edk2_check_mor: add a new case #4162
base: master
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
- edk2_check_mor: | ||
only q35 | ||
only ovmf | ||
only Linux | ||
start_vm = no | ||
type = edk2_check_mor | ||
no Host_RHEL.m7 Host_RHEL.m8 Host_RHEL.m9.u0 Host_RHEL.m9.u1 Host_RHEL.m9.u2 Host_RHEL.m9.u3 Host_RHEL.m9.u4 | ||
restore_ovmf_vars = yes | ||
backup_image_before_testing = yes | ||
restore_image_after_testing = yes | ||
package_installed = virt-firmware | ||
cmd_installed = virt-fw-vars | ||
check_mor_cmd = '${cmd_installed} -i %s -p' | ||
image_copy_on_error = no | ||
check_sign_cmd = 'pesign --show-signature -i %s' | ||
check_secure_boot_enabled_cmd = 'dmesg | grep -i "Secure boot enabled"' | ||
sign_keyword = ' Red Hat Secure Boot (\(signing key 1\)|Signing 501)' | ||
mor_msg = 'MemoryOverwriteRequestControl MemoryOverwriteRequestControlLock' |
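Review bot: `check_secure_boot_enabled_cmd` decides whether the whole test is cancelled, and `dmesg | grep -i "Secure boot enabled"` is a fragile signal for that. The boot-time line can be missing from the ring buffer for reasons unrelated to firmware state (buffer wrap, a differently worded kernel message), and the run is then reported as skipped rather than failed. Since the test itself boots the guest from `OVMF_VARS.secboot.fd`, a guest that does not report secure boot looks more like a failure than a skip. Consider querying the EFI state directly, e.g. `check_secure_boot_enabled_cmd = 'mokutil --sb-state | grep -i "SecureBoot enabled"'`, provided mokutil is present in the guest images. A one-line comment above `mor_msg` stating that these are the two variable names expected in the `virt-fw-vars -p` output would also help the next reader.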
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
import re | ||
from virttest import env_process | ||
from virttest import error_context | ||
from virttest import utils_misc | ||
from virttest import utils_package | ||
from avocado.utils import process | ||
from avocado.utils.path import find_command | ||
from avocado.utils.path import CmdNotFoundError | ||
|
||
|
||
@error_context.context_aware | ||
def run(test, params, env): | ||
""" | ||
Verify MOR enabled in edk2 build | ||
|
||
1. Boot guest under secure mode and check if the guest is signed | ||
2. Check if secure boot is enabled inside guest | ||
3. Reboot and shutdown the guest | ||
4. Check MOR message after shutdown the guest | ||
|
||
:param test: Kvm test object | ||
:param params: Dictionary with the test parameters | ||
:param env: Dictionary with test environment. | ||
""" | ||
|
||
def _check_signed(): | ||
""" Check and return if guest is signed """ | ||
return True if re.search(sign_keyword, sign_info) else False | ||
|
||
package = params["package_installed"] | ||
install_status = utils_package.package_install(package) | ||
if not install_status: | ||
test.error(f"Failed to install {package}.") | ||
try: | ||
find_command(params["cmd_installed"]) | ||
except CmdNotFoundError as e: | ||
test.error(str(e)) | ||
params['ovmf_vars_filename'] = 'OVMF_VARS.secboot.fd' | ||
env_process.preprocess_vm(test, params, env, params['main_vm']) | ||
vm = env.get_vm(params['main_vm']) | ||
vm.create(params=params) | ||
vm.verify_alive() | ||
session = vm.wait_for_login() | ||
check_sign_cmd = params['check_sign_cmd'] | ||
sign_keyword = params['sign_keyword'] | ||
if session.cmd_status('which pesign') != 0: | ||
install_status = utils_package.package_install('pesign', session) | ||
if not install_status: | ||
test.error("Failed to install pesign.") | ||
error_context.context('Check whether secure boot has been enabled.', | ||
test.log.info) | ||
check_cmd = params['check_secure_boot_enabled_cmd'] | ||
status, output = session.cmd_status_output(check_cmd) | ||
if status: | ||
test.cancel('Secure boot is not enabled,' | ||
'MOR must run under secure mode') | ||
error_context.context('Check whether the guest has been signed.', | ||
test.log.info) | ||
vmlinuz = '/boot/vmlinuz-%s' % session.cmd_output('uname -r') | ||
check_sign_cmd %= vmlinuz | ||
sign_info = session.cmd_output(check_sign_cmd) | ||
signed = _check_signed() | ||
if not signed: | ||
move the if under line 53?
updated, check whether the guest has been signed after checking secure boot enabled. If the guest is not signed, it should not boot succeed under secure mode. Thanks.
||
test.fail('The guest is not signed, ' | ||
'but boot succeed under secure mode.') | ||
session.close() | ||
vars_dev = vm.devices.get_by_params({"node-name": "file_ovmf_vars"})[0] | ||
ovmf_vars_file = vars_dev.params["filename"] | ||
check_mor_cmd = params["check_mor_cmd"] % ovmf_vars_file | ||
error_context.context('Reboot and shutdown the guest.', test.log.info) | ||
vm.reboot() | ||
vm.destroy() | ||
if utils_misc.wait_for(vm.is_dead, 180, 1, 1): | ||
test.log.info("Guest managed to shutdown cleanly") | ||
error_context.context("Check the MOR message by command '%s'." | ||
% check_mor_cmd, test.log.info) | ||
status, output = process.getstatusoutput(check_mor_cmd, | ||
ignore_status=True, | ||
shell=True) | ||
if status: | ||
test.fail("Failed to run '%s', the error message is '%s'" | ||
% (check_mor_cmd, output)) | ||
mor_msg_list = params.get_list("mor_msg") | ||
if not mor_msg_list[0] in output or not mor_msg_list[1] in output: | ||
test.fail("Failed to get MOR message, the output is '%s'" % output) |
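Review bot: The `if utils_misc.wait_for(vm.is_dead, 180, 1, 1):` near the end of `run` has no else branch, so a guest that is still alive after the timeout is not reported and the test goes on to read the vars file anyway, possibly while QEMU still has it open. Make the timeout explicit: `if not utils_misc.wait_for(vm.is_dead, 180, 1, 1): test.error("Guest did not shut down within 180s")`. The final check indexes `mor_msg_list[0]` and `[1]` directly, so a `mor_msg` with fewer than two entries raises IndexError instead of a test failure; `missing = [m for m in mor_msg_list if m not in output]` followed by `if missing: test.fail(...)` avoids that and names the absent variable. Two smaller points: `session.cmd_output('uname -r')` is used without `.strip()`, which appears to work only because `%s` is the last token of `check_sign_cmd`, and the two `test.cancel` string fragments concatenate to "enabled,MOR" with no space.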
Do we need to uninstall the package post-test?
No, this package is very small and it contains test scripts, I think it can be kept. Thanks.
(Of course, we can call the function utils_package.package_remove(), but I think we can keep it here.)