Configure SPICE over TLS

I’m running Minione for evaluation purposes and trying to configure a secure SPICE connection over TLS. So far, I’ve done the following:

  1. in /etc/libvirt/qemu.conf, I’ve set the following:

    spice_tls = 1
    spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

  2. created required certificates

  3. restarted libvirtd service (systemctl restart libvirtd)

But I can still connect over an insecure connection. When I look at the generated domain XML for my VM, I see the following:

<graphics type='spice' listen='0.0.0.0' port='5905'/>

Looking at libvirt documentation here, I would need something like this:

<graphics type='spice' port='5905' tlsPort='5906' defaultMode="secure">

But, I have no idea how to generate that. I can tweak XML by hand, but I doubt it will be picked up when I restart the machine?
I thought I could add this in /etc/one/vmm_exec/vmm_exec_kvm.conf under SPICE_OPTIONS, but from what I can see here, it will just append this section after the tag.

So, my question is, is there a way to customize tag configuration? I suppose I could patch the source code and recompile, but then I would have to do it on every update. Looking to avoid this.
I thought maybe using a hook to modify XML before the machine is launched. Is that possible? And if so, what state should trigger the hook?
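
To tell whether a given domain XML still permits plaintext SPICE, the two `<graphics>` forms quoted in the post can be checked mechanically. The following is an added example, not part of the original post and not OpenNebula or libvirt code; the function name `audit_spice` and the sample XML wrappers are constructed for illustration, and it assumes the XML of a running domain (as printed by `virsh dumpxml`), where an allocated TLS port appears as `tlsPort`.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the two <graphics> forms from the post, each wrapped
# in a minimal <domain> so they parse like `virsh dumpxml` output.
PLAINTEXT_XML = """<domain type='kvm'><devices>
  <graphics type='spice' listen='0.0.0.0' port='5905'/>
</devices></domain>"""
TLS_XML = """<domain type='kvm'><devices>
  <graphics type='spice' port='5905' tlsPort='5906' defaultMode='secure'/>
</devices></domain>"""


def audit_spice(domain_xml):
    """Return findings for SPICE <graphics> elements that still allow plaintext."""
    findings = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        if g.get("type") != "spice":
            continue
        # Assumption: live XML, where an allocated TLS port shows as tlsPort.
        if not g.get("tlsPort"):
            findings.append("no tlsPort: no TLS listener on this display")
        # libvirt's defaultMode defaults to 'any', which falls back to plaintext.
        default_mode = g.get("defaultMode", "any")
        if default_mode != "secure":
            findings.append(f"defaultMode={default_mode}: plaintext channels allowed")
        # A per-channel <channel mode=...> overrides defaultMode for that channel.
        for ch in g.iter("channel"):
            if ch.get("mode") != "secure":
                findings.append(f"channel {ch.get('name')}: mode={ch.get('mode')}")
    return findings


if __name__ == "__main__":
    for label, xml in (("plaintext", PLAINTEXT_XML), ("tls", TLS_XML)):
        print(label, audit_spice(xml) or "OK")
```

An empty list means every SPICE display in that domain has a TLS port and requires secure channels.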