Run integration using uroot

.github/workflows/ci.yaml

@@ -3,14 +3,17 @@ on: [push, pull_request]
 jobs:
    arch:
       runs-on: ubuntu-latest
-      container: archlinux:latest
+      container:
+         image: archlinux:latest
+         options: --device /dev/kvm
       steps:
          - run: pacman --noconfirm --noprogressbar -Syu
-         - run: pacman --noconfirm --noprogressbar -S make go asciidoc gcc git
+         - run: pacman --noconfirm --noprogressbar -S make go asciidoc gcc git edk2-ovmf qemu-system-x86
          - uses: actions/checkout@v1
          - run: git config --global --add safe.directory $(pwd)
          - run: make
          - run: make test
+         - run: make integration
          - run: GOBIN=/usr/bin make lint
    void:
       runs-on: ubuntu-latest

.gitignore

@@ -3,4 +3,3 @@ releases/*
 /sbctl
 docs/*.8
 rootfs*
-bzImage

Makefile

@@ -66,7 +66,9 @@ test:
 
 .PHONY: integration
 integration:
-	go test -v tests/integration_test.go
+	# vmtest doesn't allow provide a way to pass --tags to the command that compiles
+	# the test (see: vmtest.RunGoTestsInVM) so we pass it as an env variable.
+	GOFLAGS=--tags=integration go test -v tests/integration_test.go
 
 .PHONY: local-aur
 .ONESHELL:

go.mod

@@ -6,23 +6,50 @@ require (
 	github.com/anatol/vmtest v0.0.0-20220413190228-7a42f1f6d7b8
 	github.com/fatih/color v1.13.0
 	github.com/foxboron/go-uefi v0.0.0-20230808201820-18b9ba9cd4c3
-	github.com/google/go-attestation v0.3.3-0.20210901195502-505680f536da
+	github.com/google/go-attestation v0.5.1
 	github.com/google/uuid v1.3.0
+	github.com/hugelgupf/vmtest v0.0.0-20240110072021-f6f07acb7aa1
+	github.com/onsi/gomega v1.7.1
 	github.com/spf13/afero v1.9.3
 	github.com/spf13/cobra v1.1.3
-	golang.org/x/crypto v0.6.0
-	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
-	golang.org/x/sys v0.5.0
+	golang.org/x/crypto v0.16.0
+	golang.org/x/exp v0.0.0-20231219180239-dc181d75b848
+	golang.org/x/sys v0.15.0
 )
 
 require (
+	github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 // indirect
+	github.com/creack/pty v1.1.21 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/google/certificate-transparency-go v1.1.2 // indirect
-	github.com/google/go-tpm v0.3.2 // indirect
+	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
+	github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 // indirect
+	github.com/josharian/native v1.1.0 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mdlayher/packet v1.1.2 // indirect
+	github.com/mdlayher/socket v0.5.0 // indirect
+	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	github.com/u-root/gobusybox/src v0.0.0-20231224233253-2944a440b6b6 // indirect
+	github.com/u-root/u-root v0.11.1-0.20230807200058-f87ad7ccb594 // indirect
+	github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
+	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	src.elv.sh v0.16.0-rc1.0.20220116211855-fda62502ad7f // indirect
 )

tests/integration_test.go

@@ -1,29 +1,45 @@
+//go:build integration
 // +build integration
 
 package tests
 
 import (
+	"fmt"
+	"io"
 	"log"
 	"os"
 	"os/exec"
+	"path"
 	"testing"
+	"time"
 
-	"github.com/foxboron/sbctl/tests/utils"
+	"github.com/hugelgupf/vmtest"
+	"github.com/hugelgupf/vmtest/qemu"
 )
 
-func TestKeyEnrollment(t *testing.T) {
-	conf := utils.NewConfig()
-	conf.AddFile("sbctl")
-
-	utils.WithVM(conf,
-		func(vm *utils.TestVM) {
-			t.Run("Enroll Keys", vm.RunTest("./integrations/enroll_keys_test.go"))
-		})
+type VMTest struct {
+	ovmf    string
+	secboot string
+}
 
-	utils.WithVM(conf,
-		func(vm *utils.TestVM) {
-			t.Run("Check SecureBoot enabled", vm.RunTest("./integrations/secure_boot_enabled_test.go"))
-		})
+func (vm *VMTest) RunTests(packages ...string) func(t *testing.T) {
+	return func(t *testing.T) {
+		vmtest.RunGoTestsInVM(t, packages,
+			vmtest.WithVMOpt(
+				vmtest.WithSharedDir("ovmf/keys"),
+				vmtest.WithInitramfsFiles("sbctl:bin/sbctl"),
+				vmtest.WithQEMUFn(
+					qemu.WithVMTimeout(time.Minute),
+					qemu.WithQEMUCommand("qemu-system-x86_64 -enable-kvm"),
+					qemu.WithKernel("bzImage"),
+					qemu.ArbitraryArgs(
+						"-m", "1G", "-machine", "type=q35,smm=on",
+						"-drive", fmt.Sprintf("if=pflash,format=raw,unit=0,file=%s,readonly=on", vm.secboot),
+						"-drive", fmt.Sprintf("if=pflash,format=raw,unit=1,file=%s", vm.ovmf),
+					),
+				)),
+		)
+	}
 }
 
 func TestMain(m *testing.M) {
@@ -35,3 +51,61 @@ func TestMain(m *testing.M) {
 	}
 	os.Exit(m.Run())
 }
+
+func TestEnrollement(t *testing.T) {
+	os.Setenv("VMTEST_QEMU", "qemu-system-x86_64")
+	if err := buildSbctl(); err != nil {
+		t.Fatal(err)
+	}
+
+	WithVM(t, func(vm *VMTest) {
+		t.Run("Enroll keys", vm.RunTests("github.com/foxboron/sbctl/tests/integrations/enroll_keys"))
+		t.Run("Secure boot enabled", vm.RunTests("github.com/foxboron/sbctl/tests/integrations/secure_boot_enabled"))
+		t.Run("List enrolled keys", vm.RunTests("github.com/foxboron/sbctl/tests/integrations/list_enrolled_keys"))
+	})
+}
+
+// Sets up the test by making a copy of the OVMF files from the system
+func WithVM(t *testing.T, fn func(*VMTest)) {
+	t.Helper()
+	dir := t.TempDir()
+	vm := VMTest{
+		ovmf:    path.Join(dir, "OVMF_VARS.fd"),
+		secboot: path.Join(dir, "OVMF_CODE.secboot.fd"),
+	}
+	CopyFile("/usr/share/edk2-ovmf/x64/OVMF_VARS.fd", vm.ovmf)
+	CopyFile("/usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd", vm.secboot)
+	fn(&vm)
+}
+
+func CopyFile(src, dst string) bool {
+	source, err := os.Open(src)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer source.Close()
+
+	f, err := os.OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer f.Close()
+	io.Copy(f, source)
+	si, err := os.Stat(src)
+	if err != nil {
+		log.Fatal(err)
+	}
+	err = os.Chmod(dst, si.Mode())
+	if err != nil {
+		log.Fatal(err)
+	}
+	return true
+}
+
+func buildSbctl() error {
+	cmd := exec.Command("go", "build", "../cmd/sbctl")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	return cmd.Run()
+}

tests/integrations/enroll_keys/enroll_keys_test.go

@@ -0,0 +1,34 @@
+//go:build integration
+// +build integration
+
+package main
+
+import (
+	"testing"
+
+	"github.com/foxboron/go-uefi/efi"
+	"github.com/foxboron/sbctl/tests/utils"
+	"github.com/hugelgupf/vmtest/guest"
+	. "github.com/onsi/gomega"
+)
+
+func TestEnrollKeys(t *testing.T) {
+	g := NewWithT(t)
+
+	guest.SkipIfNotInVM(t)
+
+	g.Expect(efi.GetSecureBoot()).To(BeFalse(), "should not be in secure boot mode")
+	g.Expect(efi.GetSetupMode()).To(BeTrue(), "should be in setup mode")
+
+	utils.Exec("rm -rf /usr/share/secureboot")
+	utils.Exec("sbctl status")
+	utils.Exec("sbctl create-keys")
+	out, err := utils.ExecWithOutput("sbctl enroll-keys")
+	g.Expect(err).To(HaveOccurred())
+	g.Expect(out).To(MatchRegexp("Could not find any TPM Eventlog in the system"))
+
+	out, err = utils.ExecWithOutput("sbctl enroll-keys --yes-this-might-brick-my-machine")
+	g.Expect(err).ToNot(HaveOccurred(), out)
+
+	g.Expect(efi.GetSetupMode()).To(BeFalse(), "should no longer be in setup mode")
+}

tests/integrations/list_enrolled_keys/list_enrolled_keys_test.go

@@ -0,0 +1,25 @@
+//go:build integration
+// +build integration
+
+package main
+
+import (
+	"testing"
+
+	"github.com/foxboron/sbctl/tests/utils"
+	"github.com/hugelgupf/vmtest/guest"
+	. "github.com/onsi/gomega"
+)
+
+func TestListEnrolledKeys(t *testing.T) {
+	g := NewWithT(t)
+
+	guest.SkipIfNotInVM(t)
+
+	out, err := utils.ExecWithOutput("sbctl list-enrolled-keys")
+	g.Expect(err).ToNot(HaveOccurred(), out)
+	g.Expect(out).To(SatisfyAll(
+		MatchRegexp("Platform Key"),
+		MatchRegexp("Key Exchange Key"),
+		MatchRegexp("Database Key")))
+}

tests/integrations/secure_boot_enabled/secure_boot_enabled_test.go

@@ -0,0 +1,26 @@
+//go:build integration
+// +build integration
+
+package main
+
+import (
+	"testing"
+
+	"github.com/foxboron/go-uefi/efi"
+	"github.com/foxboron/sbctl/tests/utils"
+	"github.com/hugelgupf/vmtest/guest"
+	. "github.com/onsi/gomega"
+)
+
+func TestSecureBootEnabled(t *testing.T) {
+	g := NewWithT(t)
+
+	guest.SkipIfNotInVM(t)
+
+	g.Expect(efi.GetSecureBoot()).To(BeTrue(), "should be in secure boot mode")
+	g.Expect(efi.GetSetupMode()).To(BeFalse(), "should not be in setup mode")
+
+	out, err := utils.ExecWithOutput("sbctl status")
+	g.Expect(err).ToNot(HaveOccurred(), out)
+	g.Expect(out).To(MatchRegexp("Secure Boot:.*Enabled"))
+}