|
2 | 2 |
|
3 | 3 | import logging |
4 | 4 |
|
5 | | -from lib.efi import SB_CERTS, EFIAuth |
| 5 | +from lib.commands import SSHCommandFailed |
| 6 | +from lib.efi import EFI_AT_ATTRS, EFI_VARIABLE_APPEND_WRITE, SB_CERTS, EFIAuth, image_security_database_guid |
6 | 7 | from lib.vm import VM |
7 | 8 |
|
8 | 9 | from .utils import ( |
@@ -87,6 +88,38 @@ def test_sb_off_really_means_off(self, uefi_vm): |
87 | 88 | logging.info("Check that SB is NOT enabled according to the OS.") |
88 | 89 | assert not vm.booted_with_secureboot() |
89 | 90 |
|
| 91 | + def test_append_with_default(self, uefi_vm: VM): |
| 92 | + vm = uefi_vm |
| 93 | + vm.host.pool.clear_custom_uefi_certs() |
| 94 | + vm.set_uefi_user_mode() |
| 95 | + vm.set_variable_from_file( |
| 96 | + SB_CERTS.dbx_hashes_ms_amd64(), |
| 97 | + image_security_database_guid, |
| 98 | + "dbx", |
| 99 | + EFI_AT_ATTRS | EFI_VARIABLE_APPEND_WRITE, |
| 100 | + ) |
| 101 | + vm.start() |
| 102 | + vm.wait_for_vm_running_and_ssh_up() |
| 103 | + |
| 104 | + def test_append_with_poison(self, uefi_vm: VM): |
| 105 | + vm = uefi_vm |
| 106 | + vm.host.pool.clear_custom_uefi_certs() |
| 107 | + vm.set_uefi_user_mode() |
| 108 | + vm.set_variable_from_file(SB_CERTS.dbx_poison(), image_security_database_guid, "dbx", EFI_AT_ATTRS) |
| 109 | + try: |
| 110 | + vm.set_variable_from_file( |
| 111 | + SB_CERTS.dbx_hashes_ms_amd64(), |
| 112 | + image_security_database_guid, |
| 113 | + "dbx", |
| 114 | + EFI_AT_ATTRS | EFI_VARIABLE_APPEND_WRITE, |
| 115 | + ) |
| 116 | + except SSHCommandFailed: |
| 117 | + # Appending the MS dbx may succeed or fail, doesn't matter, as appending the poison may not necessarily take |
| 118 | + # dbx over the DATA_LIMIT. The important thing is that the VM boots up following this append attempt. |
| 119 | + pass |
| 120 | + vm.start() |
| 121 | + vm.wait_for_vm_running_and_ssh_up() |
| 122 | + |
90 | 123 |
|
91 | 124 | @pytest.mark.usefixtures("host_at_least_8_3") |
92 | 125 | @pytest.mark.usefixtures("windows_vm") |
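Review bot: The `except SSHCommandFailed: pass` at new lines 116–119 in test_append_with_poison discards the error, so a failure for a reason other than the dbx exceeding DATA_LIMIT (wrong attributes, a malformed file, a transient SSH problem) takes the same silent path as the expected one and the test still passes as long as the VM boots. Binding and logging the exception keeps the test's intent while leaving a trace of which branch ran, consistent with the `logging.info` calls the surrounding tests use: `except SSHCommandFailed as e:` followed by `logging.info("Appending MS dbx after poison failed (acceptable if dbx would exceed DATA_LIMIT): %s", e)`. Both new tests would also benefit from a one-line docstring stating what each checks — roughly, for test_append_with_default, "Appending the MS dbx hashes to the default dbx with EFI_VARIABLE_APPEND_WRITE must leave the VM bootable", and for test_append_with_poison the same after a poisoned dbx has been written — since neither asserts anything beyond `wait_for_vm_running_and_ssh_up()`. Whether the uefi_vm fixture restores the host's custom certs after `clear_custom_uefi_certs()` is not visible here; if it does not, the tests should restore them themselves.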
|