Changeset 98992 in vbox for trunk/src/VBox/ValidationKit/testdriver

Timestamp:

Mar 15, 2023 3:53:43 PM (2 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

156342

Message:

ValidationKit: Add Linux test VMs which have Secure Boot enabled, bugref:10287.

Location:

trunk/src/VBox/ValidationKit/testdriver

Files:

• vbox.py (modified) (2 diffs)
• vboxtestvms.py (modified) (5 diffs)
• vboxwrappers.py (modified) (2 diffs)

trunk/src/VBox/ValidationKit/testdriver/vbox.py

@@ -2509 +2509 @@
                      sIommuType = 'none',
                      sDvdControllerType = 'IDE Controller',
-                     sCom1RawFile = None):
+                     sCom1RawFile = None,
+                     fSecureBoot = False,
+                     sUefiMokPathPrefix = None):
         """
         Creates a test VM with a immutable HD from the test resources.
@@ -2567 +2569 @@
             elif fRc and sFirmwareType == 'efi':
                 fRc = oSession.setFirmwareType(vboxcon.FirmwareType_EFI);
+                if fRc and self.fpApiVer >= 7.0 and fSecureBoot:
+                    fRc = oSession.enableSecureBoot(fSecureBoot, sUefiMokPathPrefix);
             if fRc and self.fEnableDebugger:
                 fRc = oSession.setExtraData('VBoxInternal/DBGC/Enabled', '1');

trunk/src/VBox/ValidationKit/testdriver/vboxtestvms.py

@@ -973 +973 @@
                  sIommuType = 'none',                       # type: str
                  sHddControllerType = 'IDE Controller',     # type: str
-                 sDvdControllerType = 'IDE Controller'      # type: str
+                 sDvdControllerType = 'IDE Controller',     # type: str
+                 fSecureBoot = False,                       # type: bool
+                 sUefiMokPathPrefix = None                  # type: str
                  ):
         self.oSet                    = oSet;
@@ -1001 +1003 @@
         self.fCom1RawFile            = False;
 
+        self.fSecureBoot             = fSecureBoot;
+        self.sUefiMokPathPrefix      = sUefiMokPathPrefix;
+
         self.fSnapshotRestoreCurrent = False;        # Whether to restore execution on the current snapshot.
         self.fSkip                   = False;        # All VMs are included in the configured set by default.
@@ -1198 +1203 @@
                                      sChipsetType       = self.sChipsetType,
                                      sIommuType         = self.sIommuType,
-                                     sCom1RawFile       = self.sCom1RawFile if self.fCom1RawFile else None
+                                     sCom1RawFile       = self.sCom1RawFile if self.fCom1RawFile else None,
+                                     fSecureBoot        = self.fSecureBoot,
+                                     sUefiMokPathPrefix = self.sUefiMokPathPrefix
                                      );
 
@@ -1950 +1957 @@
                sKind = 'Oracle_64', acCpusSup = range(1, 33), fIoApic = True, sFirmwareType = 'efi',
                asParavirtModesSup = [g_ksParavirtProviderKVM,]),
+        TestVm('tst-ol-8_1-64-efi-sb',      kfGrpStdSmoke,        sHd = '6.1/efi/ol-8_1-efi-amd64-2.vdi',
+               sKind = 'Oracle_64', acCpusSup = range(1, 33), fIoApic = True, sFirmwareType = 'efi',
+               asParavirtModesSup = [g_ksParavirtProviderKVM,], fSecureBoot = True, sUefiMokPathPrefix = '7.0/mok/vbox-test-MOK'),
         TestVm('tst-ol-6u2-32',             kfGrpStdSmoke,        sHd = '6.1/ol-6u2-x86.vdi',
                sKind = 'Oracle',    acCpusSup = range(1, 33), fIoApic = True,
@@ -1956 +1966 @@
                sKind = 'Ubuntu_64', acCpusSup = range(1, 33), fIoApic = True, sFirmwareType = 'efi',
                asParavirtModesSup = [g_ksParavirtProviderKVM,]),
+        TestVm('tst-ubuntu-15_10-64-efi-sb', kfGrpStdSmoke,       sHd = '6.1/efi/ubuntu-15_10-efi-amd64-3.vdi',
+               sKind = 'Ubuntu_64', acCpusSup = range(1, 33), fIoApic = True, sFirmwareType = 'efi',
+               asParavirtModesSup = [g_ksParavirtProviderKVM,], fSecureBoot = True, sUefiMokPathPrefix = '7.0/mok/vbox-test-MOK'),
         # Note: Deprecated / buggy; use the one in the 6.1 folder.
         #TestVm('tst-ubuntu-15_10-64-efi',   kfGrpStdSmoke,        sHd = '4.2/efi/ubuntu-15_10-efi-amd64.vdi',

trunk/src/VBox/ValidationKit/testdriver/vboxwrappers.py

@@ -45 +45 @@
 import socket;
 import sys;
+import uuid;
 
 # Validation Kit imports.
@@ -1229 +1230 @@
             reporter.log('set firmwareType=%s for "%s"' % (eType, self.sName));
         self.oTstDrv.processPendingEvents();
+        return fRc;
+
+    def enableSecureBoot(self, fEnable, sUefiMokPathPrefix = None):
+        """
+        Enables or disables Secure Boot. Error information is logged.
+        """
+
+        if self.fpApiVer >= 7.0:
+
+            fRc = True;
+            try:
+                self.o.machine.nonVolatileStore.initUefiVariableStore(0);
+
+                # Enroll necessary keys and signatures in case if Secure Boot needs to be turned ON.
+                if fEnable:
+                    self.o.machine.nonVolatileStore.uefiVariableStore.enrollDefaultMsSignatures();
+                    self.o.machine.nonVolatileStore.uefiVariableStore.enrollOraclePlatformKey();
+                    if sUefiMokPathPrefix is not None:
+                        sFullName = self.oTstDrv.getFullResourceName(sUefiMokPathPrefix) + '.der';
+                        with open(sFullName, "rb") as f:
+                            self.o.machine.nonVolatileStore.uefiVariableStore.addSignatureToMok(bytearray(f.read()), uuid.uuid4().hex, vboxcon.SignatureType_X509);
+
+                self.o.machine.nonVolatileStore.uefiVariableStore.secureBootEnabled = fEnable;
+            except:
+                reporter.errorXcpt('failed to change Secure Boot to %s for "%s"' % (fEnable, self.sName));
+                fRc = False;
+            else:
+                reporter.log('changed Secure Boot to %s for "%s"' % (fEnable, self.sName));
+            self.oTstDrv.processPendingEvents();
+
+        else:
+            reporter.log('Secure Boot is only supported for API 7.0 or newer');
+            fRc = False;
+
         return fRc;