|
1 | 1 | import logging
|
2 | 2 | import pytest
|
3 | 3 |
|
| 4 | +from lib.efi import EFIAuth, ms_certs |
| 5 | +from lib.vm import VM |
| 6 | + |
4 | 7 | from .utils import _test_key_exchanges, boot_and_check_no_sb_errors, boot_and_check_sb_failed, \
|
5 | 8 | boot_and_check_sb_succeeded, generate_keys, revert_vm_state, sign_efi_bins
|
6 | 9 |
|
@@ -153,3 +156,102 @@ def test_key_exchanges(self, uefi_vm):
|
153 | 156 | vm.set_uefi_setup_mode()
|
154 | 157 |
|
155 | 158 | _test_key_exchanges(vm)
|
| 159 | + |
| 160 | +@pytest.mark.small_vm |
| 161 | +@pytest.mark.usefixtures("host_at_least_8_3") |
| 162 | +@pytest.mark.usefixtures("windows_vm") |
| 163 | +class TestGuestWindowsUEFIKeyUpgrade: |
| 164 | + @pytest.fixture(autouse=True) |
| 165 | + def setup_and_cleanup(self, uefi_vm_and_snapshot): |
| 166 | + vm, snapshot = uefi_vm_and_snapshot |
| 167 | + yield |
| 168 | + revert_vm_state(vm, snapshot) |
| 169 | + |
| 170 | + def install_old_certs(self, vm: VM): |
| 171 | + """Populate a key set that looks like the old defaults.""" |
| 172 | + |
| 173 | + PK = EFIAuth.self_signed("PK") |
| 174 | + KEK = EFIAuth.self_signed("KEK", other_certs=[ms_certs.kek_ms_2011()]) |
| 175 | + db = EFIAuth("db", other_certs=[ms_certs.db_uefi_2011(), ms_certs.db_win_2011()]) |
| 176 | + # Some test VMs don't like an empty dbx when their own dbx is empty, so just put whatever in there |
| 177 | + dbx = EFIAuth.self_signed("dbx") |
| 178 | + |
| 179 | + PK.sign_auth(PK) |
| 180 | + PK.sign_auth(KEK) |
| 181 | + KEK.sign_auth(db) |
| 182 | + KEK.sign_auth(dbx) |
| 183 | + |
| 184 | + vm.install_uefi_certs([PK, KEK, db, dbx]) |
| 185 | + return [PK, KEK, db, dbx] |
| 186 | + |
| 187 | + def install_new_certs(self, vm: VM, signer: EFIAuth): |
| 188 | + """Populate a key set that looks like the new defaults with 2023 MS keys.""" |
| 189 | + |
| 190 | + newPK = EFIAuth.self_signed("PK") |
| 191 | + newKEK = EFIAuth("KEK", other_certs=[ms_certs.kek_ms_2011(), ms_certs.kek_ms_2023()]) |
| 192 | + newdb = EFIAuth( |
| 193 | + "db", |
| 194 | + other_certs=[ |
| 195 | + ms_certs.db_win_2011(), |
| 196 | + ms_certs.db_win_2023(), |
| 197 | + ms_certs.db_uefi_2011(), |
| 198 | + ms_certs.db_uefi_2023(), |
| 199 | + ms_certs.db_oprom_2023(), |
| 200 | + ], |
| 201 | + ) |
| 202 | + newdbx = EFIAuth("dbx") |
| 203 | + |
| 204 | + newPK.sign_auth(newPK) |
| 205 | + # Technically, there's no need to sign the other databases since we're setting them from Dom0. |
| 206 | + # If signing with the old PK works, there'd be no need to test signing with the new PK. |
| 207 | + # We use an invalid signer to test scenarios where the user mixes and matches default and custom keys. |
| 208 | + signer.sign_auth(newKEK) |
| 209 | + signer.sign_auth(newdb) |
| 210 | + signer.sign_auth(newdbx) |
| 211 | + |
| 212 | + vm.install_uefi_certs([newPK, newKEK, newdb, newdbx]) |
| 213 | + |
| 214 | + def test_key_upgrade(self, uefi_vm: VM): |
| 215 | + vm = uefi_vm |
| 216 | + vm.param_set("platform", True, key="secureboot") |
| 217 | + assert not vm.get_vtpm_uuid() |
| 218 | + vm.create_vtpm() |
| 219 | + |
| 220 | + PK, _, _, _ = self.install_old_certs(vm) |
| 221 | + boot_and_check_sb_succeeded(vm) |
| 222 | + |
| 223 | + vm.shutdown(verify=True) |
| 224 | + |
| 225 | + self.install_new_certs(vm, PK) |
| 226 | + boot_and_check_sb_succeeded(vm) |
| 227 | + |
| 228 | + def test_key_upgrade_bitlocker(self, uefi_vm: VM): |
| 229 | + vm = uefi_vm |
| 230 | + vm.param_set("platform", True, key="secureboot") |
| 231 | + assert not vm.get_vtpm_uuid() |
| 232 | + vm.create_vtpm() |
| 233 | + |
| 234 | + PK, _, _, _ = self.install_old_certs(vm) |
| 235 | + boot_and_check_sb_succeeded(vm) |
| 236 | + |
| 237 | + vm.execute_powershell_script("Add-WindowsFeature BitLocker,EnhancedStorage") |
| 238 | + vm.reboot(verify=True) |
| 239 | + |
| 240 | + vm.execute_powershell_script("Enable-BitLocker $Env:SystemDrive -TpmProtector -UsedSpaceOnly") |
| 241 | + # Confirm if PCR7 is bound. |
| 242 | + assert vm.execute_powershell_script( |
| 243 | + r"""Get-CimInstance -Namespace Root\CIMV2\Security\MicrosoftVolumeEncryption ` |
| 244 | +-Query "select * from Win32_EncryptableVolume where VolumeType=0" | |
| 245 | +Invoke-CimMethod -MethodName GetSecureBootBindingState | |
| 246 | +Where-Object ReturnValue -eq 0 | |
| 247 | +Select-Object -ExpandProperty BindingState""" |
| 248 | + ) == "3" # Bound |
| 249 | + vm.execute_powershell_script("Suspend-BitLocker $Env:SystemDrive") |
| 250 | + vm.shutdown(verify=True) |
| 251 | + |
| 252 | + self.install_new_certs(vm, PK) |
| 253 | + boot_and_check_sb_succeeded(vm) |
| 254 | + |
| 255 | + # After Enable-BitLocker, Windows would boot into encryption test. |
| 256 | + # If the test failed, Windows would cancel the encryption and give the status FullyDecrypted. |
| 257 | + assert vm.execute_powershell_script("(Get-BitLockerVolume $Env:SystemDrive).VolumeStatus") != "FullyDecrypted" |
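Review bot: The last assertion in `test_key_upgrade_bitlocker` is a negative match (`!= "FullyDecrypted"`), so an empty string or any unexpected output from the PowerShell call also passes and the test can succeed without BitLocker having survived the key change. An allow-list is stricter, e.g. `assert vm.execute_powershell_script("(Get-BitLockerVolume $Env:SystemDrive).VolumeStatus") in ("EncryptionInProgress", "FullyEncrypted")`; the exact set of acceptable states depends on how far encryption has progressed at that point, so confirm it against a real run. Because `Suspend-BitLocker` runs before the new certificates are installed, the test also never shows that the volume is still bound to Secure Boot state afterwards; it may be worth repeating the `GetSecureBootBindingState` query after the second boot. Separately, the comment in `install_new_certs` speaks of "an invalid signer" while both callers pass the old PK, so a sentence saying why the old PK counts as invalid once `newPK` is installed would help.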