libvirt: Disable firmware debug log (isa-debugcon) by default

Previously I added `isa-debugcon` when debugging a secure boot issue,
but it slows down boot significantly if it's found. Make it an opt
in thing.

Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/kit/src/libvirt/domain.rs

@@ -30,6 +30,7 @@ pub enum FirmwareLogOutput {
     #[allow(dead_code)]
     File(String),
     /// Make firmware log available via virsh console (pty)
+    #[allow(dead_code)]
     Console,
 }
 
@@ -85,7 +86,7 @@ impl DomainBuilder {
             ovmf_code_format: None,
             nvram_template: None,
             nvram_format: None,
-            firmware_log: Some(FirmwareLogOutput::Console), // Default to pty for virsh console access
+            firmware_log: None,
         }
     }
 
@@ -776,57 +777,4 @@ mod tests {
         assert!(xml_ro.contains("source dir=\"/host/storage\""));
         assert!(xml_ro.contains("target dir=\"hoststorage\""));
     }
-
-    #[test]
-    fn test_firmware_log_default() {
-        // By default, firmware log should be enabled (pty/console mode)
-        let xml = DomainBuilder::new()
-            .with_name("test-firmware-log-default")
-            .build_xml()
-            .unwrap();
-
-        // On x86_64, should have isa-debugcon serial device
-        if std::env::consts::ARCH == "x86_64" {
-            assert!(xml.contains("serial type=\"pty\""));
-            assert!(xml.contains("target type=\"isa-debug\""));
-            assert!(xml.contains("model name=\"isa-debugcon\""));
-            assert!(xml.contains("address type=\"isa\" iobase=\"0x402\""));
-        }
-    }
-
-    #[test]
-    fn test_firmware_log_file() {
-        // Test firmware log to file
-        let xml = DomainBuilder::new()
-            .with_name("test-firmware-log-file")
-            .with_firmware_log(FirmwareLogOutput::File("/tmp/ovmf-debug.log".to_string()))
-            .build_xml()
-            .unwrap();
-
-        // On x86_64, should have isa-debugcon with file output
-        if std::env::consts::ARCH == "x86_64" {
-            assert!(xml.contains("serial type=\"file\""));
-            assert!(xml.contains("source path=\"/tmp/ovmf-debug.log\""));
-            assert!(xml.contains("target type=\"isa-debug\""));
-            assert!(xml.contains("model name=\"isa-debugcon\""));
-            assert!(xml.contains("address type=\"isa\" iobase=\"0x402\""));
-        }
-    }
-
-    #[test]
-    fn test_firmware_log_disabled() {
-        // Test disabling firmware log by setting firmware_log to None after construction
-        // Note: There's no public API to disable it once set, but we can test the XML
-        // generation doesn't include it on non-x86 architectures
-        let xml = DomainBuilder::new()
-            .with_name("test-firmware-log")
-            .build_xml()
-            .unwrap();
-
-        // On non-x86_64, should NOT have isa-debugcon (it's x86-only)
-        if std::env::consts::ARCH != "x86_64" {
-            assert!(!xml.contains("isa-debugcon"));
-            assert!(!xml.contains("isa-debug"));
-        }
-    }
 }

crates/kit/src/libvirt/run.rs

@@ -285,6 +285,10 @@ pub struct LibvirtRunOpts {
     #[clap(long)]
     pub disable_tpm: bool,
 
+    /// Enable firmware debug log (captures OVMF/EDK2 DEBUG output via isa-debugcon)
+    #[clap(long)]
+    pub firmware_log: bool,
+
     /// Directory containing secure boot keys (required for uefi-secure)
     #[clap(long)]
     pub secure_boot_keys: Option<Utf8PathBuf>,
@@ -1091,15 +1095,19 @@ fn create_libvirt_domain_from_disk(
     };
 
     // Build domain XML using the existing DomainBuilder with bootc metadata and SSH keys
-    let mut domain_builder = DomainBuilder::new()
+    let mut builder = DomainBuilder::new()
         .with_name(domain_name)
         .with_memory(memory.into())
         .with_vcpus(cpus)
         .with_disk(disk_path.as_str())
         .with_transient_disk(opts.transient)
         .with_network("none") // Use QEMU args for SSH networking instead
         .with_firmware(opts.firmware)
-        .with_tpm(!opts.disable_tpm)
+        .with_tpm(!opts.disable_tpm);
+    if opts.firmware_log {
+        builder = builder.with_firmware_log(crate::libvirt::domain::FirmwareLogOutput::Console);
+    }
+    let mut domain_builder = builder
         .with_metadata("bootc:source-image", &opts.image)
         .with_metadata("bootc:memory-mb", &memory.to_string())
         .with_metadata("bootc:vcpus", &cpus.to_string())