tests: rebuild OVMF and use generated keys

[valentindavid]

Depends on #14959

The generated OVMF_VARS also contains microsoft "other" db cert. And also the certs for the pc-kernel edge. As well as the now deprecated snakeoil cert.

[github-actions]

Wed Feb 5 09:06:50 UTC 2025
The following results are from: https://github.com/canonical/snapd/actions/runs/13137537509

Failures:

Preparing:

• google-nested:ubuntu-24.04-64:tests/nested/manual/remodel-min-size

Executing:

• google:ubuntu-25.04-64:tests/main/cgroup-devices-v2
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-serial-port
• google:ubuntu-25.04-64:tests/main/security-device-cgroups:kmsg
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-helper
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-self-manage
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-required-or-optional
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced
• google:ubuntu-25.04-64:tests/main/security-device-cgroups:uinput

Restoring:

• google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (master@b7a1756). Learn more about missing BASE report.
Report is 64 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #14960   +/-   ##
=========================================
  Coverage          ?   78.22%           
=========================================
  Files             ?     1164           
  Lines             ?   154351           
  Branches          ?        0           
=========================================
  Hits              ?   120739           
  Misses            ?    26171           
  Partials          ?     7441           

Flag	Coverage Δ
unittests	78.22% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bboozzoo]

could we use ovmf and efi-shell from 24.04 instead?

[bboozzoo]

The remaining open question is whether we should have a tests which uses ovmf packages from the repo to run the VM like the docs page at https://ubuntu.com/core/docs/testing-with-qemu state. Or perhaps that's a job to be run in some other repository (core-base?)

[bboozzoo]

we can name it test-snapd-ovmf, update description to mention that that it's ovmf binaries with some testing keys enrolled used for snapd CI and push it to the store

[bboozzoo]

I've opened a name request for test-snapd-ovmf. Can move the snap files to tests/lib/snaps/store/test-snapd-ovmf ?

[bboozzoo]

this will generate new keys each time during the build which isn't obvious. Probably not a problem but users need to be aware of it. Or we can drop pre-generated keys into the snap.

[valentindavid]

The point here is people not to test explicitly a key. They have to test if a key matches specifically DB or KEK. And not just a constant hash in some test.

[bboozzoo]

Suggested change

	install -Dm644 "${OVMF}_VARS.fd" "${CRAFT_PART_INSTALL}/fw/${OVMF}_VARS.secboot.fd"
	install -Dm644 "${OVMF}_VARS.fd" "${CRAFT_PART_INSTALL}/fw/${OVMF}_VARS.secboot-testkeys.fd"

[bboozzoo]

I think I'd rather download the snap from store rather than build it, or even fail explicitly and expect run-spread to do the download.

[valentindavid]

I agree. I will keep it in the draft for now. When the tests seem to work, I will add some CI step that uploads it.

[valentindavid]

The remaining open question is whether we should have a tests which uses ovmf packages from the repo to run the VM like the docs page at https://ubuntu.com/core/docs/testing-with-qemu state.

We have tests/main/mkimage-uc22

[bboozzoo]

I've opened a name request for test-snapd-ovmf. Can move the snap files to tests/lib/snaps/store/test-snapd-ovmf ?

[bboozzoo]

Suggested change

	summary: EDK2
	description: EDK2
	summary: Pre-built OVMF blobs with test keys for snapd CI
	description: |
	Pre-built OVMF blobs with enrolled test keys for use in snapd CI loop.
	The following known keys are enrolled:
	- snakeoil - ## ref?
	- kernel PPA
	<whichever we key we add>

[bboozzoo]

can you rename the directory to tests/lib/snaps/store/test-snapd-ovmf?

[bboozzoo]

Before we got a new copy of the vars blob for each run, and optionally, only in the fde branch, the state file could be kept around. however, with the changes right now we'll reuse the vars blob file each time. IMO it'd be better to keep the old behavior of starting with a clean copy.

Suggested change

	PARAM_BIOS="-drive file=${OVMF_CODE},if=pflash,format=raw,readonly=on -drive file=${OVMF_VARS},if=pflash,format=raw"
	OVMF_VARS_TMP="${OVMF_VARS}.tmp"
	# make a copy of the original VARS blob, so that we start with a clean slate
	cp -fv "$OVMF_VARS" "$OVMF_VARS_TMP"
	PARAM_BIOS="-drive file=${OVMF_CODE},if=pflash,format=raw,readonly=on -drive file=${OVMF_VARS_TMP},if=pflash,format=raw"

[valentindavid]

I suppose I should reset unless NESTED_KEEP_FIRMWARE_STATE is defined.

[valentindavid]

Now I realize we are missing stuff from the FDE branch. For example d016c59

[bboozzoo]

this is fine, we can either cherry pick it or simply add it in the fde branch during rebase

[valentindavid]

Cherry picked the commits needed and fixed the commit.