Skip to content

Add Windows Secure Boot key upgrade tests #277

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Add Windows Secure Boot key upgrade tests #277

wants to merge 9 commits into from

Conversation

dinhngtu
Copy link
Member

As we're including more Secure Boot keys by default in varstored, add tests for upgrading guest keys from the old defaults to the new ones, using certificates provided by microsoft/secureboot_objects. Additionally, disable tests that aren't applicable any more with the variable changes.

Since the new SB variables each include multiple certificates, refactor the Certificate and EFIAuth classes to support them.

Finally, add some tweaks for running tests with VM UUIDs.

@dinhngtu dinhngtu requested a review from stormi April 1, 2025 09:33
ydirson
ydirson reviewed Apr 1, 2025
View reviewed changes
Copy link
Contributor

@ydirson ydirson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have very mixed feelings about this large "Rework Certificate and EFIAuth" commit. There seem to be many things inside (type hints additions, API changes, API extension....). This is already a part of the tests (and a feature set) I suspect few of us are familiar with. We surely want to improve on the situation. As it is, I cannot really give an opinion on this and that disturbs me.

@dinhngtu
Copy link
Member Author

dinhngtu commented Apr 1, 2025

I have very mixed feelings about this large "Rework Certificate and EFIAuth" commit. There seem to be many things inside (type hints additions, API changes, API extension....). This is already a part of the tests (and a feature set) I suspect few of us are familiar with. We surely want to improve on the situation. As it is, I cannot really give an opinion on this and that disturbs me.

The main goal of the efi.py changes is to support multi-cert variables, where one is an owner cert (i.e. contains a private key) and the others (e.g. MS-distributed ones) are not.

@dinhngtu dinhngtu force-pushed the sb-windows branch 2 times, most recently from 94d620d to b898476 Compare April 1, 2025 15:03
@dinhngtu
Copy link
Member Author

dinhngtu commented Apr 1, 2025

I've tried to break up the refactor into several commits.

@dinhngtu dinhngtu force-pushed the sb-windows branch 3 times, most recently from 51b1db6 to 887b5ce Compare April 4, 2025 08:15
stormi
stormi reviewed Apr 9, 2025
View reviewed changes
stormi
stormi reviewed Apr 9, 2025
View reviewed changes
stormi
stormi reviewed Apr 9, 2025
View reviewed changes
dinhngtu added 9 commits April 10, 2025 11:03
@dinhngtu
lib/vm: Use execute_powershell_script in booted_with_secureboot
8e21493 
Signed-off-by: Tu Dinh <[email protected]>
@dinhngtu
lib/vm: Rename is_cert_present
ec5710f 
Since UEFI vars can contain multiple certs (and even non-certs), rename
the method to is_uefi_var_present.

Signed-off-by: Tu Dinh <[email protected]>
@dinhngtu
lib/efi: Encapsulate auth and auth_data
e526c70 
We don't want users to grab these variables directly from EFIAuth before
they're ever generated by sign_auth.

Protect these two variables with an assertion.

Signed-off-by: Tu Dinh <[email protected]>
@dinhngtu
lib/vm: Clean up tempdir in install_uefi_certs
9480f08 
We want to remove the generated temporary directory even if the auth
file installation fails.

Signed-off-by: Tu Dinh <[email protected]>
@dinhngtu
lib/efi: Reorder Certificate and EFIAuth
41cd8af 
Since EFIAuth depends on Certificate, reorder them to prevent typecheck
issues later.

Signed-off-by: Tu Dinh <[email protected]>
@dinhngtu
lib/efi: Rework Certificate and EFIAuth
495a6c3 
Separate a variable's owner key and non-owner certs.
This allows creating Secure Boot variables with multiple certificates.
Also make self-signed cert/key initialization explicit.

Signed-off-by: Tu Dinh <[email protected]>
@dinhngtu
tests/uefi_sb: Adapt tests for varstored changes
8c07f2c 
We're now shipping more Secure Boot variables with varstored.
As such, the following tests have changed:

- test_start_vm_without_uefi_vars_on_pool_with_only_pk: No longer
  applicable.
- test_clear_custom_pool_certificates: Only check for symlink when
  clearing certs, as the condition that hosts only have PK after
  `secureboot-certs clear` is no longer true.

Signed-off-by: Tu Dinh <[email protected]>
@dinhngtu
lib/efi: Add Microsoft secure boot certs
2f7a8cb 
Taken from microsoft/secureboot_objects@ca77ceb.

Signed-off-by: Tu Dinh <[email protected]>
@dinhngtu
tests/uefi_sb: Add Windows key upgrade tests
ff5219d 
Signed-off-by: Tu Dinh <[email protected]>
@stormi
Copy link
Member

stormi commented Apr 10, 2025

The PR looks good to me. We'll have to run the related jobs in Jenkins to make sure all is still good, and this also depends on having varstored with the certs available in the ci RPM repository (PR xcp-ng-rpms/varstored#5)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stormi stormi stormi left review comments

@ydirson ydirson ydirson left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dinhngtu @stormi @ydirson