Add UEFI variable append tests

Fallout from the varstored update.

At the moment, test the following scenarios:
* From the varstored defaults, append MS dbx and verify VM boots
* From the varstored 1.2.0-3.1 defaults, append MS dbx and verify VM
  boots (which implies not having the oversized variable append bug)

Signed-off-by: Tu Dinh <[email protected]>

Author: dinhngtu

contrib/secureboot_objects/DBX/amd64/DBXUpdate.bin

@@ -72,6 +72,12 @@ def db_uefi_2023(self):
     def db_oprom_2023(self):
         return str(self._prefix / "secureboot_objects/DB/Certificates/microsoft option rom uefi ca 2023.der")
 
+    def dbx_hashes_ms_amd64(self):
+        return str(self._prefix / "secureboot_objects/DBX/amd64/DBXUpdate.bin")
+
+    def dbx_poison(self):
+        return str(self._prefix / "varstored/dbx_poison.auth")
+
 
 SB_CERTS = _SecureBootCertList()
 
@@ -91,6 +97,7 @@ def as_str(self):
 
 # Variable attributes for time based authentication attrs
 EFI_AT_ATTRS = 0x27
+EFI_VARIABLE_APPEND_WRITE = 0x40
 
 time_seed = datetime.now()
 time_offset = 1

contrib/varstored/dbx_poison.auth

@@ -2,7 +2,8 @@
 
 import logging
 
-from lib.efi import SB_CERTS, EFIAuth
+from lib.commands import SSHCommandFailed
+from lib.efi import EFI_AT_ATTRS, EFI_VARIABLE_APPEND_WRITE, SB_CERTS, EFIAuth, image_security_database_guid
 from lib.vm import VM
 
 from .utils import (
@@ -87,6 +88,38 @@ def test_sb_off_really_means_off(self, uefi_vm):
         logging.info("Check that SB is NOT enabled according to the OS.")
         assert not vm.booted_with_secureboot()
 
+    def test_append_with_default(self, uefi_vm: VM):
+        vm = uefi_vm
+        vm.host.pool.clear_custom_uefi_certs()
+        vm.set_uefi_user_mode()
+        vm.set_variable_from_file(
+            SB_CERTS.dbx_hashes_ms_amd64(),
+            image_security_database_guid,
+            "dbx",
+            EFI_AT_ATTRS | EFI_VARIABLE_APPEND_WRITE,
+        )
+        vm.start()
+        vm.wait_for_vm_running_and_ssh_up()
+
+    def test_append_with_poison(self, uefi_vm: VM):
+        vm = uefi_vm
+        vm.host.pool.clear_custom_uefi_certs()
+        vm.set_uefi_user_mode()
+        vm.set_variable_from_file(SB_CERTS.dbx_poison(), image_security_database_guid, "dbx", EFI_AT_ATTRS)
+        try:
+            vm.set_variable_from_file(
+                SB_CERTS.dbx_hashes_ms_amd64(),
+                image_security_database_guid,
+                "dbx",
+                EFI_AT_ATTRS | EFI_VARIABLE_APPEND_WRITE,
+            )
+        except SSHCommandFailed:
+            # Appending the MS dbx may succeed or fail, doesn't matter, as appending the poison may not necessarily take
+            # dbx over the DATA_LIMIT. The important thing is that the VM boots up following this append attempt.
+            pass
+        vm.start()
+        vm.wait_for_vm_running_and_ssh_up()
+
 
 @pytest.mark.usefixtures("host_at_least_8_3")
 @pytest.mark.usefixtures("windows_vm")