From bbfd2ab18f52600aa41f061b2da9a2afe2a9d6ac Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Fri, 4 Aug 2017 12:10:50 -0400 Subject: Import Upstream version 0.9+1474479173.6c180c6 --- testplan.txt | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 testplan.txt (limited to 'testplan.txt') diff --git a/testplan.txt b/testplan.txt new file mode 100644 index 00000000..0b0569e7 --- /dev/null +++ b/testplan.txt @@ -0,0 +1,87 @@ +How to test a new shim build for RHEL/fedora: + +1) build pesign-test-app, and sign it with the appropriate key +2) build shim with the appropriate key built in +3) install pesign-test-app and shim-unsigned on the test machine +4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test + mkdir /boot/efi/EFI/test/ + wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi + mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi +5) sign shim with RHTC and put it in \EFI\test: + pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \ + -s -c "Red Hat Test Certificate" +6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi + cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \ + /boot/efi/EFI/test/grubx64.efi +7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\ . Also + leave an unsigned copy there: + pesign -i /boot/efi/EFI/redhat/grubx64.efi \ + -o /boot/efi/EFI/test/grubx64-unsigned.efi \ + -r -u 0 + pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \ + -o /boot/efi/EFI/test/grub.efi \ + -s -c "Red Hat Test Certificate" +8) sign a copy of mokmanager with RHTC and put it in \EFI\test: + pesign -i /usr/share/shim/MokManager.efi \ + -o /boot/efi/EFI/test/MokManager.efi -s \ + -c "Red Hat Test Certificate" +9) copy grub.cfg to our test directory: + cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg +10) *move* \EFI\redhat\BOOT.CSV to \EFI\test + rm -rf /boot/efi/EFI/BOOT/ + mkdir /boot/efi/EFI/BOOT/ + mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV +11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi + pesign -i /usr/share/shim/fallback.efi \ + -o /boot/efi/EFI/BOOT/fallback.efi \ + -s -c "Red Hat Test Certificate" +12) put shim.efi there as well + cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI +13) enroll the current kernel's certificate with mokutil: + # this should be a /different/ cert than the one signing pesign-test-app. + # for instance use a RHEL cert for p-t-a and a fedora cert+kernel here. + mokutil --import ~/fedora-ca.cer +14) put machine in setup mode +15) boot to the UEFI shell +16) run lockdown.efi from #4: + fs0:\EFI\test\lockdown.efi +17) enable secure boot verification +18) verify it can't run other binaries: + fs0:\EFI\test\grubx64.efi + result should be an error, probably similar to: + "fs0:\...\grubx64.efi is not recognized as an internal or external command" +19) in the EFI shell, run fs0:\EFI\test\shim.efi +20) you should see MokManager. Enroll the certificate you added in #13, and + the system will reboot. +21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi + result: "This is a test application that should be completely safe." + If you get the expected result, shim can run things signed by its internal + key ring. Check a box someplace that says it can do that. +22) from the EFI shell, copy grub to grubx64.efi: + cp \EFI\test\grub.efi \EFI\test\grubx64.efi +23) in the EFI shell, run fs0:\EFI\test\shim.efi + result: this should start grub, which will let you boot a kernel + If grub starts, it means shim can run things signed by a key in the system's + db. Check a box someplace that says it can do that. + If the kernel boots, it means shim can run things from Mok. Check a box + someplace that says it can do that. +24) remove all boot entries and the BootOrder variable: + [root@uefi ~]# cd /sys/firmware/efi/efivars/ + [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-* + removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + [root@uefi efivars]# +25) reboot +26) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just + have an old machine. In that case, go to the EFI shell and run: + fs0:\EFI\BOOT\BOOTX64.EFI + If this works, you should see a bit of output very quickly and then the same + thing as #24. This means shim recognized it was in \EFI\BOOT and ran + fallback.efi, which worked. +27) copy the unsigned grub into place and reboot: + cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi +28) reboot again. + result: shim should refuse to load grub. -- cgit v1.2.3