From 492310fa239c5356f913b50e23e3bb05c1bc2bbb Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Tue, 1 Oct 2024 17:48:08 +0100 Subject: [PATCH 1/3] kola: cork: Handle QCOW2 EFI firmare images and use them by default Forthcoming Flatcar releases will use QCOW2 instead of raw .fd images. Signed-off-by: James Le Cuirot --- README.md | 24 ++++++++++++------------ cmd/cork/downloadimage.go | 2 +- cmd/kola/options.go | 2 +- platform/qemu.go | 17 +++++++++++++++-- 4 files changed, 29 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 0b979262f..00fc64cee 100644 --- a/README.md +++ b/README.md 
@@ -91,17 +91,17 @@ wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_productio wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_image.img.sig gpg --verify flatcar_production_qemu_image.img.sig -wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_uefi_efi_code.fd -wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_uefi_efi_code.fd.sig -gpg --verify flatcar_production_qemu_uefi_efi_code.fd.sig +wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_uefi_efi_code.qcow2 +wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_uefi_efi_code.qcow2.sig +gpg --verify flatcar_production_qemu_uefi_efi_code.qcow2.sig -wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_uefi_efi_vars.fd -wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_uefi_efi_vars.fd.sig -gpg --verify flatcar_production_qemu_uefi_efi_vars.fd.sig +wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_uefi_efi_vars.qcow2 +wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_uefi_efi_vars.qcow2.sig +gpg --verify flatcar_production_qemu_uefi_efi_vars.qcow2.sig sudo ./bin/kola run --board amd64-usr --key ${HOME}/.ssh/id_rsa.pub -k -b cl -p qemu \ - --qemu-firmware flatcar_production_qemu_uefi_efi_code.fd \ - --qemu-ovmf-vars flatcar_production_qemu_uefi_efi_vars.fd \ + --qemu-firmware flatcar_production_qemu_uefi_efi_code.qcow2 \ + --qemu-ovmf-vars flatcar_production_qemu_uefi_efi_vars.qcow2 \ --qemu-image flatcar_production_qemu_image.img \ cl.locksmith.cluster ``` 
@@ -113,12 +113,12 @@ wget https://alpha.release.flatcar-linux.net/arm64-usr/current/flatcar_productio wget https://alpha.release.flatcar-linux.net/arm64-usr/current/flatcar_production_qemu_uefi_image.img.sig gpg --verify flatcar_production_qemu_uefi_image.img.sig -wget https://alpha.release.flatcar-linux.net/arm64-usr/current/flatcar_production_qemu_uefi_efi_code.fd -wget https://alpha.release.flatcar-linux.net/arm64-usr/current/flatcar_production_qemu_uefi_efi_code.fd.sig -gpg --verify flatcar_production_qemu_uefi_efi_code.fd.sig +wget https://alpha.release.flatcar-linux.net/arm64-usr/current/flatcar_production_qemu_uefi_efi_code.qcow2 +wget https://alpha.release.flatcar-linux.net/arm64-usr/current/flatcar_production_qemu_uefi_efi_code.qcow2.sig +gpg --verify flatcar_production_qemu_uefi_efi_code.qcow2.sig sudo ./bin/kola run --board arm64-usr --key ${HOME}/.ssh/id_rsa.pub -k -b cl -p qemu \ - --qemu-firmware flatcar_production_qemu_uefi_efi_code.fd \ + --qemu-firmware flatcar_production_qemu_uefi_efi_code.qcow2 \ --qemu-image flatcar_production_qemu_uefi_image.img \ cl.etcd-member.discovery ``` diff --git a/cmd/cork/downloadimage.go b/cmd/cork/downloadimage.go index d865a8cf7..e0cf9d60e 100644 --- a/cmd/cork/downloadimage.go +++ b/cmd/cork/downloadimage.go @@ -87,7 +87,7 @@ func (platforms *platformList) Set(value string) error { "esx": {"_vmware_ova.ova"}, "gce": {"_gce.tar.gz"}, "qemu": {"_image.bin.bz2"}, - "qemu_uefi": {"_qemu_uefi_efi_code.fd", "_qemu_uefi_efi_vars.fd", "_image.bin.bz2"}, + "qemu_uefi": {"_qemu_uefi_efi_code.qcow2", "_qemu_uefi_efi_vars.qcow2", "_image.bin.bz2"}, } values := strings.Split(value, ",") diff --git a/cmd/kola/options.go b/cmd/kola/options.go index 3b3c12070..5f94bb5bd 100644 --- a/cmd/kola/options.go +++ b/cmd/kola/options.go 
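Review bot: The `qemu_uefi` entry in `Set` now lists only the `.qcow2` firmware names, so downloading a release that still ships `_qemu_uefi_efi_code.fd` and `_qemu_uefi_efi_vars.fd` would presumably fail; the commit message says only forthcoming releases use QCOW2. How the suffix list is consumed is outside the hunk, so confirm whether a missing file is fatal there. If it is, consider keeping the `.fd` names as a fallback, or record the constraint next to the entry, e.g. `// QCOW2 firmware only; releases published before the switch ship .fd images`. The body of `Set` continues outside the hunk.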
@@ -56,7 +56,7 @@ var ( kolaDefaultFirmware = map[string]string{ "amd64-usr": "bios-256k.bin", - "arm64-usr": sdk.BuildRoot() + "/images/arm64-usr/latest/flatcar_production_qemu_uefi_efi_code.fd", + "arm64-usr": sdk.BuildRoot() + "/images/arm64-usr/latest/flatcar_production_qemu_uefi_efi_code.qcow2", } kolaSSHRetries = 60 diff --git a/platform/qemu.go b/platform/qemu.go index 8c80c1f06..26a339e6f 100644 --- a/platform/qemu.go +++ b/platform/qemu.go @@ -372,9 +372,22 @@ func CreateQEMUCommand(board, uuid, firmware, ovmfVars, consolePath, confPath, d "-device", "virtio-rng-pci,rng=rng0", ) if ovmfVars != "" { + var fwFormat, varsFormat string + + if strings.HasSuffix(firmware, ".qcow2") { + fwFormat = "qcow2" + } else { + fwFormat = "raw" + } + if strings.HasSuffix(ovmfVars, ".qcow2") { + varsFormat = "qcow2" + } else { + varsFormat = "raw" + } + qmCmd = append(qmCmd, - "-drive", fmt.Sprintf("if=pflash,unit=0,file=%v,format=raw,readonly=on", firmware), - "-drive", fmt.Sprintf("if=pflash,unit=1,file=%v,format=raw", ovmfVars), + "-drive", fmt.Sprintf("if=pflash,unit=0,file=%v,format=%v,readonly=on", firmware, fwFormat), + "-drive", fmt.Sprintf("if=pflash,unit=1,file=%v,format=%v", ovmfVars, varsFormat), ) if enableSecureboot { // When OVMF is built for X64 with SMM enabled S3 (suspend/resume) From 9ffa93defa6abe8fa6d83d30152ddd563b1d8693 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Fri, 4 Oct 2024 11:12:23 +0100 Subject: [PATCH 2/3] platform/qemu: Only pass SMM-related arguments to QEMU for amd64-usr EDK2 doesn't have SMM for arm64 yet and these arguments break it. Signed-off-by: James Le Cuirot --- platform/qemu.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/qemu.go b/platform/qemu.go index 26a339e6f..1e18311a7 100644 --- a/platform/qemu.go +++ b/platform/qemu.go 
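Review bot: The arm64 default in `kolaDefaultFirmware` now points at a `.qcow2` image, but the format selection this patch adds in `platform/qemu.go` sits inside the `if ovmfVars != ""` branch, and the README's arm64 example passes no `--qemu-ovmf-vars`. How `firmware` reaches QEMU when `ovmfVars` is empty is not visible in this diff; if that path still assumes a raw image, it needs the same handling. A comment on the map entry would help the next reader, e.g. `// QCOW2 image; CreateQEMUCommand picks the drive format from the suffix`.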
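Review bot: The drive format in `CreateQEMUCommand` is now chosen from the file name alone, and the same if/else is written twice; a small helper would state the rule once and give it a place to be documented. Unlike `format=raw`, `format=qcow2` makes QEMU interpret the image header, which can name a backing file on the host, so the helper's comment should say that `.qcow2` firmware and vars images are expected to come from a verified source (the README checks them with `gpg --verify`). Separately, `file=%v` places the path inside a comma-separated option string, so a path containing a comma would be read as extra drive options; QEMU expects such commas doubled, e.g. `strings.ReplaceAll(firmware, ",", ",,")`. The function starts and ends outside the hunk.

```go
// pflashFormat returns the QEMU block format for a pflash image, chosen
// from the file suffix. QEMU parses qcow2 headers, which may name a
// backing file, so .qcow2 images must come from a verified source.
func pflashFormat(path string) string {
	if strings.HasSuffix(path, ".qcow2") {
		return "qcow2"
	}
	return "raw"
}

// … unchanged: start of CreateQEMUCommand up to the virtio-rng device …
	if ovmfVars != "" {
		qmCmd = append(qmCmd,
			"-drive", fmt.Sprintf("if=pflash,unit=0,file=%v,format=%v,readonly=on", firmware, pflashFormat(firmware)),
			"-drive", fmt.Sprintf("if=pflash,unit=1,file=%v,format=%v", ovmfVars, pflashFormat(ovmfVars)),
		)
```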
@@ -389,7 +389,7 @@ func CreateQEMUCommand(board, uuid, firmware, ovmfVars, consolePath, confPath, d "-drive", fmt.Sprintf("if=pflash,unit=0,file=%v,format=%v,readonly=on", firmware, fwFormat), "-drive", fmt.Sprintf("if=pflash,unit=1,file=%v,format=%v", ovmfVars, varsFormat), ) - if enableSecureboot { + if enableSecureboot && board == "amd64-usr" { // When OVMF is built for X64 with SMM enabled S3 (suspend/resume) // must be disabled. This is required for secure boot and not very // well documented. The flag comes from here: From b583d18ffac499ddbcbcd7aa4b3da02903d19a9b Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Tue, 8 Oct 2024 17:31:03 +0100 Subject: [PATCH 3/3] kola/tests: Skip tests that change the verity hash when SB is enabled Changing the verity hash breaks Secure Boot verification, causing GRUB to error and then just sit at the menu forever. It's not clear why these tests worked before we applied the Red Hat patches to GRUB, but it's now behaving as it should. Signed-off-by: James Le Cuirot --- kola/tests/misc/update.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kola/tests/misc/update.go b/kola/tests/misc/update.go index 2dcb84e73..7d4f7a9ce 100644 --- a/kola/tests/misc/update.go +++ b/kola/tests/misc/update.go @@ -21,6 +21,7 @@ import ( "golang.org/x/net/context" + "github.com/flatcar/mantle/kola" "github.com/flatcar/mantle/kola/cluster" "github.com/flatcar/mantle/kola/register" "github.com/flatcar/mantle/kola/tests/util" @@ -58,6 +59,9 @@ func init() { Distros: []string{"cl"}, // This test is normally not related to the cloud environment Platforms: []string{"qemu", "qemu-unpriv"}, + // Changing the verity hash breaks Secure Boot verification, causing + // GRUB to error and then just sit at the menu forever. + SkipFunc: kola.SkipSecureboot, }) register.Register(®ister.Test{ Run: RecoverBadUsr, 
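Review bot: With the added `board == "amd64-usr"` condition, a caller that sets `enableSecureboot` for any other board silently gets a VM without the SMM-related arguments, and nothing at this site says why. Put the reason from the commit message next to the condition, e.g. `// EDK2 has no SMM support on arm64 yet, and these arguments break it.` As far as I know, without SMM the guest OS is not kept from writing the pflash variable store directly, so the same comment could state that Secure Boot runs on arm64 exercise the boot chain rather than a protected variable store. The body of the branch is outside the hunk.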
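Review bot: Both `SkipFunc: kola.SkipSecureboot` additions in `init` (the hunk at -58,6 and the one at -68,6 for `RecoverBadUsr`) drop the tests under Secure Boot without leaving any coverage of the behaviour the new comment describes. Since the commit message notes that these tests used to pass with Secure Boot on, a follow-up test asserting the opposite, that boot does not proceed after the verity hash changes, would keep a regression in verification from going unnoticed. The comment could also say why skipping is needed rather than only what happens, e.g. `// Skipped under Secure Boot: a changed verity hash fails verification and GRUB stays at the menu, so the machine never comes back.` `kola.SkipSecureboot` is defined outside this diff, so its exact condition should be confirmed.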
@@ -68,6 +72,9 @@ func init() { Distros: []string{"cl"}, // This test is normally not related to the cloud environment Platforms: []string{"qemu", "qemu-unpriv"}, + // Changing the verity hash breaks Secure Boot verification, causing + // GRUB to error and then just sit at the menu forever. + SkipFunc: kola.SkipSecureboot, }) }