Such an OVMF build honors the PE section attributes, and will not blindly create all section mappings with read-write-execute permissions.
Strict NX build is only available in the Fedora edk2-experimental package, so add the required dependencies to run a QEMU EFI job on the Fedora 41 container and use it for the test.
Signed-off-by: Roger Pau Monné <roger....@citrix.com>
---
 automation/build/fedora/41-x86_64.dockerfile | 5 +++++
 automation/gitlab-ci/test.yaml | 9 ++++++++
 automation/scripts/qemu-smoke-x86-64-efi.sh | 22 ++++++++++++++++----
 3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/automation/build/fedora/41-x86_64.dockerfile b/automation/build/fedora/41-x86_64.dockerfile
index 8032a2098632..84f366ac0643 100644
--- a/automation/build/fedora/41-x86_64.dockerfile
+++ b/automation/build/fedora/41-x86_64.dockerfile
@@ -65,6 +65,11 @@ RUN <<EOF
 glib2-devel pixman-devel ninja-build
+
+ # EFI Strict NX test
+ qemu-system-x86
+ edk2-experimental
+ expect
 ) dnf -y --setopt=install_weak_deps=False install "${DEPS[@]}"
diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
index 225eb4399807..dec14420ab62 100644
--- a/automation/gitlab-ci/test.yaml
+++ b/automation/gitlab-ci/test.yaml
@@ -593,6 +593,15 @@ qemu-smoke-x86-64-gcc-efi:
 needs: - debian-12-x86_64-gcc-debug
+qemu-smoke-x86-64-gcc-efi-strictnx:
+ extends: .qemu-smoke-x86-64
+ variables:
+ CONTAINER: fedora:41-x86_64
+ script:
+ - ./automation/scripts/qemu-smoke-x86-64-efi.sh pv strict 2>&1 | tee ${LOGFILE}
+ needs:
+ - debian-12-x86_64-gcc-debug
+
 qemu-smoke-riscv64-gcc: extends: .qemu-riscv64 script:
diff --git a/automation/scripts/qemu-smoke-x86-64-efi.sh b/automation/scripts/qemu-smoke-x86-64-efi.sh
index 7572722be6e5..fbb662f1a756 100755
--- a/automation/scripts/qemu-smoke-x86-64-efi.sh
+++ b/automation/scripts/qemu-smoke-x86-64-efi.sh
@@ -4,6 +4,7 @@ set -ex -o pipefail
 # variant should be either pv or pvh variant=$1
+mode=$2
 # Clone and build XTF git clone https://xenbits.xen.org/git-http/xtf.git 
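Review bot: The new job's script line `./automation/scripts/qemu-smoke-x86-64-efi.sh pv strict 2>&1 | tee ${LOGFILE}` yields the exit status of `tee`, not of the test script, unless the runner shell has pipefail enabled, so a strict-NX boot failure could still be reported as a passing job. The line mirrors the sibling qemu-smoke-x86-64-gcc-efi job, so if the `.qemu-smoke-x86-64` template already checks the log or sets pipefail this is moot; that template is outside the hunk and I cannot confirm it. Otherwise prefix the command with `set -o pipefail;` so the job fails when the script does.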
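Review bot: `mode=$2` is added without the explanatory comment that `variant=$1` carries two lines above it, so a reader has to find the `case $mode` block further down to learn which values are accepted. Suggest preceding it with `# mode is optional: "strict" selects the strict-NX OVMF build from edk2-experimental, anything else uses the default OVMF images`. The script's top-level sequence continues outside this hunk.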
@@ -14,6 +15,19 @@ case $variant in
 *) k=test-pv64-example extra= ;; esac
+case $mode in
+ strict)
+ ovmf_code=/usr/share/edk2/experimental/OVMF_CODE_4M.secboot.strictnx.qcow2
+ ovmf_vars=/usr/share/edk2/ovmf/OVMF_VARS_4M.qcow2
+ ovmf_format=qcow2
+ ;;
+ *)
+ ovmf_code=/usr/share/OVMF/OVMF_CODE.fd
+ ovmf_vars=/usr/share/OVMF/OVMF_VARS.fd
+ ovmf_format=raw
+ ;;
+esac
+
 mkdir -p boot-esp/EFI/BOOT cp binaries/xen.efi boot-esp/EFI/BOOT/BOOTX64.EFI cp xtf/tests/example/$k boot-esp/EFI/BOOT/kernel
@@ -27,13 +41,13 @@ options=loglvl=all console=com1 noreboot console_timestamps=boot $extra
 kernel=kernel EOF
-cp /usr/share/OVMF/OVMF_CODE.fd OVMF_CODE.fd
-cp /usr/share/OVMF/OVMF_VARS.fd OVMF_VARS.fd
+cp $ovmf_code OVMF_CODE.fd
+cp $ovmf_vars OVMF_VARS.fd
 rm -f smoke.serial export TEST_CMD="qemu-system-x86_64 -nographic -M q35,kernel-irqchip=split \
- -drive if=pflash,format=raw,readonly=on,file=OVMF_CODE.fd \
- -drive if=pflash,format=raw,file=OVMF_VARS.fd \
+ -drive if=pflash,format=${ovmf_format},readonly=on,file=OVMF_CODE.fd \
+ -drive if=pflash,format=${ovmf_format},file=OVMF_VARS.fd \
 -drive file=fat:rw:boot-esp,media=disk,index=0,format=raw \ -m 512 -monitor none -serial stdio"
-- 2.48.1
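Review bot: The `*)` arm of the new `case $mode` block makes any misspelled or unexpected mode fall through to the default OVMF images, so a CI job intended to exercise strict NX could pass without ever loading the strict-NX firmware. The `variant` case above uses the same catch-all, but the consequence is worse here because the whole point of the new job is the firmware selection. Match the empty mode explicitly and turn `*)` into an error so a bad argument fails loudly instead of silently testing the wrong thing.
```shell
    "")
        # … unchanged: default OVMF_CODE.fd / OVMF_VARS.fd / raw assignments …
        ;;
    *)
        echo "unknown mode: $mode" >&2
        exit 1
        ;;
esac
```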
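Review bot: `cp $ovmf_code OVMF_CODE.fd` and `cp $ovmf_vars OVMF_VARS.fd` expand the new variables unquoted, while the TEST_CMD lines in the same hunk use the braced `${ovmf_format}` form; the values are fixed paths in this script so nothing breaks today, but `cp "$ovmf_code" OVMF_CODE.fd` / `cp "$ovmf_vars" OVMF_VARS.fd` is the consistent and ShellCheck-clean spelling. In strict mode the copies are qcow2 images yet keep the `.fd` names, which qemu accepts only because `format=${ovmf_format}` is passed explicitly; a one-line comment such as `# destination names are historical, qemu is told the format explicitly` above the copies would spare the next reader that puzzle.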