Changeset 98992 in vbox for trunk

Timestamp:

Mar 15, 2023 3:53:43 PM (21 months ago)

Author:

vboxsync

Message:

ValidationKit: Add Linux test VMs which have Secure Boot enabled, bugref:10287.

Location:

trunk/src/VBox/ValidationKit

Files:

• testdriver/vbox.py (modified) (2 diffs)
• testdriver/vboxtestvms.py (modified) (5 diffs)
• testdriver/vboxwrappers.py (modified) (2 diffs)
• tests/additions/tdAddBasic1.py (modified) (6 diffs)

trunk/src/VBox/ValidationKit/testdriver/vbox.py

@@ -2509 +2509 @@
                      sIommuType = 'none',
                      sDvdControllerType = 'IDE Controller',
-                     sCom1RawFile = None):
+                     sCom1RawFile = None,
+                     fSecureBoot = False,
+                     sUefiMokPathPrefix = None):
         """
         Creates a test VM with a immutable HD from the test resources.
@@ -2567 +2569 @@
             elif fRc and sFirmwareType == 'efi':
                 fRc = oSession.setFirmwareType(vboxcon.FirmwareType_EFI);
+                if fRc and self.fpApiVer >= 7.0 and fSecureBoot:
+                    fRc = oSession.enableSecureBoot(fSecureBoot, sUefiMokPathPrefix);
             if fRc and self.fEnableDebugger:
                 fRc = oSession.setExtraData('VBoxInternal/DBGC/Enabled', '1');

trunk/src/VBox/ValidationKit/testdriver/vboxtestvms.py

@@ -973 +973 @@
                  sIommuType = 'none',                       # type: str
                  sHddControllerType = 'IDE Controller',     # type: str
-                 sDvdControllerType = 'IDE Controller'      # type: str
+                 sDvdControllerType = 'IDE Controller',     # type: str
+                 fSecureBoot = False,                       # type: bool
+                 sUefiMokPathPrefix = None                  # type: str
                  ):
         self.oSet                    = oSet;
@@ -1001 +1003 @@
         self.fCom1RawFile            = False;
 
+        self.fSecureBoot             = fSecureBoot;
+        self.sUefiMokPathPrefix      = sUefiMokPathPrefix;
+
         self.fSnapshotRestoreCurrent = False;        # Whether to restore execution on the current snapshot.
         self.fSkip                   = False;        # All VMs are included in the configured set by default.
@@ -1198 +1203 @@
                                      sChipsetType       = self.sChipsetType,
                                      sIommuType         = self.sIommuType,
-                                     sCom1RawFile       = self.sCom1RawFile if self.fCom1RawFile else None
+                                     sCom1RawFile       = self.sCom1RawFile if self.fCom1RawFile else None,
+                                     fSecureBoot        = self.fSecureBoot,
+                                     sUefiMokPathPrefix = self.sUefiMokPathPrefix
                                      );
 
@@ -1950 +1957 @@
                sKind = 'Oracle_64', acCpusSup = range(1, 33), fIoApic = True, sFirmwareType = 'efi',
                asParavirtModesSup = [g_ksParavirtProviderKVM,]),
+        TestVm('tst-ol-8_1-64-efi-sb',      kfGrpStdSmoke,        sHd = '6.1/efi/ol-8_1-efi-amd64-2.vdi',
+               sKind = 'Oracle_64', acCpusSup = range(1, 33), fIoApic = True, sFirmwareType = 'efi',
+               asParavirtModesSup = [g_ksParavirtProviderKVM,], fSecureBoot = True, sUefiMokPathPrefix = '7.0/mok/vbox-test-MOK'),
         TestVm('tst-ol-6u2-32',             kfGrpStdSmoke,        sHd = '6.1/ol-6u2-x86.vdi',
                sKind = 'Oracle',    acCpusSup = range(1, 33), fIoApic = True,
@@ -1956 +1966 @@
                sKind = 'Ubuntu_64', acCpusSup = range(1, 33), fIoApic = True, sFirmwareType = 'efi',
                asParavirtModesSup = [g_ksParavirtProviderKVM,]),
+        TestVm('tst-ubuntu-15_10-64-efi-sb', kfGrpStdSmoke,       sHd = '6.1/efi/ubuntu-15_10-efi-amd64-3.vdi',
+               sKind = 'Ubuntu_64', acCpusSup = range(1, 33), fIoApic = True, sFirmwareType = 'efi',
+               asParavirtModesSup = [g_ksParavirtProviderKVM,], fSecureBoot = True, sUefiMokPathPrefix = '7.0/mok/vbox-test-MOK'),
         # Note: Deprecated / buggy; use the one in the 6.1 folder.
         #TestVm('tst-ubuntu-15_10-64-efi',   kfGrpStdSmoke,        sHd = '4.2/efi/ubuntu-15_10-efi-amd64.vdi',

trunk/src/VBox/ValidationKit/testdriver/vboxwrappers.py

@@ -45 +45 @@
 import socket;
 import sys;
+import uuid;
 
 # Validation Kit imports.
@@ -1229 +1230 @@
             reporter.log('set firmwareType=%s for "%s"' % (eType, self.sName));
         self.oTstDrv.processPendingEvents();
+        return fRc;
+
+    def enableSecureBoot(self, fEnable, sUefiMokPathPrefix = None):
+        """
+        Enables or disables Secure Boot. Error information is logged.
+        """
+
+        if self.fpApiVer >= 7.0:
+
+            fRc = True;
+            try:
+                self.o.machine.nonVolatileStore.initUefiVariableStore(0);
+
+                # Enroll necessary keys and signatures in case if Secure Boot needs to be turned ON.
+                if fEnable:
+                    self.o.machine.nonVolatileStore.uefiVariableStore.enrollDefaultMsSignatures();
+                    self.o.machine.nonVolatileStore.uefiVariableStore.enrollOraclePlatformKey();
+                    if sUefiMokPathPrefix is not None:
+                        sFullName = self.oTstDrv.getFullResourceName(sUefiMokPathPrefix) + '.der';
+                        with open(sFullName, "rb") as f:
+                            self.o.machine.nonVolatileStore.uefiVariableStore.addSignatureToMok(bytearray(f.read()), uuid.uuid4().hex, vboxcon.SignatureType_X509);
+
+                self.o.machine.nonVolatileStore.uefiVariableStore.secureBootEnabled = fEnable;
+            except:
+                reporter.errorXcpt('failed to change Secure Boot to %s for "%s"' % (fEnable, self.sName));
+                fRc = False;
+            else:
+                reporter.log('changed Secure Boot to %s for "%s"' % (fEnable, self.sName));
+            self.oTstDrv.processPendingEvents();
+
+        else:
+            reporter.log('Secure Boot is only supported for API 7.0 or newer');
+            fRc = False;
+
         return fRc;
 

trunk/src/VBox/ValidationKit/tests/additions/tdAddBasic1.py

@@ -83 +83 @@
 
         # Wether to reboot guest after Guest Additions installation.
-        self.fRebbotAfterInstall = True;
+        self.fRebootAfterInstall = True;
 
         self.addSubTestDriver(SubTstDrvAddGuestCtrl(self));
@@ -119 +119 @@
 
         elif asArgs[iArg] == '--no-reboot-after-install':
-            self.fRebbotAfterInstall = False;
+            self.fRebootAfterInstall = False;
             reporter.log('Guest will not be rebooted after Guest Additions installation, ' +
                          'kernel modules and user services should be reloaded automatically without reboot');
@@ -491 +491 @@
         # The actual install.
         # Also tell the installer to produce the appropriate log files.
-        #
+
+        # Deploy signing keys into guest if VM has Secure Boot enabled.
+        if oTestVm.fSecureBoot:
+            reporter.log('Deploying Secure Boot signing keys to the guest');
+            fRc = self.txsMkDirPath(oSession, oTxsSession, '/var/lib/shim-signed/mok');
+            if fRc:
+                fRc = self.txsUploadFile(oSession, oTxsSession,
+                                         self.getFullResourceName(oTestVm.sUefiMokPathPrefix) + '.der',
+                                         '/var/lib/shim-signed/mok/MOK.der')
+            if fRc:
+                fRc = self.txsUploadFile(oSession, oTxsSession,
+                                         self.getFullResourceName(oTestVm.sUefiMokPathPrefix) + '.priv',
+                                         '/var/lib/shim-signed/mok/MOK.priv')
+            if fRc and oTxsSession.isSuccess():
+                pass
+            else:
+                reporter.testFailure('Unable to deploy Secure Boot signing keys to the guest');
+
         # Make sure to add "--nox11" to the makeself wrapper in order to not getting any blocking
         # xterm window spawned.
@@ -498 +515 @@
                               (self.getGuestSystemShell(oTestVm),
                               '${CDROM}/%s/VBoxLinuxAdditions.run' % self.sGstPathGaPrefix, '--nox11'));
-        if not fRc:
-            iRc = self.getAdditionsInstallerResult(oTxsSession);
-            # Check for rc == 0 just for completeness.
-            if iRc in (0, 2): # Can happen if the GA installer has detected older VBox kernel modules running and needs a reboot.
-                reporter.log('Guest has old(er) VBox kernel modules still running; requires a reboot');
-                fRc = True;
+        if fRc and oTxsSession.isSuccess():
+            reporter.log('Installation completed');
+        else:
+            # Guest Additions installer which requires guest reboot after installation might return
+            # special exit code which can indicate that all was installed, but kernel modules were
+            # not rebooted. Handle this case here.
+            if self.fRebootAfterInstall:
+                iRc = self.getAdditionsInstallerResult(oTxsSession);
+                # Check for rc == 0 just for completeness.
+                if iRc in (0, 2): # Can happen if the GA installer has detected older VBox kernel modules running and needs a reboot.
+                    reporter.log('Guest has old(er) VBox kernel modules still running; requires a reboot');
+                    fRc = True;
 
             if not fRc:
@@ -519 +542 @@
         # Do the final reboot to get the just installed Guest Additions up and running.
         if fRc:
-            if self.fRebbotAfterInstall:
+            if self.fRebootAfterInstall:
                 reporter.testStart('Rebooting guest w/ updated Guest Additions active');
                 (fRc, oTxsSession) = self.txsRebootAndReconnectViaTcp(oSession, oTxsSession, cMsTimeout = 15 * 60 * 1000);
@@ -530 +553 @@
                                       (self.getGuestSystemShell(oTestVm),
                                       '/sbin/rcvboxadd', 'status-kernel'));
-                iRc = self.getAdditionsInstallerResult(oTxsSession);
-                if fRc and iRc == 0:
+                if fRc and oTxsSession.isSuccess():
                     fRc = self.txsRunTest(oTxsSession, 'Check Guest Additions user services status', 5 * 60 * 1000,
                                           self.getGuestSystemShell(oTestVm),
                                           (self.getGuestSystemShell(oTestVm),
                                           '/sbin/rcvboxadd', 'status-user'));
-                    iRc = self.getAdditionsInstallerResult(oTxsSession);
-                    if fRc and iRc == 0:
+                    if fRc and oTxsSession.isSuccess():
                         pass;
                     else: