
Pick a testing platform #18

Open
2 tasks
crichez opened this issue Aug 7, 2024 · 2 comments · May be fixed by #19
Assignees
Labels
enhancement New feature or request
Milestone

Comments

@crichez
Owner

crichez commented Aug 7, 2024

Background

This project does not include any tests; things are run on my machine before commits, which is error-prone and not exhaustive. The main reason for this is our dependency on secure boot. I simply don't know how to automate secure boot configuration. Right now the uki_config role asks for an admin on a serial console to validate machine owner key (MOK) enrollment, which means testing also requires manual intervention.

Solution

We either need a way to automate MOK enrollment, or we need to run tests on a VM image that comes with a usable MOK pre-enrolled. We can also accept a little manual labor and run all other tests automatically.

Automating MOK enrollment

It should be totally possible to stream the output of a libvirt guest's console to a program that will execute the required input for enrollment. This would be similar to expect, in the sense that we would wait for the output to match the pattern that corresponds to the MokManager welcome screen, and script inputs from there. There are some unknowns here:

  1. MokManager is really a GUI, so simple text-based regex might not work
  2. This isn't a stable API, so it could break on minor MokManager releases (or maybe even platform differences?)

We can run the following tests to clarify these points:

  • Capture a guest's console output to a file, and examine it manually to see how pattern-matchable it is
  • Depend on the hash of a specific MokManager.efi binary, and require manual output if it isn't satisfied

Enrolling a MOK out-of-band

When it comes to RedHat's shim documentation, there is absolutely no support provided for out-of-band MOK enrollment. If we look at secure boot more broadly, there may actually be tools to do this:

Isolating manual labor

We can run the test suite locally and accept a little bit of manual labor. The only task that needs this sort of attention is MOK enrollment. We can run both pre and post-enrollment tests on the same machine by testing for different keys, but the actual enrollment will need to be demonstrated manually before we can consider the entire test suite as passed.

@crichez crichez added the enhancement New feature or request label Aug 7, 2024
@crichez crichez self-assigned this Aug 7, 2024
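The expect-style approach sketched in the issue body, written out as an added example (this is not code from the uki_config project or from the issue author). It addresses the two unknowns listed there: MokManager draws a text-mode screen with ANSI escape sequences, so the driver strips those from the accumulated console bytes before regex matching (and does so on the whole buffer, so a sequence split across two serial reads still disappears), and the keystroke script is pinned to a SHA-256 of the MokManager.efi build it was written for, so an unknown binary gets no automation. The prompt strings, the keystrokes chosen for each menu, the password and the `SAMPLE_TRANSCRIPT` console bytes are all constructed placeholders, not captured from a real guest or verified against a particular shim release.

```python
"""Expect-style automation of MokManager over a libvirt/qemu serial console.

Added example. ASSUMPTIONS: prompt strings, per-menu keystrokes and the
password are placeholders; SAMPLE_TRANSCRIPT is hand-constructed.
"""
import hashlib
import re

# CSI sequences (ESC [ params final byte) plus a few two-byte ESC forms that
# text-mode EFI UIs emit (charset selection, keypad mode, save/restore cursor).
ANSI_RE = re.compile(rb'\x1b\[[0-?]*[ -/]*[@-~]|\x1b[()][0-9A-Za-z]|\x1b[=>78]')


def strip_ansi(raw: bytes) -> str:
    """Return only the printed characters from raw console output."""
    return ANSI_RE.sub(b'', raw).decode('utf-8', errors='replace')


MOK_PASSWORD = b'changeme'  # ASSUMPTION: placeholder for the role's MOK password

# (regex to wait for, bytes to type once it appears). ASSUMPTION: prompt text
# and menu choices are illustrative; b'\x1b[B' is the terminal Down-arrow code.
ENROLL_SCRIPT = [
    (r'perform MOK management', b'\r'),
    (r'Enroll MOK',             b'\r'),
    (r'View key 0',             b'\r'),
    (r'Enroll the key\(s\)\?',  b'\x1b[B\r'),       # move from No to Yes, confirm
    (r'Password',               MOK_PASSWORD + b'\r'),
    (r'Reboot',                 b'\r'),
]


class ConsoleDriver:
    """Feed raw console bytes in; get keystrokes back when the next prompt matches."""

    def __init__(self, script):
        self.script = [(re.compile(p, re.IGNORECASE), keys) for p, keys in script]
        self.step = 0
        self.raw = b''      # everything seen since our last keystroke
        self.sent = []

    @property
    def done(self) -> bool:
        return self.step == len(self.script)

    def feed(self, chunk: bytes):
        """Return keys to send after this chunk, or None to keep waiting."""
        if self.done:
            return None
        self.raw += chunk
        pattern, keys = self.script[self.step]
        # Strip escapes from the accumulated buffer, not the single chunk, so a
        # CSI sequence split across reads never leaks its tail into the text.
        if pattern.search(strip_ansi(self.raw)) is None:
            return None
        # Output after our keystroke belongs to the next screen: start fresh.
        self.raw = b''
        self.step += 1
        self.sent.append(keys)
        return keys


def run_transcript(chunks, script=ENROLL_SCRIPT):
    """Drive a script over a recorded transcript; returns (keys sent, finished)."""
    drv = ConsoleDriver(script)
    for chunk in chunks:
        drv.feed(chunk)
    return drv.sent, drv.done


# Constructed transcript: roughly one chunk per screen, with a word split
# across chunks 2/3 and an escape sequence split across chunks 5/6.
SAMPLE_TRANSCRIPT = [
    b'\x1b[2J\x1b[1;1H\x1b[37;44mShim UEFI key management\x1b[0m\r\n',
    b'\x1b[3;1HPress any key to perform MOK manage',
    b'ment\x1b[5;1HBooting in 10 seconds',
    b'\x1b[2J\x1b[1;1H\x1b[7mEnroll MOK\x1b[0m\r\nContinue boot\r\n',
    b'\x1b[2J\x1b[1;1H\x1b[7',
    b'mView key 0\x1b[0m\r\nContinue\r\n',
    b'\x1b[2J\x1b[1;1HEnroll the key(s)?\r\n\x1b[7mNo\x1b[0m\r\nYes\r\n',
    b'\x1b[2J\x1b[1;1HPassword(8-16 characters): ',
    b'\x1b[2J\x1b[1;1HThe system must now be rebooted\r\n\x1b[7mReboot\x1b[0m\r\n',
]

# Pin the script to one MokManager.efi build so a UI change cannot silently
# drive the wrong keystrokes. ASSUMPTION: FAKE_MOKMANAGER stands in for the
# real file; in practice the dict key is the sha256 of the packaged binary.
FAKE_MOKMANAGER = b'MZ\x90\x00constructed stand-in for MokManager.efi'
KNOWN_SCRIPTS = {hashlib.sha256(FAKE_MOKMANAGER).hexdigest(): ENROLL_SCRIPT}


def script_for_binary(mokmanager_bytes: bytes):
    """Return the script pinned to this MokManager build, or None if unknown."""
    return KNOWN_SCRIPTS.get(hashlib.sha256(mokmanager_bytes).hexdigest())


if __name__ == '__main__':
    script = script_for_binary(FAKE_MOKMANAGER)
    sent, finished = run_transcript(SAMPLE_TRANSCRIPT, script)
    print('finished' if finished else 'stuck', [k.hex() for k in sent])
```

The driver models a live console: each keystroke is sent only after the prompt for it has been seen, and the buffer is cleared on every match because anything printed after the keystroke belongs to the next screen. That means a transcript captured to a file (the first experiment proposed above) has to be replayed in screen-sized chunks; if the whole dump is fed as one chunk, the first pattern consumes it and the run reports `finished == False`, which is the right outcome rather than a false pass. When an unknown MokManager hash turns up, `script_for_binary` returns `None` and the test run should fall back to the manual enrollment path.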
@crichez
Owner Author

crichez commented Dec 29, 2024

It seems we have a working testing platform on branch fix/dont-enroll-mok (poorly named), using libvirt, qemu, and virt-firmware. Sadly we can't get certificates enrolled by virt-firmware to be recognized as enrolled by mokutil. Need to investigate some more.

@crichez crichez linked a pull request Jan 5, 2025 that will close this issue
@crichez crichez added this to the v1.0.0 milestone Jan 5, 2025
@crichez
Owner Author

crichez commented Jan 5, 2025

PR #19 includes working automatic MOK enrollment for virtual machines only. Libvirt is now our selected testing platform.
