check mor enabled under secure mode Signed-off-by: Xueqiang Wei <[email protected]>
1 parent
8126058
commit 090d2ef
Showing
2 changed files
with
100 additions
and
0 deletions.
@@ -0,0 +1,18 @@ | ||
- edk2_check_mor: | ||
only q35 | ||
only ovmf | ||
only Linux | ||
start_vm = no | ||
type = edk2_check_mor | ||
no Host_RHEL.m7 Host_RHEL.m8 Host_RHEL.m9.u0 Host_RHEL.m9.u1 Host_RHEL.m9.u2 Host_RHEL.m9.u3 Host_RHEL.m9.u4 | ||
restore_ovmf_vars = yes | ||
backup_image_before_testing = yes | ||
restore_image_after_testing = yes | ||
package_installed = virt-firmware | ||
cmd_installed = virt-fw-vars | ||
check_mor_cmd = '${cmd_installed} -i %s -p' | ||
image_copy_on_error = no | ||
check_sign_cmd = 'pesign --show-signature -i %s' | ||
check_secure_boot_enabled_cmd = 'dmesg | grep -i "Secure boot enabled"' | ||
sign_keyword = ' Red Hat Secure Boot (\(signing key 1\)|Signing 501)' | ||
mor_msg = 'MemoryOverwriteRequestControl MemoryOverwriteRequestControlLock' |
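Review bot: `sign_keyword` only matches Red Hat signer names, but the variant is restricted with `only Linux`, so a non-Red Hat Linux guest run with this config would reach the test's "The guest is not signed" failure even if its kernel carries a valid signature from another vendor. If the guest list can include other distributions, narrow the filter (for example `only RHEL`, assuming that is the guest variant name used in this tree) or document that `sign_keyword` must be overridden per guest. The long `no Host_RHEL...` line would also benefit from a one-line comment naming the host firmware build that first provides the MOR variables, since the reason for the exclusion is not visible here.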
@@ -0,0 +1,82 @@ | ||
import re | ||
from virttest import env_process | ||
from virttest import error_context | ||
from virttest import utils_misc | ||
from virttest import utils_package | ||
from avocado.utils import process | ||
from avocado.utils.path import find_command | ||
from avocado.utils.path import CmdNotFoundError | ||
|
||
|
||
@error_context.context_aware | ||
def run(test, params, env): | ||
""" | ||
Verify MOR enabled in edk2 build | ||
1. Boot guest under secure mode and check if the guest is signed | ||
2. Check if secure boot is enabled inside guest | ||
3. Reboot and shutdown the guest | ||
4. Check MOR message after shutdown the guest | ||
:param test: Kvm test object | ||
:param params: Dictionary with the test parameters | ||
:param env: Dictionary with test environment. | ||
""" | ||
|
||
def _check_signed(): | ||
""" Check and return if guest is signed """ | ||
return True if re.search(sign_keyword, sign_info) else False | ||
|
||
package = params["package_installed"] | ||
install_status = utils_package.package_install(package) | ||
if not install_status: | ||
test.error(f"Failed to install {package}.") | ||
try: | ||
find_command(params["cmd_installed"]) | ||
except CmdNotFoundError as e: | ||
test.error(e.__str__()) | ||
params['ovmf_vars_filename'] = 'OVMF_VARS.secboot.fd' | ||
env_process.preprocess_vm(test, params, env, params['main_vm']) | ||
vm = env.get_vm(params['main_vm']) | ||
vm.create(params=params) | ||
vm.verify_alive() | ||
session = vm.wait_for_login() | ||
check_sign_cmd = params['check_sign_cmd'] | ||
sign_keyword = params['sign_keyword'] | ||
if session.cmd_status('which pesign') != 0: | ||
install_status = utils_package.package_install('pesign', session) | ||
if not install_status: | ||
test.error("Failed to install pesign.") | ||
vmlinuz = '/boot/vmlinuz-%s' % session.cmd_output('uname -r') | ||
check_sign_cmd %= vmlinuz | ||
sign_info = session.cmd_output(check_sign_cmd) | ||
signed = _check_signed() | ||
error_context.context('Guest signed status is %s' % signed, test.log.info) | ||
check_cmd = params['check_secure_boot_enabled_cmd'] | ||
status, output = session.cmd_status_output(check_cmd) | ||
if status: | ||
test.cancel('Secure boot is not enabled,' | ||
'MOR must run under secure mode') | ||
if not signed: | ||
test.fail('The guest is not signed, ' | ||
'but boot succeed under secure mode.') | ||
session.close() | ||
vars_dev = vm.devices.get_by_params({"node-name": "file_ovmf_vars"})[0] | ||
ovmf_vars_file = vars_dev.params["filename"] | ||
check_mor_cmd = params["check_mor_cmd"] % ovmf_vars_file | ||
error_context.context('Reboot and shutdown the guest.', test.log.info) | ||
vm.reboot() | ||
vm.destroy() | ||
if utils_misc.wait_for(vm.is_dead, 180, 1, 1): | ||
test.log.info("Guest managed to shutdown cleanly") | ||
error_context.context("Check the MOR message by command '%s'." | ||
% check_mor_cmd, test.log.info) | ||
status, output = process.getstatusoutput(check_mor_cmd, | ||
ignore_status=True, | ||
shell=True) | ||
if status: | ||
test.fail("Failed to run '%s', the error message is '%s'" | ||
% (check_mor_cmd, output)) | ||
mor_msg_list = params.get_list("mor_msg") | ||
if not mor_msg_list[0] in output or not mor_msg_list[1] in output: | ||
test.fail("Failed to get MOR message, the output is '%s'" % output) |
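Review bot: The result of `utils_misc.wait_for(vm.is_dead, 180, 1, 1)` near the end of `run` is only used to log success, so if the guest is still alive after the timeout the test goes on to read the OVMF varstore while QEMU may still have it open; make that a hard stop, e.g. `if not utils_misc.wait_for(vm.is_dead, 180, 1, 1): test.fail("Guest did not shut down, varstore not checked")`. The final check also only proves that the two names from `mor_msg` occur somewhere in the `virt-fw-vars -p` output; as far as the visible code shows it never inspects the variables' values, so a varstore where MemoryOverwriteRequestControlLock exists but is not locked would presumably still pass, and it is worth asserting the expected value if the tool prints it. Separately, `session.cmd_output('uname -r')` is interpolated into the `pesign` command without `.strip()`, so any trailing newline in the output ends up inside the kernel path.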