action #30186
closed[sle][functional][qam][research][medium] crosscheck "secure boot" test scenarios for SLE and openSUSE and bring them back
0%
Description
Motivation¶
Heiko Rommel (QAM) asked about "secure boot testing" in openQA and we have that support in os-autoinst-distri-opensuse but maybe not currently running for our SLE tests and/or openSUSE and should crosscheck that.
Further details¶
In https://openqa.suse.de/admin/test_suites I can find the test suite "minimal_x+uefi" specifying "EXTRABOOTPARAMS=secureboot_enable=1" which I am not sure what benefit it will provide. os-autoinst-distri-opensuse mentions get_var("SECUREBOOT") which is not mentioned in any test suite on neither osd nor o3. Checking with https://github.com/okurz/scripts/blob/master/openqa-db_query_last_use_of_module I could not find the test module "installation/secure_boot" being called anywhere on neither osd nor o3 so we certainly miss something here.
Tasks¶
- Research what is the current state of test scenarios, if secure boot is used anywhere
- Research what has to be done to enable such a scenario and either add it if trivial, or create another ticket with proper description and findings
Updated by okurz over 6 years ago
@lnussel can you comment on the current state of "secure boot" tests in openQA on either osd or o3? https://openqa.opensuse.org/tests/578965#step/bootloader_uefi/1 is secure boot but what about the boot parameter "secureboot_enable=1" or the test variable "SECUREBOOT" as described in the ticket description?
Updated by pluskalm over 6 years ago
- Subject changed from [sle][functional]crosscheck "secure boot" test scenarios for SLE and openSUSE and bring them back to [sle][functional][qam]crosscheck "secure boot" test scenarios for SLE and openSUSE and bring them back
Updated by lnussel over 6 years ago
I have no idea what those parameters are about. Whether or not secure boot is enabled depends only on the uefi firmware used. See rpm -ql qemu-ovmf-
x86_64
*-{ms,opensuse,suse} are firmwares that have secure boot on and require signed bootloaders.
The plain ovmf-x86_64.bin is the only one without secure boot. In openQA there are various machines that have UEFI enabled. By default the ms firmware is used. So you can schedule any test also a UEFI machine.
Updated by riafarov about 6 years ago
- Subject changed from [sle][functional][qam]crosscheck "secure boot" test scenarios for SLE and openSUSE and bring them back to [sle][functional][qam][research] crosscheck "secure boot" test scenarios for SLE and openSUSE and bring them back
- Description updated (diff)
- Status changed from New to Workable
Updated by riafarov about 6 years ago
- Subject changed from [sle][functional][qam][research] crosscheck "secure boot" test scenarios for SLE and openSUSE and bring them back to [sle][functional][qam][research][medium] crosscheck "secure boot" test scenarios for SLE and openSUSE and bring them back
Updated by riafarov about 6 years ago
- Status changed from Workable to In Progress
Updated by riafarov about 6 years ago
- Status changed from In Progress to Resolved
MACHINE uefi indeed does the job, the only scenario we had for openSUSE and not for SLE was cryptlmv. I've enabled it also for crypt_no_lvm for sle15. This can be used for other scenarios by just adding machine.
Here are the runs on osd:
https://openqa.suse.de/tests/1478960#
https://openqa.suse.de/tests/1478959#
https://openqa.suse.de/tests/1478943#
Updated by pluskalm about 6 years ago
I am afraid that original question was not answered (its kind of yes/no) question - its nice that cryptlvm was enabled for SLE-15 of course ...
Updated by pluskalm about 6 years ago
In other words, for uefi* tests is secure boot enabled or not?
Updated by osukup about 6 years ago
in o.o.o tests using uefi (bootloader_uefi.pm) have https://openqa.opensuse.org/tests/611003#step/bootloader_uefi/1 shown shim question ( so SecureBoot enabled) .. SLE12SPx minimal tests have one @uefi test used with same perl code and same omvf.bin --> https://openqa.suse.de/tests/1475333#step/bootloader_uefi/1
Updated by coolo about 6 years ago
it does not depend on the test suite but on the machine - if the machine is uefi, it's secure boot.
But if you look at https://openqa.suse.de/admin/job_templates/108 it's all 64bit machine