edk2_check_mor: add a new case

check mor enabled under secure mode Signed-off-by: Xueqiang Wei <[email protected]>
autotest · Sep 19, 2024 · 4226ff5 · 4226ff5
1 parent 8126058
commit 4226ff5
Show file tree

Hide file tree

Showing 2 changed files with 128 additions and 0 deletions.
diff --git a/qemu/tests/cfg/edk2_check_mor.cfg b/qemu/tests/cfg/edk2_check_mor.cfg
@@ -0,0 +1,50 @@
+- uefi_secureboot:
+    only ovmf
+    type = uefi_secureboot
+    restore_ovmf_vars = yes
+    backup_image_before_testing = yes
+    restore_image_after_testing = yes
+    start_vm = no
+    kill_vm = no
+    force_create_image = yes
+    guest_port_unattended_install = 12323
+    kernel = vmlinuz
+    initrd = initrd.img
+    inactivity_watcher = error
+    inactivity_treshold = 1800
+    image_verify_bootable = no
+    image_copy_on_error = no
+    lowest_mem = 512
+    image_aio = threads
+    check_sign_cmd = 'pesign --show-signature -i %s'
+    check_secure_boot_enabled_cmd = 'dmesg|grep -i "Secure boot enabled"'
+    unattended_delivery_method = cdrom
+    cdroms += ' unattended'
+    drive_index_unattended = 1
+    drive_index_cd1 = 2
+    boot_once = d
+    medium = cdrom
+    redirs += ' unattended_install'
+    RHEL:
+        sign_keyword = ' Red Hat Secure Boot (\(signing key 1\)|Signing 501)'
+        pesign_install_cmd = 'yum install -y pesign'
+    Windows:
+        no WinXP Win2000 Win2003 WinVista
+        send_key_at_install = ret
+        check_sign_cmd = 'driverquery /si'
+        # For windows if this sign_keyword exist then it is unsigned
+        sign_keyword = 'Red Hat VirtIO(\s+\S+)*\s+FALSE\s+Red Hat\, Inc\.'
+        check_secure_boot_enabled_cmd = 'powershell -command "Confirm-SecureBootUEFI"'
+        i440fx:
+            cd_format_cd1 = ide
+            cd_format_winutils = ide
+            cd_format_unattended = ide
+        q35:
+            cd_format_cd1 = ahci
+            cd_format_winutils = ahci
+            cd_format_unattended = ahci
+    # Below variants is to share configurations related to installation defined in other cfg
+    variants:
+        - @with_installation:
+    variants:
+        - @extra_cdrom_ks:
diff --git a/qemu/tests/edk2_check_mor.py b/qemu/tests/edk2_check_mor.py
@@ -0,0 +1,78 @@
+import re
+from virttest import error_context
+from virttest import utils_misc
+from virttest import utils_package
+from avocado.utils import process
+from avocado.utils.path import find_command
+from avocado.utils.path import CmdNotFoundError
+
+
+@error_context.context_aware
+def run(test, params, env):
+    """
+    Verify MOR enabled in edk2 build
+
+    1. Boot guest under secure mode and check if the guest is signed
+    2. Check if secure boot is enabled inside guest
+    3. Reboot and shutdown the guest
+    4. Check MOR message after shutdown the guest
+
+    :param test: Kvm test object
+    :param params: Dictionary with the test parameters
+    :param env: Dictionary with test environment.
+    """
+
+    def _check_signed():
+        """ Check and return if guest is signed """
+        return True if re.search(sign_keyword, sign_info) else False
+
+    package = params["package_installed"]
+    install_status = utils_package.package_install(package)
+    if not install_status:
+        test.error("Failed to install {package}.")
+    try:
+        find_command(params["cmd_installed"])
+    except CmdNotFoundError as e:
+        test.error(str(e))
+    vm = env.get_vm(params['main_vm'])
+    vm.verify_alive()
+    session = vm.wait_for_login()
+    check_sign_cmd = params['check_sign_cmd']
+    sign_keyword = params['sign_keyword']
+    if session.cmd_status('which pesign') != 0:
+        install_status = utils_package.package_install('pesign', session)
+    if not install_status:
+        test.error("Failed to install pesign.")
+    vmlinuz = '/boot/vmlinuz-%s' % session.cmd_output('uname -r')
+    check_sign_cmd %= vmlinuz
+    sign_info = session.cmd_output(check_sign_cmd)
+    signed = _check_signed()
+    error_context.context('Guest signed status is %s' % signed, test.log.info)
+    check_cmd = params['check_secure_boot_enabled_cmd']
+    status, output = session.cmd_status_output(check_cmd)
+    if status != 0:
+        test.cancel('Secure boot is not enabled,'
+                    'MOR must run under secure mode')
+    if not signed:
+        test.fail('The guest is not signed, '
+                  'but boot succeed under secure mode.')
+    session.close()
+    vars_dev = vm.devices.get_by_params({"node-name": "file_ovmf_vars"})[0]
+    ovmf_vars_file = vars_dev.params["filename"]
+    check_mor_cmd = params["check_mor_cmd"] % ovmf_vars_file
+    error_context.context('Reboot, shutdown the guest,'
+                          'and then check the MOR message.', test.log.info)
+    vm.reboot()
+    vm.destroy()
+    if utils_misc.wait_for(vm.is_dead, 180, 1, 1):
+        test.log.info("Guest managed to shutdown cleanly")
+    status, output = process.getstatusoutput(check_mor_cmd,
+                                             ignore_status=True,
+                                             shell=True)
+    if status:
+        test.fail("Failed to run '%s', the error message is '%s'"
+                  % (check_mor_cmd, output))
+    mor_msg_list = params.get_list("mor_msg")
+    if not mor_msg_list[0] in output or not mor_msg_list[1] in output:
+        test.fail("Failed to get MOR message, the output of "
+                  "command '%s': is '%s'" % (check_mor_cmd, output))