
[v3,13/13] meta-arm: Add UEFI Secure Boot test

Message ID 20240822014335.3394568-14-javier.tia@linaro.org
State New
Series qemuarm64-secureboot: Add UEFI Secure Boot | expand

Commit Message

Javier Tia Aug. 22, 2024, 1:43 a.m. UTC
Add a test to verify UEFI Secure Boot is enabled

Run the test:

kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml                   |  2 ++
 .../core-image-base-uefi-secureboot.inc       |  6 +++-
 .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py

Patch

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index 958a1ff1..02341934 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -11,6 +11,8 @@  local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+  uefi_secure_boot: |
+    TEST_SUITES:append = " uefi_secure_boot"
 
 machine: qemuarm64-secureboot
 
diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index e5cf7760..ce64b8b5 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,8 @@  QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
 
-IMAGE_INSTALL += "systemd systemd-boot"
+IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar"
+
+inherit extrausers
+
+EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"
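Review bot: `EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"` is set in the image include itself, so every image that pulls in core-image-base-uefi-secureboot.inc gets a passwordless root account, not only the testimage CI build. Since the stated purpose is the new runtime test, it would be safer to scope this to the CI configuration, for example in the `local_conf_header` block of ci/qemuarm64-secureboot.yml next to the `TEST_SUITES:append` line. `inherit extrausers` has no matching `EXTRA_USERS_PARAMS` in the visible lines, and the new test only invokes `efivar`. If nothing outside this hunk needs the inherit or the `util-linux coreutils` additions, they can be dropped to keep the Secure Boot image minimal.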
diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
new file mode 100644
index 00000000..4a62b54c
--- /dev/null
+++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
@@ -0,0 +1,32 @@ 
+#
+# SPDX-License-Identifier: MIT
+#
+
+import os
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.oetimeout import OETimeout
+
+
+class UEFI_SB_TestSuite(OERuntimeTestCase):
+    """
+    Validate Secure Boot is Enabled
+    """
+
+    @OETimeout(1300)
+    def test_uefi_secure_boot(self):
+        # Validate Secure Boot is enabled by checking
+        # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
+        # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
+        # identifier for the Secure Boot UEFI variable. By checking the value of
+        # this variable, specifically
+        # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
+        # whether Secure Boot is enabled or not. This variable is set by the
+        # UEFI firmware to indicate the current Secure Boot state. If the
+        # variable is set to a value of '0x1' (or '1'), it indicates that Secure
+        # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
+        # it indicates that Secure Boot is disabled.
+        cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"
+        status, output = self.target.run(cmd, timeout=120)
+        self.assertEqual(output, "1", msg="\n".join([cmd, output]))
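Review bot: `status` returned by `self.target.run(cmd, timeout=120)` is never checked, so a missing `efivar` binary or an absent SecureBoot variable fails with the same message as Secure Boot being disabled. Add `self.assertEqual(status, 0, msg="\n".join([cmd, output]))` before the output comparison to tell the two cases apart. `import os` and `OEHasPackage` are imported but unused; either remove them or decorate the test with `@OEHasPackage(['efivar'])`. The class docstring could also state that the test reads only the firmware-reported `SecureBoot` value and does not exercise rejection of an unsigned image, so a pass is not read as full enforcement coverage.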