Skip to content

Commit

Permalink
edk2_check_mor: add a new case
Browse files Browse the repository at this point in the history
check mor enabled under secure mode

Signed-off-by: Xueqiang Wei <[email protected]>
  • Loading branch information
XueqiangWei committed Sep 19, 2024
1 parent 8126058 commit 090d2ef
Show file tree
Hide file tree
Showing 2 changed files with 100 additions and 0 deletions.
18 changes: 18 additions & 0 deletions qemu/tests/cfg/edk2_check_mor.cfg
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
- edk2_check_mor:
only q35
only ovmf
only Linux
start_vm = no
type = edk2_check_mor
no Host_RHEL.m7 Host_RHEL.m8 Host_RHEL.m9.u0 Host_RHEL.m9.u1 Host_RHEL.m9.u2 Host_RHEL.m9.u3 Host_RHEL.m9.u4
restore_ovmf_vars = yes
backup_image_before_testing = yes
restore_image_after_testing = yes
package_installed = virt-firmware
cmd_installed = virt-fw-vars
check_mor_cmd = '${cmd_installed} -i %s -p'
image_copy_on_error = no
check_sign_cmd = 'pesign --show-signature -i %s'
check_secure_boot_enabled_cmd = 'dmesg | grep -i "Secure boot enabled"'
sign_keyword = ' Red Hat Secure Boot (\(signing key 1\)|Signing 501)'
mor_msg = 'MemoryOverwriteRequestControl MemoryOverwriteRequestControlLock'
82 changes: 82 additions & 0 deletions qemu/tests/edk2_check_mor.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
import re
from virttest import env_process
from virttest import error_context
from virttest import utils_misc
from virttest import utils_package
from avocado.utils import process
from avocado.utils.path import find_command
from avocado.utils.path import CmdNotFoundError


@error_context.context_aware
def run(test, params, env):
"""
Verify MOR enabled in edk2 build
1. Boot guest under secure mode and check if the guest is signed
2. Check if secure boot is enabled inside guest
3. Reboot and shutdown the guest
4. Check MOR message after shutdown the guest
:param test: Kvm test object
:param params: Dictionary with the test parameters
:param env: Dictionary with test environment.
"""

def _check_signed():
""" Check and return if guest is signed """
return True if re.search(sign_keyword, sign_info) else False

package = params["package_installed"]
install_status = utils_package.package_install(package)
if not install_status:
test.error(f"Failed to install {package}.")
try:
find_command(params["cmd_installed"])
except CmdNotFoundError as e:
test.error(e.__str__())
params['ovmf_vars_filename'] = 'OVMF_VARS.secboot.fd'
env_process.preprocess_vm(test, params, env, params['main_vm'])
vm = env.get_vm(params['main_vm'])
vm.create(params=params)
vm.verify_alive()
session = vm.wait_for_login()
check_sign_cmd = params['check_sign_cmd']
sign_keyword = params['sign_keyword']
if session.cmd_status('which pesign') != 0:
install_status = utils_package.package_install('pesign', session)
if not install_status:
test.error("Failed to install pesign.")
vmlinuz = '/boot/vmlinuz-%s' % session.cmd_output('uname -r')
check_sign_cmd %= vmlinuz
sign_info = session.cmd_output(check_sign_cmd)
signed = _check_signed()
error_context.context('Guest signed status is %s' % signed, test.log.info)
check_cmd = params['check_secure_boot_enabled_cmd']
status, output = session.cmd_status_output(check_cmd)
if status:
test.cancel('Secure boot is not enabled,'
'MOR must run under secure mode')
if not signed:
test.fail('The guest is not signed, '
'but boot succeed under secure mode.')
session.close()
vars_dev = vm.devices.get_by_params({"node-name": "file_ovmf_vars"})[0]
ovmf_vars_file = vars_dev.params["filename"]
check_mor_cmd = params["check_mor_cmd"] % ovmf_vars_file
error_context.context('Reboot and shutdown the guest.', test.log.info)
vm.reboot()
vm.destroy()
if utils_misc.wait_for(vm.is_dead, 180, 1, 1):
test.log.info("Guest managed to shutdown cleanly")
error_context.context("Check the MOR message by command '%s'."
% check_mor_cmd, test.log.info)
status, output = process.getstatusoutput(check_mor_cmd,
ignore_status=True,
shell=True)
if status:
test.fail("Failed to run '%s', the error message is '%s'"
% (check_mor_cmd, output))
mor_msg_list = params.get_list("mor_msg")
if not mor_msg_list[0] in output or not mor_msg_list[1] in output:
test.fail("Failed to get MOR message, the output is '%s'" % output)

0 comments on commit 090d2ef

Please sign in to comment.