action #164982

open

[security] Implement check that changes in https://progress.opensuse.org/issues/164150 are not used in official product

Added by jsegitz 9 months ago. Updated 24 days ago.

Status: New
Priority: Normal
Assignee: -
Category: New test
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty:

Description

Slack discussion: https://suse.slack.com/archives/C03G45KTP6W/p1722850993683269

Summary: Stagings for SLFO don't use the official key, so secure boot doesn't work. Fabian came up with a workaround.
For stagings a firmware is used that accepts the components signed with the unofficial key.

Ask: Have a test that ensures that for SLFO non-staging environments these keys are not accepted.

Take one of the binaries signed by the unofficial key and try to use it; it should fail.


Related issues 1 (0 open, 1 closed)

Related to openQA Tests (public) - action #164150: [SLFO] Stagings: official SUSE keys aren't used anymore - Resolved - jlausuch - 2024-07-18

Actions #1

Updated by okurz 9 months ago

  • Project changed from openQA Project (public) to openQA Tests (public)
  • Category set to New test
  • Assignee set to jlausuch

@jlausuch this seems to be related to your recent work, isn't it?

Actions #2

Updated by okurz 9 months ago

  • Related to action #164150: [SLFO] Stagings: official SUSE keys aren't used anymore added

Actions #3

Updated by szarate 9 months ago

We need to follow up on how to verify that we have the right keys for the Staging and Product Increments

Actions #4

Updated by jlausuch 24 days ago

  • Assignee deleted (jlausuch)

Unassigning myself. If this is a request for automation, probably qe-security could create a new job that.
@tjyrinki_suse would you please take a look at this and add it to your backlog?

Actions #5

Updated by tjyrinki_suse 24 days ago

  • Subject changed from Implement check that changes in https://progress.opensuse.org/issues/164150 are not used in official product to [security] Implement check that changes in https://progress.opensuse.org/issues/164150 are not used in official product
  • Start date deleted (2024-08-06)

It's not very clear from the (long) discussion which exact test case is being requested. The last note also mentions it's not clear if this is a request for automation or was a one-time request to check the situation remains correct.

If this ticket is a request for automatic regular testing, I'd ask for Johannes (or Jose) to edit the ticket's description with a "this ticket for dummies" approach (no references to old discussions) and answer the questions:

  • "For SLFO non-staging": does this mean "add a new automated test for SLE 16 and future SLFO products"?
  • Which binary is the "take one of the binaries", and what would be a reliable location to always fetch such a binary?
  • "Try to use it?" means what, try to boot SLE 16 installer with a special setting pointing to a special file, and expect a failure?

In other words, for this ticket to become Workable instead of New, we'd need a section:

Acceptance Criteria

  1. With numbered instructions where something is being tested.
  2. What is being tested,
  3. How it's being tested
  4. What are the expected criteria for "test passes" (can be also "booting fails with this error message") and "test fails" (can be for example booting passes)