Add Secure Boot testing

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2024-03-19 16:52:00 -07:00 · 2024-03-19 16:52:00 -07:00 · c879906d16
parent a0eb2827b8
commit c879906d16
3 changed files with 53 additions and 2 deletions
--- a/templates.fif.json
+++ b/templates.fif.json
@ -63,11 +63,14 @@
                "QEMU_VIDEO_DEVICE": "virtio-vga",
                "XRES": "1024",
                "YRES": "768",
+                "QEMUMACHINE": "q35,smm=on",
+                "QEMU_APPEND": "global driver=cfi.pflash01,property=secure,value=on",
                "QEMU_MAX_MIGRATION_TIME": "480",
                "QEMU_VIRTIO_RNG": "1",
                "UEFI": "1",
-                "UEFI_PFLASH_CODE": "/usr/share/edk2/ovmf/OVMF_CODE.fd",
-                "UEFI_PFLASH_VARS": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+                "UEFI_PFLASH_CODE": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
+                "UEFI_PFLASH_VARS": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd",
+                "UEFI_SECURE": "1",
                "WORKER_CLASS": "qemu_x86_64"
            }
        }
@ -1626,6 +1629,7 @@
                "fedora-Server-dvd-iso-aarch64-*-aarch64": 10,
                "fedora-Server-dvd-iso-ppc64le-*-ppc64le": 10,
                "fedora-Server-dvd-iso-x86_64-*-64bit": 10,
+                "fedora-Server-dvd-iso-x86_64-*-uefi": 10,
                "fedora-Silverblue-dvd_ostree-iso-ppc64le-*-ppc64le": 50,
                "fedora-Silverblue-dvd_ostree-iso-x86_64-*-64bit": 50,
                "fedora-Workstation-live-iso-ppc64le-*-ppc64le": 10,
@ -2516,6 +2520,22 @@
                "USER_LOGIN": "false"
            }
        },
+        "secure_boot_fallback": {
+            "profiles": {
+                "fedora-BaseOS-dvd-iso-x86_64-*-uefi": 50,
+                "fedora-IoT-dvd_ostree-iso-x86_64-*-uefi": 30,
+                "fedora-Server-dvd-iso-x86_64-*-uefi": 30,
+                "fedora-Workstation-live_osbuild-iso-x86_64-*-uefi": 60
+            },
+            "settings": {
+                "BOOTFROM": "c",
+                "HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
+                "POSTINSTALL": "_secure_boot_fallback",
+                "ROOT_PASSWORD": "weakpassword",
+                "+START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
+                "USER_LOGIN": "false"
+            }
+        },
        "server_cockpit_basic": {
            "profiles": {
                "fedora-Server-dvd-iso-aarch64-*-aarch64": 30,
--- a/tests/_secure_boot_fallback.pm
+++ b/tests/_secure_boot_fallback.pm
@ -0,0 +1,27 @@
+use base "installedtest";
+use strict;
+use testapi;
+use utils;
+
+sub run {
+    my $self = shift;
+    # now try deleting the "Fedora" boot entry and rebooting, to check the fallback path
+    assert_script_run('efibootmgr -b $(efibootmgr | grep Fedora | head -1 | cut -f1 | sed -e "s,[^0-9],,g") -B');
+    # check that worked
+    validate_script_output('efibootmgr', sub { $_ !~ m/.*Fedora.*/s });
+    type_string("reboot\n");
+    boot_to_login_screen;
+    $self->root_console(tty => 3);
+    # Fedora entry should have been recreated
+    validate_script_output('efibootmgr', sub { m/Fedora/ });
+    # SB should still be enabled
+    validate_script_output('mokutil --sb-state', sub { m/SecureBoot enabled/ });
+}
+
+sub test_flags {
+    return {fatal => 1};
+}
+
+1;
+
+# vim: set sw=4 et:
--- a/tests/uefi_postinstall.pm
+++ b/tests/uefi_postinstall.pm
@ -13,6 +13,10 @@ sub run {
    console_loadkeys_us;
    # this test shows if the system is booted with efi
    assert_script_run '[ -d /sys/firmware/efi/ ]';
+    # if Secure Boot should be enabled, check it is; if it isn't,
+    # that *probably* indicates a test system issue not a distro bug,
+    # but we want to know either way
+    validate_script_output('mokutil --sb-state', sub { m/SecureBoot enabled/ }) if (get_var("UEFI_SECURE"));
 }

 sub test_flags {