Import Upstream version 0.9+1474479173.6c180c6upstream/0.9+1474479173.6c180c6

1 files changed, 87 insertions, 0 deletions

diff --git a/testplan.txt b/testplan.txt
new file mode 100644
index 00000000..0b0569e7
--- /dev/null
+++ b/testplan.txt
@@ -0,0 +1,87 @@
+How to test a new shim build for RHEL/fedora:
+
+1) build pesign-test-app, and sign it with the appropriate key
+2) build shim with the appropriate key built in
+3) install pesign-test-app and shim-unsigned on the test machine
+4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test
+   mkdir /boot/efi/EFI/test/
+   wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi
+   mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi
+5) sign shim with RHTC and put it in \EFI\test:
+   pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \
+        -s -c "Red Hat Test Certificate"
+6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi
+   cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \
+	/boot/efi/EFI/test/grubx64.efi
+7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\ .  Also
+   leave an unsigned copy there:
+    pesign -i /boot/efi/EFI/redhat/grubx64.efi \
+	-o /boot/efi/EFI/test/grubx64-unsigned.efi \
+	-r -u 0
+    pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \
+	-o /boot/efi/EFI/test/grub.efi \
+	-s -c "Red Hat Test Certificate"
+8) sign a copy of mokmanager with RHTC and put it in \EFI\test:
+    pesign -i /usr/share/shim/MokManager.efi \
+	-o /boot/efi/EFI/test/MokManager.efi -s \
+	-c "Red Hat Test Certificate"
+9) copy grub.cfg to our test directory:
+    cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
+10) *move* \EFI\redhat\BOOT.CSV to \EFI\test 
+    rm -rf /boot/efi/EFI/BOOT/
+    mkdir /boot/efi/EFI/BOOT/
+    mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
+11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi
+    pesign -i /usr/share/shim/fallback.efi \
+	-o /boot/efi/EFI/BOOT/fallback.efi \
+	-s -c "Red Hat Test Certificate"
+12) put shim.efi there as well
+    cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
+13) enroll the current kernel's certificate with mokutil:
+    # this should be a /different/ cert than the one signing pesign-test-app.
+    # for instance use a RHEL cert for p-t-a and a fedora cert+kernel here.
+    mokutil --import ~/fedora-ca.cer
+14) put machine in setup mode
+15) boot to the UEFI shell
+16) run lockdown.efi from #4:
+    fs0:\EFI\test\lockdown.efi
+17) enable secure boot verification
+18) verify it can't run other binaries:
+    fs0:\EFI\test\grubx64.efi
+    result should be an error, probably similar to:
+    "fs0:\...\grubx64.efi is not recognized as an internal or external command"
+19) in the EFI shell, run fs0:\EFI\test\shim.efi
+20) you should see MokManager.  Enroll the certificate you added in #13, and
+    the system will reboot.
+21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi
+    result: "This is a test application that should be completely safe."
+  If you get the expected result, shim can run things signed by its internal
+  key ring.  Check a box someplace that says it can do that.
+22) from the EFI shell, copy grub to grubx64.efi:
+    cp \EFI\test\grub.efi \EFI\test\grubx64.efi
+23) in the EFI shell, run fs0:\EFI\test\shim.efi
+    result: this should start grub, which will let you boot a kernel
+  If grub starts, it means shim can run things signed by a key in the system's
+  db.  Check a box someplace that says it can do that.
+  If the kernel boots, it means shim can run things from Mok.  Check a box
+  someplace that says it can do that.
+24) remove all boot entries and the BootOrder variable:
+    [root@uefi ~]# cd /sys/firmware/efi/efivars/
+    [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-*
+    removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’
+    removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
+    removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’
+    removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
+    removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’
+    [root@uefi efivars]# 
+25) reboot
+26) the system should run \EFI\BOOT\BOOTX64.EFI .  If it doesn't, you may just
+    have an old machine.  In that case, go to the EFI shell and run:
+    fs0:\EFI\BOOT\BOOTX64.EFI
+  If this works, you should see a bit of output very quickly and then the same
+  thing as #24.  This means shim recognized it was in \EFI\BOOT and ran
+  fallback.efi, which worked.
+27) copy the unsigned grub into place and reboot:
+  cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi
+28) reboot again.
+    result: shim should refuse to load grub.