From 3030010fa9c52f5951ac4e69b0785cb801bd8376 Mon Sep 17 00:00:00 2001 From: Andrea Bolognani Date: Wed, 15 Mar 2023 20:51:51 +0100 Subject: [PATCH] tests: Fix firmware descriptor masking test Right now we're checking that firmware descriptor masking works as intended by creating an empty file matching 60-ovmf-sb.json in name. However, that firmware descriptors contains the details for a perfectly valid and quite common situation: Secure Boot being supported by the firmware build, but being effectively disabled by the lack of certificates in the NVRAM template. Unmask that firmware descriptor, and instead create a dummy one that has higher priority than all other OVMF builds and points to paths that are obviously incorrect, which should make it easy to notice it getting accidentally unmasked in the future. Signed-off-by: Andrea Bolognani Reviewed-by: Michal Privoznik --- .../{60-ovmf-sb.json => 42-masked.json} | 0 .../usr/share/qemu/firmware/42-masked.json | 37 +++++++++++++++++++ tests/qemufirmwaretest.c | 2 + ...to-efi-no-enrolled-keys.x86_64-latest.args | 5 ++- ...uto-efi-no-enrolled-keys.x86_64-latest.xml | 3 +- 5 files changed, 44 insertions(+), 3 deletions(-) rename tests/qemufirmwaredata/etc/qemu/firmware/{60-ovmf-sb.json => 42-masked.json} (100%) create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/42-masked.json diff --git a/tests/qemufirmwaredata/etc/qemu/firmware/60-ovmf-sb.json b/tests/qemufirmwaredata/etc/qemu/firmware/42-masked.json similarity index 100% rename from tests/qemufirmwaredata/etc/qemu/firmware/60-ovmf-sb.json rename to tests/qemufirmwaredata/etc/qemu/firmware/42-masked.json diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/42-masked.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/42-masked.json new file mode 100644 index 0000000000..300dab1a9e --- /dev/null +++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/42-masked.json @@ -0,0 +1,37 @@ +{ + "description": "bad firmware used to test descriptor masking", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/bad/executable/should/have/been/masked.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/bad/nvram/template/should/have/been/masked.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-*", + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "amd-sev", + "requires-smm", + "secure-boot", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c index 6817c93d9a..56df443056 100644 --- a/tests/qemufirmwaretest.c +++ b/tests/qemufirmwaretest.c @@ -72,6 +72,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED) PREFIX "/share/qemu/firmware/45-ovmf-sev-stateless.json", PREFIX "/share/qemu/firmware/50-ovmf-sb-keys.json", PREFIX "/share/qemu/firmware/55-ovmf-sb-combined.json", + PREFIX "/share/qemu/firmware/60-ovmf-sb.json", PREFIX "/share/qemu/firmware/61-ovmf.json", PREFIX "/share/qemu/firmware/65-ovmf-qcow2.json", PREFIX "/share/qemu/firmware/66-aavmf-qcow2.json", @@ -270,6 +271,7 @@ mymain(void) "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.secboot.fd:" "/usr/share/OVMF/OVMF.sev.fd:NULL:" "/usr/share/OVMF/OVMF.secboot.fd:NULL:" + "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:" "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd:" "/usr/share/OVMF/OVMF_CODE.qcow2:/usr/share/OVMF/OVMF_VARS.qcow2", VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS, diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.args b/tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.args index 9326bfe305..b412af644c 100644 --- a/tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.args +++ b/tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.args @@ -10,13 +10,14 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ -name guest=guest,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \ --blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ -blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ -blockdev '{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \ -blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \ --machine pc-q35-4.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,acpi=on \ +-machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,acpi=on \ -accel kvm \ -cpu qemu64 \ +-global driver=cfi.pflash01,property=secure,value=on \ -m 1024 \ -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \ -overcommit mem-lock=off \ diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml index 8b3853dc17..6722b22aa1 100644 --- a/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml +++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml @@ -6,12 +6,13 @@ 1 hvm - /usr/share/OVMF/OVMF_CODE.fd + /usr/share/OVMF/OVMF_CODE.secboot.fd /var/lib/libvirt/qemu/nvram/guest_VARS.fd + qemu64 -- 2.47.2