - cdrom
@@ -113,11 +120,13 @@ vm_boot_status:
 "current_boot_retry_enabled": true,
 "current_enter_bios_setup": true,
 "current_boot_firmware": "bios",
+ "current_secure_boot_enabled": false,
 "previous_boot_delay": 10,
 "previous_boot_retry_delay": 10000,
 "previous_boot_retry_enabled": true,
 "previous_enter_bios_setup": false,
- "previous_boot_firmware": "bios",
+ "previous_boot_firmware": "efi",
+ "previous_secure_boot_enabled": true,
 "previous_boot_order": [
 "ethernet",
 "cdrom",
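Review bot: `default: False` for secure_boot_enabled in the `@@ -72` hunk (and the matching `default=False` in the `@@ -313` argument_spec hunk) means a task that never mentions the option still enters the `efiSecureBootEnabled != self.params.get('secure_boot_enabled')` branch in the `@@ -245` hunk and turns secure boot off on any VM that currently has it on, even when the task only changes an unrelated setting such as boot_delay. That silently weakens the VM's boot-integrity posture and will surprise anyone who enabled secure boot outside Ansible; boot_firmware in the same module appears to have no default (the code tests `self.params.get('boot_firmware') is None`) and is only applied when set, and secure boot should follow that pattern. Drop the default in both places (`secure_boot_enabled=dict(type='bool')`, with the option documented as "when unset, the current setting is left untouched") and guard the comparison: `if self.params.get('secure_boot_enabled') is not None and self.vm.config.bootOptions.efiSecureBootEnabled != self.params.get('secure_boot_enabled'):`. The EXAMPLES and RETURN samples can keep an explicit `secure_boot_enabled: False`, which then documents a deliberate choice rather than an implicit one.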
@@ -245,6 +254,20 @@ class VmBootManager(PyVmomi):
 change_needed = True
 boot_firmware_required = True
+ if self.vm.config.bootOptions.efiSecureBootEnabled != self.params.get('secure_boot_enabled'):
+ if self.params.get('secure_boot_enabled') and self.params.get('boot_firmware') == "bios":
+ self.module.fail_json(msg="EFI secure boot cannot be enabled when boot_firmware = bios, but both are specified")
+
+ # If the user is not specifying boot_firmware, make sure they aren't trying to enable it on a
+ # system with boot_firmware already set to 'bios'
+ if self.params.get('secure_boot_enabled') and \
+ self.params.get('boot_firmware') is None and \
+ self.vm.config.firmware == 'bios':
+ self.module.fail_json(msg="EFI secure boot cannot be enabled when boot_firmware = bios. VM's boot_firmware currently set to bios")
+
+ kwargs.update({'efiSecureBootEnabled': self.params.get('secure_boot_enabled')})
+ change_needed = True
+
 changed = False
 results = dict(
 previous_boot_order=self.humanize_boot_order(self.vm.config.bootOptions.bootOrder),
@@ -253,6 +276,7 @@ class VmBootManager(PyVmomi):
 previous_boot_retry_enabled=self.vm.config.bootOptions.bootRetryEnabled,
 previous_boot_retry_delay=self.vm.config.bootOptions.bootRetryDelay,
 previous_boot_firmware=self.vm.config.firmware,
+ previous_secure_boot_enabled=self.vm.config.bootOptions.efiSecureBootEnabled,
 current_boot_order=[],
 )
@@ -278,6 +302,7 @@ class VmBootManager(PyVmomi):
 'current_boot_retry_enabled': self.vm.config.bootOptions.bootRetryEnabled,
 'current_boot_retry_delay': self.vm.config.bootOptions.bootRetryDelay,
 'current_boot_firmware': self.vm.config.firmware,
+ 'current_secure_boot_enabled': self.vm.config.bootOptions.efiSecureBootEnabled,
 }
 )
@@ -313,6 +338,10 @@ def main():
 type='int',
 default=0,
 ),
+ secure_boot_enabled=dict(
+ type='bool',
+ default=False,
+ ),
 boot_firmware=dict(
 type='str',
 choices=['efi', 'bios'],
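Review bot: The comparison `self.vm.config.bootOptions.efiSecureBootEnabled != self.params.get('secure_boot_enabled')` at the top of the `@@ -245` hunk treats an unset property as a difference: if pyVmomi reports the optional efiSecureBootEnabled as None (plausible for VMs created before the property existed), `None != False` is true, so every run reports changed and presumably reconfigures the VM for nothing, which defeats idempotence and adds noise to any change audit built on this module's output. Read it once into a normalized local, `current_secure_boot = bool(self.vm.config.bootOptions.efiSecureBootEnabled)`, compare against that, and use the same value for `previous_secure_boot_enabled` and `current_secure_boot_enabled` in the `@@ -253` and `@@ -278` hunks so those never return null either. A point of style: the hunk writes the same literal as `"bios"` on one line and `'bios'` on another while the surrounding lines use single quotes. The enclosing method starts and ends outside this hunk, as does main() in the `@@ -313` hunk.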