Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

edk2_check_mor: add a new case #4162

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+103 −0
Open

edk2_check_mor: add a new case #4162

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions qemu/tests/cfg/edk2_check_mor.cfg
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
- edk2_check_mor:
only q35
only ovmf
only Linux
start_vm = no
type = edk2_check_mor
no Host_RHEL.m7 Host_RHEL.m8 Host_RHEL.m9.u0 Host_RHEL.m9.u1 Host_RHEL.m9.u2 Host_RHEL.m9.u3 Host_RHEL.m9.u4
restore_ovmf_vars = yes
backup_image_before_testing = yes
restore_image_after_testing = yes
package_installed = virt-firmware
cmd_installed = virt-fw-vars
check_mor_cmd = '${cmd_installed} -i %s -p'
image_copy_on_error = no
check_sign_cmd = 'pesign --show-signature -i %s'
check_secure_boot_enabled_cmd = 'dmesg | grep -i "Secure boot enabled"'
sign_keyword = ' Red Hat Secure Boot (\(signing key 1\)|Signing 501)'
mor_msg = 'MemoryOverwriteRequestControl MemoryOverwriteRequestControlLock'
85 changes: 85 additions & 0 deletions qemu/tests/edk2_check_mor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
import re
from virttest import env_process
from virttest import error_context
from virttest import utils_misc
from virttest import utils_package
from avocado.utils import process
from avocado.utils.path import find_command
from avocado.utils.path import CmdNotFoundError


@error_context.context_aware
def run(test, params, env):
"""
Verify MOR enabled in edk2 build

1. Boot guest under secure mode and check if the guest is signed
2. Check if secure boot is enabled inside guest
3. Reboot and shutdown the guest
4. Check MOR message after shutdown the guest

:param test: Kvm test object
:param params: Dictionary with the test parameters
:param env: Dictionary with test environment.
"""

def _check_signed():
""" Check and return if guest is signed """
return True if re.search(sign_keyword, sign_info) else False

package = params["package_installed"]
install_status = utils_package.package_install(package)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to uninstall the package post-test?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, this package is very small and it contains test scripts, I think it can be kept. Thanks.
(Of course, we can call the function utils_package.package_remove(), but I think we can keep it here.)

if not install_status:
test.error(f"Failed to install {package}.")
try:
find_command(params["cmd_installed"])
except CmdNotFoundError as e:
test.error(str(e))
params['ovmf_vars_filename'] = 'OVMF_VARS.secboot.fd'
env_process.preprocess_vm(test, params, env, params['main_vm'])
vm = env.get_vm(params['main_vm'])
vm.create(params=params)
vm.verify_alive()
session = vm.wait_for_login()
check_sign_cmd = params['check_sign_cmd']
sign_keyword = params['sign_keyword']
if session.cmd_status('which pesign') != 0:
install_status = utils_package.package_install('pesign', session)
if not install_status:
test.error("Failed to install pesign.")
error_context.context('Check whether secure boot has been enabled.',
test.log.info)
check_cmd = params['check_secure_boot_enabled_cmd']
status, output = session.cmd_status_output(check_cmd)
if status:
test.cancel('Secure boot is not enabled,'
'MOR must run under secure mode')
error_context.context('Check whether the guest has been signed.',
test.log.info)
vmlinuz = '/boot/vmlinuz-%s' % session.cmd_output('uname -r')
check_sign_cmd %= vmlinuz
sign_info = session.cmd_output(check_sign_cmd)
signed = _check_signed()
if not signed:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

move the if under line 53?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated, check whether the guest has been signed after checking secure boot enabled. If the guest is not signed, it should not boot succeed under secure mode. Thanks.

test.fail('The guest is not signed, '
'but boot succeed under secure mode.')
session.close()
vars_dev = vm.devices.get_by_params({"node-name": "file_ovmf_vars"})[0]
ovmf_vars_file = vars_dev.params["filename"]
check_mor_cmd = params["check_mor_cmd"] % ovmf_vars_file
error_context.context('Reboot and shutdown the guest.', test.log.info)
vm.reboot()
vm.destroy()
if utils_misc.wait_for(vm.is_dead, 180, 1, 1):
test.log.info("Guest managed to shutdown cleanly")
error_context.context("Check the MOR message by command '%s'."
% check_mor_cmd, test.log.info)
status, output = process.getstatusoutput(check_mor_cmd,
ignore_status=True,
shell=True)
if status:
test.fail("Failed to run '%s', the error message is '%s'"
% (check_mor_cmd, output))
mor_msg_list = params.get_list("mor_msg")
if not mor_msg_list[0] in output or not mor_msg_list[1] in output:
test.fail("Failed to get MOR message, the output is '%s'" % output)
Loading