@@ -51,6 +51,8 @@ def test_clear_custom_pool_certificates(self, host):
5151 for h in host .pool .hosts :
5252 logging .info (f"Check host { h } )
5353 assert h .is_symlink (host .varstore_dir ())
54+ logging .info (f"Check host { h } )
55+ assert h .ssh (['ls' , '/var/lib/varstored/' ]) == 'PK.auth'
5456
5557@pytest .mark .small_vm
5658@pytest .mark .usefixtures ("host_at_least_8_3" )
@@ -116,10 +118,24 @@ def test_start_vm_without_uefi_vars(self, uefi_vm):
116118 pool_auths = generate_keys (as_dict = True )
117119 vm .host .pool .install_custom_uefi_certs ([pool_auths [key ] for key in ['PK' , 'KEK' , 'db' , 'dbx' ]])
118120 vm .start ()
119- logging .info ("Check that the VM certs were updated" )
121+ logging .info ("Check that the VM certs were updated: PK, KEK, db, dbx " )
120122 for key in ['PK' , 'KEK' , 'db' , 'dbx' ]:
121123 check_vm_cert_md5sum (vm , key , pool_auths [key ].auth )
122124
125+ def test_start_vm_without_uefi_vars_on_pool_with_only_pk (self , uefi_vm ):
126+ # When a VM first starts but the pool doesn't have certs configured,
127+ # this used, until late in 8.3 development, to *not* propagate the certs to the VM
128+ # and we had no test that detected this situation.
129+ # We have now changed the behaviour, propagating the certs even if just PK is present.
130+ vm = uefi_vm
131+ vm .clear_uefi_variables ()
132+ vm .host .pool .clear_custom_uefi_certs ()
133+ vm .start ()
134+ logging .info ("Check that the VM certs were updated: PK only" )
135+ assert vm .is_cert_present ('PK' )
136+ for key in ['KEK' , 'db' , 'dbx' ]:
137+ assert not vm .is_cert_present (key )
138+
123139 def test_start_vm_in_setup_mode (self , uefi_vm ):
124140 # In setup mode, no cert is set, but other UEFI variables are present.
125141 # varstored will *not* propagate the certs in this case.
0 commit comments