|
 |
f2fa6b |
From ac356a0e7723662d0a83ca3991088ce346495772 Mon Sep 17 00:00:00 2001
|
|
|
f2fa6b |
From: Peter Jones <pjones@redhat.com>
|
|
|
f2fa6b |
Date: Fri, 14 Feb 2014 14:06:45 -0500
|
|
|
f2fa6b |
Subject: [PATCH 1/3] Add a preliminary test plan.
|
|
|
f2fa6b |
|
|
|
f2fa6b |
Because you know you wanted a test plan. You feel it deeply inside.
|
|
|
f2fa6b |
|
|
|
f2fa6b |
Note that none of the /negative/ cases are tested yet.
|
|
|
f2fa6b |
|
|
|
f2fa6b |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
f2fa6b |
---
|
|
|
f2fa6b |
testplan.txt | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
f2fa6b |
1 file changed, 80 insertions(+)
|
|
|
f2fa6b |
create mode 100644 testplan.txt
|
|
|
f2fa6b |
|
|
|
f2fa6b |
diff --git a/testplan.txt b/testplan.txt
|
|
|
f2fa6b |
new file mode 100644
|
|
|
f2fa6b |
index 0000000..118dfcd
|
|
|
f2fa6b |
--- /dev/null
|
|
|
f2fa6b |
+++ b/testplan.txt
|
|
|
f2fa6b |
@@ -0,0 +1,80 @@
|
|
|
f2fa6b |
+How to test a new shim build for RHEL/fedora:
|
|
|
f2fa6b |
+
|
|
|
f2fa6b |
+1) build pesign-test-app, and sign it with the appropriate key
|
|
|
f2fa6b |
+2) build shim with the appropriate key built in
|
|
|
f2fa6b |
+3) install pesign-test-app and shim-unsigned on the test machine
|
|
|
f2fa6b |
+4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test
|
|
|
f2fa6b |
+ mkdir /boot/efi/EFI/test/
|
|
|
f2fa6b |
+ wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi
|
|
|
f2fa6b |
+ mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi
|
|
|
f2fa6b |
+5) sign shim with RHTC and put it in \EFI\test:
|
|
|
f2fa6b |
+ pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \
|
|
|
f2fa6b |
+ -s -c "Red Hat Test Certificate"
|
|
|
f2fa6b |
+6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi
|
|
|
f2fa6b |
+ cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \
|
|
|
f2fa6b |
+ /boot/efi/EFI/test/test.efi
|
|
|
f2fa6b |
+7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\:
|
|
|
f2fa6b |
+ pesign -i /boot/efi/EFI/redhat/grubx64.efi -o grubx64-unsigned.efi \
|
|
|
f2fa6b |
+ -r -u 0
|
|
|
f2fa6b |
+ pesign -i grubx64-unsigned.efi -o /boot/efi/EFI/test/grub.efi \
|
|
|
f2fa6b |
+ -s -c "Red Hat Test Certificate"
|
|
|
f2fa6b |
+8) sign a copy of mokmanager with RHTC and put it in \EFI\test:
|
|
|
f2fa6b |
+ pesign -i /usr/share/shim/MokManager.efi \
|
|
|
f2fa6b |
+ -o /boot/efi/EFI/test/MokManager.efi -s \
|
|
|
f2fa6b |
+ -c "Red Hat Test Certificate"
|
|
|
f2fa6b |
+9) copy grub.cfg to our test directory:
|
|
|
f2fa6b |
+ cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
|
|
|
f2fa6b |
+10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
|
|
|
f2fa6b |
+ mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
|
|
|
f2fa6b |
+11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi
|
|
|
f2fa6b |
+ rm -rf /boot/efi/EFI/BOOT/
|
|
|
f2fa6b |
+ mkdir /boot/efi/EFI/BOOT/
|
|
|
f2fa6b |
+ pesign -i /usr/share/shim/fallback.efi \
|
|
|
f2fa6b |
+ -o /boot/efi/EFI/BOOT/fallback.efi \
|
|
|
f2fa6b |
+ -s -c "Red Hat Test Certificate"
|
|
|
f2fa6b |
+12) put shim.efi there as well
|
|
|
f2fa6b |
+ cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
|
|
|
f2fa6b |
+13) enroll the current kernel's certificate with mokutil:
|
|
|
f2fa6b |
+ mokutil --import ~/redhatsecurebootca2.cer
|
|
|
f2fa6b |
+14) put machine in setup mode
|
|
|
f2fa6b |
+15) boot to the UEFI shell
|
|
|
f2fa6b |
+16) run lockdown.efi from #4:
|
|
|
f2fa6b |
+ fs0:\EFI\test\lockdown.efi
|
|
|
f2fa6b |
+17) enable secure boot verification
|
|
|
f2fa6b |
+18) verify it can't run other binaries:
|
|
|
f2fa6b |
+ fs0:\EFI\redhat\grubx64.efi
|
|
|
f2fa6b |
+ result should be an error, probably similar to:
|
|
|
f2fa6b |
+ "fs0:\...\grubx64.efi is not recognized as an internal or external command"
|
|
|
f2fa6b |
+19) copy test.efi to grubx64.efi:
|
|
|
f2fa6b |
+ cp \EFI\test\test.efi \EFI\test\grubx64.efi
|
|
|
f2fa6b |
+20) in the EFI shell, run fs0:\EFI\test\shim.efi
|
|
|
f2fa6b |
+21) you should see MokManager. Enroll the certificate you added in #13, and
|
|
|
f2fa6b |
+ the system will reboot.
|
|
|
f2fa6b |
+22) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi
|
|
|
f2fa6b |
+ result: "This is a test application that should be completely safe."
|
|
|
f2fa6b |
+ If you get the expected result, shim can run things signed by its internal
|
|
|
f2fa6b |
+ key ring. Check a box someplace that says it can do that.
|
|
|
f2fa6b |
+23) from the EFI shell, copy grub to grubx64.efi:
|
|
|
f2fa6b |
+ cp \EFI\test\grubx.efi \EFI\test\grubx64.efi
|
|
|
f2fa6b |
+24) in the EFI shell, run fs0:\EFI\test\shim.efi
|
|
|
f2fa6b |
+ result: this should start grub, which will let you boot a kernel
|
|
|
f2fa6b |
+ If grub starts, it means shim can run things signed by a key in the system's
|
|
|
f2fa6b |
+ db. Check a box someplace that says it can do that.
|
|
|
f2fa6b |
+ If the kernel boots, it means shim can run things from Mok. Check a box
|
|
|
f2fa6b |
+ someplace that says it can do that.
|
|
|
f2fa6b |
+25) remove all boot entries and the BootOrder variable:
|
|
|
f2fa6b |
+ [root@uefi ~]# cd /sys/firmware/efi/efivars/
|
|
|
f2fa6b |
+ [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-*
|
|
|
f2fa6b |
+ removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’
|
|
|
f2fa6b |
+ removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
|
|
|
f2fa6b |
+ removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’
|
|
|
f2fa6b |
+ removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
|
|
|
f2fa6b |
+ removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’
|
|
|
f2fa6b |
+ [root@uefi efivars]#
|
|
|
f2fa6b |
+27) reboot
|
|
|
f2fa6b |
+28) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just
|
|
|
f2fa6b |
+ have an old machine. In that case, go to the EFI shell and run:
|
|
|
f2fa6b |
+ fs0:\EFI\BOOT\BOOTX64.EFI
|
|
|
f2fa6b |
+ If this works, you should see a bit of output very quickly and then the same
|
|
|
f2fa6b |
+ thing as #24. This means shim recognized it was in \EFI\BOOT and ran
|
|
|
f2fa6b |
+ fallback.efi, which worked.
|
|
|
f2fa6b |
--
|
|
|
f2fa6b |
1.8.5.3
|
|
|
f2fa6b |
|