Handle secureboot on&off for ima_evm tests

lib/bootloader_setup.pm

@@ -334,7 +334,8 @@ sub uefi_bootmenu_params {
     # assume bios+grub+anim already waited in start.sh
     # in grub2 it's tricky to set the screen resolution
     #send_key_until_needlematch('grub2-enter-edit-mode', 'e', 5, 0.5);
-    (is_jeos) ? send_key_until_needlematch('grub2-enter-edit-mode', 'e', 5, 0.5)
+    (is_jeos)
+      ? send_key_until_needlematch('grub2-enter-edit-mode', 'e', 5, 0.5)
       : send_key 'e';
     # Kiwi in TW uses grub2-mkconfig instead of the custom kiwi config
     # Locate gfxpayload parameter and update it
@@ -647,14 +648,17 @@ sub autoyast_boot_params {
         $autoyast_args .= "$proto://10.0.2.1/";
         $autoyast_args .= 'data/' if $ay_var !~ /^aytests\//;
         $autoyast_args .= $ay_var;
-    } elsif ($ay_var =~ /^ASSET_\d+$/) {
+    }
+    elsif ($ay_var =~ /^ASSET_\d+$/) {
         # In case profile is uploaded as an ASSET we need just filename
         $ay_var = basename(get_required_var($ay_var));
         $autoyast_args .= autoinst_url("/assets/other/$ay_var");
-    } elsif ($ay_var !~ /^slp$|:\/\//) {
+    }
+    elsif ($ay_var !~ /^slp$|:\/\//) {
         # Getting profile from the worker as openQA asset
         $autoyast_args .= data_url($ay_var);
-    } else {
+    }
+    else {
         # Getting profile by direct url or slp
         $autoyast_args .= $ay_var;
     }
@@ -772,7 +776,8 @@ sub remote_install_bootmenu_params {
         if (is_sle('=11-sp4')) {
             #11-SP4 only support ssh=1
             $params .= " ssh=1 VNC=1 VNCSize=1024x768 VNCPassword=$testapi::password ";
-        } else {
+        }
+        else {
             $params .= " sshd=1 VNC=1 VNCSize=1024x768 VNCPassword=$testapi::password ";
         }
     }
@@ -894,7 +899,12 @@ sub tianocore_enter_menu {
 }
 
 sub tianocore_disable_secureboot {
-    my $basetest = shift;
+
+    my ($basetest, $revert) = @_;
+
+    my $neelle_sb_conf_attempt = $revert ? 'tianocore-devicemanager-sb-conf-disabled' : 'tianocore-devicemanager-sb-conf-attempt-sb';
+    my $neelle_sb_change_state = $revert ? 'tianocore-devicemanager-sb-conf-enabled' : 'tianocore-devicemanager-sb-conf-attempt-sb';
+    my $neelle_sb_config_state = $revert ? 'tianocore-secureboot-enabled' : 'tianocore-secureboot-not-enabled';
 
     assert_screen 'grub2';
     send_key 'c';
@@ -906,18 +916,18 @@ sub tianocore_disable_secureboot {
     send_key 'ret';
     send_key_until_needlematch('tianocore-devicemanager-sb-conf', 'down', 5, 5);
     send_key 'ret';
-    send_key_until_needlematch('tianocore-devicemanager-sb-conf-attempt-sb', 'down', 5, 5);
+    send_key_until_needlematch($neelle_sb_conf_attempt, 'down', 5, 5);
     send_key 'spc';
     assert_screen 'tianocore-devicemanager-sb-conf-changed';
     send_key 'ret';
-    assert_screen 'tianocore-devicemanager-sb-conf-attempt-sb';
+    assert_screen($neelle_sb_change_state);
     send_key 'f10';
     assert_screen 'tianocore-bootmanager-save-changes';
     send_key 'Y';
     send_key_until_needlematch 'tianocore-devicemanager', 'esc';
     send_key_until_needlematch 'tianocore-mainmenu-reset', 'down';
     send_key 'ret';
-    send_key 'ret' if check_screen('tianocore-secureboot-not-enabled', 20);
+    send_key 'ret' if check_screen($neelle_sb_config_state, 20);
     $basetest->wait_grub;
 }
 
@@ -990,7 +1000,8 @@ sub zkvm_add_disk {
             my $name = $svirt->name;
             my $patched_img = "$zkvm_img_path/$name" . "a.img";
             $svirt->add_disk({file => $patched_img, dev_id => 'a'});
-        } else {
+        }
+        else {
             # Copy existing disk image to local storage
             if (get_var("HDD_$di")) {
                 my $basename = basename(get_var("HDD_$di"));
@@ -1002,10 +1013,12 @@ sub zkvm_add_disk {
                 if (my $size = get_var("HDDSIZEGB_$di")) {
                     $size .= "G";
                     $svirt->add_disk({file => $hdd_path, backingfile => 1, dev_id => $dev_id, size => $size});
-                } else {
+                }
+                else {
                     $svirt->add_disk({file => $hdd_path, backingfile => 1, dev_id => $dev_id});
                 }
-            } else {
+            }
+            else {
                 # Create a new image, most likely it can be image for installation
                 # or additional optional drive for further testing
                 my $size = sprintf("%dG", get_var("HDDSIZEGB_$di", get_var('HDDSIZEGB', 4)));
@@ -1021,18 +1034,22 @@ sub zkvm_add_pty {
     my ($svirt) = shift;
 
     # serial console used for the serial log
-    $svirt->add_pty({
+    $svirt->add_pty(
+        {
             pty_dev => SERIAL_CONSOLE_DEFAULT_DEVICE,
             pty_dev_type => 'pty',
             target_type => 'sclp',
-            target_port => SERIAL_CONSOLE_DEFAULT_PORT});
+            target_port => SERIAL_CONSOLE_DEFAULT_PORT
+        });
 
     # sut-serial (serial terminal: emulation of QEMU's virtio console for svirt)
-    $svirt->add_pty({
+    $svirt->add_pty(
+        {
             pty_dev => SERIAL_TERMINAL_DEFAULT_DEVICE,
             pty_dev_type => 'pty',
             target_type => 'virtio',
-            target_port => SERIAL_TERMINAL_DEFAULT_PORT});
+            target_port => SERIAL_TERMINAL_DEFAULT_PORT
+        });
 }
 
 sub zkvm_add_interface {
@@ -1147,7 +1164,10 @@ sub add_grub_cmdline_settings {
             add => $add,
             update_grub => 0,
             search => get_cmdline_var(),
-        }, ['update_grub', 'search'], @_);
+        },
+        ['update_grub', 'search'],
+        @_
+    );
 
     change_grub_config('"$', " $add\"", $args{search}, "g", $args{update_grub});
 }
@@ -1181,7 +1201,10 @@ sub replace_grub_cmdline_settings {
             new => $new,
             update_grub => 0,
             search => get_cmdline_var(),
-        }, ['update_grub', 'search'], @_);
+        },
+        ['update_grub', 'search'],
+        @_
+    );
     change_grub_config($old, $new, $args{search}, "g", $args{update_grub});
 }
 
@@ -1278,7 +1301,8 @@ sub compare_bootparams {
     my @difference = arrays_subset($expected_boot_params, $received_boot_params);
     if (scalar @difference > 0) {
         record_info("params mismatch", "Actual bootloader params do not correspond to the expected ones. Mismatched params: @difference", result => 'fail');
-    } else {
+    }
+    else {
         record_info("params ok", "Bootloader parameters are typed correctly.\nVerified parameters:\n" . join("\n", @{$expected_boot_params}));
     }
 }
@@ -1364,11 +1388,13 @@ sub prepare_disks {
         if (get_var('ENCRYPT_ACTIVATE_EXISTING') || get_var('ENCRYPT_CANCEL_EXISTING')) {
             create_encrypted_part(disk => $d);
             if (get_var('ETC_PASSWD') && get_var('ETC_SHADOW')) {
-                mimic_user_to_import(disk => $d,
+                mimic_user_to_import(
+                    disk => $d,
                     passwd => get_var('ETC_PASSWD'),
                     shadow => get_var('ETC_SHADOW'));
             }
-        } else {
+        }
+        else {
             script_run "parted /dev/$d mklabel gpt";
             script_run "sync";
         }

tests/security/ima/evm_protection_digital_signatures.pm

@@ -3,16 +3,16 @@
 #
 # Summary: Test EVM protection using digital signatures
 # Note: This case should come after 'evm_protection_hmacs'
-# Maintainer: llzhao <llzhao@suse.com>
-# Tags: poo#53582, poo#92347
+# Maintainer: llzhao <llzhao@suse.com>, rfan1 <richard.fan@suse.com>
+# Tags: poo#53579, poo#100694, poo#102311
 
-use base "opensusebasetest";
+use base 'opensusebasetest';
 use strict;
 use warnings;
 use testapi;
 use utils;
-use bootloader_setup "replace_grub_cmdline_settings";
-use power_action_utils "power_action";
+use bootloader_setup qw(replace_grub_cmdline_settings tianocore_disable_secureboot);
+use power_action_utils 'power_action';
 
 sub run {
     my ($self) = @_;
@@ -61,7 +61,11 @@ sub run {
     }
     else {
         replace_grub_cmdline_settings('evm=fix ima_appraise=fix', '', update_grub => 1);
+
+        # We need re-enable the secureboot after removing "ima_appraise=fix" kernel parameter
         power_action('reboot', textmode => 1);
+        $self->wait_grub(bootloader_time => 200);
+        $self->tianocore_disable_secureboot('re_enable');
         $self->wait_boot(textmode => 1);
         $self->select_serial_terminal;
 

tests/security/ima/evm_protection_hmacs.pm

@@ -1,18 +1,18 @@
-# Copyright 2019-2020 SUSE LLC
+# Copyright 2019-2021 SUSE LLC
 # SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Summary: Test EVM protection using HMACs
 # Note: This case should come after 'evm_setup'
-# Maintainer: llzhao <llzhao@suse.com>
-# Tags: poo#53579
+# Maintainer: llzhao <llzhao@suse.com>, rfan1 <richard.fan@suse.com>
+# Tags: poo#53579, poo#100694, poo#102311
 
-use base "opensusebasetest";
+use base 'opensusebasetest';
 use strict;
 use warnings;
 use testapi;
 use utils;
-use bootloader_setup "replace_grub_cmdline_settings";
-use power_action_utils "power_action";
+use bootloader_setup qw(replace_grub_cmdline_settings tianocore_disable_secureboot);
+use power_action_utils 'power_action';
 
 sub run {
     my ($self) = @_;
@@ -40,7 +40,10 @@ sub run {
 
     replace_grub_cmdline_settings('evm=fix ima_appraise=fix', '', update_grub => 1);
 
+    # We need re-enable the secureboot after removing "ima_appraise=fix" kernel parameter
     power_action('reboot', textmode => 1);
+    $self->wait_grub(bootloader_time => 200);
+    $self->tianocore_disable_secureboot('re_enable');
     $self->wait_boot(textmode => 1);
     $self->select_serial_terminal;
     my $ret = script_output($sample_cmd, 30, proceed_on_failure => 1);

tests/security/ima/evm_setup.pm

@@ -1,18 +1,18 @@
-# Copyright 2019 SUSE LLC
+# Copyright 2019-2021 SUSE LLC
 # SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Summary: Setup environment for EVM protection testing
 # Note: This case should come after 'ima_setup'
-# Maintainer: llzhao <llzhao@suse.com>
-# Tags: poo#53579
+# Maintainer: llzhao <llzhao@suse.com>, rfan1 <richard.fan@suse.com>
+# Tags: poo#53579, poo#100694, poo#102311
 
-use base "opensusebasetest";
+use base 'opensusebasetest';
 use strict;
 use warnings;
 use testapi;
 use utils;
-use bootloader_setup "add_grub_cmdline_settings";
-use power_action_utils "power_action";
+use bootloader_setup qw(replace_grub_cmdline_settings tianocore_disable_secureboot);
+use power_action_utils 'power_action';
 
 sub run {
     my ($self) = @_;
@@ -38,7 +38,10 @@ sub run {
 
     add_grub_cmdline_settings("evm=fix ima_appraise=fix ima_appraise_tcb", update_grub => 1);
 
-    power_action('reboot', textmode => 1);
+    record_info("bsc#1189988: ", "We need disable secureboot with ima fix mode");
+    power_action("reboot", textmode => 1);
+    $self->wait_grub(bootloader_time => 200);
+    $self->tianocore_disable_secureboot;
     $self->wait_boot(textmode => 1);
     $self->select_serial_terminal;
 

tests/security/ima/ima_appraisal_audit.pm

@@ -6,13 +6,13 @@
 # Maintainer: llzhao <llzhao@suse.com>
 # Tags: poo#49568, poo#92347
 
-use base "opensusebasetest";
+use base 'opensusebasetest';
 use strict;
 use warnings;
 use testapi;
 use utils;
 use bootloader_setup qw(add_grub_cmdline_settings replace_grub_cmdline_settings);
-use power_action_utils "power_action";
+use power_action_utils 'power_action';
 
 sub audit_verify {
 }
@@ -44,7 +44,7 @@ sub run {
 
         # Test both default(no ima_apprais=) and ima_appraise=log situation
         add_grub_cmdline_settings("ima_appraise=log", update_grub => 1);
-        power_action('reboot', textmode => 1);
+        power_action("reboot", textmode => 1);
         $self->wait_boot(textmode => 1);
         $self->select_serial_terminal;
 

tests/security/ima/ima_appraisal_digital_signatures.pm

@@ -2,16 +2,16 @@
 # SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Summary: Test IMA appraisal using digital signatures
-# Maintainer: llzhao <llzhao@suse.com>
-# Tags: poo#49154, poo#92347
+# Maintainer: llzhao <llzhao@suse.com>, rfan1 <richard.fan@suse.com>
+# Tags: poo#53579, poo#100694, poo#102311
 
-use base "opensusebasetest";
+use base 'opensusebasetest';
 use strict;
 use warnings;
 use testapi;
 use utils;
-use bootloader_setup qw(add_grub_cmdline_settings replace_grub_cmdline_settings);
-use power_action_utils "power_action";
+use bootloader_setup qw(add_grub_cmdline_settings replace_grub_cmdline_settings tianocore_disable_secureboot);
+use power_action_utils 'power_action';
 
 sub run {
     my ($self) = @_;
@@ -22,12 +22,15 @@ sub run {
     my $sample_cmd = 'yes --version';
 
     my $mok_priv = '/root/certs/key.asc';
-    my $cert_der = "/root/certs/ima_cert.der";
-    my $mok_pass = "suse";
+    my $cert_der = '/root/certs/ima_cert.der';
+    my $mok_pass = 'suse';
 
     add_grub_cmdline_settings("ima_appraise=fix", update_grub => 1);
 
-    power_action('reboot', textmode => 1);
+    # We need re-enable the secureboot after removing "ima_appraise=fix" kernel parameter
+    power_action("reboot", textmode => 1);
+    $self->wait_grub(bootloader_time => 200);
+    $self->tianocore_disable_secureboot;
     $self->wait_boot(textmode => 1);
     $self->select_serial_terminal;
 
@@ -65,9 +68,10 @@ sub run {
         replace_grub_cmdline_settings('ima_appraise=fix', '', update_grub => 1);
 
         power_action('reboot', textmode => 1);
+        $self->wait_grub(bootloader_time => 200);
+        $self->tianocore_disable_secureboot('re_enable');
         $self->wait_boot(textmode => 1);
         $self->select_serial_terminal;
-
         assert_script_run "dmesg | grep IMA:.*completed";
 
         # Remove security.ima attribute manually, and verify it is empty