aegis-hwsim 0.1.1

QEMU+OVMF+swtpm hardware-persona matrix harness for aegis-boot signed-chain testing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363

//! Scenario trait — the contract every test scenario implements.
//!
//! A scenario takes a [`ScenarioContext`] (persona + stick + work
//! root + firmware root) and returns a [`ScenarioResult`] indicating
//! whether the persona's signed-chain flow worked, failed in a
//! diagnosable way, or had to be skipped (missing prerequisites,
//! environment not provisioned, etc.).
//!
//! Scenarios MUST NOT panic. Every code path returns `Result`. A
//! scenario that crashes the runner is a defect to fix, not a test
//! failure to report.
//!
//! Registry: scenarios are dispatched by name from
//! [`Registry::default_set`] which the CLI's `run` subcommand
//! consults. Adding a new scenario means: implement [`Scenario`],
//! return it from `default_set`, file an issue. No central enum to
//! update.

use crate::persona::Persona;
use std::path::PathBuf;
use thiserror::Error;

/// Outcome of a scenario run. The runner prints one of these per
/// invocation; CI greps for `PASS:` lines.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ScenarioResult {
    /// Every assertion held — signed-chain verification path completed.
    Pass,
    /// At least one assertion didn't hold. `reason` is operator-facing.
    Fail {
        /// Why the scenario failed, in plain English. Will be printed
        /// after the `FAIL:` line.
        reason: String,
    },
    /// Prerequisites weren't met — the run could not be attempted.
    /// CI treats this as neither pass nor fail; it's an honest "not
    /// applicable" signal so green CI doesn't claim coverage we don't
    /// actually have.
    Skip {
        /// Why the scenario was skipped (e.g. "stick fixture not
        /// provisioned", "qemu-system-x86_64 not on PATH").
        reason: String,
    },
}

impl ScenarioResult {
    /// Convenience for CI greps + exit-code mapping.
    #[must_use]
    pub fn label(&self) -> &'static str {
        match self {
            Self::Pass => "PASS",
            Self::Fail { .. } => "FAIL",
            Self::Skip { .. } => "SKIP",
        }
    }

    /// One-line operator-facing reason (or empty for `Pass`).
    #[must_use]
    pub fn reason(&self) -> &str {
        match self {
            Self::Pass => "",
            Self::Fail { reason } | Self::Skip { reason } => reason,
        }
    }
}

/// Inputs every scenario gets. The runner constructs this once per
/// invocation; scenarios borrow it immutably so a malicious scenario
/// can't redirect another scenario's stick or work dir.
#[derive(Debug, Clone)]
pub struct ScenarioContext {
    /// The validated persona under test.
    pub persona: Persona,
    /// Absolute path to the aegis-boot stick image to flash + boot.
    pub stick: PathBuf,
    /// Per-run working directory. Scenarios write logs + per-run state
    /// (`OVMF_VARS` copy, swtpm state, serial.log) under here.
    pub work_dir: PathBuf,
    /// Firmware root (typically `/usr/share/OVMF/`).
    pub firmware_root: PathBuf,
}

/// Failure modes for a scenario *runner* — distinct from
/// [`ScenarioResult::Fail`]. A `ScenarioError` means the runner itself
/// couldn't get far enough to attempt the assertion (bad input, I/O
/// error, missing binary). The CLI surfaces these as a non-zero exit.
#[derive(Debug, Error)]
pub enum ScenarioError {
    /// The persona referenced a feature this scenario doesn't support
    /// (e.g. a TPM 1.2 persona handed to a scenario that requires 2.0).
    #[error("scenario {scenario} cannot run against persona {persona}: {reason}")]
    UnsupportedPersona {
        /// Scenario name.
        scenario: &'static str,
        /// Persona id.
        persona: String,
        /// Why the combination is unsupported.
        reason: String,
    },

    /// QEMU/swtpm/OVMF wiring failure — propagates the underlying
    /// [`crate::qemu::InvocationError`].
    #[error(transparent)]
    Invocation(#[from] crate::qemu::InvocationError),

    /// swtpm couldn't be spawned (binary missing, work dir bad).
    #[error(transparent)]
    Swtpm(#[from] crate::swtpm::SwtpmError),

    /// Serial capture couldn't be set up.
    #[error(transparent)]
    Serial(#[from] crate::serial::SerialError),

    /// A non-recoverable I/O failure during the scenario (e.g. work
    /// dir creation, file copy).
    #[error("scenario I/O error: {kind}: {context}")]
    Io {
        /// Rendered `io::ErrorKind`.
        kind: String,
        /// What the runner was trying to do when it failed.
        context: String,
    },
}

/// The contract every scenario implements.
pub trait Scenario {
    /// Stable kebab-case name. Used by the CLI registry; must NOT
    /// change once published or operator-side scripts will break.
    fn name(&self) -> &'static str;

    /// One-line human-facing description, printed by `aegis-hwsim
    /// list-scenarios` (when that ships).
    fn description(&self) -> &'static str;

    /// Run the scenario. The implementation is responsible for:
    /// - Spawning swtpm + QEMU via the [`crate::qemu`] + [`crate::swtpm`] modules
    /// - Asserting boot-chain landmarks via [`crate::serial::SerialHandle::wait_for_line`]
    /// - Returning a [`ScenarioResult`] (never panicking)
    ///
    /// # Errors
    ///
    /// See [`ScenarioError`] variants — runner-level failures only.
    /// Test-failures are [`ScenarioResult::Fail`].
    fn run(&self, ctx: &ScenarioContext) -> Result<ScenarioResult, ScenarioError>;
}

/// Scenario lookup by name. The registry holds a closed set of
/// scenarios known at build time; `aegis-hwsim run <name>` consults
/// it.
pub struct Registry {
    scenarios: Vec<Box<dyn Scenario + Send + Sync>>,
}

impl Default for Registry {
    fn default() -> Self {
        Self::default_set()
    }
}

impl Registry {
    /// Empty registry — for tests that want to inject a single
    /// scenario without the default set.
    #[must_use]
    pub fn empty() -> Self {
        Self {
            scenarios: Vec::new(),
        }
    }

    /// The default registry shipping in this build. As scenarios
    /// land, add them here.
    #[must_use]
    pub fn default_set() -> Self {
        let mut r = Self::empty();
        r.register(Box::new(crate::scenarios::QemuBootsOvmf));
        r.register(Box::new(crate::scenarios::SignedBootUbuntu));
        r.register(Box::new(crate::scenarios::KexecRefusesUnsigned));
        r.register(Box::new(crate::scenarios::MokEnrollAlpine));
        r.register(Box::new(crate::scenarios::AttestationRoundtrip));
        r
    }

    /// Register a scenario. Used by `default_set` and by tests.
    pub fn register(&mut self, s: Box<dyn Scenario + Send + Sync>) {
        self.scenarios.push(s);
    }

    /// Look up a scenario by name. Returns `None` if no scenario with
    /// that name is registered.
    #[must_use]
    pub fn find(&self, name: &str) -> Option<&(dyn Scenario + Send + Sync)> {
        self.scenarios
            .iter()
            .find(|s| s.name() == name)
            .map(std::convert::AsRef::as_ref)
    }

    /// Iterate over registered (name, description) pairs.
    pub fn iter(&self) -> impl Iterator<Item = (&'static str, &'static str)> + '_ {
        self.scenarios.iter().map(|s| (s.name(), s.description()))
    }

    /// Number of registered scenarios.
    #[must_use]
    pub fn len(&self) -> usize {
        self.scenarios.len()
    }

    /// True when no scenarios are registered.
    #[must_use]
    pub fn is_empty(&self) -> bool {
        self.scenarios.is_empty()
    }
}

#[cfg(test)]
#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
mod tests {
    use super::*;

    /// A noop scenario that returns whatever result it was constructed
    /// with. Lets us exercise the trait + registry without needing
    /// QEMU.
    struct NoopScenario {
        name: &'static str,
        result: ScenarioResult,
    }

    impl Scenario for NoopScenario {
        fn name(&self) -> &'static str {
            self.name
        }
        fn description(&self) -> &'static str {
            "noop"
        }
        fn run(&self, _ctx: &ScenarioContext) -> Result<ScenarioResult, ScenarioError> {
            Ok(self.result.clone())
        }
    }

    fn fake_ctx() -> ScenarioContext {
        ScenarioContext {
            persona: serde_yaml_ng::from_str(
                r#"
schema_version: 1
id: fake
vendor: QEMU
display_name: Fake
source:
  kind: vendor_docs
  ref_: fake
dmi:
  sys_vendor: QEMU
  product_name: Standard PC
  bios_vendor: EDK II
  bios_version: stable
  bios_date: 01/01/2024
secure_boot:
  ovmf_variant: ms_enrolled
tpm:
  version: "2.0"
"#,
            )
            .unwrap(),
            stick: PathBuf::from("/fake/stick.img"),
            work_dir: PathBuf::from("/fake/work"),
            firmware_root: PathBuf::from("/fake/fw"),
        }
    }

    #[test]
    fn scenario_result_labels_match_expected_strings() {
        assert_eq!(ScenarioResult::Pass.label(), "PASS");
        assert_eq!(ScenarioResult::Fail { reason: "x".into() }.label(), "FAIL");
        assert_eq!(ScenarioResult::Skip { reason: "y".into() }.label(), "SKIP");
    }

    #[test]
    fn scenario_result_reasons_extract_correctly() {
        assert_eq!(ScenarioResult::Pass.reason(), "");
        assert_eq!(
            ScenarioResult::Fail {
                reason: "hi".into()
            }
            .reason(),
            "hi"
        );
        assert_eq!(
            ScenarioResult::Skip {
                reason: "missing dep".into()
            }
            .reason(),
            "missing dep"
        );
    }

    #[test]
    fn registry_default_set_includes_shipped_scenarios() {
        // Pin the shipped scenario set. As more scenarios land,
        // extend this assertion; the goal is to catch a registry
        // regression that silently drops a published scenario name.
        let r = Registry::default_set();
        assert_eq!(r.len(), 5);
        assert!(r.find("qemu-boots-ovmf").is_some());
        assert!(r.find("signed-boot-ubuntu").is_some());
        assert!(r.find("kexec-refuses-unsigned").is_some());
        assert!(r.find("mok-enroll-alpine").is_some());
        assert!(r.find("attestation-roundtrip").is_some());
    }

    #[test]
    fn registry_find_returns_registered_scenario() {
        let mut r = Registry::empty();
        r.register(Box::new(NoopScenario {
            name: "test-noop",
            result: ScenarioResult::Pass,
        }));
        assert!(r.find("test-noop").is_some());
        assert!(r.find("nonexistent").is_none());
    }

    #[test]
    fn registry_find_returns_scenario_that_runs() {
        let mut r = Registry::empty();
        r.register(Box::new(NoopScenario {
            name: "test-pass",
            result: ScenarioResult::Pass,
        }));
        r.register(Box::new(NoopScenario {
            name: "test-fail",
            result: ScenarioResult::Fail {
                reason: "pretend the stick refused to boot".into(),
            },
        }));
        let pass = r.find("test-pass").unwrap();
        assert_eq!(pass.run(&fake_ctx()).unwrap(), ScenarioResult::Pass);

        let fail = r.find("test-fail").unwrap();
        match fail.run(&fake_ctx()).unwrap() {
            ScenarioResult::Fail { reason } => {
                assert!(reason.contains("refused to boot"));
            }
            other => panic!("expected Fail, got {other:?}"),
        }
    }

    #[test]
    fn registry_iter_yields_name_description_pairs() {
        let mut r = Registry::empty();
        r.register(Box::new(NoopScenario {
            name: "alpha",
            result: ScenarioResult::Pass,
        }));
        r.register(Box::new(NoopScenario {
            name: "beta",
            result: ScenarioResult::Pass,
        }));
        let pairs: Vec<_> = r.iter().collect();
        assert_eq!(pairs.len(), 2);
        assert!(pairs.contains(&("alpha", "noop")));
        assert!(pairs.contains(&("beta", "noop")));
    }
}