From 7fe2b597bd0d98ee27823e5f254523e7d1d43479 Mon Sep 17 00:00:00 2001 From: Xueqiang Wei Date: Thu, 19 Sep 2024 10:19:29 +0800 Subject: [PATCH] edk2_check_mor: add a new case check mor enabled under secure mode Signed-off-by: Xueqiang Wei --- qemu/tests/cfg/edk2_check_mor.cfg | 18 +++++++ qemu/tests/edk2_check_mor.py | 85 +++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+) create mode 100755 qemu/tests/cfg/edk2_check_mor.cfg create mode 100755 qemu/tests/edk2_check_mor.py diff --git a/qemu/tests/cfg/edk2_check_mor.cfg b/qemu/tests/cfg/edk2_check_mor.cfg new file mode 100755 index 0000000000..058a42c090 --- /dev/null +++ b/qemu/tests/cfg/edk2_check_mor.cfg @@ -0,0 +1,18 @@ +- edk2_check_mor: + only q35 + only ovmf + only Linux + start_vm = no + type = edk2_check_mor + no Host_RHEL.m7 Host_RHEL.m8 Host_RHEL.m9.u0 Host_RHEL.m9.u1 Host_RHEL.m9.u2 Host_RHEL.m9.u3 Host_RHEL.m9.u4 + restore_ovmf_vars = yes + backup_image_before_testing = yes + restore_image_after_testing = yes + package_installed = virt-firmware + cmd_installed = virt-fw-vars + check_mor_cmd = '${cmd_installed} -i %s -p' + image_copy_on_error = no + check_sign_cmd = 'pesign --show-signature -i %s' + check_secure_boot_enabled_cmd = 'dmesg | grep -i "Secure boot enabled"' + sign_keyword = ' Red Hat Secure Boot (\(signing key 1\)|Signing 501)' + mor_msg = 'MemoryOverwriteRequestControl MemoryOverwriteRequestControlLock' diff --git a/qemu/tests/edk2_check_mor.py b/qemu/tests/edk2_check_mor.py new file mode 100755 index 0000000000..85f06d0a66 --- /dev/null +++ b/qemu/tests/edk2_check_mor.py @@ -0,0 +1,85 @@ +import re +from virttest import env_process +from virttest import error_context +from virttest import utils_misc +from virttest import utils_package +from avocado.utils import process +from avocado.utils.path import find_command +from avocado.utils.path import CmdNotFoundError + + +@error_context.context_aware +def run(test, params, env): + """ + Verify MOR enabled in edk2 build + + 1. Boot guest under secure mode and check if the guest is signed + 2. Check if secure boot is enabled inside guest + 3. Reboot and shutdown the guest + 4. Check MOR message after shutdown the guest + + :param test: Kvm test object + :param params: Dictionary with the test parameters + :param env: Dictionary with test environment. + """ + + def _check_signed(): + """ Check and return if guest is signed """ + return True if re.search(sign_keyword, sign_info) else False + + package = params["package_installed"] + install_status = utils_package.package_install(package) + if not install_status: + test.error(f"Failed to install {package}.") + try: + find_command(params["cmd_installed"]) + except CmdNotFoundError as e: + test.error(str(e)) + params['ovmf_vars_filename'] = 'OVMF_VARS.secboot.fd' + env_process.preprocess_vm(test, params, env, params['main_vm']) + vm = env.get_vm(params['main_vm']) + vm.create(params=params) + vm.verify_alive() + session = vm.wait_for_login() + check_sign_cmd = params['check_sign_cmd'] + sign_keyword = params['sign_keyword'] + if session.cmd_status('which pesign') != 0: + install_status = utils_package.package_install('pesign', session) + if not install_status: + test.error("Failed to install pesign.") + error_context.context('Check whether secure boot has been enabled.', + test.log.info) + check_cmd = params['check_secure_boot_enabled_cmd'] + status, output = session.cmd_status_output(check_cmd) + if status: + test.cancel('Secure boot is not enabled,' + 'MOR must run under secure mode') + error_context.context('Check whether the guest has been signed.', + test.log.info) + vmlinuz = '/boot/vmlinuz-%s' % session.cmd_output('uname -r') + check_sign_cmd %= vmlinuz + sign_info = session.cmd_output(check_sign_cmd) + signed = _check_signed() + if not signed: + test.fail('The guest is not signed, ' + 'but boot succeed under secure mode.') + session.close() + vars_dev = vm.devices.get_by_params({"node-name": "file_ovmf_vars"})[0] + ovmf_vars_file = vars_dev.params["filename"] + check_mor_cmd = params["check_mor_cmd"] % ovmf_vars_file + error_context.context('Reboot and shutdown the guest.', test.log.info) + vm.reboot() + vm.destroy() + if utils_misc.wait_for(vm.is_dead, 180, 1, 1): + test.log.info("Guest managed to shutdown cleanly") + error_context.context("Check the MOR message by command '%s'." + % check_mor_cmd, test.log.info) + status, output = process.getstatusoutput(check_mor_cmd, + ignore_status=True, + shell=True) + if status: + test.fail("Failed to run '%s', the error message is '%s'" + % (check_mor_cmd, output)) + mor_msg_list = params.get_list("mor_msg") + if not mor_msg_list[0] in output or not mor_msg_list[1] in output: + test.fail("Failed to get MOR message, the output is '%s'" % output)