petri: Disable secure boot by default for HyperV tests and introduce secure boot tests #1386
Think the title and description need updating

Oh, I kept the title for now since this might still be a work in progress. I made this PR away from draft so that I can test the CI runs

Well it's still a WIP, but the change we're actually making is the opposite of the current title
…, added no template test, unified hyperv and openvmm logic
…pass, remove hyperv_uefi_* tests
smalis-msft
left a comment
LGTM, but Trevor should probably take a pass on the hyperv changes
…secure boot tests (microsoft#1386)

This PR focuses on:
- Disabling secure boot for HyperV VMs by default. This matches the default configuration of OpenVMM tests
- Introduce (for HyperV) // Modify (for OpenVMM) the `with_secure_boot` function to only enable secure boot
- `with_windows_secure_boot_template()` and `with_uefi_ca_secure_boot_template()` are now only responsible for injecting the templates
- Adds multiarch secure_boot tests and mismatched secure boot tests
Bring release/2505 up to speed with the latest improvements to Petri in main. Includes the following changes:

**petri: Disable secure boot by default for HyperV tests and introduce secure boot tests (#1386)**

- Disables secure boot for HyperV VMs by default. This matches the default configuration of OpenVMM tests
- Introduces (for HyperV) / Modify (for OpenVMM) the `with_secure_boot` function to only enable secure boot
- `with_windows_secure_boot_template()` and `with_uefi_ca_secure_boot_template()` are now only responsible for injecting the templates
- Adds multiarch secure_boot tests and mismatched secure boot tests

**vmm_tests: add hyperv openhcl servicing tests (#1648)**

This change adds basic support for OpenHCL servicing using Hyper-V as the VMM. This increases coverage on x64, and crucially, adds some OpenHCL servicing coverage on aarch64. This is foundational work in service of validating the nvme keepalive feature.

**petri: use generics instead of Box for backends (#1669)**

Refactors petri to use generics instead of Box for backends. This should reduce duplicate code going forward and makes it possible to use generics in backend-agnostic configuration functions.

**petri: extra wait for shutdown ic, move to generic (#1760)**

Always wait an extra second after the shutdown IC reports OK to hopefully get around some occasional flakiness where the shutdown IC hangs if the request is sent too early. This change also moves the handling of the delay, including guest quirks, into the generic `PetriVm` instead of being backend-specific. Backends could still add extra time via an additional wait in `wait_for_enlightened_shutdown_ready` if necessary.

**petri: use cloudinit even if not using pipette (#1778)**

This change makes using pipette for vtl0 optional, which allows us to use the unrelated parts of cloudinit to speed up boot on Ubuntu 24.04.

**petri: don't try to start pipette on reboot if it doesn't exist (#1793)**

Only try launch pipette for linux direct on reboot if pipette is included in the CI data disk. (Bug fix for above)

**petri: increase shutdown IC extra wait (#1813)**

VMs are still occasionally dropping the shutdown request, so increase the extra wait time a bit more. Also switches to using an agent for the "heavy" tests that didn't need to be no_agent.

**petri: hyperv watchdogs and screenshots (#1826)**

Take screenshots and collect inspect info using a watchdog when using the Hyper-V backend as well as OpenVMM

**petri/hyperv: Don't attempt screenshots when isolated (#1882)**

Isolation blocks access to graphics forwarding from the guest, so this will error out every time. Removes a bunch of error logs from cvm hyperv tests.

**petri: truncate VM names to respect Hyper-V 100-character limit (#1739)**

Hyper-V limits VM names to 100 characters, but Petri's test names can exceed this limit.

**petri: unblock commands and use com3 for hyper-v kmsg logs when possible (#1176)**

Using COM3 instead of diag_client allows us to get OpenHCL logs if it crashes early in boot. Currently this only works on our TDX and SNP runners, since our nested runners have a build of windows that is too old and additional com ports are not yet supported on ARM. To make this work, the powershell and hvc commands needed to be run in a separate process (using the `unblock` function) to avoid blocking the process doing the logging. Also fixes guest serial logs that fail to reconnect after os error 231 (ubuntu 22.04 tests).

**petri: hyper-v reset support (#1916)**

Add support for guest resets for the Hyper-V petri backend. Refactors some of the framebuffer code to make this possible. Enables Hyper-V reboot tests that are now possible due to this change. Also includes some other minor Petri refactoring to move more logic into backend-agnostic code.

**petri: use vhdmp to create differencing disks (#1964)**

Use the Win32 VirtualDisk APIs instead of powershell for creating differencing disks in Petri. Issue #1600

---------

Co-authored-by: Maheer Aeron <maheeraeron@microsoft.com>
Co-authored-by: Matt LaFayette (Kurjanowicz) <mattkur@microsoft.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mattkur <13772048+mattkur@users.noreply.github.com>
Co-authored-by: Steven Malis <137308034+smalis-msft@users.noreply.github.com>
Co-authored-by: benhillis <17727402+benhillis@users.noreply.github.com>
Co-authored-by: Ben Hillis <benhillis@gmail.com>
Backported to release/2505 in #1947
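This PR focuses on:

- Disabling secure boot for HyperV VMs by default. This matches the default configuration of OpenVMM tests
- Introduce (for HyperV) // Modify (for OpenVMM) the `with_secure_boot` function to only enable secure boot
- `with_windows_secure_boot_template()` and `with_uefi_ca_secure_boot_template()` are now only responsible for injecting the templates
- Adds multiarch secure_boot tests and mismatched secure boot tests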
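
The split described above (enforcement toggled by `with_secure_boot`, trust anchors chosen by the template functions) can be sketched as a small model. This is an added example, not petri's code: `VmConfig`, `Template`, `Signer`, `boots` and `linux_guest_matrix` are hypothetical, and the mapping of each template to the boot loader signer it trusts, plus the "no template trusts nothing" rule, are assumptions of the model.

```rust
// Hypothetical model, not petri's API: only the three builder names come from the PR.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Template { Windows, UefiCa }

// Who signed the guest's first-stage boot loader (constructed categories).
#[derive(Clone, Copy, PartialEq, Debug)]
enum Signer { WindowsProduction, ThirdPartyUefiCa }

#[derive(Default, Debug)]
struct VmConfig { secure_boot: bool, template: Option<Template> }

impl VmConfig {
    /// Only turns enforcement on; does not pick trusted keys.
    fn with_secure_boot(mut self) -> Self { self.secure_boot = true; self }
    /// Only injects a template; does not turn enforcement on.
    fn with_windows_secure_boot_template(mut self) -> Self {
        self.template = Some(Template::Windows); self
    }
    fn with_uefi_ca_secure_boot_template(mut self) -> Self {
        self.template = Some(Template::UefiCa); self
    }

    /// Would the firmware start a boot loader signed by `signer`?
    fn boots(&self, signer: Signer) -> bool {
        if !self.secure_boot { return true; } // default: nothing is verified
        match (self.template, signer) {
            (Some(Template::Windows), Signer::WindowsProduction) => true,
            (Some(Template::UefiCa), Signer::ThirdPartyUefiCa) => true,
            _ => false, // mismatched or missing template (model assumption)
        }
    }
}

/// Outcomes for a guest whose loader is signed under the UEFI CA:
/// [default, template only, matched, mismatched].
fn linux_guest_matrix() -> [bool; 4] {
    let s = Signer::ThirdPartyUefiCa;
    [
        VmConfig::default().boots(s),
        VmConfig::default().with_windows_secure_boot_template().boots(s),
        VmConfig::default().with_secure_boot().with_uefi_ca_secure_boot_template().boots(s),
        VmConfig::default().with_secure_boot().with_windows_secure_boot_template().boots(s),
    ]
}

fn main() {
    println!("{:?}", linux_guest_matrix());
}
```

The second entry is the case the separation makes visible: a wrong template with enforcement off still boots, so a mismatched-template test only proves something when `with_secure_boot` is also called.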