Test UEFI var are kept upon live migration

Signed-off-by: Benjamin Reis <[email protected]>
xcp-ng · Dec 4, 2024 · b404ec3 · b404ec3
1 parent 2a59861
commit b404ec3
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 8 deletions.
diff --git a/conftest.py b/conftest.py
@@ -263,6 +263,12 @@ def local_sr_on_hostB1(hostB1):
     logging.info(">> local SR on hostB1 present : %s" % sr.uuid)
     yield sr
 
+@pytest.fixture(scope='session')
+def existing_shared_sr(host):
+    sr = host.pool.first_shared_sr()
+    assert sr is not None, "A shared SR on the pool is required"
+    return sr
+
 @pytest.fixture(scope='session')
 def sr_disk(pytestconfig, host):
     disks = pytestconfig.getoption("sr_disk")

diff --git a/tests/misc/test_basic_without_ssh.py b/tests/misc/test_basic_without_ssh.py
@@ -18,12 +18,6 @@
 #   the local SR or shared SR: the test will adapt itself.
 #   Note however that an existing VM will be left on a different SR after the tests.
 
-@pytest.fixture(scope='session')
-def existing_shared_sr(host):
-    sr = host.pool.first_shared_sr()
-    assert sr is not None, "A shared SR on the pool is required"
-    return sr
-
 @pytest.mark.multi_vms # run them on a variety of VMs
 @pytest.mark.big_vm # and also on a really big VM ideally
 def test_vm_start_stop(imported_vm):

diff --git a/tests/uefi_sb/test_uefistored_sb.py b/tests/uefi_sb/test_uefistored_sb.py
@@ -5,7 +5,8 @@
 from lib.common import wait_for
 
 from .utils import test_key_exchanges, boot_and_check_no_sb_errors, boot_and_check_sb_failed, \
-    boot_and_check_sb_succeeded, generate_keys, revert_vm_state, sign_efi_bins, VM_SECURE_BOOT_FAILED
+    boot_and_check_sb_succeeded, generate_keys, revert_vm_state, sign_efi_bins, VM_SECURE_BOOT_FAILED, \
+    test_uefi_var_migrate
 
 # These tests check the behaviour of XAPI and uefistored as they are in XCP-ng 8.2
 # For XCP-ng 8.3 or later, see test_varstored_sb.py
@@ -217,3 +218,16 @@ def test_key_exchanges(self, uefi_vm):
         vm = uefi_vm
 
         test_key_exchanges(vm)
+
+@pytest.mark.small_vm
+@pytest.mark.usefixtures("host_less_than_8_3", "existing_shared_sr")
+@pytest.mark.usefixtures("pool_without_uefi_certs")
+class TestUEFIVarMigrate:
+    @pytest.fixture(autouse=True)
+    def setup_and_cleanup(self, uefi_vm_and_snapshot):
+        vm, snapshot = uefi_vm_and_snapshot
+        yield
+        revert_vm_state(vm, snapshot)
+
+    def test_uefi_var_migrate(self, host, hostA2, uefi_vm):
+        test_uefi_var_migrate(uefi_vm, host, hostA2)
diff --git a/tests/uefi_sb/test_varstored_sb.py b/tests/uefi_sb/test_varstored_sb.py
@@ -2,7 +2,7 @@
 import pytest
 
 from .utils import test_key_exchanges, boot_and_check_no_sb_errors, boot_and_check_sb_failed, \
-    boot_and_check_sb_succeeded, generate_keys, revert_vm_state, sign_efi_bins
+    boot_and_check_sb_succeeded, generate_keys, revert_vm_state, sign_efi_bins, test_uefi_var_migrate
 
 # These tests check the behaviour of XAPI and varstored as they are in XCP-ng 8.3
 # For XCP-ng 8.2, see test_uefistored_sb.py
@@ -153,3 +153,15 @@ def test_key_exchanges(self, uefi_vm):
         vm.set_uefi_setup_mode()
 
         test_key_exchanges(vm)
+
+@pytest.mark.small_vm
+@pytest.mark.usefixtures("host_at_least_8_3", "existing_shared_sr")
+class TestUEFIVarMigrate:
+    @pytest.fixture(autouse=True)
+    def setup_and_cleanup(self, uefi_vm_and_snapshot):
+        vm, snapshot = uefi_vm_and_snapshot
+        yield
+        revert_vm_state(vm, snapshot)
+
+    def test_uefi_var_migrate(self, host, hostA2, uefi_vm):
+        test_uefi_var_migrate(uefi_vm, host, hostA2)
diff --git a/tests/uefi_sb/utils.py b/tests/uefi_sb/utils.py
@@ -173,3 +173,20 @@ def check_vm_cert_md5sum(vm, key, reference_file):
     assert res.returncode == 0, f"Cert {key} must be present"
     reference_md5 = get_md5sum_from_auth(reference_file)
     assert hashlib.md5(res.stdout).hexdigest() == reference_md5
+
+def test_uefi_var_migrate(vm, source_host, dest_host):
+    shared_sr = source_host.pool.first_shared_sr()
+    vm.clear_uefi_variables()
+    pool_auths = generate_keys(as_dict=True)
+    vm.host.pool.install_custom_uefi_certs([pool_auths[key] for key in ['PK', 'KEK', 'db', 'dbx']])
+    vm.start(on=source_host.uuid)
+    vm.wait_for_os_booted()
+    logging.info("Check that the VM certs were kept before live migration: PK, KEK, db, dbx")
+    for key in ['PK', 'KEK', 'db', 'dbx']:
+        check_vm_cert_md5sum(vm, key, pool_auths[key].auth)
+    vm.migrate(dest_host, shared_sr)
+
+    # Check UEFI var kept upon live migration
+    logging.info("Check that the VM certs were kept after live migration: PK, KEK, db, dbx")
+    for key in ['PK', 'KEK', 'db', 'dbx']:
+        check_vm_cert_md5sum(vm, key, pool_auths[key].auth)