action #164150

closed

[SLFO] Stagings: official SUSE keys aren't used anymore

Added by epaolantonio 7 months ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: New test
Target version: -
Start date: 2024-07-18
Due date:
% Done: 0%
Estimated time:
Difficulty:
Description

Hi,

on SLFO Stagings (and upcoming SP7 as well, as communicated via mail), the official SUSE signing keys aren't used anymore.

At least one change should be made, which is disabling Secure Boot. Using /usr/share/qemu/ovmf-x86_64-code.bin boots the
current staging images fine, as verified by @fcrozat.

I kept the title generic as we're unsure of the full implications of this change.


Related issues 2 (1 open, 1 closed)

Related to openQA Tests (public) - action #164183: [Micro] [ Staging] Allow enrolling a test kernel in SecureBoot (Resolved, jlausuch, 2024-07-18)
Related to openQA Tests (public) - action #164982: Implement check that changes in https://progress.opensuse.org/issues/164150 are not used in official product (New, jlausuch, 2024-08-06)

Actions #1

Updated by okurz 7 months ago

  • Project changed from openQA Project (public) to openQA Tests (public)
  • Category set to New test
Actions #2

Updated by okurz 7 months ago

  • Related to action #164183: [Micro] [ Staging] Allow enrolling a test kernel in SecureBoot added
Actions #4

Updated by jlausuch 7 months ago

  • Status changed from New to In Progress

Current state:
If we want to boot the systems with UEFI + secure boot, then the current default ovmf (code|vars) files we have in all the workers are not valid. We need new ones.
Fabian pointed me to some RPM where we can extract the ovmf file:
https://build.suse.de/projects/SUSE:SLFO:Main:Staging:Rings:1-MinimalX/packages/ovmf/repositories/standard/binaries
So, the rpm called ovmf-202305-slfo.1.3.17.x86_64.rpm contains the files we need to extract:

  • ovmf-x86_64-devel-vars.bin
  • ovmf-x86_64-devel-code.bin

I have extracted them and changed the name to:

  • ovmf-x86_64-staging-vars.bin
  • ovmf-x86_64-staging-code.bin

And uploaded them to wotan.suse.de: https://w3.nue.suse.com/~jalausuch/ovmf/
Oliver has copied these files to all workers.
I have tried to boot a VM from a staging image but it doesn't boot. After telling RMs, Fabian created this bug:
https://bugzilla.suse.com/show_bug.cgi?id=1228897

So, we are now waiting for new uefi files to be used.

For now, I have disabled secure-boot in stagings using the following machine type: uefi-no-secboot which uses boot files without enabling secure-boot. This is a workaround to unblock the testing but not the final goal of this ticket.

The ideal case is that Release Managers provide a repository where Salt can pull the RPM from to install those files in the workers. Fabian suggested that this one could be used: https://build.suse.de/projects/SUSE:SLFO:Main:Staging:Rings:1-MinimalX/packages/ovmf/repositories/standard/binaries

Related slack threads:

Actions #5

Updated by jlausuch 7 months ago

Fabian created some new ovmf files
https://download.suse.de/ibs/home:/favogt:/stagingovmf/15.5/noarch/ (qemu-ovmf-x86_64-202402-Virt.150500.293.1.noarch.rpm)

I have downloaded them, added them to my home https://w3.nue.suse.com/~jalausuch/ovmf/ and I have run the following command in OSD to spread those files in the workers:

for i in code vars; do sudo salt -C 'G@roles:worker and G@osarch:x86_64' cmd.run "curl -sS https://w3.nue.suse.com/~jalausuch/ovmf/ovmf-x86_64-unsupported+ms-$i.bin > /usr/share/qemu/ovmf-x86_64-unsupported+ms-$i.bin"; done
Actions #6

Updated by jlausuch 7 months ago

I have updated the machine uefi-staging with the following variables:

UEFI_PFLASH_CODE=/usr/share/qemu/ovmf-x86_64-unsupported+ms-code.bin
UEFI_PFLASH_VARS=/usr/share/qemu/ovmf-x86_64-unsupported+ms-vars.bin

This is the machine that should be used in 6.0 and 6.1 stagings (maybe also 15-SP7).
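
A sketch of the kind of check requested in related action #164982, added here as an example and not taken from the ticket or from openQA's code: it flags jobs whose settings reference the staging firmware files or the uefi-staging machine outside a staging. The FLAVOR-based staging test, the function names and the sample jobs are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath

# File names from the ticket: firmware for images not signed with official SUSE keys.
STAGING_ONLY_FIRMWARE = {
    "ovmf-x86_64-unsupported+ms-code.bin",
    "ovmf-x86_64-unsupported+ms-vars.bin",
    "ovmf-x86_64-staging-code.bin",
    "ovmf-x86_64-staging-vars.bin",
}
STAGING_ONLY_MACHINES = {"uefi-staging"}  # machine named in the ticket
FIRMWARE_KEYS = ("UEFI_PFLASH_CODE", "UEFI_PFLASH_VARS")

def is_staging(settings):
    # ASSUMPTION: a staging job has "staging" in FLAVOR; adapt to local naming.
    return "staging" in settings.get("FLAVOR", "").lower()

def violations(settings, staging_check=is_staging):
    """List the settings that pull staging firmware into a non-staging job."""
    if staging_check(settings):
        return []
    found = []
    if settings.get("MACHINE") in STAGING_ONLY_MACHINES:
        found.append(f"MACHINE={settings['MACHINE']}")
    for key in FIRMWARE_KEYS:
        value = settings.get(key, "")
        # Compare the base name so a different directory does not hide a match.
        if PurePosixPath(value).name in STAGING_ONLY_FIRMWARE:
            found.append(f"{key}={value}")
    return found

def audit(jobs):
    """Return {job name: violations} for the jobs that have any."""
    return {name: v for name, s in jobs.items() if (v := violations(s))}

# Constructed sample settings, not taken from a real openQA instance.
QEMU = "/usr/share/qemu/"
SAMPLE_JOBS = {
    "staging-ok": {"FLAVOR": "Staging-DVD", "MACHINE": "uefi-staging",
                   "UEFI_PFLASH_CODE": QEMU + "ovmf-x86_64-unsupported+ms-code.bin"},
    "product-ok": {"FLAVOR": "Online", "MACHINE": "uefi",
                   "UEFI_PFLASH_CODE": QEMU + "ovmf-x86_64-code.bin"},
    "product-leak": {"FLAVOR": "Online", "MACHINE": "uefi",
                     "UEFI_PFLASH_VARS": QEMU + "ovmf-x86_64-unsupported+ms-vars.bin"},
    "product-machine": {"FLAVOR": "Online", "MACHINE": "uefi-staging"},
}

if __name__ == "__main__":
    for job, reasons in audit(SAMPLE_JOBS).items():
        print(f"{job}: staging-only settings in non-staging job: {reasons}")
```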

Actions #8

Updated by okurz 7 months ago

  • Related to action #164982: Implement check that changes in https://progress.opensuse.org/issues/164150 are not used in official product added
Actions #9

Updated by okurz 7 months ago

I created https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/1245 to add staging OVMF image repositories.

Actions #10

Updated by jlausuch 4 months ago

  • Status changed from In Progress to Resolved