Test qemu secure boot
Add qemu settings for secure boot and add test in smoke suite to
actually test that secure boot is enabled.

Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
frelon committed Mar 20, 2024
1 parent a2c4f0b commit f615b00
Showing 4 changed files with 26 additions and 10 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/build_and_test_x86.yaml
Expand Up @@ -213,7 +213,7 @@ jobs:
sudo udevadm trigger --name-match=kvm
- name: Run ${{ matrix.test }}
run: |
make DISK=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.qcow2 ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd ${{ matrix.test }}
make DISK=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.qcow2 ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd ELMNTL_FIRMWARE_ORIG_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd ${{ matrix.test }}
- name: Upload serial console for ${{ matrix.test }}
uses: actions/upload-artifact@v4
if: always()
Expand Down Expand Up @@ -276,7 +276,7 @@ jobs:
sudo udevadm trigger --name-match=kvm
- name: Run installer test
run: |
make ISO=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.iso ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd test-installer
make ISO=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.iso ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd ELMNTL_FIRMWARE_ORIG_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd test-installer
- name: Upload serial console for installer tests
uses: actions/upload-artifact@v4
if: always()
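Review bot: The "Run ${{ matrix.test }}" step keeps `ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd` but adds `ELMNTL_FIRMWARE_ORIG_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd`, whereas the installer step moves the code image to `OVMF_CODE_4M.ms.fd`. Judging by the file names, the first step now pairs a code image and a variable store from different firmware builds, which can fail to boot or boot without secure boot enforced. If the matrix includes the smoke suite, which this commit makes assert that secure boot is enabled, that step probably needs the matching image as well: `ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd`. Both steps belong to jobs whose definitions start outside the hunks shown.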
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -7,6 +7,7 @@ isowork/
*.img
*.log
*.pid
*.bin
iso-meta.json
iso-meta.yaml
.idea/
23 changes: 16 additions & 7 deletions scripts/run_vm.sh
Expand Up @@ -7,7 +7,9 @@ SCRIPTS_PATH=$(dirname "${SCRIPT}")
TESTS_PATH=$(realpath -s "${SCRIPTS_PATH}/../tests")

: "${ELMNTL_PREFIX:=}"
: "${ELMNTL_FIRMWARE:=/usr/share/qemu/ovmf-x86_64.bin}"
: "${ELMNTL_FIRMWARE:=/usr/share/qemu/ovmf-x86_64-smm-ms-code.bin}"
: "${ELMNTL_FIRMWARE_ORIG_VARS:=/usr/share/qemu/ovmf-x86_64-smm-ms-vars.bin}"
: "${ELMNTL_FIRMWARE_VARS:=${TESTS_PATH}/${ELMNTL_PREFIX}/ovmf-x86_64-vars.bin}"
: "${ELMNTL_FWDIP:=127.0.0.1}"
: "${ELMNTL_FWDPORT:=2222}"
: "${ELMNTL_MEMORY:=4096}"
Expand All @@ -32,12 +34,14 @@ function start {
local usrnet_arg="-netdev user,id=user0,hostfwd=tcp:${ELMNTL_FWDIP}:${ELMNTL_FWDPORT}-:22 -device virtio-net-pci,romfile=,netdev=user0"
local accel_arg
local memory_arg="-m ${ELMNTL_MEMORY}"
local firmware_arg="-drive if=pflash,format=raw,readonly=on,file=${ELMNTL_FIRMWARE}"
local global_arg="-global driver=cfi.pflash01,property=secure,value=on"
local firmware_arg="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ELMNTL_FIRMWARE}"
local firwmare_vars_arg="-drive if=pflash,format=raw,unit=1,file="${ELMNTL_FIRMWARE_VARS}""
local disk_arg="-drive file=${ELMNTL_TESTDISK},if=none,id=disk,format=qcow2,media=disk -device virtio-blk-pci,drive=disk,bootindex=1"
local serial_arg="-serial file:${ELMNTL_LOGFILE}"
local pidfile_arg="-pidfile ${ELMNTL_PIDFILE}"
local display_arg="-display ${ELMNTL_DISPLAY}"
local machine_arg="-machine type=${ELMNTL_MACHINETYPE}"
local machine_arg="-machine type=${ELMNTL_MACHINETYPE},smm=on"
local cdrom_arg
local cpu_arg
local vmpid
Expand All @@ -54,6 +58,11 @@ function start {
fi
fi

if [ ! -e "${ELMNTL_FIRMWARE_ARGS}" ]; then
echo Copy "${ELMNTL_FIRMWARE_ORIG_VARS}" to "${ELMNTL_FIRMWARE_VARS}"
cp "${ELMNTL_FIRMWARE_ORIG_VARS}" "${ELMNTL_FIRMWARE_VARS}"
fi

[ -f "${base_disk}" ] || _abort "Disk not found: ${base_disk}"

case "${base_disk}" in
Expand All @@ -73,12 +82,12 @@ function start {
[ "kvm" == "${ELMNTL_ACCEL}" ] && cpu_arg="-cpu host" && kvm_arg="-enable-kvm"

if [ "${ELMNTL_DEBUG}" == "yes" ]; then
qemu-system-${ELMNTL_TARGETARCH} ${kvm_arg} ${disk_arg} ${cdrom_arg} ${firmware_arg} ${usrnet_arg} \
${kvm_arg} ${memory_arg} ${graphics_arg} -serial stdio ${pidfile_arg} \
qemu-system-${ELMNTL_TARGETARCH} ${kvm_arg} ${disk_arg} ${cdrom_arg} ${global_arg} ${firmware_arg} ${firwmare_vars_arg} \
${usrnet_arg} ${kvm_arg} ${memory_arg} ${graphics_arg} -serial stdio ${pidfile_arg} \
${display_arg} ${machine_arg} ${accel_arg} ${cpu_arg}
else
qemu-system-${ELMNTL_TARGETARCH} ${kvm_arg} ${disk_arg} ${cdrom_arg} ${firmware_arg} ${usrnet_arg} \
${kvm_arg} ${memory_arg} ${graphics_arg} ${serial_arg} ${pidfile_arg} \
qemu-system-${ELMNTL_TARGETARCH} ${kvm_arg} ${disk_arg} ${cdrom_arg} ${global_arg} ${firmware_arg} ${firwmare_vars_arg} \
${usrnet_arg} ${kvm_arg} ${memory_arg} ${graphics_arg} ${serial_arg} ${pidfile_arg} \
${display_arg} ${machine_arg} ${accel_arg} ${cpu_arg} > ${ELMNTL_VMSTDOUT} 2>&1 &
fi
}
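Review bot: The existence check added just before `[ -f "${base_disk}" ]` tests `${ELMNTL_FIRMWARE_ARGS}`, a name that is not defined in any visible hunk; the variable holding the writable store is `ELMNTL_FIRMWARE_VARS`. With that name unset the test is always true, so every call to `start` copies the pristine template over the per-test store and discards whatever UEFI variables (boot entries, enrolled keys, MOK state) an earlier boot wrote. The check should read `if [ ! -e "${ELMNTL_FIRMWARE_VARS}" ]; then`. The copy should also fail loudly, e.g. `cp "${ELMNTL_FIRMWARE_ORIG_VARS}" "${ELMNTL_FIRMWARE_VARS}" || _abort "Cannot create firmware vars"`, so a missing template does not surface later as an opaque QEMU error. In the same section `firwmare_vars_arg` is misspelled and its nested double quotes leave the vars path unquoted; the opening of `start` lies outside the hunks shown.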
8 changes: 7 additions & 1 deletion tests/smoke/smoke_test.go
Expand Up @@ -41,13 +41,19 @@ var _ = Describe("Elemental Smoke tests", func() {
})

Context("After install", func() {
It("has booted with secure boot enabled", func() {
out, err := s.Command("mokutil --sb-state")
Expect(err).ToNot(HaveOccurred())
Expect(out).To(Equal("SecureBoot enabled"))
})

It("has default services on", func() {
for _, svc := range []string{"systemd-timesyncd"} {
sut.SystemdUnitIsActive(svc, s)
}
})

It("it can reboot into recovery and back to active having active persistent data still available", func() {
It("can reboot into recovery and back to active having active persistent data still available", func() {
By("Adding some persistent data in root folder")
persistentFileName := fmt.Sprintf("file-%v.txt", rand.Int())
persistentData := rand.Uint32()
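Review bot: The new secure boot check, `Expect(out).To(Equal("SecureBoot enabled"))`, only passes if `s.Command` strips the trailing newline that `mokutil --sb-state` prints, and that helper is not visible on this page. If it does not, compare the trimmed output instead: `Expect(strings.TrimSpace(out)).To(Equal("SecureBoot enabled"))` (this needs the `strings` import, which is outside the hunk). Keeping an exact match rather than a substring match is worthwhile, because any additional line mokutil reports, such as a notice that validation is disabled in shim, then still fails the test. A short comment such as `// exact match on purpose: any extra mokutil status line must fail` would record that intent.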
