action #56768
open
[qe-core][qem] Add the possibility to enroll certificates in edk2 in openQA
Added by ggardet_arm over 4 years ago.
Updated almost 2 years ago.
Description
To test signed grub/kernel or to access httpS servers with HTTP(S) boot, we need to enroll certificates.
For this, we need:
A. a filesystem accessible by the firmware (based on edk2), so a vfat filesystem, containing the certificates to enroll.
B. a new test.pm and needles to enroll certificates from this filesystem
--
For A, we could use:
- a new hd image, but openQA is not able to use 'mount' as it requires sudo rights, so we cannot build it from openQA
- an hd image, containing some
*.pem files, built from OBS. It means that required certificates are available on OBS (not the case for openqa.opensuse.org certificate)
- use a bind to a local folder, by adding:
-drive file=fat:rw:/tmp/pem_folder/ to qemu commandline, but this must be on vfat filesystem
- more ideas?
B. will be easy once A is done.
Related issues
1 (1 open — 0 closed)
- Subject changed from Add the possibility to enroll certificates in edk2 to Add the possibility to enroll certificates in edk2 in openQA
- Subject changed from Add the possibility to enroll certificates in edk2 in openQA to [qam} Add the possibility to enroll certificates in edk2 in openQA
- Subject changed from [qam} Add the possibility to enroll certificates in edk2 in openQA to [qam] Add the possibility to enroll certificates in edk2 in openQA
- Related to action #50348: [opensuse] Add a new test for UEFI HTTP(S) boot added
- Status changed from New to Workable
- Subject changed from [qam] Add the possibility to enroll certificates in edk2 in openQA to [qe-core][qam] Add the possibility to enroll certificates in edk2 in openQA
- Subject changed from [qe-core][qam] Add the possibility to enroll certificates in edk2 in openQA to [qe-core][qem] Add the possibility to enroll certificates in edk2 in openQA
- Status changed from Workable to Feedback
- Start date deleted (
2019-09-10)
This is a really old ticket where also some more concrete planning should be done if it's still needed.
- Which certificates are being talked about and where to obtain them to be included on a vfat drive?
- How one enrolls the certificates?
I'm just guessing this is related to mokutil and the certificates one sees with Secure Boot enabled during bootup.
In 2020 a test verify_efi_mok.pm was done, is that this being implemented? At one point it creates a new certificate and imports it to mok.
There is also tests/security/mokutil_sign.pm
[note: added empty line for readability -Timo]
tjyrinki_suse wrote:
This is a really old ticket where also some more concrete planning should be done if it's still needed.
- Which certificates are being talked about and where to obtain them to be included on a vfat drive?
There was 2 topics:
- the server certificate to be able to use http*S*.
- a certificate for SecureBoot
- How one enrolls the certificates?
We need to do it via UEFI menu.
I'm just guessing this is related to mokutil and the certificates one sees with Secure Boot enabled during bootup.
I am not sure if this the same database or not.
The SecureBoot part seems to be done as I understand the previous comment.
The http*S* server certificate may need to be done.
@Martin do you have an idea on how implement this? :)
Comes to mind that os-autoinst needs to be extended to have the the fat disk prepared along with the certificate.
Oli, any thoughts?
- Priority changed from Normal to Low
szarate wrote:
Oli, any thoughts?
I am not understanding much here. But ggardet_arm already mentioned "We need to do it via UEFI menu.". We have the code of the function "handle_uefi_boot_disk_workaround" within os-autoinst-distri-opensuse that goes over the UEFI menu of the VM within the test to select a UEFI firmware file manually. Maybe the same menu can be used for that purpose?
szarate wrote:
@Martin do you have an idea on how implement this? :)
Comes to mind that os-autoinst needs to be extended to have the the fat disk prepared along with the certificate.
I'm not familiar with UEFI firmware. I've only implemented some LTP checks through the /sys/ EFI interface in Linux. But I have two ideas which may or may not work:
- Buy a certificate for O3 that will work with UEFI firmware out of the box.
- Install a certificate manually and export it using
PUBLISH_PFLASH_VARS, then just reuse the QCOW image as needed (not sure whether PFLASH_VARS can contain certs or not)
a new hd image, but openQA is not able to use 'mount' as it requires sudo rights, so we cannot build it from openQA
By using mformat+mcopy from mtools, FAT32 images can be created and populated without mounting.
Also available in: Atom
PDF