action #56768


[qe-core][qem] Add the possibility to enroll certificates in edk2 in openQA

Added by ggardet_arm over 4 years ago. Updated almost 2 years ago.

Status: Feedback
Priority: Low
Assignee: -
Category: Spike/Research
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty:

Description

To test signed grub/kernel or to access httpS servers with HTTP(S) boot, we need to enroll certificates.

For this, we need:
A. a filesystem accessible by the firmware (based on edk2), so a vfat filesystem, containing the certificates to enroll.
B. a new test.pm and needles to enroll certificates from this filesystem

--
For A, we could use:

  1. a new hd image, but openQA is not able to use 'mount' as it requires sudo rights, so we cannot build it from openQA
  2. an hd image, containing some *.pem files, built from OBS. It means that required certificates are available on OBS (not the case for openqa.opensuse.org certificate)
  3. use a bind to a local folder, by adding: -drive file=fat:rw:/tmp/pem_folder/ to qemu commandline, but this must be on vfat filesystem
  4. more ideas?

B. will be easy once A is done.


Related issues: 1 (1 open, 0 closed)

Related to openQA Tests - action #50348: [opensuse] Add a new test for UEFI HTTP(S) boot (Blocked, ggardet_arm, 2019-04-12)

Actions #1

Updated by ggardet_arm over 4 years ago

  • Subject changed from Add the possibility to enroll certificates in edk2 to Add the possibility to enroll certificates in edk2 in openQA
Actions #2

Updated by SLindoMansilla over 4 years ago

  • Subject changed from Add the possibility to enroll certificates in edk2 in openQA to [qam} Add the possibility to enroll certificates in edk2 in openQA
Actions #3

Updated by ggardet_arm over 4 years ago

  • Subject changed from [qam} Add the possibility to enroll certificates in edk2 in openQA to [qam] Add the possibility to enroll certificates in edk2 in openQA
Actions #4

Updated by ggardet_arm over 4 years ago

  • Related to action #50348: [opensuse] Add a new test for UEFI HTTP(S) boot added
Actions #5

Updated by tjyrinki_suse almost 4 years ago

  • Status changed from New to Workable
Actions #6

Updated by tjyrinki_suse over 3 years ago

  • Subject changed from [qam] Add the possibility to enroll certificates in edk2 in openQA to [qe-core][qam] Add the possibility to enroll certificates in edk2 in openQA
Actions #7

Updated by tjyrinki_suse over 3 years ago

  • Subject changed from [qe-core][qam] Add the possibility to enroll certificates in edk2 in openQA to [qe-core][qem] Add the possibility to enroll certificates in edk2 in openQA
Actions #8

Updated by tjyrinki_suse almost 3 years ago

  • Status changed from Workable to Feedback
  • Start date deleted (2019-09-10)

This is a really old ticket where also some more concrete planning should be done if it's still needed.

  1. Which certificates are being talked about and where to obtain them to be included on a vfat drive?
  2. How does one enroll the certificates?

I'm just guessing this is related to mokutil and the certificates one sees with Secure Boot enabled during bootup.

In 2020 a test verify_efi_mok.pm was done; is that this being implemented? At one point it creates a new certificate and imports it to mok.

There is also tests/security/mokutil_sign.pm

Actions #9

Updated by ggardet_arm almost 3 years ago

[note: added empty line for readability -Timo]

tjyrinki_suse wrote:

> This is a really old ticket where also some more concrete planning should be done if it's still needed.
>
>   1. Which certificates are being talked about and where to obtain them to be included on a vfat drive?

There were 2 topics:

  1. the server certificate to be able to use http*S*.
  2. a certificate for SecureBoot

>   2. How does one enroll the certificates?

We need to do it via UEFI menu.

> I'm just guessing this is related to mokutil and the certificates one sees with Secure Boot enabled during bootup.

I am not sure if this is the same database or not.

The SecureBoot part seems to be done as I understand the previous comment.
The http*S* server certificate may need to be done.

Actions #10

Updated by szarate almost 3 years ago

@Martin do you have an idea on how to implement this? :)

Comes to mind that os-autoinst needs to be extended to have the fat disk prepared along with the certificate.

Oli, any thoughts?

Actions #11

Updated by szarate almost 3 years ago

  • Priority changed from Normal to Low
Actions #12

Updated by okurz almost 3 years ago

szarate wrote:

> Oli, any thoughts?

I am not understanding much here. But ggardet_arm already mentioned "We need to do it via UEFI menu.". We have the code of the function "handle_uefi_boot_disk_workaround" within os-autoinst-distri-opensuse that goes over the UEFI menu of the VM within the test to select a UEFI firmware file manually. Maybe the same menu can be used for that purpose?

Actions #13

Updated by MDoucha almost 3 years ago

szarate wrote:

> @Martin do you have an idea on how to implement this? :)
>
> Comes to mind that os-autoinst needs to be extended to have the fat disk prepared along with the certificate.

I'm not familiar with UEFI firmware. I've only implemented some LTP checks through the /sys/ EFI interface in Linux. But I have two ideas which may or may not work:

  1. Buy a certificate for O3 that will work with UEFI firmware out of the box.
  2. Install a certificate manually and export it using PUBLISH_PFLASH_VARS, then just reuse the QCOW image as needed (not sure whether PFLASH_VARS can contain certs or not)
Actions #14

Updated by favogt almost 2 years ago

> a new hd image, but openQA is not able to use 'mount' as it requires sudo rights, so we cannot build it from openQA

By using mformat+mcopy from mtools, FAT32 images can be created and populated without mounting.
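The mtools approach above, as an added example that is not code from this ticket or from openQA/os-autoinst: a FAT image is created with mformat -C (no mount, loop device or sudo), populated with mcopy, and read back with mdir so a test can verify the certificates are really there before booting the VM. It assumes mtools is installed; the geometry, file names and the placeholder certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the ticket): build a FAT image holding *.pem certificates
# without 'mount' or root, using mformat + mcopy from mtools. Assumes mtools is
# installed; geometry, paths and the placeholder certificate are constructed here.
set -eu

# build_cert_image IMG SRC_DIR [TRACKS]
# Creates IMG (16 heads x 63 sectors x TRACKS cylinders, 512-byte sectors; the
# default 130 tracks gives ~64 MiB) and copies every *.pem from SRC_DIR into its root.
build_cert_image() {
    img=$1
    src_dir=$2
    tracks=${3:-130}
    rm -f "$img"
    # -C creates the image file itself; no loop device, mount or sudo involved.
    # mformat picks FAT12/16 for this size; add -F to force FAT32 on larger images.
    mformat -C -i "$img" -h 16 -s 63 -t "$tracks" ::
    for pem in "$src_dir"/*.pem; do
        [ -e "$pem" ] || continue
        mcopy -i "$img" "$pem" ::/
    done
}

# count_pems_in_image IMG
# Reads the image root back with mdir (bare listing) and prints how many entries
# end in .pem; this is the sanity check worth doing before handing the disk to the VM.
count_pems_in_image() {
    mdir -i "$1" -b ::/ | grep -ci '\.pem$' || true
}

# Demo with a constructed placeholder certificate (not a real certificate).
demo() {
    work=$(mktemp -d)
    mkdir "$work/pem"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' \
        > "$work/pem/openqa-ca.pem"
    build_cert_image "$work/certs.img" "$work/pem"
    echo "certificates in image: $(count_pems_in_image "$work/certs.img")"
    # The image can then be attached to the VM as an extra raw disk, e.g.
    #   -drive file=$work/certs.img,format=raw,if=virtio
    # and browsed from the UEFI menu to enroll the certificates.
    echo "$work/certs.img"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run with RUN_DEMO=1 to build the demo image; the functions can also be sourced from a wrapper that prepares the disk for a job.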

