action #109611
closed: [sle][security][sle15sp4] Verify that if we are "secure booted" that kernel lockdown is enabled
100%
Description
We have identified cases where we booted in "secure boot" mode, but the kernel was not locked down.
This affected SLES and openSUSE Tumbleweed.
See https://bugzilla.suse.com/show_bug.cgi?id=1198101
$ cat /sys/kernel/security/lockdown
[none] integrity confidentiality
It should NOT show [none] here.
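
A minimal version of the check described above, as an added example (not the openQA test module and not code from this ticket): it fails when Secure Boot is enabled but the active lockdown mode is `[none]`. Reading the Secure Boot state from the standard efivarfs `SecureBoot` variable is an assumption, since the ticket does not say how the test detects it; the function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: fail when Secure Boot is on but kernel lockdown is [none].
# Assumed paths: the standard efivarfs and securityfs locations (overridable).
SB_VAR=${SB_VAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
LOCKDOWN=${LOCKDOWN:-/sys/kernel/security/lockdown}

# Print the active lockdown mode, i.e. the token shown in [brackets].
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Succeed if the SecureBoot EFI variable reads 1.
# efivarfs prefixes the data with 4 attribute bytes, so the value is byte 5.
secure_boot_enabled() {
    [ -r "$1" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')" = "1" ]
}

# Args: <SecureBoot efivar file> <lockdown file>
# Returns 0 = OK or not applicable, 1 = secure booted but not locked down,
#         2 = lockdown state could not be read.
check_lockdown() {
    if ! secure_boot_enabled "$1"; then
        echo "N/A: Secure Boot is not enabled, lockdown is not required"
        return 0
    fi
    if [ ! -r "$2" ]; then
        echo "UNKNOWN: cannot read $2 (securityfs not mounted?)"
        return 2
    fi
    mode=$(lockdown_mode "$2")
    case $mode in
        integrity|confidentiality)
            echo "OK: Secure Boot enabled, lockdown=$mode"
            return 0 ;;
        *)
            echo "FAIL: Secure Boot enabled but lockdown=[${mode:-unparsed}]"
            return 1 ;;
    esac
}

# Run the live check only when asked, e.g. `sh check_lockdown.sh --run`
# (hypothetical file name).
if [ "${1:-}" = "--run" ]; then
    check_lockdown "$SB_VAR" "$LOCKDOWN"
    exit $?
fi
```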
Updated by maritawerner about 2 years ago
- Subject changed from Verify that if we are "secure booted" that kernel lockdown is enabled to [security] Verify that if we are "secure booted" that kernel lockdown is enabled
Updated by llzhao about 2 years ago
- Subject changed from [security] Verify that if we are "secure booted" that kernel lockdown is enabled to [sle][security][sle15sp4] Verify that if we are "secure booted" that kernel lockdown is enabled
- Category set to New test
- Assignee set to rfan1
- Estimated time set to 16.00 h
Updated by rfan1 about 2 years ago
Thanks, I will try to add these tests to both SLE/TW [x86_64 and arm]
Updated by rfan1 about 2 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 30
Updated by rfan1 about 2 years ago
https://openqa.opensuse.org/tests/2286256#step/kernel_lockdown/12 TW+ x86_64
Seems I can reproduce the issue.
@msmeissn, may I ask for your kind help to add me to the bug CC list? https://bugzilla.suse.com/show_bug.cgi?id=1198101, I CANNOT access it with my permissions.
Updated by msmeissn about 2 years ago
I opened the bug to be SUSE employee only (from secinternal only)
Updated by rfan1 about 2 years ago
- Status changed from In Progress to Feedback
- % Done changed from 50 to 90
Updated by rfan1 about 2 years ago
- Status changed from Feedback to Resolved
- % Done changed from 90 to 100
Updated by openqa_review almost 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: secureboot_kernel_lockdown@uefi
https://openqa.opensuse.org/tests/2331170#step/kernel_lockdown/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234
Expect the next reminder at the earliest in 32 days if nothing changes in this ticket.