microsoft · maheeraeron · May 20, 2025 · May 20, 2025 · May 20, 2025 · May 20, 2025
@@ -90,10 +90,18 @@ impl PetriVmConfig for PetriVmConfigHyperV {
         Ok((Box::new(vm), client))
     }
 
+    fn with_secure_boot(self: Box<Self>) -> Box<dyn PetriVmConfig> {
+        Box::new(Self::with_secure_boot(*self))
+    }
+
     fn with_windows_secure_boot_template(self: Box<Self>) -> Box<dyn PetriVmConfig> {
         Box::new(Self::with_windows_secure_boot_template(*self))
     }
 
+    fn with_uefi_ca_secure_boot_template(self: Box<Self>) -> Box<dyn PetriVmConfig> {
+        Box::new(Self::with_uefi_ca_secure_boot_template(*self))
+    }
+
     fn with_processor_topology(
         self: Box<Self>,
         topology: ProcessorTopology,
@@ -128,6 +136,10 @@ impl PetriVmConfig for PetriVmConfigHyperV {
     fn with_uefi_frontpage(self: Box<Self>, enable: bool) -> Box<dyn PetriVmConfig> {
         Box::new(Self::with_uefi_frontpage(*self, enable))
     }
+
+    fn os_flavor(&self) -> OsFlavor {
+        self.os_flavor
+    }
 }
 
 /// A running VM that tests can interact with.
@@ -278,16 +290,7 @@ impl PetriVmConfigHyperV {
             memory: 0x1_0000_0000,
             proc_topology: ProcessorTopology::default(),
             vhd_paths,
-            secure_boot_template: matches!(generation, powershell::HyperVGeneration::Two)
-                .then_some(match firmware.os_flavor() {
-                    OsFlavor::Windows => powershell::HyperVSecureBootTemplate::MicrosoftWindows,
-                    OsFlavor::Linux => {
-                        powershell::HyperVSecureBootTemplate::MicrosoftUEFICertificateAuthority
-                    }
-                    OsFlavor::FreeBsd | OsFlavor::Uefi => {
-                        powershell::HyperVSecureBootTemplate::SecureBootDisabled
-                    }
-                }),
+            secure_boot_template: None,
             openhcl_igvm,
             agent_image,
             openhcl_agent_image,
@@ -535,15 +538,38 @@ impl PetriVmConfigHyperV {
         self
     }
 
+    /// Set the VM to enable secure boot and inject the templates per OS flavor.
+    pub fn with_secure_boot(self) -> Self {
+        if !matches!(self.generation, powershell::HyperVGeneration::Two) {
+            panic!("Secure boot is only supported for UEFI firmware.");
+        }
+
+        match self.os_flavor {
+            OsFlavor::Windows => self.with_windows_secure_boot_template(),
+            OsFlavor::Linux => self.with_uefi_ca_secure_boot_template(),
+            _ => panic!("Secure boot unsupported for OS flavor {:?}", self.os_flavor),
+        }
+    }
+
     /// Inject Windows secure boot templates into the VM's UEFI.
     pub fn with_windows_secure_boot_template(mut self) -> Self {
         if !matches!(self.generation, powershell::HyperVGeneration::Two) {
-            panic!("Secure boot templates are only supported for UEFI firmware.");
+            panic!("Secure boot is only supported for UEFI firmware.");
         }
         self.secure_boot_template = Some(powershell::HyperVSecureBootTemplate::MicrosoftWindows);
         self
     }
 
+    /// Inject UEFI CA secure boot templates into the VM's UEFI.
+    pub fn with_uefi_ca_secure_boot_template(mut self) -> Self {
+        if !matches!(self.generation, powershell::HyperVGeneration::Two) {
+            panic!("Secure boot is only supported for UEFI firmware.");
+        }
+        self.secure_boot_template =
+            Some(powershell::HyperVSecureBootTemplate::MicrosoftUEFICertificateAuthority);
+        self
+    }
+
     /// Sets a custom OpenHCL IGVM image to use.
     pub fn with_custom_openhcl(mut self, artifact: ResolvedArtifact) -> Self {
         self.openhcl_igvm = Some(artifact);

@@ -66,8 +66,6 @@ impl ps::AsVal for HyperVGuestStateIsolationType {
 /// Hyper-V Secure Boot Template
 #[derive(Clone, Copy)]
 pub enum HyperVSecureBootTemplate {
-    /// Secure Boot Disabled
-    SecureBootDisabled,
     /// Windows Secure Boot Template
     MicrosoftWindows,
     /// Microsoft UEFI Certificate Authority Template
@@ -79,7 +77,6 @@ pub enum HyperVSecureBootTemplate {
 impl ps::AsVal for HyperVSecureBootTemplate {
     fn as_val(&self) -> impl '_ + AsRef<OsStr> {
         match self {
-            HyperVSecureBootTemplate::SecureBootDisabled => "SecureBootDisabled",
             HyperVSecureBootTemplate::MicrosoftWindows => "MicrosoftWindows",
             HyperVSecureBootTemplate::MicrosoftUEFICertificateAuthority => {
                 "MicrosoftUEFICertificateAuthority"
@@ -409,7 +406,7 @@ pub fn run_set_vm_firmware(args: HyperVSetVMFirmwareArgs<'_>) -> anyhow::Result<
         .pipeline();
 
     builder = match args.secure_boot_template {
-        Some(HyperVSecureBootTemplate::SecureBootDisabled) | None => builder
+        None => builder
             .cmdlet("Set-VMFirmware")
             .arg("EnableSecureBoot", ps::RawVal::new("Off"))
             .finish(),

@@ -119,6 +119,14 @@ impl HyperVVM {
             },
         )?;
 
+        // Disable secure boot for generation 2 VMs
+        if generation == powershell::HyperVGeneration::Two {
+            powershell::run_set_vm_firmware(powershell::HyperVSetVMFirmwareArgs {
+                vmid: &vmid,
+                secure_boot_template: None,
+            })?;
+        }
+
         Ok(this)
     }
 
@@ -186,6 +194,9 @@ impl HyperVVM {
                 powershell::EVENT_ID_BOOT_FAILURE => Ok(FirmwareEvent::BootFailed),
                 powershell::EVENT_ID_NO_BOOT_DEVICE => Ok(FirmwareEvent::NoBootDevice),
                 powershell::EVENT_ID_BOOT_ATTEMPT => Ok(FirmwareEvent::BootAttempt),
+                powershell::EVENT_ID_BOOT_FAILURE_SECURE_BOOT_FAILED => {
+                    Ok(FirmwareEvent::BootFailed)
+                }
                 id => anyhow::bail!("Unexpected event id: {id}"),
             })
             .transpose()

@@ -35,8 +35,12 @@ pub trait PetriVmConfig: Send {
     /// Run the VM, launching pipette and returning a client to it.
     async fn run(self: Box<Self>) -> anyhow::Result<(Box<dyn PetriVm>, PipetteClient)>;
 
+    /// Set the VM to enable secure boot and inject the templates per OS flavor.
+    fn with_secure_boot(self: Box<Self>) -> Box<dyn PetriVmConfig>;
     /// Inject Windows secure boot templates into the VM's UEFI.
     fn with_windows_secure_boot_template(self: Box<Self>) -> Box<dyn PetriVmConfig>;
+    /// Inject UEFI CA secure boot templates into the VM's UEFI.
+    fn with_uefi_ca_secure_boot_template(self: Box<Self>) -> Box<dyn PetriVmConfig>;
     /// Set the VM to use the specified processor topology.
     fn with_processor_topology(
         self: Box<Self>,
@@ -61,6 +65,9 @@ pub trait PetriVmConfig: Send {
     ) -> Box<dyn PetriVmConfig>;
     /// Sets whether UEFI frontpage is enabled.
     fn with_uefi_frontpage(self: Box<Self>, enable: bool) -> Box<dyn PetriVmConfig>;
+
+    /// Get the OS that the VM will boot into.
+    fn os_flavor(&self) -> OsFlavor;
 }
 
 /// Common processor topology information for the VM.

@@ -152,10 +152,18 @@ impl PetriVmConfig for PetriVmConfigOpenVmm {
         Ok((Box::new(vm), client))
     }
 
+    fn with_secure_boot(self: Box<Self>) -> Box<dyn PetriVmConfig> {
+        Box::new(Self::with_secure_boot(*self))
+    }
+
     fn with_windows_secure_boot_template(self: Box<Self>) -> Box<dyn PetriVmConfig> {
         Box::new(Self::with_windows_secure_boot_template(*self))
     }
 
+    fn with_uefi_ca_secure_boot_template(self: Box<Self>) -> Box<dyn PetriVmConfig> {
+        Box::new(Self::with_uefi_ca_secure_boot_template(*self))
+    }
+
     fn with_processor_topology(
         self: Box<Self>,
         topology: ProcessorTopology,
@@ -190,6 +198,10 @@ impl PetriVmConfig for PetriVmConfigOpenVmm {
     fn with_uefi_frontpage(self: Box<Self>, enable: bool) -> Box<dyn PetriVmConfig> {
         Box::new(Self::with_uefi_frontpage(*self, enable))
     }
+
+    fn os_flavor(&self) -> OsFlavor {
+        self.firmware.os_flavor()
+    }
 }
 
 /// Various channels and resources used to interact with the VM while it is running.

@@ -22,6 +22,7 @@ use hvlite_defs::config::VpciDeviceConfig;
 use hvlite_defs::config::Vtl2BaseAddressType;
 use petri_artifacts_common::tags::IsTestVmgs;
 use petri_artifacts_common::tags::MachineArch;
+use petri_artifacts_common::tags::OsFlavor;
 use petri_artifacts_core::ResolvedArtifact;
 use tpm_resources::TpmDeviceHandle;
 use tpm_resources::TpmRegisterLayout;
@@ -127,30 +128,57 @@ impl PetriVmConfigOpenVmm {
         self
     }
 
-    /// Enable secure boot for the VM.
+    /// Set the VM to enable secure boot and inject the templates per OS flavor.
     pub fn with_secure_boot(mut self) -> Self {
         if !self.firmware.is_uefi() {
             panic!("Secure boot is only supported for UEFI firmware.");
         }
+
         if self.firmware.is_openhcl() {
             self.ged.as_mut().unwrap().secure_boot_enabled = true;
         } else {
             self.config.secure_boot_enabled = true;
         }
-        self
+
+        match self.os_flavor() {
+            OsFlavor::Windows => self.with_windows_secure_boot_template(),
+            OsFlavor::Linux => self.with_uefi_ca_secure_boot_template(),
+            _ => panic!(
+                "Secure boot unsupported for OS flavor {:?}",
+                self.os_flavor()
+            ),
+        }
     }
 
     /// Inject Windows secure boot templates into the VM's UEFI.
     pub fn with_windows_secure_boot_template(mut self) -> Self {
         if !self.firmware.is_uefi() {
-            panic!("Secure boot templates are only supported for UEFI firmware.");
+            panic!("Secure boot is only supported for UEFI firmware.");
         }
+
         if self.firmware.is_openhcl() {
             self.ged.as_mut().unwrap().secure_boot_template =
                 get_resources::ged::GuestSecureBootTemplateType::MicrosoftWindows;
         } else {
             self.config.custom_uefi_vars = hyperv_secure_boot_templates::x64::microsoft_windows();
         }
+
+        self
+    }
+
+    /// Inject UEFI CA secure boot templates into the VM's UEFI.
+    pub fn with_uefi_ca_secure_boot_template(mut self) -> Self {
+        if !self.firmware.is_uefi() {
+            panic!("Secure boot is only supported for UEFI firmware.");
+        }
+
+        if self.firmware.is_openhcl() {
+            self.ged.as_mut().unwrap().secure_boot_template =
+                get_resources::ged::GuestSecureBootTemplateType::MicrosoftUefiCertificateAuthoritiy;
+        } else {
+            self.config.custom_uefi_vars = hyperv_secure_boot_templates::x64::microsoft_uefi_ca();
+        }
+
         self
     }
 

@@ -16,6 +16,7 @@ use petri::ShutdownKind;
 use petri::openvmm::NIC_MAC_ADDRESS;
 use petri::openvmm::PetriVmConfigOpenVmm;
 use petri_artifacts_common::tags::MachineArch;
+use petri_artifacts_common::tags::OsFlavor;
 use petri_artifacts_vmm_test::artifacts::test_vmgs::VMGS_WITH_BOOT_ENTRY;
 use std::time::Duration;
 use vmm_core_defs::HaltReason;
@@ -67,6 +68,71 @@ async fn boot(config: Box<dyn PetriVmConfig>) -> anyhow::Result<()> {
     Ok(())
 }
 
+/// Basic boot test with secure boot enabled and a valid template.
+#[vmm_test(
+    openvmm_uefi_aarch64(vhd(ubuntu_2404_server_aarch64)),
+    openvmm_uefi_x64(vhd(windows_datacenter_core_2022_x64)),
+    openvmm_uefi_x64(vhd(ubuntu_2204_server_x64)),
+    openvmm_openhcl_uefi_x64(vhd(windows_datacenter_core_2022_x64)),
+    openvmm_openhcl_uefi_x64(vhd(ubuntu_2204_server_x64)),
+    hyperv_uefi_aarch64(vhd(windows_11_enterprise_aarch64)),
+    hyperv_uefi_aarch64(vhd(ubuntu_2404_server_aarch64)),
+    hyperv_uefi_x64(vhd(windows_datacenter_core_2022_x64)),
+    hyperv_uefi_x64(vhd(ubuntu_2204_server_x64)),
+    hyperv_openhcl_uefi_aarch64(vhd(windows_11_enterprise_aarch64)),
+    hyperv_openhcl_uefi_aarch64(vhd(ubuntu_2404_server_aarch64)),
+    hyperv_openhcl_uefi_x64(vhd(windows_datacenter_core_2022_x64)),
+    hyperv_openhcl_uefi_x64(vhd(ubuntu_2204_server_x64))
+)]
+async fn secure_boot(config: Box<dyn PetriVmConfig>) -> anyhow::Result<()> {
+    let (vm, agent) = config.with_secure_boot().run().await?;
+    agent.power_off().await?;
+    assert_eq!(vm.wait_for_teardown().await?, HaltReason::PowerOff);
+    Ok(())
+}
+
+/// Verify that secure boot fails with a mismatched template.
+/// TODO: Allow Hyper-V VMs to load a UEFI firmware per VM, not system wide.
+#[vmm_test(
+    openvmm_uefi_aarch64(vhd(ubuntu_2404_server_aarch64)),
+    openvmm_uefi_x64(vhd(windows_datacenter_core_2022_x64)),
+    openvmm_uefi_x64(vhd(ubuntu_2204_server_x64)),
+    openvmm_openhcl_uefi_x64(vhd(windows_datacenter_core_2022_x64)),
+    openvmm_openhcl_uefi_x64(vhd(ubuntu_2204_server_x64)),
+    // hyperv_uefi_aarch64(vhd(windows_11_enterprise_aarch64)),
+    // hyperv_uefi_aarch64(vhd(ubuntu_2404_server_aarch64)),
+    // hyperv_uefi_x64(vhd(windows_datacenter_core_2022_x64)),
+    // hyperv_uefi_x64(vhd(ubuntu_2204_server_x64)),
+    hyperv_openhcl_uefi_aarch64(vhd(windows_11_enterprise_aarch64)),
+    hyperv_openhcl_uefi_aarch64(vhd(ubuntu_2404_server_aarch64)),
+    hyperv_openhcl_uefi_x64(vhd(windows_datacenter_core_2022_x64)),
+    hyperv_openhcl_uefi_x64(vhd(ubuntu_2204_server_x64))
+)]
+async fn secure_boot_mismatched_template(config: Box<dyn PetriVmConfig>) -> anyhow::Result<()> {
+    let mut vm = match config.os_flavor() {
+        OsFlavor::Windows => {
+            config
+                .with_secure_boot()
+                .with_uefi_ca_secure_boot_template()
+                .with_uefi_frontpage(false)
+                .run_without_agent()
+                .await?
+        }
+        OsFlavor::Linux => {
+            config
+                .with_secure_boot()
+                .with_windows_secure_boot_template()
+                .with_uefi_frontpage(false)
+                .run_without_agent()
+                .await?
+        }
+        _ => anyhow::bail!("Unsupported OS flavor for test: {:?}", config.os_flavor()),
+    };
+    assert_eq!(vm.wait_for_boot_event().await?, FirmwareEvent::BootFailed);
+    assert_eq!(vm.wait_for_teardown().await?, HaltReason::PowerOff);
+    Ok(())
+}
+
 /// Basic boot test for guests that are expected to reboot
 // TODO: Remove this test and other enable Windows 11 ARM OpenVMM tests
 // once we figure out how to get the guest to not reboot via IMC or other