Test qemu secure boot

.github/workflows/build_and_test_x86.yaml

@@ -213,7 +213,7 @@ jobs:
           sudo udevadm trigger --name-match=kvm
       - name: Run ${{ matrix.test }}
         run: |
-          make DISK=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.qcow2 ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd ${{ matrix.test }}
+          make DISK=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.qcow2 ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd ELMNTL_FIRMWARE_ORIG_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd ${{ matrix.test }}
       - name: Upload serial console for ${{ matrix.test }}
         uses: actions/upload-artifact@v4
         if: always()
@@ -276,7 +276,7 @@ jobs:
           sudo udevadm trigger --name-match=kvm
       - name: Run installer test
         run: |
-          make ISO=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.iso ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd test-installer
+          make ISO=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.iso ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd ELMNTL_FIRMWARE_ORIG_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd test-installer
       - name: Upload serial console for installer tests
         uses: actions/upload-artifact@v4
         if: always()

.gitignore

@@ -7,6 +7,7 @@ isowork/
 *.img
 *.log
 *.pid
+*.bin
 iso-meta.json
 iso-meta.yaml
 .idea/

scripts/run_vm.sh

@@ -7,7 +7,9 @@ SCRIPTS_PATH=$(dirname "${SCRIPT}")
 TESTS_PATH=$(realpath -s "${SCRIPTS_PATH}/../tests")
 
 : "${ELMNTL_PREFIX:=}" 
-: "${ELMNTL_FIRMWARE:=/usr/share/qemu/ovmf-x86_64.bin}"
+: "${ELMNTL_FIRMWARE:=/usr/share/qemu/ovmf-x86_64-smm-ms-code.bin}"
+: "${ELMNTL_FIRMWARE_ORIG_VARS:=/usr/share/qemu/ovmf-x86_64-smm-ms-vars.bin}"
+: "${ELMNTL_FIRMWARE_VARS:=${TESTS_PATH}/${ELMNTL_PREFIX}/ovmf-x86_64-vars.bin}"
 : "${ELMNTL_FWDIP:=127.0.0.1}"
 : "${ELMNTL_FWDPORT:=2222}"
 : "${ELMNTL_MEMORY:=4096}"
@@ -32,12 +34,14 @@ function start {
   local usrnet_arg="-netdev user,id=user0,hostfwd=tcp:${ELMNTL_FWDIP}:${ELMNTL_FWDPORT}-:22 -device virtio-net-pci,romfile=,netdev=user0"
   local accel_arg
   local memory_arg="-m ${ELMNTL_MEMORY}"
-  local firmware_arg="-drive if=pflash,format=raw,readonly=on,file=${ELMNTL_FIRMWARE}"
+  local global_arg="-global driver=cfi.pflash01,property=secure,value=on"
+  local firmware_arg="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ELMNTL_FIRMWARE}"
+  local firwmare_vars_arg="-drive if=pflash,format=raw,unit=1,file="${ELMNTL_FIRMWARE_VARS}""
   local disk_arg="-drive file=${ELMNTL_TESTDISK},if=none,id=disk,format=qcow2,media=disk -device virtio-blk-pci,drive=disk,bootindex=1"
   local serial_arg="-serial file:${ELMNTL_LOGFILE}"
   local pidfile_arg="-pidfile ${ELMNTL_PIDFILE}"
   local display_arg="-display ${ELMNTL_DISPLAY}"
-  local machine_arg="-machine type=${ELMNTL_MACHINETYPE}"
+  local machine_arg="-machine type=${ELMNTL_MACHINETYPE},smm=on"
   local cdrom_arg
   local cpu_arg
   local vmpid
@@ -54,6 +58,11 @@ function start {
     fi
   fi
 
+  if [ ! -e "${ELMNTL_FIRMWARE_ARGS}" ]; then
+    echo Copy "${ELMNTL_FIRMWARE_ORIG_VARS}" to "${ELMNTL_FIRMWARE_VARS}"
+    cp "${ELMNTL_FIRMWARE_ORIG_VARS}" "${ELMNTL_FIRMWARE_VARS}"
+  fi
+
   [ -f "${base_disk}" ] || _abort "Disk not found: ${base_disk}"
 
   case "${base_disk}" in
@@ -73,12 +82,12 @@ function start {
   [ "kvm" == "${ELMNTL_ACCEL}" ] && cpu_arg="-cpu host" && kvm_arg="-enable-kvm"
 
   if [ "${ELMNTL_DEBUG}" == "yes" ]; then
-      qemu-system-${ELMNTL_TARGETARCH} ${kvm_arg} ${disk_arg} ${cdrom_arg} ${firmware_arg} ${usrnet_arg} \
-          ${kvm_arg} ${memory_arg} ${graphics_arg} -serial stdio ${pidfile_arg} \
+      qemu-system-${ELMNTL_TARGETARCH} ${kvm_arg} ${disk_arg} ${cdrom_arg} ${global_arg} ${firmware_arg} ${firwmare_vars_arg} \
+          ${usrnet_arg} ${kvm_arg} ${memory_arg} ${graphics_arg} -serial stdio ${pidfile_arg} \
           ${display_arg} ${machine_arg} ${accel_arg} ${cpu_arg}
   else 
-      qemu-system-${ELMNTL_TARGETARCH} ${kvm_arg} ${disk_arg} ${cdrom_arg} ${firmware_arg} ${usrnet_arg} \
-          ${kvm_arg} ${memory_arg} ${graphics_arg} ${serial_arg} ${pidfile_arg} \
+      qemu-system-${ELMNTL_TARGETARCH} ${kvm_arg} ${disk_arg} ${cdrom_arg} ${global_arg} ${firmware_arg} ${firwmare_vars_arg} \
+          ${usrnet_arg} ${kvm_arg} ${memory_arg} ${graphics_arg} ${serial_arg} ${pidfile_arg} \
           ${display_arg} ${machine_arg} ${accel_arg} ${cpu_arg} > ${ELMNTL_VMSTDOUT} 2>&1 &
   fi
 }

tests/smoke/smoke_test.go

@@ -41,13 +41,19 @@ var _ = Describe("Elemental Smoke tests", func() {
 	})
 
 	Context("After install", func() {
+		It("has booted with secure boot enabled", func() {
+			out, err := s.Command("mokutil --sb-state")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(out).To(Equal("SecureBoot enabled"))
+		})
+
 		It("has default services on", func() {
 			for _, svc := range []string{"systemd-timesyncd"} {
 				sut.SystemdUnitIsActive(svc, s)
 			}
 		})
 
-		It("it can reboot into recovery and back to active having active persistent data still available", func() {
+		It("can reboot into recovery and back to active having active persistent data still available", func() {
 			By("Adding some persistent data in root folder")
 			persistentFileName := fmt.Sprintf("file-%v.txt", rand.Int())
 			persistentData := rand.Uint32()