tests/uefi_sb: Add Windows key upgrade test

Signed-off-by: Tu Dinh <ngoc-tu.dinh@vates.tech>
xcp-ng · Feb 21, 2025 · fb56bf7 · fb56bf7
1 parent 1471c87
commit fb56bf7
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 1 deletion.
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "contrib/secureboot_objects"]
+	path = contrib/secureboot_objects
+	url = https://github.com/microsoft/secureboot_objects.git
diff --git a/contrib/secureboot_objects b/contrib/secureboot_objects
diff --git a/lib/efi.py b/lib/efi.py
@@ -47,6 +47,25 @@ def getfile(self, suffix=None, prefix=None):
 _tempdir = _EfiGlobalTempdir()
 
 
+class _SecureBootCertList:
+    _prefix = Path(__file__).parent / '../contrib/secureboot_objects/PreSignedObjects'
+
+    def kek_ms_2011(self):
+        return str(self._prefix / "KEK/Certificates/MicCorKEKCA2011_2011-06-24.der")
+
+    def kek_ms_2023(self):
+        return str(self._prefix / "KEK/Certificates/microsoft corporation kek 2k ca 2023.der")
+
+    def db_win_2011(self):
+        return str(self._prefix / "DB/Certificates/MicWinProPCA2011_2011-10-19.der")
+
+    def db_win_2023(self):
+        return str(self._prefix / "DB/Certificates/microsoft uefi ca 2023.der")
+
+
+ms_certs = _SecureBootCertList()
+
+
 class GUID(UUID):
     def as_bytes(self):
         return self.bytes_le

diff --git a/pytest.ini b/pytest.ini
@@ -1,5 +1,5 @@
 [pytest]
-addopts = -ra --maxfail=1
+addopts = -ra --maxfail=1 --ignore=contrib/
 markers =
     # *** Markers that change test behaviour ***
     default_vm: mark a test with a default VM in case no --vm parameter was given.

diff --git a/tests/uefi_sb/test_varstored_sb.py b/tests/uefi_sb/test_varstored_sb.py
@@ -1,6 +1,9 @@
 import logging
 import pytest
 
+from lib.efi import EFIAuth, ms_certs
+from lib.vm import VM
+
 from .utils import _test_key_exchanges, boot_and_check_no_sb_errors, boot_and_check_sb_failed, \
     boot_and_check_sb_succeeded, generate_keys, revert_vm_state, sign_efi_bins
 
@@ -153,3 +156,48 @@ def test_key_exchanges(self, uefi_vm):
         vm.set_uefi_setup_mode()
 
         _test_key_exchanges(vm)
+
+@pytest.mark.small_vm
+@pytest.mark.usefixtures("host_at_least_8_3")
+@pytest.mark.usefixtures("windows_vm")
+class TestGuestWindowsUEFIKeyUpgrade:
+    @pytest.fixture(autouse=True)
+    def setup_and_cleanup(self, uefi_vm_and_snapshot):
+        vm, snapshot = uefi_vm_and_snapshot
+        yield
+        revert_vm_state(vm, snapshot)
+
+    def test_key_upgrade(self, uefi_vm: VM):
+        vm = uefi_vm
+
+        # Populate a key set that looks like the old defaults.
+        PK = EFIAuth.self_signed('PK')
+        KEK = EFIAuth.self_signed('KEK', other_certs=[ms_certs.kek_ms_2011()])
+        db = EFIAuth('db', other_certs=[ms_certs.db_win_2011()])
+        # Some test VMs don't like an empty dbx when their own dbx is empty, so just put whatever in there
+        dbx = EFIAuth.self_signed('dbx')
+
+        PK.sign_auth(PK)
+        PK.sign_auth(KEK)
+        KEK.sign_auth(db)
+        KEK.sign_auth(dbx)
+
+        vm.install_uefi_certs([PK, KEK, db, dbx])
+        vm.param_set('platform', True, key='secureboot')
+        boot_and_check_sb_succeeded(vm)
+        vm.shutdown(verify=True)
+
+        newPK = EFIAuth.self_signed('PK')
+        newKEK = EFIAuth('KEK', other_certs=[ms_certs.kek_ms_2011(), ms_certs.kek_ms_2023()])
+        newdb = EFIAuth('db', other_certs=[ms_certs.db_win_2011(), ms_certs.db_win_2023()])
+        newdbx = EFIAuth('dbx')
+
+        newPK.sign_auth(newPK)
+        # Technically, there's no need to sign the other databases since we're setting them from Dom0.
+        # If signing with the old PK works, there'd be no need to test signing with the new PK.
+        PK.sign_auth(newKEK)
+        PK.sign_auth(newdb)
+        PK.sign_auth(newdbx)
+
+        vm.install_uefi_certs([newPK, newKEK, newdb, newdbx])
+        boot_and_check_sb_succeeded(vm)