Right now we're checking that firmware descriptor masking works
as intended by creating an empty file matching 60-ovmf-sb.json
in name.
However, that firmware descriptor contains the details for a
perfectly valid and quite common situation: Secure Boot being
supported by the firmware build, but being effectively disabled
by the lack of certificates in the NVRAM template.
Unmask that firmware descriptor, and instead create a dummy one
that has higher priority than all other OVMF builds and points
to paths that are obviously incorrect, which should make it
easy to notice it getting accidentally unmasked in the future.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
.../{60-ovmf-sb.json => 42-masked.json} | 0
.../usr/share/qemu/firmware/42-masked.json | 37 +++++++++++++++++++
tests/qemufirmwaretest.c | 2 +
...to-efi-no-enrolled-keys.x86_64-latest.args | 5 ++-
...uto-efi-no-enrolled-keys.x86_64-latest.xml | 3 +-
5 files changed, 44 insertions(+), 3 deletions(-)
rename tests/qemufirmwaredata/etc/qemu/firmware/{60-ovmf-sb.json => 42-masked.json}
(100%)
create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/42-masked.json
diff --git a/tests/qemufirmwaredata/etc/qemu/firmware/60-ovmf-sb.json
b/tests/qemufirmwaredata/etc/qemu/firmware/42-masked.json
similarity index 100%
rename from tests/qemufirmwaredata/etc/qemu/firmware/60-ovmf-sb.json
rename to tests/qemufirmwaredata/etc/qemu/firmware/42-masked.json
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/42-masked.json
b/tests/qemufirmwaredata/usr/share/qemu/firmware/42-masked.json
new file mode 100644
index 0000000000..300dab1a9e
--- /dev/null
+++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/42-masked.json
@@ -0,0 +1,37 @@
+{
+ "description": "bad firmware used to test descriptor masking",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "mode": "split",
+ "executable": {
+ "filename":
"/bad/executable/should/have/been/masked.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename":
"/bad/nvram/template/should/have/been/masked.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-*",
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "amd-sev",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
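Review bot: The empty `"tags"` array at the end of the new descriptor is written as an opening bracket, a blank added line and a closing bracket; `"tags": []` on one line reads more clearly and avoids the stray whitespace-only line in a fixture that is otherwise formatted one key per line. Nothing else in the descriptor looks off: the `/bad/...should/have/been/masked.fd` paths and the `42-` prefix match the canary behaviour the commit message describes.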
diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c
index 6817c93d9a..56df443056 100644
--- a/tests/qemufirmwaretest.c
+++ b/tests/qemufirmwaretest.c
@@ -72,6 +72,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED)
PREFIX "/share/qemu/firmware/45-ovmf-sev-stateless.json",
PREFIX "/share/qemu/firmware/50-ovmf-sb-keys.json",
PREFIX "/share/qemu/firmware/55-ovmf-sb-combined.json",
+ PREFIX "/share/qemu/firmware/60-ovmf-sb.json",
PREFIX "/share/qemu/firmware/61-ovmf.json",
PREFIX "/share/qemu/firmware/65-ovmf-qcow2.json",
PREFIX "/share/qemu/firmware/66-aavmf-qcow2.json",
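Review bot: The expected precedence list gains `60-ovmf-sb.json` but carries no comment saying why `42-masked.json`, which this commit adds under the same `/share/qemu/firmware` prefix, must never appear in it; a reader who later sees the mask stop working is likely to "fix" the list instead of the mask. A one-line comment at the top of the list, e.g. `/* 42-masked.json exists only to be shadowed by the empty etc/qemu/firmware/42-masked.json; it must never show up here */`, would make the intent of the masking test visible where it is asserted. The start of the list and the rest of testFWPrecedence lie outside the hunk, so the exact placement cannot be given here.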
@@ -270,6 +271,7 @@ mymain(void)
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.secboot.fd:"
"/usr/share/OVMF/OVMF.sev.fd:NULL:"
"/usr/share/OVMF/OVMF.secboot.fd:NULL:"
+
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:"
"/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd:"
"/usr/share/OVMF/OVMF_CODE.qcow2:/usr/share/OVMF/OVMF_VARS.qcow2",
VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS,
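Review bot: The added expected entry `OVMF_CODE.secboot.fd:OVMF_VARS.fd` differs from the existing `OVMF_CODE.secboot.fd:OVMF_VARS.secboot.fd` entry only in the varstore path, and nothing in the concatenated string records which descriptor each entry comes from, so the new line is easy to misplace or drop when the list is next edited. Trailing comments per entry, e.g. `/* 60-ovmf-sb.json */` on the new line, would tie each expected pair to its descriptor. Separately, the hunk shows the addition as a bare `+` followed by the string literal on the following line; that looks like mail-client wrapping rather than an intentionally empty added line, and is worth confirming before the patch is applied. The enclosing mymain starts and ends outside the hunk.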
diff --git a/tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.args
b/tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.args
index 9326bfe305..b412af644c 100644
--- a/tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.args
@@ -10,13 +10,14 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \
-name guest=guest,debug-threads=on \
-S \
-object
'{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}'
\
--blockdev
'{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}'
\
-blockdev
'{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}'
\
--machine
pc-q35-4.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,acpi=on
\
+-machine
pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,acpi=on
\
-accel kvm \
-cpu qemu64 \
+-global driver=cfi.pflash01,property=secure,value=on \
-m 1024 \
-object
'{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}'
\
-overcommit mem-lock=off \
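Review bot: The expected output now selects `OVMF_CODE.secboot.fd` with `smm=on` and `-global driver=cfi.pflash01,property=secure,value=on` while the varstore is still created from `/usr/share/OVMF/OVMF_VARS.fd`, and the matching xml hunk below adds `secure='yes'` and `<smm state='on'/>` with the same template; per the commit message this is the "Secure Boot supported by the build but effectively disabled by an empty NVRAM template" case, yet nothing in the test tree records that reading. Expected-output files cannot carry comments, so a short note where this no-enrolled-keys case is registered, e.g. `/* secboot build is selected, but OVMF_VARS.fd enrolls no keys: SB capable, not enforced */`, would keep a future reader from mistaking this expectation for an enforced Secure Boot configuration. The same point applies to the qemuxml2xmloutdata hunk below.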
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml
b/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml
index 8b3853dc17..6722b22aa1 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-no-enrolled-keys.x86_64-latest.xml
@@ -6,12 +6,13 @@
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
- <loader readonly='yes'
type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
+ <loader readonly='yes' secure='yes'
type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram
template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
<boot dev='hd'/>
</os>
<features>
<acpi/>
+ <smm state='on'/>
</features>
<cpu mode='custom' match='exact' check='none'>
<model fallback='forbid'>qemu64</model>
--
2.39.2