
[v4,13/13] meta-arm: Add UEFI Secure Boot test

Message ID 20240829163209.47945-14-javier.tia@linaro.org
State New

Commit Message

Javier Tia Aug. 29, 2024, 4:32 p.m. UTC
Add a test to verify UEFI Secure Boot is enabled

Run the test:

kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml                   |  2 ++
 .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++++++
 .../core-image-minimal-uefi-secureboot.inc    |  6 +++-
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py

Comments

Jon Mason Aug. 30, 2024, 3:28 p.m. UTC | #1
On Thu, Aug 29, 2024 at 10:32:09AM -0600, Javier Tia wrote:
> Add a test to verify UEFI Secure Boot is enabled
> 
> Run the test:
> 
> kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  ci/qemuarm64-secureboot.yml                   |  2 ++
>  .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++++++
>  .../core-image-minimal-uefi-secureboot.inc    |  6 +++-
>  3 files changed, 39 insertions(+), 1 deletion(-)
>  create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> 
> diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
> index 03281a08..3eb8c20c 100644
> --- a/ci/qemuarm64-secureboot.yml
> +++ b/ci/qemuarm64-secureboot.yml
> @@ -11,6 +11,8 @@ local_conf_header:
>    optee: |
>      IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
>      TEST_SUITES:append = " optee ftpm"
> +  uefi_secure_boot: |
> +    TEST_SUITES:append = " uefi_secure_boot"
>  
>  machine: qemuarm64-secureboot
>  
> diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> new file mode 100644
> index 00000000..4a62b54c
> --- /dev/null
> +++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> @@ -0,0 +1,32 @@
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +import os
> +
> +from oeqa.runtime.case import OERuntimeTestCase
> +from oeqa.runtime.decorator.package import OEHasPackage
> +from oeqa.core.decorator.oetimeout import OETimeout
> +
> +
> +class UEFI_SB_TestSuite(OERuntimeTestCase):
> +    """
> +    Validate Secure Boot is Enabled
> +    """
> +
> +    @OETimeout(1300)
> +    def test_uefi_secure_boot(self):
> +        # Validate Secure Boot is enabled by checking
> +        # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
> +        # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
> +        # identifier for the Secure Boot UEFI variable. By checking the value of
> +        # this variable, specifically
> +        # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
> +        # whether Secure Boot is enabled or not. This variable is set by the
> +        # UEFI firmware to indicate the current Secure Boot state. If the
> +        # variable is set to a value of '0x1' (or '1'), it indicates that Secure
> +        # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
> +        # it indicates that Secure Boot is disabled.
> +        cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"
> +        status, output = self.target.run(cmd, timeout=120)
> +        self.assertEqual(output, "1", msg="\n".join([cmd, output]))
> diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> index e5cf7760..ce64b8b5 100644
> --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> @@ -10,4 +10,8 @@ QB_DEFAULT_KERNEL = "none"
>  
>  KERNEL_IMAGETYPE = "Image"
>  
> -IMAGE_INSTALL += "systemd systemd-boot"
> +IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar"
> +
> +inherit extrausers
> +
> +EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"

I don't think you want this.  testimage adds all that fun stuff, but
this is making it part of the image, which means it applies to all
machines that have this machine feature enabled (due to the previous
patches in this series).

Thanks,
Jon

> -- 
> 2.46.0
> 
>

Patch

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index 03281a08..3eb8c20c 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -11,6 +11,8 @@  local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+  uefi_secure_boot: |
+    TEST_SUITES:append = " uefi_secure_boot"
 
 machine: qemuarm64-secureboot
 
diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
new file mode 100644
index 00000000..4a62b54c
--- /dev/null
+++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
@@ -0,0 +1,32 @@ 
+#
+# SPDX-License-Identifier: MIT
+#
+
+import os
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.oetimeout import OETimeout
+
+
+class UEFI_SB_TestSuite(OERuntimeTestCase):
+    """
+    Validate Secure Boot is Enabled
+    """
+
+    @OETimeout(1300)
+    def test_uefi_secure_boot(self):
+        # Validate Secure Boot is enabled by checking
+        # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
+        # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
+        # identifier for the Secure Boot UEFI variable. By checking the value of
+        # this variable, specifically
+        # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
+        # whether Secure Boot is enabled or not. This variable is set by the
+        # UEFI firmware to indicate the current Secure Boot state. If the
+        # variable is set to a value of '0x1' (or '1'), it indicates that Secure
+        # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
+        # it indicates that Secure Boot is disabled.
+        cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"
+        status, output = self.target.run(cmd, timeout=120)
+        self.assertEqual(output, "1", msg="\n".join([cmd, output]))
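Review bot: The `status` returned on the line `status, output = self.target.run(cmd, timeout=120)` is never checked, and `OEHasPackage` is imported but never applied, so a missing `efivar` binary or an unreadable variable fails on the same assertion as a genuinely disabled Secure Boot. Decorating the test with `@OEHasPackage(['efivar'])` and adding `self.assertEqual(status, 0, msg="\n".join([cmd, output]))` before the value check would separate "test cannot run" from "Secure Boot is off". `import os` is unused and can be dropped. Note that the test only confirms the state the firmware reports in the SecureBoot variable; it does not show that signature enforcement is actually in effect, which a companion negative test would cover.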
diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
index e5cf7760..ce64b8b5 100644
--- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -10,4 +10,8 @@  QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
 
-IMAGE_INSTALL += "systemd systemd-boot"
+IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar"
+
+inherit extrausers
+
+EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"
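Review bot: `inherit extrausers` is added without any `EXTRA_USERS_PARAMS` assignment in this hunk, so as far as this file shows it has no effect; if the parameters are set elsewhere, a comment naming that location would help, otherwise the inherit can be dropped. The `util-linux coreutils` additions to `IMAGE_INSTALL` are also unexplained, since the new test itself only invokes `efivar`; a one-line comment such as `# util-linux/coreutils: needed by the testimage runtime harness` (if that is the reason) would make the dependency clear.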