action #109611

closed

[sle][security][sle15sp4] Verify that if we are "secure booted" that kernel lockdown is enabled

Added by msmeissn about 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: New test
Target version: -
Start date: 2022-04-07
Due date:
% Done: 100%
Estimated time: 16.00 h
Difficulty:

Description

We have identified cases where we booted in "secure boot" mode, but the kernel was not locked down.

This affected SLES and openSUSE Tumbleweed.

See https://bugzilla.suse.com/show_bug.cgi?id=1198101

$ cat /sys/kernel/security/lockdown
[none] integrity confidentiality

should NOT show [none] here.
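The check described above, as an added shell example that is not part of the original ticket or of the openQA test code. The function names are hypothetical; the paths are the standard efivarfs and securityfs locations and can be overridden with arguments.

```shell
#!/bin/sh
# Added example: report when a Secure Boot system runs without kernel lockdown.
# Function names are illustrative, not taken from the ticket or from openQA.

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
LOCKDOWN=/sys/kernel/security/lockdown

# Print the active lockdown mode, i.e. the token shown in [brackets].
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1" 2>/dev/null
}

# Succeed if the SecureBoot EFI variable says Secure Boot is enabled.
# efivarfs prepends 4 attribute bytes; the 5th byte is the value (1 = on).
secureboot_enabled() {
    [ -r "$1" ] || return 1
    val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    [ "$val" = "1" ]
}

# Returns 0 = consistent, 1 = secure booted but not locked down,
# 2 = lockdown state unreadable (e.g. securityfs not mounted).
check_lockdown() {
    sb=${1:-$SB_VAR}; ld=${2:-$LOCKDOWN}
    if ! secureboot_enabled "$sb"; then
        echo "SKIP: Secure Boot not enabled (or not a UEFI boot)"
        return 0
    fi
    mode=$(lockdown_mode "$ld") || mode=""
    case "$mode" in
        integrity|confidentiality) echo "OK: lockdown=$mode"; return 0 ;;
        none) echo "FAIL: Secure Boot on, lockdown=[none]"; return 1 ;;
        *) echo "ERROR: cannot read lockdown state from $ld"; return 2 ;;
    esac
}

# On a live system, run: check_lockdown; echo "exit status: $?"
```
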

Actions #1

Updated by maritawerner about 2 years ago

  • Subject changed from Verify that if we are "secure booted" that kernel lockdown is enabled to [security] Verify that if we are "secure booted" that kernel lockdown is enabled
Actions #2

Updated by llzhao about 2 years ago

  • Subject changed from [security] Verify that if we are "secure booted" that kernel lockdown is enabled to [sle][security][sle15sp4] Verify that if we are "secure booted" that kernel lockdown is enabled
  • Category set to New test
  • Assignee set to rfan1
  • Estimated time set to 16.00 h
Actions #3

Updated by rfan1 about 2 years ago

Thanks, I will try to add these tests to both SLE/TW [x86_64 and arm]

Actions #4

Updated by rfan1 about 2 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 30
Actions #5

Updated by rfan1 about 2 years ago

  • % Done changed from 30 to 50
Actions #6

Updated by rfan1 about 2 years ago

https://openqa.opensuse.org/tests/2286256#step/kernel_lockdown/12 TW+ x86_64

Seems I can reproduce the issue.

@msmeissn, may I ask for your kind help to add me to the bug CC list? https://bugzilla.suse.com/show_bug.cgi?id=1198101, I CAN NOT access it with my permissions.

Actions #7

Updated by msmeissn about 2 years ago

I opened the bug to be SUSE employee only (from secinternal only)

Actions #8

Updated by rfan1 about 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 50 to 90
Actions #9

Updated by rfan1 about 2 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100
Actions #10

Updated by openqa_review almost 2 years ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: secureboot_kernel_lockdown@uefi
https://openqa.opensuse.org/tests/2331170#step/kernel_lockdown/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 32 days if nothing changes in this ticket.
