From 27781da42449297c1397ace3eb5bdf8388edcbce Mon Sep 17 00:00:00 2001
From: linl
Date: Thu, 2 Apr 2026 14:04:30 +0800
Subject: [PATCH 1/2] Add case for checking default secure db
---
 os_tests/tests/test_general_check.py | 44 +++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/os_tests/tests/test_general_check.py b/os_tests/tests/test_general_check.py
index 1ea246e6..9e9f27e9 100644
--- a/os_tests/tests/test_general_check.py
+++ b/os_tests/tests/test_general_check.py
@@ -2381,7 +2381,7 @@ def test_check_product_key(self):
 Check there is only 1 product key in the system.
 key_steps:
 1. ls /etc/pki/product && ls /etc/pki/product-default/
- 2. subscription-manager release --set=8.10
+ 2. subscription-manager release --set=8.10
 expect_result:
 1. There is only 1 product key in the system.
 2. Release set to the target version.
@@ -2392,6 +2392,48 @@ def test_check_product_key(self):
 #check product key before rhsm registration
 utils_lib.run_cmd(self, "sudo ls /etc/pki/product*", expect_ret=0)
+ def test_check_secureboot(self):
+ """
+ case_tag:
+ test_check_secureboot
+ case_name:
+ test_check_secureboot
+ case_file:
+ os_tests.tests.test_general_check.test_check_secureboot
+ component:
+ secureboot
+ bugzilla_id:
+ N/A
+ is_customer_case:
+ False
+ customer_case_id:
+ N/A
+ testplan:
+ N/A
+ maintainer:
+ linl@redhat.com
+ description: |
+ Check secure boot status and certs.
+ key_steps:
+ 1. run command "sudo mokutil --sb-state" to check the secure boot status.
+ 2. check the installed shim package with command: "sudo rpm -qa | grep shim"
+ 3. check the default certs in DB: "sudo mokutil --db --short"
+ 4. Check default PK value: "sudo mokutil --pk | grep -E '(Subject:|Not After)' | head -2"
+ 5. check default KEK value: "sudo mokutil --kek --short"
+ expect_result:
+ Secure boot is enabled and certs are valid.
+ debug_want:
+ N/A
+ """
+ ret = utils_lib.run_cmd(self, "sudo mokutil --sb-state")
+ if "SecureBoot enabled" not in ret:
+ self.log.info("SecureBoot is not enabled")
+
+ utils_lib.run_cmd(self, "sudo rpm -qa | grep shim", expect_ret=0, msg="Check installed shim package")
+ utils_lib.run_cmd(self, "sudo mokutil --db --short", expect_ret=0, msg="Check default certs in DB")
+ utils_lib.run_cmd(self, "sudo mokutil --pk | grep -E '(Subject:|Not After)' | head -2", expect_ret=0, msg="Check default PK value")
+ utils_lib.run_cmd(self, "sudo mokutil --kek --short", expect_ret=0, msg="Check default KEK value")
+
 def tearDown(self):
 utils_lib.finish_case(self)
From 0e5abd5e46f6e9482bbd1bbbc28b4632acab90c3 Mon Sep 17 00:00:00 2001
From: linl
Date: Thu, 2 Apr 2026 14:40:05 +0800
Subject: [PATCH 2/2] Add case for checking default secure db
---
 os_tests/tests/test_general_check.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
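Review bot: Step 4 of the new `test_check_secureboot` cannot fail on a missing or unreadable PK, because the pipeline ends in `head -2` and, unless the runner enables pipefail, `expect_ret=0` sees head's exit status rather than grep's or mokutil's. Ending the pipeline at grep makes a non-match visible: `utils_lib.run_cmd(self, "sudo mokutil --pk | grep -E '(Subject:|Not After)'", expect_ret=0, msg="Check default PK value")`. More broadly, the docstring promises "certs are valid", but the db, PK and KEK steps only assert exit code 0, so an expired or unexpected certificate in any of those stores would still pass; comparing the `--short` output against the expected default entries, or checking the `Not After` date, would close that gap. The `rpm -qa | grep shim` step also matches any package whose name merely contains "shim", so it is worth anchoring if only the shim boot loader package is meant.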
diff --git a/os_tests/tests/test_general_check.py b/os_tests/tests/test_general_check.py
index 9e9f27e9..78520161 100644
--- a/os_tests/tests/test_general_check.py
+++ b/os_tests/tests/test_general_check.py
@@ -2427,7 +2427,7 @@ def test_check_secureboot(self):
 """
 ret = utils_lib.run_cmd(self, "sudo mokutil --sb-state")
 if "SecureBoot enabled" not in ret:
- self.log.info("SecureBoot is not enabled")
+ self.skipTest("SecureBoot is not enabled")
 utils_lib.run_cmd(self, "sudo rpm -qa | grep shim", expect_ret=0, msg="Check installed shim package")
 utils_lib.run_cmd(self, "sudo mokutil --db --short", expect_ret=0, msg="Check default certs in DB")
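Review bot: The skip at `self.skipTest("SecureBoot is not enabled")` also fires when `mokutil --sb-state` produced no usable answer at all (for example mokutil missing or a non-UEFI guest), since the only condition is that the string "SecureBoot enabled" is absent from `ret`, and the skip reason then misreports the cause. Carrying the command output in the reason keeps the result auditable: `self.skipTest("SecureBoot is not enabled: %s" % ret)`. On images that are expected to boot with Secure Boot on, a skip will also hide a regression where it is silently off, so it may be worth failing rather than skipping when the platform is known to require it. The function starts before this hunk and continues past it.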