diff --git a/debian/changelog b/debian/changelog index dd5cbdd..a473869 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,12 @@ shim (15.7-2) UNRELEASED; urgency=medium + [ Steve McIntyre ] * Cope with changes in pesign packaging. - -- Steve McIntyre <93sam@debian.org> Wed, 01 Nov 2023 23:35:52 +0000 + [ Bastien Roucariès ] + * Port autopkgtest from ubuntu + + -- Bastien Roucariès Mon, 15 Apr 2024 14:15:58 +0000 shim (15.7-1) unstable; urgency=medium diff --git a/debian/tests/01_sanity_tests.py b/debian/tests/01_sanity_tests.py new file mode 100755 index 0000000..63d9863 --- /dev/null +++ b/debian/tests/01_sanity_tests.py @@ -0,0 +1,54 @@ +# +# UEFI Shim sanity checks for tests +# +# Copyright (C) 2019 Canonical, Ltd. +# Author: Mathieu Trudel-Lapierre +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 3. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import subprocess +import sys +import unittest + +from uefi_tests_base import UEFITestsBase + + +class SanityTests(UEFITestsBase): + ''' + Sanity checks for uefi tests + ''' + + def testArchitectureSuffixes(self): + """Ensure sanity of our concept of architecture suffixes for UEFI""" + + machine = subprocess.check_output(['uname', '-m']).rstrip().decode('utf-8') + if machine == 'x86_64': + self.assertEqual('x64', self.arch_suffix) + self.assertEqual('x86_64-efi', self.grub_arch) + self.assertEqual('qemu-system-x86_64', self.qemu_arch) + elif machine == 'aarch64': + self.assertEqual('aa64', self.arch_suffix) + self.assertEqual('arm64-efi', self.grub_arch) + self.assertEqual('qemu-system-aarch64', self.qemu_arch) + + def testQemuAvailable(self): + """Ensure QEMU is available for this architecture""" + try: + out = subprocess.run([self.qemu_arch, '-version'], stdout=None) + out.check_returncode() + except: + raise UEFINotAvailable(feature="qemu", arch=self.arch_machine, + details="%s failed to run" % self.qemu_arch) + + +unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2)) diff --git a/debian/tests/05_signature_tests.py b/debian/tests/05_signature_tests.py new file mode 100755 index 0000000..1d9f8e7 --- /dev/null +++ b/debian/tests/05_signature_tests.py @@ -0,0 +1,91 @@ +# +# UEFI signature validation +# +# Copyright (C) 2019 Canonical, Ltd. +# Author: Mathieu Trudel-Lapierre +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 3. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import subprocess +import sys +import unittest +import tempfile + +from pathlib import Path + +from uefi_tests_base import UEFITestsBase + + +class TestSignatures(UEFITestsBase): + """ + Validate UEFI signatures for common problems + """ + @classmethod + def setUpClass(klass): + UEFITestsBase.setUpClass() + + + def testInstalledGrubIsSigned(self): + """Check that the GRUB copy we installed is correctly signed""" + installed_grub_file = Path(self.signed_grub_path) + self.assertTrue(installed_grub_file.exists()) + signed_out = subprocess.run(['sbverify', '--list', self.signed_grub_path], + stdout=subprocess.PIPE) + self.assertIn(b'image signature issuers:', signed_out.stdout) + + def testGrubSignatureValid(self): + return + """Ensure the installed GRUB binary from packaging is signed with the expected key""" + self.assertSignatureOK(self.ca, self.signed_grub_path) + + def testInstalledShimIsSigned(self): + """Check that the installed shim is signed""" + installed_shim_file = Path(self.signed_shim_path) + self.assertTrue(installed_shim_file.exists()) + signed_out = subprocess.run(['sbverify', '--list', self.signed_shim_path], + stdout=subprocess.PIPE) + self.assertIn(b'image signature issuers:', signed_out.stdout) + + def testHaveSignedShimOnESP(self): + """Verify that packaging has provided a signed shim""" + return + signed_shim_file = Path(self.installed_shim) + self.assertTrue(signed_shim_file.exists()) + + def testSignaturesExist(self): + """Validate that a binary has non-zero signatures""" + unsigned_out = subprocess.run(['sbverify', '--list', self.unsigned_shim_path], + stderr=subprocess.PIPE, stdout=subprocess.PIPE) + self.assertIn(b'No signature table present', unsigned_out.stderr) + signed_out = subprocess.run(['sbverify', '--list', self.signed_shim_path], + stderr=subprocess.PIPE, stdout=subprocess.PIPE) + self.assertIn(b'image signature issuers:', signed_out.stdout) + + def testSignatureIsReplayable(self): + """Attest that signature is retrievable from a binary and can be replayed""" + with tempfile.TemporaryDirectory() as tmpdirname: + subprocess.call(['sbattach', + '--detach', os.path.join(tmpdirname, 'sig.pkcs7'), + self.signed_shim_path]) + pkcs7_certs = subprocess.run(['openssl', 'pkcs7', + '-inform', 'der', + '-in', os.path.join(tmpdirname, 'sig.pkcs7'), + '-print_certs'], + stdout=subprocess.PIPE) + with open(os.path.join(tmpdirname, 'out.crt'), 'ab+') as certstore: + certstore.write(pkcs7_certs.stdout) + self.assertSignatureOK(os.path.join(tmpdirname, 'out.crt'), self.signed_shim_path) + + +unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2)) diff --git a/debian/tests/10_uefi_boot_tests.py b/debian/tests/10_uefi_boot_tests.py new file mode 100755 index 0000000..7ef4df4 --- /dev/null +++ b/debian/tests/10_uefi_boot_tests.py @@ -0,0 +1,51 @@ +# +# UEFI boot testing +# +# Copyright (C) 2019 Canonical, Ltd. +# Author: Mathieu Trudel-Lapierre +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 3. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import subprocess +import sys +import unittest + +from uefi_tests_base import UEFITestsBase, UEFINotAvailable, UEFIVirtualMachine + + +class UEFIBootTests(UEFITestsBase): + """ + Validate UEFI signatures for common problems + """ + @classmethod + def setUpClass(klass): + UEFITestsBase.setUpClass() + klass.base_image = UEFIVirtualMachine(arch=klass.image_arch) + #klass.base_image.prepare() + + def testCanary(self): + """Validate that a control/canary (unchanged) image boots fine""" + canary = UEFIVirtualMachine(self.base_image) + canary.run() + self.assertBoots(canary) + + def testNewShim(self): + """Validate that a new SHIM binary on the image will boot""" + new_shim = UEFIVirtualMachine(self.base_image) + new_shim.update(src='/usr/lib/shim/shimx64.efi.signed', dst='/boot/efi/EFI/debian/shimx64.efi') + new_shim.update(src='/usr/lib/shim/shimx64.efi.signed', dst='/boot/efi/EFI/BOOT/BOOTX64.efi') + new_shim.run() + self.assertBoots(new_shim) + + +unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2)) diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..4cad1b6 --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,47 @@ +Test-Command: python3 debian/tests/01_sanity_tests.py +Depends: @, + qemu-system-arm [arm64], + qemu-system-x86 [amd64], + lsb-release, + python3, + wget, + openssl, +Restrictions: allow-stderr, needs-root, isolation-machine +Features: test-name=sanity + +Test-Command: python3 debian/tests/05_signature_tests.py +Depends: @, + sbsigntool, + grub-efi-arm64-signed [arm64], + grub-efi-amd64-signed [amd64], + shim-signed [amd64], + shim-signed [arm64], + lsb-release, + python3, + wget, + openssl, +Restrictions: allow-stderr, needs-root, isolation-machine +Features: test-name=signatures + +Test-Command: python3 debian/tests/10_uefi_boot_tests.py +Depends: @, + autopkgtest, + genisoimage, + qemu-utils, + sbsigntool, + qemu-system-arm [arm64], + qemu-system-x86 [amd64], + ovmf [amd64], + qemu-efi-aarch64 [arm64], + grub-efi-arm64-signed [arm64], + grub-efi-amd64-signed [amd64], + shim-signed [amd64], + shim-signed [arm64], + lsb-release, + python3, + wget, + openssl, + ca-certificates, + distro-info, +Restrictions: allow-stderr, needs-root, isolation-machine +Features: test-name=boot-test diff --git a/debian/tests/uefi_tests_base.py b/debian/tests/uefi_tests_base.py new file mode 100644 index 0000000..166d98c --- /dev/null +++ b/debian/tests/uefi_tests_base.py @@ -0,0 +1,261 @@ +# +# UEFI validation/integration tests +# +# Copyright (C) 2019 Canonical, Ltd. +# Author: Mathieu Trudel-Lapierre +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 3. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import shutil +import stat +import math +import subprocess +import tempfile +from time import sleep +import unittest + + +class UEFINotAvailable(Exception): + """Exception class for unavailable UEFI features""" + def __init__(self, feature=None, arch=None, details=None): + self.message = "UEFI is not available" + if arch and feature: + self.message = "%s is not available on %s" % (feature, arch) + elif feature: + self.message = "%s is not available" % feature + if details: + self.message = self.message + ": %s" % details + + def __str__(self): + return repr(self.message) + +class UEFITestsBase(unittest.TestCase): + ''' + Common functionality for shim test cases + ''' + + @classmethod + def setUpClass(klass): + klass.arch_machine = os.uname().machine + klass.arch_suffix = '' + klass.grub_arch = '' + klass.qemu_arch = '' + if klass.arch_machine == 'x86_64': + klass.image_arch = 'amd64' + klass.arch_suffix = 'x64' + klass.grub_arch = 'x86_64-efi' + klass.qemu_arch = 'qemu-system-x86_64' + elif klass.arch_machine == 'aarch64': + klass.image_arch = 'arm64' + klass.arch_suffix = 'aa64' + klass.grub_arch = 'arm64-efi' + klass.qemu_arch = 'qemu-system-aarch64' + else: + raise UEFINotAvailable(feature='any UEFI Shim features', arch=klass.arch_machine) + + # Base paths for the ESP. + klass.uefi_base_dir = os.path.join('/', 'boot', 'efi', 'EFI') + klass.uefi_boot_dir = os.path.join(klass.uefi_base_dir, 'BOOT') + klass.uefi_install_dir = os.path.join(klass.uefi_base_dir, 'debian') + + # CAs for signature validation (not yet) + # klass.ca = os.path.join('/usr/share/grub', 'debian-uefi-ca.crt') + + # Shim paths + klass.shim_pkg_dir = os.path.join('/', 'usr', 'lib', 'shim') + klass.unsigned_shim_path = os.path.join(klass.shim_pkg_dir, 'shim%s.efi' % klass.arch_suffix) + klass.signed_shim_path = os.path.join(klass.shim_pkg_dir, 'shim%s.efi.signed' % klass.arch_suffix) + klass.installed_shim = os.path.join(klass.uefi_install_dir, 'shim%s.efi' % klass.arch_suffix) + klass.removable_shim = os.path.join(klass.uefi_boot_dir, 'boot%s.efi' % klass.arch_suffix) + + # GRUB paths + klass.grub_pkg_dir = os.path.join('/', 'usr', 'lib', 'grub', "%s-signed" % klass.grub_arch) + klass.signed_grub_path = os.path.join(klass.grub_pkg_dir, 'grub%s.efi.signed' % klass.arch_suffix) + klass.installed_grub = os.path.join(klass.uefi_install_dir, 'grub%s.efi' % klass.arch_suffix) + + # OMVF paths + if klass.arch_machine == 'x86_64': + klass.uefi_code_path = '/usr/share/OVMF/OVMF_CODE_4M.ms.fd' + klass.uefi_vars_path = '/usr/share/OVMF/OVMF_VARS_4M.ms.fd' + klass.uefi_qemu_extra = [ '-machine', 'q35,smm=on' ] + elif klass.arch_machine == 'aarch64': + klass.uefi_code_path = '/usr/share/AAVMF/AAVMF_CODE.fd' + klass.uefi_vars_path = '/usr/share/AAVMF/AAVMF_VARS.fd' + klass.uefi_qemu_extra = [] + + subprocess.run(['modprobe', 'nbd']) + + @classmethod + def tearDownClass(klass): + pass + + def tearDown(self): + pass + + def setUp(self): + pass + + + # + # Internal implementation details + # + + @classmethod + def poll_text(klass, logpath, string, timeout=50): + '''Poll log file for a given string with a timeout. + + Timeout is given in deciseconds. + ''' + log = '' + while timeout > 0: + if os.path.exists(logpath): + break + timeout -= 1 + sleep(0.1) + assert timeout > 0, 'Timed out waiting for file %s to appear' % logpath + + with open(logpath) as f: + while timeout > 0: + line = f.readline() + if line: + log += line + if string in line: + break + continue + timeout -= 1 + sleep(0.1) + + assert timeout > 0, 'Timed out waiting for "%s":\n------------\n%s\n-------\n' % (string, log) + + + def assertSignatureOK(self, expected_signature, binary): + result = subprocess.check_call(['sbverify', '--cert', expected_signature, binary]) + self.assertEquals(0, result) + + + def assertBoots(self, vm=None): + '''Assert that the VM is booted and ready for use''' + self.assertTrue(vm.ready()) + + +DEFAULT_METADATA = 'instance-id: nocloud\nlocal-hostname: autopkgtest\n' + +DEFAULT_USERDATA = """#cloud-config +locale: en_US.UTF-8 +password: debian +chpasswd: { expire: False } +ssh_pwauth: True +manage_etc_hosts: True +runcmd: + - (while [ ! -e /var/lib/cloud/instance/boot-finished ]; do sleep 1; done; + touch /TESTOK; + shutdown -P now) & +""" + +# +# VM management tools +# +class UEFIVirtualMachine(UEFITestsBase): + + def __init__(self, base=None, arch=None): + self.autopkgtest_dir = tempfile.TemporaryDirectory() + os.makedirs(os.path.join(self.autopkgtest_dir.name, 'img')) + self.arch = arch + release = subprocess.run(['lsb_release','-c','-s'], capture_output=True, check=True) + self.release = release.stdout.strip().decode('utf-8') + release_number = subprocess.run(['lsb_release','-r','-s'], capture_output=True, check=True).stdout.strip().decode('utf-8') + self.release_number = None + try: + self.release_number = int(math.floor(float(release_number))) + except: + if(self.release == 'sid'): + self.release_number = 'sid' + else: + alias = subprocess.run(['distro-info','--alias', self.release], capture_output=True, check=True).stdout.strip().decode('utf-8') + number_distro = subprocess.run(['distro-info','-r', '--%s' % (alias)], capture_output=True, check=True).stdout.strip().decode('utf-8') + self.release_number = int(math.floor(float(number_distro))) + self.path = tempfile.mkstemp(dir=self.autopkgtest_dir.name)[1] + if not base: + subprocess.run(['wget', + 'https://cloud.debian.org/images/cloud/%s/daily/latest/debian-%s-genericcloud-%s-daily.qcow2' + % (self.release, self.release_number, self.arch), + '-O', '%s/base.img' % self.autopkgtest_dir.name], check = True) + else: + self.arch = base.arch + shutil.copy(base.path, os.path.join(self.autopkgtest_dir.name, 'base.img')) + shutil.copy(os.path.join(self.autopkgtest_dir.name, 'base.img'), self.path) + shutil.copy("%s" % self.uefi_vars_path, "%s.VARS.fd" % self.path) + + def _mount(self): + subprocess.run(['qemu-nbd', '--connect=/dev/nbd0', self.path]) + # nbd doesn't show instantly... + sleep(1) + subprocess.run(['mount', '/dev/nbd0p1', os.path.join(self.autopkgtest_dir.name, 'img')]) + subprocess.run(['mount', '/dev/nbd0p15', os.path.join(self.autopkgtest_dir.name, 'img', 'boot/efi')]) + + def _unmount(self): + subprocess.run(['umount', '/dev/nbd0p15']) + subprocess.run(['umount', '/dev/nbd0p1']) + subprocess.run(['qemu-nbd', '--disconnect', '/dev/nbd0']) + + def prepare(self): + with open(os.path.join(self.autopkgtest_dir.name, 'meta-data'), 'w') as f: + f.write(DEFAULT_METADATA) + with open(os.path.join(self.autopkgtest_dir.name, 'user-data'), 'w') as f: + f.write(DEFAULT_USERDATA) + with open(os.path.join(self.autopkgtest_dir.name, 'network-config'), 'w') as f: + f.write('') + + subprocess.run(['genisoimage', '-output', 'cloud-init.seed', + '-volid', 'cidata', '-joliet', '-rock', + '-quiet', 'user-data', 'meta-data', 'network-config'], + cwd=self.autopkgtest_dir.name) + + def list(self, path='/etc/'): + self._mount() + subprocess.run(['ls', '-l', os.path.join(self.autopkgtest_dir.name, 'img', path)]) + self._unmount() + + def update(self, src=None, dst=None): + self._mount() + try: + os.makedirs(os.path.join(self.autopkgtest_dir.name, 'img', os.path.dirname(dst))) + except FileExistsError: + pass + shutil.copy(src, os.path.join(self.autopkgtest_dir.name, 'img', dst)) + self._unmount() + + def run(self): + self.prepare() + # start qemu-system-$arch, output log to serial and capture to variable + subprocess.run([self.qemu_arch] + self.uefi_qemu_extra + [ + '-m', '1024', '-nographic', + '-serial', 'mon:stdio', + '-netdev', 'user,id=network0', + '-device', 'virtio-net-pci,netdev=network0,mac=52:54:00:12:34:56', + '-drive', 'file=%s,if=pflash,format=raw,unit=0,readonly=on' % self.uefi_code_path, + '-drive', 'file=%s.VARS.fd,if=pflash,format=raw,unit=1' % self.path, + '-drive', 'file=%s,if=none,id=harddrive0,format=qcow2' % self.path, + '-device', 'virtio-blk-pci,drive=harddrive0,bootindex=0', + '-drive', 'file=%s/cloud-init.seed,if=virtio,readonly=on' % self.autopkgtest_dir.name]) + + def ready(self): + """Returns true if the VM is booted and ready at userland""" + # check captured serial for our marker + self._mount() + result = os.path.exists(os.path.join(self.autopkgtest_dir.name, 'img', 'TESTOK')) + self._unmount() + return result + +