From 8a77b11fc88de405eb58dfec7241d9b8bbe6d9cc Mon Sep 17 00:00:00 2001
From: Ashwin Gopalan
Date: Fri, 18 Aug 2023 15:44:14 -0700
Subject: [PATCH 1/2] Initial additions for arm64 harness

The harness now works on an arm64 vm. Tried to maintain compatibility on x86 as well, however, there seems to be a buffer decoding issue when running on an x86 platform.
---
 test/collect-firmwares | 24 ++++++++-----
 test/get-krd | 2 +-
 test/harness | 81 ++++++++++++++++++++++++++++++++++++++----
 3 files changed, 91 insertions(+), 16 deletions(-)

diff --git a/test/collect-firmwares b/test/collect-firmwares
index ccf3118..969422c 100755
--- a/test/collect-firmwares
+++ b/test/collect-firmwares
@@ -12,7 +12,7 @@ EOF
 info() {
 echo "release: $REL"
 echo "packages:"
- for p in ovmf shim-signed ; do
+ for p in ovmf shim-signed qemu-system-arm qemu-efi-aarch64 ; do
 v=$(dpkg-query --show --showformat='${Version}' "$p") ||
 fail "failed to get version for $p"
 echo " $p: \"$v\""
@@ -39,7 +39,7 @@ if [ "$install" = "true" ]; then
 apt-get update --quiet || fail "apt-get update failed."
 apt-get install --quiet \
 --assume-yes --no-install-recommends \
- ovmf shim-signed ||
+ ovmf shim-signed qemu-system-arm qemu-efi-aarch64 ||
 fail "failed install deps"
 else
 echo "skipping install"
@@ -53,13 +53,17 @@ set -- "$@" \
 "signing.key|link:PkKek-1-snakeoil.key" \
 "signing.password|text:snakeoil"
 
-bd=/usr/share/OVMF
+ovmfbd=/usr/share/OVMF
+aavmfbd=/usr/share/AAVMF
+
 case "$REL" in
 jammy)
 set -- "$@" \
- "$bd/OVMF_VARS_4M.fd" \
- "$bd/OVMF_CODE_4M.secboot.fd" \
- "$bd/OVMF_VARS_4M.snakeoil.fd" \
+ "$ovmfbd/OVMF_VARS_4M.fd" \
+ "$ovmfbd/OVMF_CODE_4M.secboot.fd" \
+ "$ovmfbd/OVMF_VARS_4M.snakeoil.fd" \
+ "$aavmfbd/AAVMF_VARS.fd" \
+ "$aavmfbd/AAVMF_CODE.ms.fd" \
 "ovmf-insecure-code.fd|link:OVMF_CODE_4M.secboot.fd" \
 "ovmf-insecure-vars.fd|link:OVMF_VARS_4M.fd" \
 "ovmf-secure-code.fd|link:OVMF_CODE_4M.secboot.fd" \
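Review bot: The jammy case collects only `AAVMF_VARS.fd` and `AAVMF_CODE.ms.fd`, while the harness defaults added in test/harness look for `AAVMF_VARS.snakeoil.fd` or `AAVMF_VARS.ms.fd` for aavmf-secure-vars and `AAVMF_CODE.fd` for aavmf-insecure-code, and there are no `aavmf-*.fd|link:...` entries mirroring the `ovmf-*` links below, so a firmware directory produced by this script cannot satisfy the new aarch64 arguments. Adding the missing images plus `aavmf-secure-code.fd|link:...`, `aavmf-secure-vars.fd|link:...`, `aavmf-insecure-code.fd|link:...` and `aavmf-insecure-vars.fd|link:...` entries in the same shape as the ovmf ones would keep the two scripts in step; the focal case in the next hunk has the same gap. Which AAVMF files a given release actually ships is not visible here and should be checked on the target release before wiring the names in.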
@@ -67,9 +71,11 @@ case "$REL" in
 ;;
 focal)
 set -- "$@" \
- "$bd/OVMF_VARS.fd" \
- "$bd/OVMF_CODE.secboot.fd" \
- "$bd/OVMF_VARS.snakeoil.fd" \
+ "$ovmfbd/OVMF_VARS.fd" \
+ "$ovmfbd/OVMF_CODE.secboot.fd" \
+ "$ovmfbd/OVMF_VARS.snakeoil.fd" \
+ "$aavmfbd/AAVMF_VARS.fd" \
+ "$aavmfbd/AAVMF_CODE.ms.fd" \
 "ovmf-insecure-code.fd|link:OVMF_CODE.secboot.fd" \
 "ovmf-insecure-vars.fd|link:OVMF_VARS.fd" \
 "ovmf-secure-code.fd|link:OVMF_CODE.secboot.fd" \
diff --git a/test/get-krd b/test/get-krd
index fe6382a..e449d2e 100755
--- a/test/get-krd
+++ b/test/get-krd
@@ -3,7 +3,7 @@ set -o pipefail
 
 TEMP_D=""
 CIRROS_VERSION=${CIRROS_VERSION:-0.6.0}
-CIRROS_ARCH=${CIRROS_ARCH:-x86_64}
+CIRROS_ARCH=$(uname -m)
 CIRROS_MIRROR="http://download.cirros-cloud.net/"
 
 Usage() {
diff --git a/test/harness b/test/harness
index b7cd890..35dc0cb 100755
--- a/test/harness
+++ b/test/harness
@@ -17,6 +17,7 @@ import tempfile
 import textwrap
 import time
 import yaml
+import platform
 
 
 MODE_NVRAM = 'nvram'
@@ -26,6 +27,7 @@ TEST_EXECUTED = "executed"
 TMP_PREFIX = "stubbytest."
 
 STARTUP_NSH_UEFI_SHELL = r"""setvar SecureBoot
+setvar SHIM_VERBOSE -guid 605dab50-e046-4300-abb6-3dd810dd8b23 -bs =1
 fs0:
 cd fs0:\efi\boot
 launch.nsh
@@ -33,6 +35,7 @@ reset -s "exited with %lasterror%"
 """
 
 STARTUP_NSH_NVRAM = r"""setvar SecureBoot
+setvar SHIM_VERBOSE -guid 605dab50-e046-4300-abb6-3dd810dd8b23 -bs =1
 fs0:
 cd fs0:\efi\boot
 bcfg boot rm 00
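Review bot: `CIRROS_ARCH=$(uname -m)` drops the environment override that `${CIRROS_ARCH:-x86_64}` provided, so a caller can no longer request an image for an architecture other than the build host; `CIRROS_ARCH=${CIRROS_ARCH:-$(uname -m)}` keeps the new default and the override. Note also that `uname -m` reports the kernel's machine name, which happens to match the cirros naming for x86_64 and aarch64 but is not guaranteed to for other hosts, so keeping the override is also the escape hatch for those.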
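Review bot: Both startup scripts now set `SHIM_VERBOSE` unconditionally, in this hunk and in the `STARTUP_NSH_NVRAM` hunk that follows, which is a debugging aid rather than part of the test and is not mentioned in the commit message. If it is meant to stay, a short comment in the Python source above the string, e.g. `# 605dab50-… is the shim lock GUID; SHIM_VERBOSE makes shim print its verification steps on the console`, would save the next reader a lookup; otherwise consider gating it on a verbose/debug option of the harness. If the harness inspects the guest console output, the extra shim output could also change what the checks see, which is worth confirming on both architectures.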
@@ -288,11 +291,11 @@ def _check_run_args(cliargs):
 ("stubby", "stubby.efi", None),
 ("sbat", "sbat.csv", None),
 ("shim", "shim.efi",
- lambda: first_file("/usr/lib/shim/shimx64.efi")),
+ lambda: first_file("usr/lib/shim/shimx64.efi", "/usr/lib/shim/shimaa64.efi",)),
 ("signing_key", "signing.key",
- lambda: first_file("/usr/share/ovmf/PkKek-1-snakeoil.key")),
+ lambda: first_file("/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.key")),
 ("signing_cert", "signing.pem",
- lambda: first_file("/usr/share/ovmf/PkKek-1-snakeoil.pem")),
+ lambda: first_file("/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.pem")),
 ("ovmf_secure_code", "ovmf-secure-code.fd",
 lambda: first_file(
 "/usr/share/OVMF/OVMF_CODE_4M.snakeoil.fd",
@@ -313,6 +316,24 @@ def _check_run_args(cliargs):
 "/usr/share/OVMF/OVMF_VARS_4M.fd",
 "/usr/share/OVMF/OVMF_VARS.fd",
 )),
+ ("aavmf_secure_code", "aavmf-secure-code.fd",
+ lambda: first_file(
+ "/usr/share/AAVMF/AAVMF_CODE.snakeoil.fd",
+ "/usr/share/AAVMF/AAVMF_CODE.ms.fd",
+ )),
+ ("aavmf_secure_vars", "aavmf-secure-vars.fd",
+ lambda: first_file(
+ "/usr/share/AAVMF/AAVMF_VARS.snakeoil.fd",
+ "/usr/share/AAVMF/AAVMF_VARS.ms.fd",
+ )),
+ ("aavmf_insecure_vars", "aavmf-insecure-vars.fd",
+ lambda: first_file(
+ "/usr/share/AAVMF/AAVMF_VARS.fd"
+ )),
+ ("aavmf_insecure_code", "aavmf-insecure-code.fd",
+ lambda: first_file(
+ "/usr/share/AAVMF/AAVMF_CODE.fd",
+ )),
 )
 
 errors = []
@@ -338,7 +359,7 @@ def _check_run_args(cliargs):
 
 # for these paths, we know passwords.
 known_passwords = {
- "/usr/share/ovmf/PkKek-1-snakeoil.key": "snakeoil",
+ "/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.key": "snakeoil",
 }
 # signing_pass is either a file in /signing.password or password as a string.
 if cliargs.signing_pass is None:
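Review bot: The four `aavmf_*` entries added here appear to be resolved by the same loop that reports `did not find value for <name>` into `errors` (the `errors.append(...)` line is visible in the second patch's hunk at -358), so an x86 host without qemu-efi-aarch64 installed, and symmetrically an aarch64 host without OVMF, now fails argument checking even though the qemu command only ever uses one firmware family. Requiring the aavmf group only when `platform.machine() == "aarch64"` and the ovmf group only otherwise (or treating a missing file as an error only for the active family) would keep the x86 path working. Style nit: `first_file("/usr/share/AAVMF/AAVMF_VARS.fd")` is the one call without the trailing comma its siblings use. `_check_run_args` continues outside the hunk.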
@@ -400,6 +421,18 @@ def _add_run_args(s):
 (("--work-dir",),
 {"action": "store", "default": None,
 "help": "Use provided dir for working directory"}),
+ (("--aavmf-secure-code",),
+ {"action": "store", "help": "aavmf-secure-code [/aavmf-secure-code.fd]"}),
+ (("--aavmf-insecure-code",),
+ {"action": "store", "help": "aavmf-insecure-code [/aavmf-insecure-code.fd]"}),
+ (("--aavmf-secure-vars",),
+ {"action": "store",
+ "help": (
+ "aavmf-vars for secure boot. Must allow execution of code signed"
+ "by provided signing-key [/aavmf-secure-vars.fd]")}),
+ (("--aavmf-insecure-vars",),
+ {"action": "store",
+ "help": ("aavmf-vars for insecure boot. [/aavmf-insecure-vars.fd]")}),
 )
 
 for args, kwargs in runargs:
@@ -671,6 +704,14 @@ class Runner:
 cliargs.ovmf_secure_code, "ovmf-secure-code.fd")
 self.ovmf_insecure_code = self._to_workd(
 cliargs.ovmf_insecure_code, "ovmf-insecure-code.fd")
+ self.aavmf_secure_vars = self._to_workd(
+ cliargs.aavmf_secure_vars, "aavmf-secure-vars.fd")
+ self.aavmf_insecure_vars = self._to_workd(
+ cliargs.aavmf_insecure_vars, "aavmf-insecure-vars.fd")
+ self.aavmf_secure_code = self._to_workd(
+ cliargs.aavmf_secure_code, "aavmf-secure-code.fd")
+ self.aavmf_insecure_code = self._to_workd(
+ cliargs.aavmf_insecure_code, "aavmf-insecure-code.fd")
 self.signing_key_in = cliargs.signing_key
 self.signing_cert = self._to_workd(cliargs.signing_cert, "signing.pem")
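Review bot: The implicit string concatenation in the `--aavmf-secure-vars` help text yields "code signedby provided signing-key" because the first fragment has no trailing space; change it to `"aavmf-vars for secure boot. Must allow execution of code signed "`. The parentheses around the single-fragment `--aavmf-insecure-vars` help are unnecessary and can be dropped for consistency with the two entries above it.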
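Review bot: The four `self.aavmf_*` assignments run on every host, so on an x86 run `_to_workd` is handed the aarch64 firmware paths (or whatever `cliargs.aavmf_*` holds when they were not found) even though only the ovmf family is consumed; `_to_workd`'s body is outside the hunk, so whether it tolerates a missing or None source cannot be seen here. Choosing the firmware family once from `platform.machine()` at this point, and storing a single secure/insecure code and vars pair, would also remove the duplicated `if platform.machine()` branch that the later hunk of this patch adds to the qemu command construction. The enclosing method starts and ends outside the hunk.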
@@ -780,6 +821,17 @@ class Runner:
 signing_key=self.signing_key, signing_cert=self.signing_cert,
 cmdline_builtin=testdata["builtin"], runtime_cli=testdata["runtime"])
 
+ acode_src = self.aavmf_secure_code
+ avars_src = self.aavmf_secure_vars
+ avars = path_join(run_d, "aavmf-vars.fd")
+ if not testdata["sb"]:
+ acode_src = self.aavmf_insecure_code
+ avars_src = self.aavmf_insecure_vars
+
+ shutil.copyfile(avars_src, avars)
+ rel_avars = os.path.basename(avars)
+ rel_acode_src = path_join("..", os.path.basename(acode_src))
+
 ocode_src = self.ovmf_secure_code
 ovars_src = self.ovmf_secure_vars
 ovars = path_join(run_d, "ovmf-vars.fd")
@@ -793,7 +845,24 @@ class Runner:
 rel_esp = os.path.basename(esp)
 tpmd = "./tpm"
- cmd_base = [
+ if platform.machine() == "aarch64":
+ cmd_base = [
+ "qemu-system-aarch64",
+ "-M", "virt" + (",accel=kvm" if self.kvm else ""),
+ "-cpu", "host",
+ "-m", "4096",
+ "-nic", "none",
+ "-drive", f"if=pflash,format=raw,file={rel_acode_src},readonly=on",
+ # snapshot=on {rel_ovars} so debug with 'boot' will take the full path
+ # rather than shortcutting out the setting of nvram in MODE_NVRAM
+ "-drive", f"if=pflash,format=raw,file={rel_avars},snapshot=on",
+ "-drive", f"file={rel_esp},id=disk00,if=none,format=raw,index=0,snapshot=on",
+ "-device", "virtio-blk,drive=disk00,serial=esp-image",
+ "-chardev", "socket,id=chrtpm,path=" + path_join(tpmd, "socket"),
+ "-tpmdev", "emulator,id=tpm0,chardev=chrtpm",
+ "-device", "tpm-tis-device,tpmdev=tpm0"]
+ elif (platform.machine() == "x86_64" or platform.machine() == "x86_64"):
+ cmd_base = [
 "qemu-system-x86_64",
 "-M", "q35,smm=on" + (",accel=kvm" if self.kvm else ""),
 "-m", "256",
@@ -1034,4 +1103,4 @@ def main():
 
 
 if __name__ == "__main__":
- sys.exit(main())
+ sys.exit(main())
\ No newline at end of file
From 3ed67b421d8827bbf6eba3dc0f00d077afd51f27 Mon Sep 17 00:00:00 2001
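Review bot: `shutil.copyfile(avars_src, avars)` runs on every host, so an x86 run copies the aarch64 vars image into the run directory (or raises FileNotFoundError/TypeError if the `self.aavmf_*` attributes were never resolved) even though only the ovmf block below is consumed, and the ovmf copy has the mirror-image problem on aarch64. Guard the new block with `if platform.machine() == "aarch64":` and put the existing ovmf selection and copy (which starts in the context lines here and continues outside the hunk) under the matching `else:`, or select a single code/vars pair once and copy only that. The enclosing method starts and ends outside the hunk.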
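Review bot: `"-cpu", "host"` is only accepted by qemu-system-aarch64 when KVM is the accelerator, but `accel=kvm` is appended only `if self.kvm`, so the TCG fall-back path will fail to start the guest; `"-cpu", "host" if self.kvm else "max"` keeps the command consistent with the accelerator. Separately, when `platform.machine()` matches neither branch `cmd_base` is never bound and its later use raises UnboundLocalError; a final `else: raise RuntimeError(f"unsupported host machine: {platform.machine()}")` turns that into a clear failure. The second patch's hunk at -861 rewrites the `elif` condition but leaves both points as they are; the enclosing method continues outside the hunk.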
From: Ashwin Gopalan
Date: Fri, 18 Aug 2023 15:58:36 -0700
Subject: [PATCH 2/2] Use ovmf snakeoil for x86 and efi-aarch64 snakeoil for aarch64

Signed-off-by: Ashwin Gopalan
---
 test/harness | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/test/harness b/test/harness
index 35dc0cb..decaaf5 100755
--- a/test/harness
+++ b/test/harness
@@ -291,11 +291,11 @@ def _check_run_args(cliargs):
 ("stubby", "stubby.efi", None),
 ("sbat", "sbat.csv", None),
 ("shim", "shim.efi",
- lambda: first_file("usr/lib/shim/shimx64.efi", "/usr/lib/shim/shimaa64.efi",)),
+ lambda: first_file("/usr/lib/shim/shimx64.efi", "/usr/lib/shim/shimaa64.efi",)),
 ("signing_key", "signing.key",
- lambda: first_file("/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.key")),
+ lambda: first_file("/usr/share/ovmf/PkKek-1-snakeoil.key", "/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.key")),
 ("signing_cert", "signing.pem",
- lambda: first_file("/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.pem")),
+ lambda: first_file("/usr/share/ovmf/PkKek-1-snakeoil.pem", "/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.pem")),
 ("ovmf_secure_code", "ovmf-secure-code.fd",
 lambda: first_file(
 "/usr/share/OVMF/OVMF_CODE_4M.snakeoil.fd",
@@ -358,9 +358,14 @@ def _check_run_args(cliargs):
 errors.append("did not find value for " + fname)
 
 # for these paths, we know passwords.
- known_passwords = {
- "/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.key": "snakeoil",
- }
+ if platform.machine() == "aarch64":
+ known_passwords = {
+ "/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.key": "snakeoil",
+ }
+ elif (platform.machine() == "x86_64" or platform.machine() == "amd64"):
+ known_passwords = {
+ "/usr/share/ovmf/PkKek-1-snakeoil.key": "snakeoil",
+ }
 # signing_pass is either a file in /signing.password or password as a string.
 if cliargs.signing_pass is None:
 if idir is not None:
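Review bot: `known_passwords` is only bound inside the `if`/`elif` branches, so for any other `platform.machine()` value the lookup that presumably follows in the `signing_pass is None` path raises NameError instead of a clear message. The table is keyed by the resolved key path and `first_file` in the hunk above already picks whichever snakeoil key exists, so the architecture branch is unnecessary: a single dict holding both `"/usr/share/ovmf/PkKek-1-snakeoil.key": "snakeoil",` and `"/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.key": "snakeoil",` works on both hosts and can never be unbound. If the branch is kept, initialise `known_passwords = {}` before it. `_check_run_args` continues outside the hunk.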
@@ -861,7 +866,7 @@ class Runner:
 "-chardev", "socket,id=chrtpm,path=" + path_join(tpmd, "socket"),
 "-tpmdev", "emulator,id=tpm0,chardev=chrtpm",
 "-device", "tpm-tis-device,tpmdev=tpm0"]
- elif (platform.machine() == "x86_64" or platform.machine() == "x86_64"):
+ elif (platform.machine() == "x86_64" or platform.machine() == "amd64"):
 cmd_base = [
 "qemu-system-x86_64",
 "-M", "q35,smm=on" + (",accel=kvm" if self.kvm else ""),
@@ -1103,4 +1108,4 @@ def main():
 
 
 if __name__ == "__main__":
- sys.exit(main())
\ No newline at end of file
+ sys.exit(main())