sbchooser: test with a padded security directory

vathpela · vathpela · commit ac9cc700b782 · 2026-03-17T16:30:06.000-04:00
This test submits the following shims, each listed twice, in a random
order:

  shim-16.1-6.x64.onesig.efi
  shim-16.1-6.x64.onesig.efi

Against a "db" which includes:
  The 2011 UEFI CA cert

and a "dbx" which includes:
  nothing

This should produce the following output:

shim-16.1-6.x64.onesig.efi is trusted because cert "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher" is trusted by "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011" in db
shim-16.1-6.x64.onesig.efi is trusted because cert "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher" is trusted by "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011" in db

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
diff --git a/tests/Makefile b/tests/Makefile
@@ -31,6 +31,7 @@ TESTS = test.dmpstore.export \
 	test.sbchooser.identical.secbits.explain \
 	test.sbchooser.first.sig.only \
 	test.sbchooser.first.sig.only.explain \
+	test.sbchooser.padded.secdir.explain \
 
 all: clean $(TESTS)
 
@@ -632,6 +633,25 @@ test.sbchooser.first.sig.only.explain:
 	$(quiet)rm -f test.sbchooser.first.sig.only.explain.result
 	$(quiet)echo passed
 
+test.sbchooser.padded.secdir.explain.result:
+	$(quiet)ls -1 shim-16.1-6.x64.onesig.efi shim-16.1-6.x64.onesig.efi \
+		| sort -R | MALLOC_PERTURB_=$(MALLOC_PERTURB_) LD_LIBRARY_PATH=../src \
+			    ../src/sbchooser --explain \
+					     -d db.msft2011 \
+					     --no-system-dbx \
+		> "$@"
+
+test.sbchooser.padded.secdir.explain:
+	$(quiet)echo testing sbchooser explanation with a padded security directory
+	$(quiet)$(MAKE) $(makequiet) test.sbchooser.padded.secdir.explain.result
+	$(quiet)if ! cmp test.sbchooser.padded.secdir.explain.goal.txt test.sbchooser.padded.secdir.explain.result ; then \
+		diff -U 200 test.sbchooser.padded.secdir.explain.goal.txt test.sbchooser.padded.secdir.explain.result ; \
+		exit 1 ; \
+	fi
+	$(quiet)cmp test.sbchooser.padded.secdir.explain.goal.txt test.sbchooser.padded.secdir.explain.result
+	$(quiet)rm -f test.sbchooser.padded.secdir.explain.result
+	$(quiet)echo passed
+
 .PHONY: all clean $(TESTS)
 
 # vim:ft=make
diff --git a/tests/shim-16.1-6.x64.onesig.efi b/tests/shim-16.1-6.x64.onesig.efi
diff --git a/tests/test.sbchooser.padded.secdir.explain.goal.txt b/tests/test.sbchooser.padded.secdir.explain.goal.txt
@@ -0,0 +1,2 @@
+shim-16.1-6.x64.onesig.efi is trusted because cert "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher" is trusted by "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011" in db
+shim-16.1-6.x64.onesig.efi is trusted because cert "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher" is trusted by "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011" in db

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+shim-16.1-6.x64.onesig.efi is trusted because cert "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher" is trusted by "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011" in db`
	`2`	`+shim-16.1-6.x64.onesig.efi is trusted because cert "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher" is trusted by "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011" in db`