Right now, enabling and disabling Secure Boot requires fairly unwieldy incantations such as `--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes`.
It would be great if virt-install implemented more user-friendly shorthands for that, such as `--boot uefi,firmware.secure-boot=yes`.
Where things get hairy is that you have two ways to disable Secure Boot: get libvirt to pick either a firmware that contains the feature but doesn't have certificates enrolled, or one where the feature is absent altogether. Depending on the firmware shipped with your distro, you might want one or the other. So maybe a sort of tristate would be more fitting, with the accepted options being `enabled`, `disabled` and `absent`.
Ideally this would also be wired up in the GUI: firmware type (UEFI/BIOS) is already one of the choices that you're presented with, and having one more knob for the UEFI case doesn't seem unreasonable.
Another idea that's floating around is the possibility of enrolling specific Secure Boot certificates at VM creation time. That could be handled by a second key, along the lines of `secure-boot-enroll=microsoft`, `secure-boot-enroll=redhat`, `secure-boot-enroll=path/to/custom/certs`. Probably too specialized to be exposed via the GUI.
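To make the proposed tristate concrete, here is an added sketch (not virt-install's or libvirt's code) of how a hypothetical `firmware.secure-boot=enabled|disabled|absent` key could expand into the existing `firmware.featureN.*` sub-options and the libvirt `<os firmware='efi'>` features they map to. The `parse_boot`, `expand_shorthand` and `firmware_xml` names are this example's own.

```python
import xml.etree.ElementTree as ET

# Proposed tristate -> libvirt firmware feature flags.
# "enabled":  firmware supports Secure Boot and ships with keys enrolled,
#             so unsigned or untrusted boot loaders are rejected.
# "disabled": firmware supports Secure Boot but has no keys enrolled, so
#             nothing is enforced (keys can still be enrolled later).
# "absent":   firmware built without Secure Boot support at all.
TRISTATE = {
    "enabled":  {"secure-boot": "yes", "enrolled-keys": "yes"},
    "disabled": {"secure-boot": "yes", "enrolled-keys": "no"},
    "absent":   {"secure-boot": "no"},
}

def parse_boot(option):
    """Split a virt-install style --boot value ('uefi,firmware.x=y,...')
    into the bare boot type (e.g. 'uefi') and a dict of key=value options."""
    boot_type, opts = None, {}
    for part in filter(None, option.split(",")):
        if "=" in part:
            key, value = part.split("=", 1)
            opts[key] = value
        else:
            boot_type = part
    return boot_type, opts

def expand_shorthand(opts):
    """Rewrite the hypothetical firmware.secure-boot=<tristate> key into the
    firmware.featureN.name / firmware.featureN.enabled keys libvirt understands.
    Options without the shorthand are returned unchanged."""
    opts = dict(opts)
    state = opts.pop("firmware.secure-boot", None)
    if state is None:
        return opts
    if state not in TRISTATE:
        raise ValueError(f"firmware.secure-boot must be one of "
                         f"{sorted(TRISTATE)}, got {state!r}")
    for i, (name, enabled) in enumerate(TRISTATE[state].items()):
        opts[f"firmware.feature{i}.name"] = name
        opts[f"firmware.feature{i}.enabled"] = enabled
    return opts

def firmware_xml(opts):
    """Render expanded feature keys as the libvirt <os firmware='efi'> fragment."""
    os_el = ET.Element("os", firmware="efi")
    fw = ET.SubElement(os_el, "firmware")
    i = 0
    while f"firmware.feature{i}.name" in opts:
        ET.SubElement(fw, "feature", enabled=opts[f"firmware.feature{i}.enabled"],
                      name=opts[f"firmware.feature{i}.name"])
        i += 1
    return ET.tostring(os_el, encoding="unicode")
```

Running `firmware_xml(expand_shorthand(parse_boot("uefi,firmware.secure-boot=disabled")[1]))` yields a `<firmware>` element with `secure-boot` enabled and `enrolled-keys` disabled, which is the "supported but not enforced" variant described above.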