|
| 1 | +// Copyright IBM Corp. 2013, 2025 |
| 2 | +// SPDX-License-Identifier: MPL-2.0 |
| 3 | + |
| 4 | +package common |
| 5 | + |
| 6 | +import ( |
| 7 | + "os" |
| 8 | + "path/filepath" |
| 9 | + "testing" |
| 10 | + |
| 11 | + "github.com/stretchr/testify/assert" |
| 12 | +) |
| 13 | + |
| 14 | +// When no Secure Boot signature inputs are configured, the helper must return |
| 15 | +// a nil *InitialStateConfig so the caller does not attach an empty |
| 16 | +// shieldedInstanceInitialState to the image insert request. Attaching an |
| 17 | +// empty value overrides the PK/KEKs/db/dbx that would otherwise be inherited |
| 18 | +// from the source disk and breaks Secure Boot on the resulting image. |
| 19 | +func TestCreateShieldedVMStateConfig_NoInputsReturnsNil(t *testing.T) { |
| 20 | + cfg, err := CreateShieldedVMStateConfig("", nil, nil, nil) |
| 21 | + assert.NoError(t, err) |
| 22 | + assert.Nil(t, cfg, "expected nil config when no signature inputs are configured") |
| 23 | + |
| 24 | + cfg, err = CreateShieldedVMStateConfig("", []string{}, []string{}, []string{}) |
| 25 | + assert.NoError(t, err) |
| 26 | + assert.Nil(t, cfg, "expected nil config when signature inputs are empty slices") |
| 27 | +} |
| 28 | + |
| 29 | +func TestCreateShieldedVMStateConfig_PopulatesFieldsWhenInputsProvided(t *testing.T) { |
| 30 | + dir := t.TempDir() |
| 31 | + keyPath := filepath.Join(dir, "fake-key") |
| 32 | + if err := os.WriteFile(keyPath, []byte("fake key data"), 0600); err != nil { |
| 33 | + t.Fatalf("failed to write fake key: %v", err) |
| 34 | + } |
| 35 | + |
| 36 | + testcases := []struct { |
| 37 | + name string |
| 38 | + pk string |
| 39 | + keks []string |
| 40 | + dbs []string |
| 41 | + dbxs []string |
| 42 | + }{ |
| 43 | + {name: "platform key only", pk: keyPath}, |
| 44 | + {name: "kek only", keks: []string{keyPath}}, |
| 45 | + {name: "db only", dbs: []string{keyPath}}, |
| 46 | + {name: "dbx only", dbxs: []string{keyPath}}, |
| 47 | + } |
| 48 | + |
| 49 | + for _, tt := range testcases { |
| 50 | + t.Run(tt.name, func(t *testing.T) { |
| 51 | + cfg, err := CreateShieldedVMStateConfig(tt.pk, tt.keks, tt.dbs, tt.dbxs) |
| 52 | + assert.NoError(t, err) |
| 53 | + assert.NotNil(t, cfg) |
| 54 | + |
| 55 | + assert.Equal(t, tt.pk != "", cfg.Pk != nil, "Pk presence should match input") |
| 56 | + assert.Len(t, cfg.Keks, len(tt.keks)) |
| 57 | + assert.Len(t, cfg.Dbs, len(tt.dbs)) |
| 58 | + assert.Len(t, cfg.Dbxs, len(tt.dbxs)) |
| 59 | + }) |
| 60 | + } |
| 61 | +} |
0 commit comments