[PATCH 1/1] test: uninstall PK after secboot tests
    Heinrich Schuchardt 
    heinrich.schuchardt at canonical.com
       
    Fri Oct 10 22:29:26 CEST 2025
    
    
  
The EFI secure boot tests install a security database.
Other EFI tests assume that secure boot is not enabled.
Add the missing tear-down at the end of each secboot test sequence.
Reported-by: Tom Rini <trini at konsulko.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
---
 test/py/tests/test_efi_secboot/conftest.py          | 5 ++++-
 test/py/tests/test_efi_secboot/test_signed.py       | 9 +++++++++
 test/py/tests/test_efi_secboot/test_signed_intca.py | 9 +++++++++
 test/py/tests/test_efi_secboot/test_unsigned.py     | 9 +++++++++
 4 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
index aa9a3536296..76b8f9fa0a3 100644
--- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -162,9 +162,12 @@ def efi_boot_env_intca(request, ubman):
         # PK
         check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365'
                    % mnt_point, shell=True)
-        check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth'
+        check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -t "2020-04-01" -c PK.crt -k PK.key PK PK.esl PK.auth'
                    % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                    shell=True)
+        # PK_null for deletion
+        check_call('cd %s; touch PK_null.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK_null.esl PK_null.auth'
+                   % (mnt_point, EFITOOLS_PATH), shell=True)
         # KEK
         check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365'
                    % mnt_point, shell=True)
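Review bot: The new PK_null.auth command in efi_boot_env_intca is signed without `-t`, while the same hunk pins PK.auth to `-t "2020-04-01"`, and no comment says why the two differ. Presumably the empty signature list must carry a later timestamp than the installed PK for the authenticated write to be accepted, so the deletion only works because the image is built after that date. A comment such as `# PK_null.auth needs a later timestamp than PK.auth, or the PK delete is rejected` would record that. Provided no other test case writes PK with a later timestamp, a fixed value such as `-t "2020-04-02"` would also make the image independent of the build host's clock. The body of efi_boot_env_intca starts and ends outside this hunk.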
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
index e8aaef7090c..9e6d3fdf8d8 100644
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -369,3 +369,12 @@ class TestEfiSignedImage(object):
             assert(not 'hELLO, world!' in ''.join(output))
             assert('\'HELLO1\' failed' in ''.join(output))
             assert('efi_bootmgr_load() returned: 26' in ''.join(output))
+
+        with ubman.log.section('Test Case 8c'):
+            # Test Case 8c, Uninstall PK
+            output = ubman.run_command_list([
+                'fatload host 0:1 4000000 PK_null.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
+                'printenv -e -n PK'])
+            assert 'Failed to set EFI variable' not in ''.join(output)
+            assert '\"PK\" not defined' in ''.join(output)
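Review bot: The PK removal in 'Test Case 8c' is the last section of a test body, so it is skipped whenever an earlier assertion in that test fails, and PK then stays installed for the EFI tests that follow, which is the situation this commit sets out to prevent. Moving the three commands into a fixture finalizer, or into a `finally:` around the test sequence, would make the tear-down unconditional. The same block is repeated verbatim as 'Test Case 3c' in test_signed_intca.py and test_unsigned.py; a shared helper taking `ubman` would keep the three copies from drifting apart. The `\"` escapes in `'\"PK\" not defined'` are unnecessary inside a single-quoted string. The enclosing test method starts outside the hunk.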
diff --git a/test/py/tests/test_efi_secboot/test_signed_intca.py b/test/py/tests/test_efi_secboot/test_signed_intca.py
index 58f7be03b8b..06d86baef19 100644
--- a/test/py/tests/test_efi_secboot/test_signed_intca.py
+++ b/test/py/tests/test_efi_secboot/test_signed_intca.py
@@ -133,3 +133,12 @@ class TestEfiSignedImageIntca(object):
                 'efidebug test bootmgr'])
             assert '\'HELLO_abc\' failed' in ''.join(output)
             assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
+
+        with ubman.log.section('Test Case 3c'):
+            # Test Case 3c, Uninstall PK
+            output = ubman.run_command_list([
+                'fatload host 0:1 4000000 PK_null.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
+                'printenv -e -n PK'])
+            assert 'Failed to set EFI variable' not in ''.join(output)
+            assert '\"PK\" not defined' in ''.join(output)
diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py
index bd6e1b2dadd..2b86dc44cff 100644
--- a/test/py/tests/test_efi_secboot/test_unsigned.py
+++ b/test/py/tests/test_efi_secboot/test_unsigned.py
@@ -115,3 +115,12 @@ class TestEfiUnsignedImage(object):
                 'efidebug test bootmgr'])
             assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
             assert 'Hello, world!' not in ''.join(output)
+
+        with ubman.log.section('Test Case 3c'):
+            # Test Case 3c, Uninstall PK
+            output = ubman.run_command_list([
+                'fatload host 0:1 4000000 PK_null.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
+                'printenv -e -n PK'])
+            assert 'Failed to set EFI variable' not in ''.join(output)
+            assert '\"PK\" not defined' in ''.join(output)
-- 
2.51.0
    
    