This was based on the secureboot selftests in meta-refkit:
It had to be modified a bit to work in meta-intel, as we can't depend on
efivar which resides in meta-openembedded. Instead, in order to test
that secureboot is enabled, we first try to boot with an unsigned, then
image signed with incorrect keys, and search for a "Security Violation"
error message in each log. If the image booted successfully or that
error did not occur, something went wrong and the third test becomes
invalid. The third test is simply booting an image that is signed with
the enrolled keys, getting to a login screen and running a simple
Note that these tests can be quite time consuming, as we have to wait
for the first two tests to timeout, and the timeout values have to be
somewhat high as it sometimes takes a while for the ovmf firmware to
Original work by Mikko Ylinen and Patrick Ohly.
Signed-off-by: California Sullivan <firstname.lastname@example.org>
Signed-off-by: Saul Wold <email@example.com>