mirror of
https://gitlab.com/libvirt/libvirt.git
tests: Fix firmware descriptor masking test
Right now we're checking that firmware descriptor masking works as intended by creating an empty file matching 60-ovmf-sb.json in name. However, that firmware descriptor contains the details for a perfectly valid and quite common situation: Secure Boot being supported by the firmware build, but being effectively disabled by the lack of certificates in the NVRAM template. Unmask that firmware descriptor, and instead create a dummy one that has higher priority than all other OVMF builds and points to paths that are obviously incorrect, which should make it easy to notice it getting accidentally unmasked in the future. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
parent
bf6a6f90a9
commit
3030010fa9
@ -0,0 +1,37 @@
|
|||||||
|
{
|
||||||
|
"description": "bad firmware used to test descriptor masking",
|
||||||
|
"interface-types": [
|
||||||
|
"uefi"
|
||||||
|
],
|
||||||
|
"mapping": {
|
||||||
|
"device": "flash",
|
||||||
|
"mode": "split",
|
||||||
|
"executable": {
|
||||||
|
"filename": "/bad/executable/should/have/been/masked.fd",
|
||||||
|
"format": "raw"
|
||||||
|
},
|
||||||
|
"nvram-template": {
|
||||||
|
"filename": "/bad/nvram/template/should/have/been/masked.fd",
|
||||||
|
"format": "raw"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"targets": [
|
||||||
|
{
|
||||||
|
"architecture": "x86_64",
|
||||||
|
"machines": [
|
||||||
|
"pc-*",
|
||||||
|
"pc-q35-*"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"features": [
|
||||||
|
"acpi-s3",
|
||||||
|
"amd-sev",
|
||||||
|
"requires-smm",
|
||||||
|
"secure-boot",
|
||||||
|
"verbose-dynamic"
|
||||||
|
],
|
||||||
|
"tags": [
|
||||||
|
|
||||||
|
]
|
||||||
|
}
|
@ -72,6 +72,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED)
|
|||||||
PREFIX "/share/qemu/firmware/45-ovmf-sev-stateless.json",
|
PREFIX "/share/qemu/firmware/45-ovmf-sev-stateless.json",
|
||||||
PREFIX "/share/qemu/firmware/50-ovmf-sb-keys.json",
|
PREFIX "/share/qemu/firmware/50-ovmf-sb-keys.json",
|
||||||
PREFIX "/share/qemu/firmware/55-ovmf-sb-combined.json",
|
PREFIX "/share/qemu/firmware/55-ovmf-sb-combined.json",
|
||||||
|
PREFIX "/share/qemu/firmware/60-ovmf-sb.json",
|
||||||
PREFIX "/share/qemu/firmware/61-ovmf.json",
|
PREFIX "/share/qemu/firmware/61-ovmf.json",
|
||||||
PREFIX "/share/qemu/firmware/65-ovmf-qcow2.json",
|
PREFIX "/share/qemu/firmware/65-ovmf-qcow2.json",
|
||||||
PREFIX "/share/qemu/firmware/66-aavmf-qcow2.json",
|
PREFIX "/share/qemu/firmware/66-aavmf-qcow2.json",
|
||||||
@ -270,6 +271,7 @@ mymain(void)
|
|||||||
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.secboot.fd:"
|
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.secboot.fd:"
|
||||||
"/usr/share/OVMF/OVMF.sev.fd:NULL:"
|
"/usr/share/OVMF/OVMF.sev.fd:NULL:"
|
||||||
"/usr/share/OVMF/OVMF.secboot.fd:NULL:"
|
"/usr/share/OVMF/OVMF.secboot.fd:NULL:"
|
||||||
|
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:"
|
||||||
"/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd:"
|
"/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd:"
|
||||||
"/usr/share/OVMF/OVMF_CODE.qcow2:/usr/share/OVMF/OVMF_VARS.qcow2",
|
"/usr/share/OVMF/OVMF_CODE.qcow2:/usr/share/OVMF/OVMF_VARS.qcow2",
|
||||||
VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS,
|
VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS,
|
||||||
|
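Review bot: The added expectation `"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:"` in the mymain hunk carries no comment, and next to the existing `OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.secboot.fd` pair it reads like a copy-paste slip that a later cleanup could "correct". A comment above it, such as `/* Secure Boot capable build, NVRAM template without enrolled keys */`, would record that the mix is intentional; going by the commit message this appears to be the entry described by `60-ovmf-sb.json`, which the testFWPrecedence hunk now lists. The same pairing is presumably why the expected XML and command line later in this commit gain `secure='yes'` and `smm=on` while the NVRAM template stays `OVMF_VARS.fd`, so those outputs should not be read as Secure Boot being enforced. Both hunks sit inside a larger list or call whose start and end are outside the visible lines.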
@ -10,13 +10,14 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \
|
|||||||
-name guest=guest,debug-threads=on \
|
-name guest=guest,debug-threads=on \
|
||||||
-S \
|
-S \
|
||||||
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
|
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
|
||||||
-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
|
-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||||
-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
|
-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
|
||||||
-blockdev '{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \
|
-blockdev '{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||||
-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \
|
-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \
|
||||||
-machine pc-q35-4.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,acpi=on \
|
-machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,acpi=on \
|
||||||
-accel kvm \
|
-accel kvm \
|
||||||
-cpu qemu64 \
|
-cpu qemu64 \
|
||||||
|
-global driver=cfi.pflash01,property=secure,value=on \
|
||||||
-m 1024 \
|
-m 1024 \
|
||||||
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \
|
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \
|
||||||
-overcommit mem-lock=off \
|
-overcommit mem-lock=off \
|
||||||
|
@ -6,12 +6,13 @@
|
|||||||
<vcpu placement='static'>1</vcpu>
|
<vcpu placement='static'>1</vcpu>
|
||||||
<os>
|
<os>
|
||||||
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
|
<type arch='x86_64' machine='pc-q35-4.0'>hvm</type>
|
||||||
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
|
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
|
||||||
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
|
<nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
|
||||||
<boot dev='hd'/>
|
<boot dev='hd'/>
|
||||||
</os>
|
</os>
|
||||||
<features>
|
<features>
|
||||||
<acpi/>
|
<acpi/>
|
||||||
|
<smm state='on'/>
|
||||||
</features>
|
</features>
|
||||||
<cpu mode='custom' match='exact' check='none'>
|
<cpu mode='custom' match='exact' check='none'>
|
||||||
<model fallback='forbid'>qemu64</model>
|
<model fallback='forbid'>qemu64</model>
|
||||||
|