Add UEFI variable append tests

Fallout from the varstored update.

At the moment, test the following scenarios:
* From the varstored defaults, append MS dbx and verify VM boots
* From the varstored 1.2.0-3.1 defaults, append MS dbx and verify VM
  boots (which implies not having the oversized variable append bug)

Signed-off-by: Tu Dinh <ngoc-tu.dinh@vates.tech>

Author: dinhngtu

contrib/secureboot_objects/DBX/amd64/DBXUpdate.bin

@@ -72,6 +72,12 @@ def db_uefi_2023(self):
     def db_oprom_2023(self):
         return str(self._prefix / "secureboot_objects/DB/Certificates/microsoft option rom uefi ca 2023.der")
 
+    def dbx_hashes_ms_amd64(self):
+        return str(self._prefix / "secureboot_objects/DBX/amd64/DBXUpdate.bin")
+
+    def dbx_poison(self):
+        return str(self._prefix / "varstored/dbx_poison.auth")
+
 
 SB_CERTS = _SecureBootCertList()
 
@@ -90,7 +96,9 @@ def as_str(self):
 image_security_database_guid = GUID('d719b2cb-3d3a-4596-a3bc-dad00e67656f')
 
 # Variable attributes for time based authentication attrs
+# Refer to https://uefi.org/specs/UEFI/2.11/08_Services_Runtime_Services.html#getvariable
 EFI_AT_ATTRS = 0x27
+EFI_VARIABLE_APPEND_WRITE = 0x40
 
 time_seed = datetime.now()
 time_offset = 1

contrib/varstored/dbx_poison.auth

@@ -2,7 +2,8 @@
 
 import logging
 
-from lib.efi import SB_CERTS, EFIAuth
+from lib.commands import SSHCommandFailed
+from lib.efi import EFI_AT_ATTRS, EFI_VARIABLE_APPEND_WRITE, SB_CERTS, EFIAuth, image_security_database_guid
 from lib.vm import VM
 
 from .utils import (
@@ -87,6 +88,45 @@ def test_sb_off_really_means_off(self, uefi_vm):
         logging.info("Check that SB is NOT enabled according to the OS.")
         assert not vm.booted_with_secureboot()
 
+    def test_append_with_default(self, uefi_vm: VM):
+        vm = uefi_vm
+        vm.host.pool.clear_custom_uefi_certs()
+        vm.set_uefi_user_mode()
+        vm.set_variable_from_file(
+            SB_CERTS.dbx_hashes_ms_amd64(),
+            image_security_database_guid,
+            "dbx",
+            EFI_AT_ATTRS | EFI_VARIABLE_APPEND_WRITE,
+        )
+        vm.start()
+        vm.wait_for_vm_running_and_ssh_up()
+
+    def test_append_with_poison(self, uefi_vm: VM):
+        """
+        Context: https://xcp-ng.org/blog/2025/10/30/xcp-ng-8-3-varstored-update-unbootable-vm-risk-and-remediation/
+
+        In short, the dbx variable previously used in the bad update did not use the Microsoft owner GUID, preventing
+        deduplication of EFI signature data entries during an append call. Normally, this would not cause the VM to
+        crash; except varstored does not check for the variable data length on append, triggering the issue.
+        """
+        vm = uefi_vm
+        vm.host.pool.clear_custom_uefi_certs()
+        vm.set_uefi_user_mode()
+        vm.set_variable_from_file(SB_CERTS.dbx_poison(), image_security_database_guid, "dbx", EFI_AT_ATTRS)
+        try:
+            vm.set_variable_from_file(
+                SB_CERTS.dbx_hashes_ms_amd64(),
+                image_security_database_guid,
+                "dbx",
+                EFI_AT_ATTRS | EFI_VARIABLE_APPEND_WRITE,
+            )
+        except SSHCommandFailed:
+            # Appending the MS dbx may succeed or fail, doesn't matter, as appending the poison may not necessarily take
+            # dbx over the DATA_LIMIT. The important thing is that the VM boots up following this append attempt.
+            pass
+        vm.start()
+        vm.wait_for_vm_running_and_ssh_up()
+
 
 @pytest.mark.usefixtures("host_at_least_8_3")
 @pytest.mark.usefixtures("windows_vm")