Dasharo · miczyg1 · Jul 31, 2025 · Jul 31, 2025
diff --git a/dasharo-security/sovereign-boot.robot b/dasharo-security/sovereign-boot.robot
@@ -183,6 +183,160 @@ SVB003.001 Sovereign Boot Wizard parses boot options correctly
     # Remove it later once the proper flow is implemented
     Read From Terminal Until    Sovereign Boot is already provisioned.
 
+SVB004.001 Sovereign Boot Wizard wipes Secure Boot variables correctly
+    [Documentation]    This test aims to verify that wizard wipes Secure Boot keys.
+    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SVB004.001 not supported
+    Power On
+    Read From Terminal Until    Sovereign Boot Provisioning Wizard
+    Read From Terminal Until    restored default system settings.
+    ${menu}=    Get Menu Construction    Esc=Exit    0    1
+    # Read the remaining part of the menu
+    Read From Terminal
+    # We should check if [Exit] exists, but the menu is so small, that it has to be scrolled
+    Press Key N Times    1    ${ESC}
+    ${menu}=    Get Setup Menu Construction
+    ${sb_menu}=    Enter Secure Boot Menu From Setup    ${menu}
+    # Remove line that is not an option
+    ${sv_index}=    Get Index From List    ${sb_menu}    *** Sovereign Boot Options ***
+    Remove From List    ${sb_menu}    ${sv_index}
+    Make Sure That Keys Are Provisioned    ${sb_menu}
+    Tianocore Reset System
+    Read From Terminal Until    Sovereign Boot Provisioning Wizard
+    Read From Terminal Until    restored default system settings.
+    # Select Sovereign Boot, it should wipe out the keys.
+    Press Key N Times And Enter    1    ${ARROW_DOWN}
+    Read From Terminal Until    A new bootloader/key has been detected.
+    # Press ESC twice to get back to setup.
+    Read From Terminal
+    Press Key N Times    1    ${ESC}
+    Sleep    2s
+    Read From Terminal
+    Press Key N Times    1    ${ESC}
+    ${menu}=    Get Setup Menu Construction
+    ${device_mgr_menu}=    Enter Submenu From Snapshot And Return Construction
+    ...    ${menu}
+    ...    Device Manager
+    Enter Submenu From Snapshot    ${device_mgr_menu}    Secure Boot Configuration
+    ${out}=    Read From Terminal Until    Esc=Exit
+    Should Contain    ${out}    enroll the keys/PK first
+
+SVB004.002 Sovereign Boot Wizard parses certificate correctly
+    [Documentation]    This test aims to verify that wizard parses certificates properly.
+    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SVB004.002 not supported
+    Power On
+    Read From Terminal Until    Sovereign Boot Provisioning Wizard
+    Read From Terminal Until    restored default system settings.
+    # Select Sovereign Boot, it should wipe out the keys.
+    Press Key N Times And Enter    1    ${ARROW_DOWN}
+    Read From Terminal Until    A new bootloader/key has been detected.
+    # Read the remaining part of the menu
+    ${out}=    Read From Terminal
+    Should Contain    ${out}    \\EFI\\DTS\\grubx64.efi
+    # For 80x25 TUI resolution 3 arrows down to highlight "Do NOT trust"
+    # Then 3 arrows down to skip. First should be DTS which is unsigned
+    Press Key N Times And Enter    6    ${ARROW_DOWN}
+    ${out}=    Read From Terminal
+    Should Contain    ${out}    \\EFI\\ubuntu\\shimx64.efi
+    # This is the expected hash fragment of the test data
+    # \EFI\ubuntu\shimx64.efi (MS UEFI CA 2011).
+    Should Contain    ${out}    9589B8C95168F79243F61922FAA5990DE0A4866DE928736FED65
+    # Rest of the hash is in next line
+    Should Contain    ${out}    8EA7BFF1A5E2
+    # Press "Show key/certificate details"
+    Press Key N Times And Enter    1    ${ARROW_DOWN}
+    ${out}=    Read From Terminal
+    # Check serial number
+    Should Contain    ${out}    6108D3C40000000000
+    # Check Issuer CN
+    Should Contain    ${out}    Third Party Marketplace
+    # Check Subject CN
+    Should Contain    ${out}    UEFI CA 2011
+    # Check Valid Not Before
+    Should Contain    ${out}    2011-06-27 21:22:45 GMT
+    # Check Valid Not After
+    Should Contain    ${out}    2026-06-27 21:32:45 GMT
+
+SVB004.003 Sovereign Boot Wizard verifies signature correctly
+    [Documentation]    This test aims to verify that wizard verifies signatures properly.
+    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SVB004.003 not supported
+    Power On
+    Read From Terminal Until    Sovereign Boot Provisioning Wizard
+    Read From Terminal Until    restored default system settings.
+    # Select Sovereign Boot, it should wipe out the keys.
+    Press Key N Times And Enter    1    ${ARROW_DOWN}
+    Read From Terminal Until    A new bootloader/key has been detected.
+    # First comes DTS, it should be unsigned
+    Log To Console    \nChecking if Wizard detects unsigned images correctly:
+    ${out}=    Read From Terminal Until    Do you want to trust
+    Should Contain    ${out}    \\EFI\\DTS\\grubx64.efi
+    Should Contain    ${out}    !!! Image is unsigned !!!
+    Log To Console    ${SPACE}PASS\n
+    # For 80x25 TUI resolution 3 arrows down to highlight "Do NOT trust"
+    # Then 3 arrows down to skip.
+    Log To Console    \nChecking if Wizard detects invalid signatures correctly:
+    Press Key N Times And Enter    6    ${ARROW_DOWN}
+
+    # Locate redhat shimx64.efi. It is delibarately patched to fail signature verification
+    Wait Until Keyword Succeeds    10x    10s
+    ...    Locate Bootloader    \\EFI\\redhat\\shimx64.efi
+    # Arrow up to Trust
+    Press Key N Times And Enter    1    ${ARROW_UP}
+    ${out}=    Read From Terminal Until    [ Yes ]
+    Should Contain    ${out}    Are you sure you want to trust
+    Press Enter
+    Sleep    2s
+    ${out}=    Read From Terminal
+    Should Contain    ${out}    The image signature verification failed with this certificate.
+    # Press enter to abort the process
+    Press Enter
+    Log To Console    ${SPACE}PASS\n
+    # Back to skip button
+    Press Key N Times    1    ${ARROW_DOWN}
+    Log To Console    \nChecking if Wizard can trust valid signatures:
+    # Locate debian shimx64.efi and trust it.
+    Wait Until Keyword Succeeds    10x    10s
+    ...    Locate Bootloader    \\EFI\\debian\\shimx64.efi
+    # Arrow up to Trust
+    Press Key N Times And Enter    1    ${ARROW_UP}
+    ${out}=    Read From Terminal Until    [ Yes ]
+    Should Contain    ${out}    Are you sure you want to trust
+    Press Enter
+    ${out}=    Read From Terminal
+    # Should move to next cert in the debian shimx64.efi without errors
+    Should Contain    ${out}    8B458FDB1D6F0A9D0650C1486D2644BF398A6CABAFA97CBA8B40
+    Should Not Contain    ${out}    Can not add the certificate as trusted.
+    Log To Console    ${SPACE}PASS\n
+
+SVB004.004 Sovereign Boot Wizard enroll ephemeral PK correctly
+    [Documentation]    This test aims to verify that wizard enrolls ephemeral PK correctly.
+    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SVB004.002 not supported
+    Power On
+    Read From Terminal Until    Sovereign Boot Provisioning Wizard
+    Read From Terminal Until    restored default system settings.
+    # Select Sovereign Boot, it should wipe out the keys.
+    Press Key N Times And Enter    1    ${ARROW_DOWN}
+    Read From Terminal Until    A new bootloader/key has been detected.
+    # For 80x25 TUI resolution 3 arrows down to highlight "Do NOT trust"
+    # Then 3 arrows down to skip.
+    Press Key N Times And Enter    6    ${ARROW_DOWN}
+    # Locate redhat shimx64.efi and trust it.
+    Wait Until Keyword Succeeds    10x    10s
+    ...    Locate Bootloader    \\EFI\\ubuntu\\shimx64.efi
+    # Arrow up 2x to Trust and boot
+    Press Key N Times And Enter    2    ${ARROW_UP}
+    ${out}=    Read From Terminal Until    [ Yes ]
+    Should Contain    ${out}    Are you sure you want to trust
+    Press Enter
+    Read From Terminal Until    Sovereign Boot provisioning successful.
+    # Should boot to GRUB after a while
+    Read From Terminal Until    grub>
+    Tianocore Reset System
+    # CHeck if RSA2048 is visible i nthe PK options in Secure Boot menu
+    ${sb_menu}=    Enter Secure Boot Menu And Return Construction
+    ${adv_sb_menu}=    Enter Advanced Secure Boot Keys Management And Return Construction    ${sb_menu}
+    ${pk_opts_menu}=    Enter PK Options    ${adv_sb_menu}    ${FALSE}
+    Should Contain    ${pk_opts_menu}    RSA2048
+
 
 *** Keywords ***
 Enter UEFI Shell From Setup
@@ -201,3 +355,22 @@ Enter Secure Boot Menu From Setup
     Enter Submenu From Snapshot    ${device_mgr_menu}    Secure Boot Configuration
     ${sb_menu}=    Get Secure Boot Menu Construction
     RETURN    ${sb_menu}
+
+Reset To Defaults
+    ${main_menu}=    Enter Setup Menu Tianocore And Return Construction
+    Read From Terminal
+    Press Key N Times    1    ${F9}
+    Read From Terminal Until    ignore.
+    Write Bare Into Terminal    y
+
+Locate Bootloader
+    [Arguments]    ${bootloader_file}
+    ${out}=    Read From Terminal
+    ${status}=    Run Keyword And Return Status
+    ...    Should Contain    ${out}    ${bootloader_file}
+    IF    not ${status}
+        # If not found skip to next bootloader
+        Press Enter
+        # Just to fail the keyword and repeat execution
+        Should Be True    ${status}
+    END
diff --git a/lib/secure-boot-lib.robot b/lib/secure-boot-lib.robot
@@ -178,6 +178,15 @@ Enter Enroll DB Signature Using File In DB Options
     ...    opt_only=${FALSE}
     Enter Submenu From Snapshot    ${enroll_sig_menu}    Enroll Signature Using File
 
+Enter PK Options
+    [Documentation]    Keyword enters PK Option in Secure Boot Menu.
+    [Arguments]    ${advanced_menu}    ${opt_only}=${TRUE}
+    ${pk_opts_menu}=    Enter Submenu From Snapshot And Return Construction
+    ...    ${advanced_menu}
+    ...    PK Options
+    ...    opt_only=${opt_only}
+    RETURN    ${pk_opts_menu}
+
 Enter Volume In File Explorer
     [Documentation]    Enter the given volume
     [Arguments]    ${target_volume}