kola: cork: Handle QCOW2 EFI firmare images and fix arm64 Secure Boot

[chewi]

Handle QCOW2 EFI firmare images and fix Secure Boot

Forthcoming Flatcar releases will use QCOW2 instead of raw .fd images.

Only pass SMM-related arguments to QEMU for amd64-usr. EDK2 doesn't have SMM for arm64 yet and these arguments break it when Secure Boot is enabled.

Skip tests that change the verity hash when Secure Boot is enabled. Changing the verity hash breaks Secure Boot verification, causing GRUB to error and then just sit at the menu forever. It's not clear why these tests worked before we applied the Red Hat patches to GRUB, but it's now behaving as it should.

How to use

Run tests against one of the new Flatcar Secure Boot builds.

Testing done

Jenkins without qemu_uefi_secure is all green. I'm running qemu_uefi_secure now.

[ader1990]

Can you please link the PR that changes the production of the artifact flatcar_production_qemu_uefi_efi_code.qcow2?

[chewi]

There is no Flatcar PR yet because the changes are still being finalised, but you see the relevant commit at flatcar/scripts@577cd06.

There is a Gentoo PR though, as the change stems from there. See gentoo/gentoo#38813.

[chewi]

Turns out qemu_uefi_secure was failing due to another Kola issue, so I've added another commit. This change is not arm64-specific, rather it broke once we started applying Red Hat's patches to GRUB.

[ader1990]

Small note: currently, this PR will not change the behaviour regarding the usage of flatcar_production_qemu_uefi_efi_code.qcow2 as the CI will override the values and does not need the gentoo/gentoo#38813.

When Flatcar/scripts is updated with the upstream gentoo/gentoo#38813, then it will be used.