action #56768
closed[qe-core][qem] Add the possibility to enroll certificates in edk2 in openQA
Description
To test signed grub/kernel or to access httpS servers with HTTP(S) boot, we need to enroll certificates.
For this, we need:
A. a filesystem accessible by the firmware (based on edk2), so a vfat filesystem, containing the certificates to enroll.
B. a new test.pm and needles to enroll certificates from this filesystem
--
For A, we could use:
- a new hd image, but openQA is not able to use 'mount' as it requires sudo rights, so we cannot build it from openQA
- an hd image, containing some *.pem files, built from OBS. It means that required certificates are available on OBS (not the case for openqa.opensuse.org certificate)
- use a bind to a local folder, by adding: -drive file=fat:rw:/tmp/pem_folder/ to qemu commandline, but this must be on vfat filesystem
- more ideas?
B. will be easy once A is done.
Updated by ggardet_arm over 5 years ago
- Subject changed from Add the possibility to enroll certificates in edk2 to Add the possibility to enroll certificates in edk2 in openQA
Updated by SLindoMansilla over 5 years ago
- Subject changed from Add the possibility to enroll certificates in edk2 in openQA to [qam} Add the possibility to enroll certificates in edk2 in openQA
Updated by ggardet_arm over 5 years ago
- Subject changed from [qam} Add the possibility to enroll certificates in edk2 in openQA to [qam] Add the possibility to enroll certificates in edk2 in openQA
Updated by ggardet_arm over 5 years ago
- Related to action #50348: [opensuse] Add a new test for UEFI HTTP(S) boot added
Updated by tjyrinki_suse over 4 years ago
- Subject changed from [qam] Add the possibility to enroll certificates in edk2 in openQA to [qe-core][qam] Add the possibility to enroll certificates in edk2 in openQA
Updated by tjyrinki_suse over 4 years ago
- Subject changed from [qe-core][qam] Add the possibility to enroll certificates in edk2 in openQA to [qe-core][qem] Add the possibility to enroll certificates in edk2 in openQA
Updated by tjyrinki_suse about 4 years ago
- Status changed from Workable to Feedback
- Start date deleted (2019-09-10)
This is a really old ticket where also some more concrete planning should be done if it's still needed.
- Which certificates are being talked about and where to obtain them to be included on a vfat drive?
- How one enrolls the certificates?
I'm just guessing this is related to mokutil and the certificates one sees with Secure Boot enabled during bootup.
In 2020 a test verify_efi_mok.pm was done; is that this being implemented? At one point it creates a new certificate and imports it to mok.
There is also tests/security/mokutil_sign.pm
Updated by ggardet_arm almost 4 years ago
[note: added empty line for readability -Timo]
tjyrinki_suse wrote:
This is a really old ticket where also some more concrete planning should be done if it's still needed.
- Which certificates are being talked about and where to obtain them to be included on a vfat drive?
There were 2 topics:
- the server certificate to be able to use httpS.
- a certificate for SecureBoot
- How one enrolls the certificates?
We need to do it via UEFI menu.
I'm just guessing this is related to mokutil and the certificates one sees with Secure Boot enabled during bootup.
I am not sure if this is the same database or not.
The SecureBoot part seems to be done as I understand the previous comment.
The httpS server certificate may need to be done.
Updated by szarate almost 4 years ago
@Martin do you have an idea on how to implement this? :)
Comes to mind that os-autoinst needs to be extended to have the fat disk prepared along with the certificate.
Oli, any thoughts?
Updated by okurz almost 4 years ago
szarate wrote:
Oli, any thoughts?
I am not understanding much here. But ggardet_arm already mentioned "We need to do it via UEFI menu.". We have the code of the function "handle_uefi_boot_disk_workaround" within os-autoinst-distri-opensuse that goes over the UEFI menu of the VM within the test to select a UEFI firmware file manually. Maybe the same menu can be used for that purpose?
Updated by MDoucha almost 4 years ago
szarate wrote:
@Martin do you have an idea on how to implement this? :)
Comes to mind that os-autoinst needs to be extended to have the fat disk prepared along with the certificate.
I'm not familiar with UEFI firmware. I've only implemented some LTP checks through the /sys/ EFI interface in Linux. But I have two ideas which may or may not work:
- Buy a certificate for O3 that will work with UEFI firmware out of the box.
- Install a certificate manually and export it using PUBLISH_PFLASH_VARS, then just reuse the QCOW image as needed (not sure whether PFLASH_VARS can contain certs or not)
Updated by favogt almost 3 years ago
a new hd image, but openQA is not able to use 'mount' as it requires sudo rights, so we cannot build it from openQA
By using mformat+mcopy from mtools, FAT32 images can be created and populated without mounting.
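The mtools approach from the comment above, as an added example that is not code from the ticket or from os-autoinst: it lays a FAT filesystem onto a plain file with mformat, copies the *.pem certificates in with mcopy (no mount, no sudo), and composes the qemu drive arguments to hand that image to the edk2 firmware. It assumes mtools is installed; the image path, size and certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the ticket. Builds a FAT image holding certificates for
# firmware-side enrollment without mounting anything. Requires the mtools package.
set -u

# build_cert_image IMAGE SIZE_KIB CERT...
# Creates IMAGE (SIZE_KIB kibibytes), formats it as FAT and copies every CERT
# into a CERTS directory. Returns 2 if mtools is missing, 1 on any other failure.
build_cert_image() {
    img=$1; size_kib=$2; shift 2
    command -v mformat >/dev/null 2>&1 || { echo "mtools not installed" >&2; return 2; }
    for cert; do
        [ -r "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    done
    # Sparse file of the requested size; mformat derives the geometry from it
    # (mformat picks FAT12/16/32 from the size; pass -F to force FAT32).
    truncate -s "${size_kib}K" "$img" || return 1
    mformat -i "$img" -v CERTS :: || return 1
    # Keep the certificates in their own directory so other EFI files can coexist.
    mmd -i "$img" ::/CERTS || return 1
    for cert; do
        mcopy -i "$img" "$cert" ::/CERTS/ || return 1
    done
    # List the result so the caller can see what the firmware will be offered.
    mdir -i "$img" ::/CERTS
}

# qemu_cert_drive_args IMAGE
# Attaches the image read-only as a raw virtio disk; edk2 (OVMF/AAVMF) ships a
# virtio-blk driver, so the FAT volume shows up in the firmware's file browser.
# Read-only keeps the guest from altering the certificates under test.
qemu_cert_drive_args() {
    printf -- '-drive file=%s,format=raw,if=virtio,readonly=on' "$1"
}
```

The firmware-side enrollment step itself (navigating the UEFI menu to the image and importing the file) still needs the test.pm and needles the ticket asks for; this only prepares the disk.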
Updated by mgrifalconi about 1 year ago
- Tags set to qecore-cleanup
- Status changed from Feedback to Rejected
Nothing really happened and it seems unclear what and how to do things. Please reopen with detailed info and escalate for priority if you think it is necessary. Not much will ever happen otherwise.