diff --git a/libvirt/tests/cfg/guest_os_booting/ovmf_firmware/ovmf_seclabel_in_nvram.cfg b/libvirt/tests/cfg/guest_os_booting/ovmf_firmware/ovmf_seclabel_in_nvram.cfg
new file mode 100644
index 0000000000..eeff9ab041
--- /dev/null
+++ b/libvirt/tests/cfg/guest_os_booting/ovmf_firmware/ovmf_seclabel_in_nvram.cfg
@@ -0,0 +1,34 @@
+- guest_os_booting.ovmf_seclabel_in_nvram:
+ type = ovmf_seclabel_in_nvram
+ start_vm = no
+ loader_path = "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd"
+ template_path = "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd"
+ os_dict = {'secure': 'yes', 'loader_readonly': 'yes', 'loader_type': 'pflash', 'loader': '${loader_path}'}
+ nvram_attrs = {'nvram_attrs': {'template': '${template_path}', 'type': 'file'}}
+ nvram_source = {'nvram_source': {'seclabels': [{'label': '%s', 'model': '%s', 'relabel': 'yes'}], 'attrs': {'file': '%s'}}}
+ firmware_type = "ovmf"
+ func_supported_since_libvirt_ver = (8, 5, 0)
+ only q35
+ only x86_64
+ variants:
+ - positive_test:
+ variants:
+ - with_selinux_seclabel:
+ seclabel_model = "selinux"
+ seclabel_label = "system_u:object_r:svirt_image_t:s0"
+ - with_dac_seclabel:
+ seclabel_model = "dac"
+ seclabel_label = "qemu:qemu"
+ - negative_test:
+ error_msg = "Could not open .*: Permission denied"
+ variants:
+ - invalid_selinux_seclabel:
+ seclabel_model = "selinux"
+ seclabel_label = "unconfined_u:object_r:virt_image_t:s0"
+ - invalid_dac_seclabel:
+ seclabel_model = "dac"
+ seclabel_label = "test:test"
+ - with_no_relabel:
+ without_label = "yes"
+ seclabel_model = "selinux"
+ nvram_source = {'nvram_source': {'seclabels': [{'model': '%s', 'relabel': 'no'}], 'attrs': {'file': '%s'}}}
diff --git a/libvirt/tests/src/guest_os_booting/ovmf_firmware/ovmf_seclabel_in_nvram.py b/libvirt/tests/src/guest_os_booting/ovmf_firmware/ovmf_seclabel_in_nvram.py
new file mode 100644
index 0000000000..280d3f9f03
--- /dev/null
+++ b/libvirt/tests/src/guest_os_booting/ovmf_firmware/ovmf_seclabel_in_nvram.py
@@ -0,0 +1,80 @@
+# Copyright Red Hat
+# SPDX-License-Identifier: GPL-2.0
+# Author: Meina Li
+
+import os
+
+from avocado.utils import process
+
+from virttest import libvirt_version
+from virttest import virsh
+from virttest.data_dir import get_data_dir
+from virttest.libvirt_xml import vm_xml
+from provider.guest_os_booting import guest_os_booting_base as guest_os
+
+
+def run(test, params, env):
+ """
+ This case is to verify the ovmf backed nvram.
+ 1) Prepare a guest with related backed nvram elements.
+ 2) Start and boot the guest.
+ 3) Check the dumpxml and the label if necessary.
+ """
+ def compare_guest_xml(vmxml, os_attrs):
+ """
+ Compare current xml with the configured values
+
+ :params vmxml: the guest xml
+ :params os_attrs: the os attributes dict
+ """
+ os_xml = vmxml.os
+ current_os_attrs = os_xml.fetch_attrs()
+ for key in os_attrs:
+ if key in current_os_attrs:
+ if os_attrs[key] != current_os_attrs[key]:
+ test.fail("Configured os xml value {} doesn't match the"
+ " entry {} in guest xml".format(os_attrs[key], current_os_attrs[key]))
+ else:
+ test.fail("Configured os attributes {} don't existed in guest.".format(key))
+
+ vm_name = guest_os.get_vm(params)
+ firmware_type = params.get("firmware_type")
+ nvram_file = os.path.join(get_data_dir(), "test.fd")
+ nvram_attrs = eval(params.get("nvram_attrs"))
+ os_dict = eval(params.get("os_dict"))
+ seclabel_label = params.get("seclabel_label")
+ seclabel_model = params.get("seclabel_model")
+ error_msg = params.get("error_msg", "")
+ without_label = "yes" == params.get("without_label", "no")
+ libvirt_version.is_libvirt_feature_supported(params)
+
+ vm = env.get_vm(vm_name)
+ vmxml = vm_xml.VMXML.new_from_inactive_dumpxml(vm_name)
+ bkxml = vmxml.copy()
+
+ try:
+ if without_label:
+ nvram_source = eval(params.get("nvram_source") % (seclabel_model, nvram_file))
+ else:
+ nvram_source = eval(params.get("nvram_source") % (seclabel_label, seclabel_model, nvram_file))
+ os_attrs = {**os_dict, **nvram_attrs, **nvram_source}
+ guest_os.prepare_os_xml(vm_name, os_attrs, firmware_type)
+ vmxml = guest_os.check_vm_startup(vm, vm_name, error_msg)
+ if error_msg:
+ return
+ test.log.info("Check the os xml in dumpxml")
+ compare_guest_xml(vmxml, os_attrs)
+ test.log.info("Check the nvram file label in host")
+ label_result = process.run("ls -lZ {}".format(nvram_file)).stdout_text
+ if seclabel_model == "dac":
+ seclabel_label = seclabel_label.replace(":", " ")
+ if seclabel_label in label_result:
+ test.log.info("Get expected nvram file label: {}".format(label_result))
+ else:
+ test.fail("The nvram file label {} is not expected".format(label_result))
+ finally:
+ if vm.is_alive():
+ virsh.destroy(vm_name)
+ if os.path.exists(nvram_file):
+ os.remove(nvram_file)
+ bkxml.sync()
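Review bot: The four `eval(...)` calls in `run()` (on `nvram_attrs`, `os_dict` and both `nvram_source` branches) execute whatever expression the cfg string holds, and the `nvram_source` ones first splice `nvram_file` and the seclabel values into that string with `%`, so a data-directory path or label containing a quote changes the code that gets evaluated. All of these values are plain dict literals, so adding `import ast` and using `nvram_attrs = ast.literal_eval(params.get("nvram_attrs"))` (and the same for the other three) parses them without executing anything and raises on malformed input. Separately, the label check is a substring match against the whole `ls -lZ` line, so it is not tied to the owner/group or SELinux column being tested; comparing the owner and group from `os.stat(nvram_file)` and the `security.selinux` value from `os.getxattr` would pin the assertion to the field under test.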