From 5ae58ac2b93a4046fbae4e0c825b8cc9d03d10d8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sun, 27 Jul 2025 21:23:17 +0100
Subject: [PATCH] test: add a secureboot test with an addon
---
 mkosi/mkosi.finalize | 10 ++++++++++
 .../TEST-87-AUX-UTILS-VM/meson.build | 1 +
 test/units/TEST-87-AUX-UTILS-VM.bootctl.sh | 17 +++++++++++++++++
 3 files changed, 28 insertions(+)
diff --git a/mkosi/mkosi.finalize b/mkosi/mkosi.finalize
index e6aededc604..bb7ad2d9ea7 100755
--- a/mkosi/mkosi.finalize
+++ b/mkosi/mkosi.finalize
@@ -3,3 +3,13 @@ set -e
 touch -r "$BUILDROOT/usr" "$BUILDROOT/etc/.updated" "$BUILDROOT/var/.updated"
+
+if [ -n "$EFI_ARCHITECTURE" ]; then
+ mkdir -p "$BUILDROOT/boot/loader/addons"
+ ukify build \
+ --stub "$BUILDROOT/usr/lib/systemd/boot/efi/addon${EFI_ARCHITECTURE}.efi.stub" \
+ --cmdline="addonfoobar" \
+ --output "$BUILDROOT/boot/loader/addons/test.addon.efi" \
+ --secureboot-certificate "$SRCDIR/mkosi/mkosi.crt" \
+ --secureboot-private-key "$SRCDIR/mkosi/mkosi.key"
+fi
diff --git a/test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build b/test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build
index 84901392047..d82172729fc 100644
--- a/test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build
+++ b/test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build
@@ -7,5 +7,6 @@ integration_tests += [
 'storage': 'persistent',
 'coredump-exclude-regex' : '/(test-usr-dump|test-dump|bash)$',
 'vm' : true,
+ 'firmware' : 'auto',
 },
 ]
diff --git a/test/units/TEST-87-AUX-UTILS-VM.bootctl.sh b/test/units/TEST-87-AUX-UTILS-VM.bootctl.sh
index 0f5f45b3d8b..c6b4ea06552 100755
--- a/test/units/TEST-87-AUX-UTILS-VM.bootctl.sh
+++ b/test/units/TEST-87-AUX-UTILS-VM.bootctl.sh
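Review bot: The `if [ -n "$EFI_ARCHITECTURE" ]` block added to mkosi/mkosi.finalize puts a signed addon that extends the kernel command line into every EFI image this config builds, not only the one TEST-87 boots, and nothing in the script marks it as a test fixture. I would put a comment above the block, for example `# Test-only addon checked by testcase_secureboot in TEST-87-AUX-UTILS-VM.bootctl.sh; adds "addonfoobar" to the kernel command line`, so nobody mistakes it for something an image needs. The `ukify build` call also assumes `$SRCDIR/mkosi/mkosi.crt` and `$SRCDIR/mkosi/mkosi.key` exist; with `set -e` a build without them presumably stops on a ukify error, and a guard such as `[ -f "$SRCDIR/mkosi/mkosi.key" ] || { echo "mkosi.key missing, cannot sign test addon" >&2; exit 1; }` would name the missing prerequisite directly.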
@@ -342,4 +342,21 @@ EOF
 bootctl remove
 }
+testcase_secureboot() {
+ if [ ! -d /sys/firmware/efi ]; then
+ echo "Not booted with EFI, skipping secureboot tests."
+ return 0
+ fi
+
+ # Ensure secure boot is enabled and not in setup mode
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+ bootctl status | grep -q "Secure Boot: enabled"
+
+ # Ensure the addon is fully loaded and parsed
+ bootctl status | grep -q "global-addon: loader/addons/test.addon.efi"
+ bootctl status | grep "cmdline" | grep -q addonfoobar
+ grep -q addonfoobar /proc/cmdline
+}
+
 run_testcases
--
2.47.3
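Review bot: The three `bootctl status | grep -q …` pipelines in testcase_secureboot can fail spuriously if the script runs with `set -o pipefail` (not visible in this hunk), because `grep -q` exits on the first match and a writer that is still printing then dies from SIGPIPE, which fails the pipeline. Capturing the output once avoids both that and the repeated calls: `out="$(bootctl status)"` followed by `grep -q "Secure Boot: enabled" <<<"$out"`, and the same form for the two addon checks. Separately, the `return 0` taken when /sys/firmware/efi is absent lets the test pass without verifying anything; since this patch sets `'firmware' : 'auto'` for the VM, a comment saying on which setups that skip is expected would keep a firmware-selection regression from being read as a pass.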