On 01/04/2025 2:08 pm, Roger Pau Monne wrote:
> Such OVMF build does honor the PE sections attributes, and will not blindly
> create all section mappings with read-write-execute permissions.
>
> Strict NX build is only available in the Fedora edk2-experimental
> package, so add the required dependencies to run a QEMU EFI job on the
> Fedora 41 container and use it for the test.
>
> Signed-off-by: Roger Pau Monné <roger....@citrix.com>

I guess this always has to go last?

It will need a bit of careful gymnastics to deploy the new container prior to committing this patch, but it shouldn't be difficult.

Alternatively, you can submit hunk 1 in a separate patch and we can get the new container deployed independently of the rest of the series.

> diff --git a/automation/build/fedora/41-x86_64.dockerfile
> b/automation/build/fedora/41-x86_64.dockerfile
> index 8032a2098632..84f366ac0643 100644
> --- a/automation/build/fedora/41-x86_64.dockerfile
> +++ b/automation/build/fedora/41-x86_64.dockerfile
> @@ -65,6 +65,11 @@ RUN <<EOF
> glib2-devel
> pixman-devel
> ninja-build
> +
> + # EFI Strict NX test
> + qemu-system-x86
> + edk2-experimental
> + expect

Please could this follow the pattern in debian.

    # for test phase, qemu-smoke-* jobs
    expect
    qemu-system-x86

    # for *-efi-strictnx
    edk2-experimental

> diff --git a/automation/scripts/qemu-smoke-x86-64-efi.sh
> b/automation/scripts/qemu-smoke-x86-64-efi.sh
> index 7572722be6e5..fbb662f1a756 100755
> --- a/automation/scripts/qemu-smoke-x86-64-efi.sh
> +++ b/automation/scripts/qemu-smoke-x86-64-efi.sh
> @@ -4,6 +4,7 @@ set -ex -o pipefail
>
> # variant should be either pv or pvh
> variant=$1

    # mode should be nothing, or strict

Also, I'd suggest using mode=strictnx here as it matches both the test name and the OVMF file name.

Assuming you're ok with these changes, Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> (however you end up splitting).
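
Review bot: in the automation/build/fedora/41-x86_64.dockerfile hunk, the `# EFI Strict NX test` comment does not record why edk2-experimental is needed rather than another firmware package. The commit message gives the reason (the Strict NX build is only available in that package); stating it next to the package name would keep a later dependency cleanup from swapping in a non-strict OVMF build, which would leave the job running without exercising the section-permission enforcement it exists to test.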
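
Review bot: the line added after `variant=$1` in automation/scripts/qemu-smoke-x86-64-efi.sh should reject unexpected values, assuming it is the mode argument discussed in this reply (the quote shows only the `-4,6 +4,7` header and context, not the addition itself). If an unrecognised or misspelt mode falls through to the default firmware, the Strict NX job would boot a non-strict OVMF and still report a pass; failing early on anything other than the empty value or the one supported mode avoids that silent downgrade.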