autotest · XueqiangWei · Sep 27, 2024 · Sep 19, 2024
diff --git a/qemu/tests/cfg/edk2_check_mor.cfg b/qemu/tests/cfg/edk2_check_mor.cfg
@@ -0,0 +1,18 @@
+- edk2_check_mor:
+    only q35
+    only ovmf
+    only Linux
+    start_vm = no
+    type = edk2_check_mor
+    no Host_RHEL.m7 Host_RHEL.m8 Host_RHEL.m9.u0 Host_RHEL.m9.u1 Host_RHEL.m9.u2 Host_RHEL.m9.u3 Host_RHEL.m9.u4
+    restore_ovmf_vars = yes
+    backup_image_before_testing = yes
+    restore_image_after_testing = yes
+    package_installed = virt-firmware
+    cmd_installed = virt-fw-vars
+    check_mor_cmd = '${cmd_installed} -i %s -p'
+    image_copy_on_error = no
+    check_sign_cmd = 'pesign --show-signature -i %s'
+    check_secure_boot_enabled_cmd = 'dmesg | grep -i "Secure boot enabled"'
+    sign_keyword = ' Red Hat Secure Boot (\(signing key 1\)|Signing 501)'
+    mor_msg = 'MemoryOverwriteRequestControl MemoryOverwriteRequestControlLock'
diff --git a/qemu/tests/edk2_check_mor.py b/qemu/tests/edk2_check_mor.py
@@ -0,0 +1,85 @@
+import re
+from virttest import env_process
+from virttest import error_context
+from virttest import utils_misc
+from virttest import utils_package
+from avocado.utils import process
+from avocado.utils.path import find_command
+from avocado.utils.path import CmdNotFoundError
+
+
+@error_context.context_aware
+def run(test, params, env):
+    """
+    Verify MOR enabled in edk2 build
+
+    1. Boot guest under secure mode and check if the guest is signed
+    2. Check if secure boot is enabled inside guest
+    3. Reboot and shutdown the guest
+    4. Check MOR message after shutdown the guest
+
+    :param test: Kvm test object
+    :param params: Dictionary with the test parameters
+    :param env: Dictionary with test environment.
+    """
+
+    def _check_signed():
+        """ Check and return if guest is signed """
+        return True if re.search(sign_keyword, sign_info) else False
+
+    package = params["package_installed"]
+    install_status = utils_package.package_install(package)
+    if not install_status:
+        test.error(f"Failed to install {package}.")
+    try:
+        find_command(params["cmd_installed"])
+    except CmdNotFoundError as e:
+        test.error(str(e))
+    params['ovmf_vars_filename'] = 'OVMF_VARS.secboot.fd'
+    env_process.preprocess_vm(test, params, env, params['main_vm'])
+    vm = env.get_vm(params['main_vm'])
+    vm.create(params=params)
+    vm.verify_alive()
+    session = vm.wait_for_login()
+    check_sign_cmd = params['check_sign_cmd']
+    sign_keyword = params['sign_keyword']
+    if session.cmd_status('which pesign') != 0:
+        install_status = utils_package.package_install('pesign', session)
+    if not install_status:
+        test.error("Failed to install pesign.")
+    error_context.context('Check whether secure boot has been enabled.',
+                          test.log.info)
+    check_cmd = params['check_secure_boot_enabled_cmd']
+    status, output = session.cmd_status_output(check_cmd)
+    if status:
+        test.cancel('Secure boot is not enabled,'
+                    'MOR must run under secure mode')
+    error_context.context('Check whether the guest has been signed.',
+                          test.log.info)
+    vmlinuz = '/boot/vmlinuz-%s' % session.cmd_output('uname -r')
+    check_sign_cmd %= vmlinuz
+    sign_info = session.cmd_output(check_sign_cmd)
+    signed = _check_signed()
+    if not signed:
+        test.fail('The guest is not signed, '
+                  'but boot succeed under secure mode.')
+    session.close()
+    vars_dev = vm.devices.get_by_params({"node-name": "file_ovmf_vars"})[0]
+    ovmf_vars_file = vars_dev.params["filename"]
+    check_mor_cmd = params["check_mor_cmd"] % ovmf_vars_file
+    error_context.context('Reboot and shutdown the guest.', test.log.info)
+    vm.reboot()
+    vm.destroy()
+    if utils_misc.wait_for(vm.is_dead, 180, 1, 1):
+        test.log.info("Guest managed to shutdown cleanly")
+    error_context.context("Check the MOR message by command '%s'."
+                          % check_mor_cmd, test.log.info)
+    status, output = process.getstatusoutput(check_mor_cmd,
+                                             ignore_status=True,
+                                             shell=True)
+    if status:
+        test.fail("Failed to run '%s', the error message is '%s'"
+                  % (check_mor_cmd, output))
+    mor_msg_list = params.get_list("mor_msg")
+    if not mor_msg_list[0] in output or not mor_msg_list[1] in output:
+        test.fail("Failed to get MOR message, the output is '%s'" % output)