test: add a secureboot test with an addon

2025-10-06 00:13:24 +02:00 · 2025-07-27 21:23:17 +01:00
parent 5ba50a7f2c
commit 5ae58ac2b9
3 changed files with 28 additions and 0 deletions
--- a/mkosi/mkosi.finalize
+++ b/mkosi/mkosi.finalize
@@ -3,3 +3,13 @@
 set -e

 touch -r "$BUILDROOT/usr" "$BUILDROOT/etc/.updated" "$BUILDROOT/var/.updated"
+
+if [ -n "$EFI_ARCHITECTURE" ]; then
+    mkdir -p "$BUILDROOT/boot/loader/addons"
+    ukify build \
+        --stub "$BUILDROOT/usr/lib/systemd/boot/efi/addon${EFI_ARCHITECTURE}.efi.stub" \
+        --cmdline="addonfoobar" \
+        --output "$BUILDROOT/boot/loader/addons/test.addon.efi" \
+        --secureboot-certificate "$SRCDIR/mkosi/mkosi.crt" \
+        --secureboot-private-key "$SRCDIR/mkosi/mkosi.key"
+fi
--- a/test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build
+++ b/test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build
@@ -7,5 +7,6 @@ integration_tests += [
                'storage': 'persistent',
                'coredump-exclude-regex' : '/(test-usr-dump|test-dump|bash)$',
                'vm' : true,
+                'firmware' : 'auto',
        },
 ]
--- a/test/units/TEST-87-AUX-UTILS-VM.bootctl.sh
+++ b/test/units/TEST-87-AUX-UTILS-VM.bootctl.sh
@@ -342,4 +342,21 @@ EOF
    bootctl remove
 }

+testcase_secureboot() {
+    if [ ! -d /sys/firmware/efi ]; then
+        echo "Not booted with EFI, skipping secureboot tests."
+        return 0
+    fi
+
+    # Ensure secure boot is enabled and not in setup mode
+    cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+    cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+    bootctl status | grep -q "Secure Boot: enabled"
+
+    # Ensure the addon is fully loaded and parsed
+    bootctl status | grep -q "global-addon: loader/addons/test.addon.efi"
+    bootctl status | grep "cmdline" | grep -q addonfoobar
+    grep -q addonfoobar /proc/cmdline
+}
+
 run_testcases