From a2805bfae946a3e0c8acbbc7580ac7b17c9f6772 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Sun, 4 Aug 2024 19:13:09 +0530
Subject: [PATCH] ci-automation: qemu: Support passing OVMF vars and
 secure-boot flag

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
---
 ci-automation/ci-config.env                 | 12 ++++----
 ci-automation/vendor-testing/qemu.sh        | 32 +++++++++++++++------
 ci-automation/vendor-testing/qemu_update.sh |  6 ++--
 3 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index 309b12c2116..e321cb4cdd9 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -60,13 +60,15 @@ QEMU_PARALLEL="${PARALLEL_TESTS:-20}"
 # Whether kola can use loop devices to capture serial console output and check for error patterns
 QEMU_KOLA_SKIP_MANGLE="${QEMU_KOLA_SKIP_MANGLE:-}"
 
-# BIOS path within the SDK
-QEMU_BIOS="/usr/share/qemu/bios-256k.bin"
+# Firmware path within the SDK
+QEMU_FIRMWARE="/usr/share/qemu/bios-256k.bin"
 
-# UEFI bios filename on build cache.
+# UEFI firmware filename on build cache.
 # Published by vms.sh as part of the qemu vendor build.
-QEMU_UEFI_BIOS="${QEMU_UEFI_BIOS:-flatcar_production_qemu_uefi_efi_code.fd}"
-QEMU_UEFI_SECURE_BIOS="${QEMU_UEFI_SECURE_BIOS:-flatcar_production_qemu_uefi_secure_efi_code.fd}"
+QEMU_UEFI_FIRMWARE="${QEMU_UEFI_FIRMWARE:-flatcar_production_qemu_uefi_efi_code.fd}"
+QEMU_UEFI_SECURE_FIRMWARE="${QEMU_UEFI_SECURE_FIRMWARE:-flatcar_production_qemu_uefi_secure_efi_code.fd}"
+QEMU_UEFI_OVMF_VARS="${QEMU_UEFI_OVMF_VARS:-flatcar_production_qemu_uefi_efi_vars.fd}"
+QEMU_UEFI_SECURE_OVMF_VARS="${QEMU_UEFI_SECURE_OVMF_VARS:-flatcar_production_qemu_uefi_secure_efi_vars.fd}"
 
 # Update payload for the qemu_update.sh test.
 # The default path set below is relative to TEST_WORK_DIR
diff --git a/ci-automation/vendor-testing/qemu.sh b/ci-automation/vendor-testing/qemu.sh
index 75c97fb8551..62fd76b966b 100755
--- a/ci-automation/vendor-testing/qemu.sh
+++ b/ci-automation/vendor-testing/qemu.sh
@@ -10,6 +10,9 @@ set -euo pipefail
 
 source ci-automation/vendor_test.sh
 
+SECUREBOOT=""
+ovmf_vars=""
+
 # ARM64 qemu tests only supported on UEFI
 if [ "${CIA_ARCH}" = "arm64" ] && [ "${CIA_TESTSCRIPT}" != "qemu_uefi.sh" ] ; then
     echo "1..1" > "${CIA_TAPFILE}"
@@ -21,7 +24,7 @@ if [ "${CIA_ARCH}" = "arm64" ] && [ "${CIA_TESTSCRIPT}" != "qemu_uefi.sh" ] ; th
     exit 1
 fi
 
-# Fetch image and BIOS if not present
+# Fetch image and firmware if not present
 if [ -f "${QEMU_IMAGE_NAME}" ] ; then
     echo "++++ ${CIA_TESTSCRIPT}: Using existing ${QEMU_IMAGE_NAME} for testing ${CIA_VERNUM} (${CIA_ARCH}) ++++"
 else
@@ -31,21 +34,30 @@ else
     lbunzip2 "${QEMU_IMAGE_NAME}.bz2"
 fi
 
-bios="${QEMU_BIOS}"
+firmware="${QEMU_FIRMWARE}"
 if [ "${CIA_TESTSCRIPT}" = "qemu_uefi.sh" ] ; then
-    bios="${QEMU_UEFI_BIOS}"
+  firmware="${QEMU_UEFI_FIRMWARE}"
+  ovmf_vars="${QEMU_UEFI_OVMF_VARS}"
 fi
 
 if [ "${CIA_TESTSCRIPT}" = "qemu_uefi_secure.sh" ] ; then
-    bios="${QEMU_UEFI_SECURE_BIOS}"
+  firmware="${QEMU_UEFI_SECURE_FIRMWARE}"
+  ovmf_vars="${QEMU_UEFI_SECURE_OVMF_VARS}"
+  SECUREBOOT=1
 fi
 
 if [ "${CIA_TESTSCRIPT}" = "qemu_uefi.sh" ] || [ "${CIA_TESTSCRIPT}" = "qemu_uefi_secure.sh" ] ; then
-    if [ -f "${bios}" ] ; then
-        echo "++++ ${CIA_TESTSCRIPT}: Using existing ${bios} ++++"
+  if [ -f "${firmware}" ] ; then
+        echo "++++ ${CIA_TESTSCRIPT}: Using existing ${firmware} ++++"
+    else
+        echo "++++ ${CIA_TESTSCRIPT}: downloading ${firmware} for ${CIA_VERNUM} (${CIA_ARCH}) ++++"
+        copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${firmware}" .
+    fi
+    if [ -f "${ovmf_vars}" ] ; then
+      echo "++++ ${CIA_TESTSCRIPT}: Using existing ${ovmf_vars} ++++"
     else
-        echo "++++ ${CIA_TESTSCRIPT}: downloading ${bios} for ${CIA_VERNUM} (${CIA_ARCH}) ++++"
-        copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${bios}" .
+      echo "++++ ${CIA_TESTSCRIPT}: downloading ${ovmf_vars} for ${CIA_VERNUM} (${CIA_ARCH}) ++++"
+      copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${ovmf_vars}" .
     fi
 fi
 
@@ -68,11 +80,13 @@ kola run \
     --board="${CIA_ARCH}-usr" \
     --parallel="${QEMU_PARALLEL}" \
     --platform=qemu \
-    --qemu-bios="${bios}" \
+    --qemu-firmware="${firmware}" \
     --qemu-image="${QEMU_IMAGE_NAME}" \
     --tapfile="${CIA_TAPFILE}" \
+    "${ovmf_vars:+--qemu-ovmf-vars=${ovmf_vars}}" \
     ${QEMU_KOLA_SKIP_MANGLE:+--qemu-skip-mangle} \
     "${devcontainer_opts[@]}" \
+    ${SECUREBOOT:+--enable-secureboot} \
     "${@}"
 
 set +x
diff --git a/ci-automation/vendor-testing/qemu_update.sh b/ci-automation/vendor-testing/qemu_update.sh
index 4795e278714..d05ee2a9e26 100755
--- a/ci-automation/vendor-testing/qemu_update.sh
+++ b/ci-automation/vendor-testing/qemu_update.sh
@@ -68,9 +68,9 @@ else
     lbunzip2 -k -f tmp/flatcar_production_image_first_dual.bin.bz2
 fi
 
-bios="${QEMU_BIOS}"
+bios="${QEMU_FIRMWARE}"
 if [ "${CIA_ARCH}" = "arm64" ]; then
-    bios="${QEMU_UEFI_BIOS}"
+    bios="${QEMU_UEFI_FIRMWARE}"
     if [ -f "${bios}" ] ; then
         echo "++++ qemu_update.sh: Using existing ./${bios} ++++"
     else
@@ -114,7 +114,7 @@ run_kola_tests() {
       --board="${CIA_ARCH}-usr" \
       --parallel="${QEMU_PARALLEL}" \
       --platform=qemu \
-      --qemu-bios="${bios}" \
+      --qemu-firmware="${bios}" \
       --qemu-image="${image}" \
       --tapfile="${instance_tapfile}" \
       --update-payload="${QEMU_UPDATE_PAYLOAD}" \