Project

General

Profile

Actions

action #72037

open

[yast][security][qem][shim] Enable shim testing on baremetal

Added by geor over 3 years ago. Updated 8 months ago.

Status:
Workable
Priority:
Low
Assignee:
-
Category:
New test
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
16.00 h
Difficulty:

Description

Although we do have openQA runs with secure boot, there is need for shim testing on baremetal machine with secure boot.

probably the following would need to be scheduled:

  • security/mokutil_sign.pm
  • console/verify_efi_mok.pm
Actions #1

Updated by tjyrinki_suse over 3 years ago

  • Status changed from New to Workable
Actions #2

Updated by tjyrinki_suse over 3 years ago

  • Subject changed from [qam][shim] Enable shim testing on baremetal to [qe-core][qam][shim] Enable shim testing on baremetal
Actions #3

Updated by tjyrinki_suse over 3 years ago

  • Subject changed from [qe-core][qam][shim] Enable shim testing on baremetal to [qe-core][qem][shim] Enable shim testing on baremetal
Actions #4

Updated by tjyrinki_suse over 3 years ago

  • Category set to New test
Actions #5

Updated by mgrifalconi over 3 years ago

  • Status changed from Workable to In Progress
  • Assignee set to mgrifalconi
Actions #6

Updated by mgrifalconi over 3 years ago

  • Status changed from In Progress to Workable
Actions #7

Updated by mgrifalconi over 3 years ago

  • Assignee deleted (mgrifalconi)
Actions #8

Updated by apappas over 2 years ago

  • Status changed from Workable to Feedback
  • Assignee set to tjyrinki_suse

This ticket was discussed in the qe-core refinement session.

To work on this, we need a UEFI enabled bare metal host connected to openqa. Are there any? Why did George make the ticket?

As you were away for this session and could not answer, Timo I am assigning you to this ticket to give us some feedback.

Actions #9

Updated by geor over 2 years ago

apappas wrote:

This ticket was discussed in the qe-core refinement session.

To work on this, we need a UEFI enabled bare metal host connected to openqa. Are there any? Why did George make the ticket?

Hi, this was requested by Heiko in 2020, a requirement back from when we were part of the Maintenance-Security department.
Given that it has not been re-raised as an issue despite the fact that we haven't implemented an automated testing scenario for shim in nearly 1.5 years I think it is safe to delete this.

Actions #10

Updated by tjyrinki_suse over 2 years ago

  • Subject changed from [qe-core][qem][shim] Enable shim testing on baremetal to [yast][security][qem][shim] Enable shim testing on baremetal
  • Assignee changed from tjyrinki_suse to hrommel1

I think QE Security has done a lot of secure boot related tests (for example for aarch64), although not all might be enabled for maintenance releases.

OTOH tests/console/verify_secure_boot.pm are maintained by QE Yast, maybe because the success of the installation depends on correct functionality of secure boot.

I'll assign this to Heiko once more, maybe to raise as a topic in Wednesday's meeting or if an answer is already known about the baremetal testing status.

Actions #11

Updated by slo-gin over 1 year ago

This ticket was set to Normal priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.

Actions #12

Updated by tjyrinki_suse about 1 year ago

  • Priority changed from Normal to Low

There hasn't been requests for this ticket lately even though we might want to add more bare metal testing if baremetal machines are reliably available in openQA.

Actions #13

Updated by tjyrinki_suse 8 months ago

  • Status changed from Feedback to Workable
  • Assignee deleted (hrommel1)
  • Start date deleted (2020-09-28)
  • Estimated time set to 16.00 h
  • Parent task set to #136034

We have mokutil_sign executed as part of create_hdd_textmode_ext4_mok_enroll on maintenance, QU and prod_devel on x86_64.

We have verify_efi_mok executed as part of aarch64_secureboot likewise in all job groups.

Next step would be we should make sure those two will be similarly executed as part of our on-demand baremetal testing plans.

Actions #14

Updated by tjyrinki_suse 8 months ago

  • Tags changed from feature to feature, baremetal
Actions

Also available in: Atom PDF