-
Notifications
You must be signed in to change notification settings - Fork 51
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add UEFI Secure Boot with unsigned kernel case (New) (#1440)
* Add UEFI Secure Boot with unsigned kernel case
- Loading branch information
Showing
4 changed files
with
49 additions
and
0 deletions.
There are no files selected for viewing
28 changes: 28 additions & 0 deletions
28
contrib/checkbox-ce-oem/checkbox-provider-ce-oem/units/secure-boot/jobs.pxu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| plugin: manual | ||
| category_id: com.canonical.certification::security | ||
| id: ce-oem-secure-boot/uefi-secure-boot-unsigned-kernel | ||
| estimated_duration: 120.0 | ||
| imports: | ||
| from com.canonical.plainbox import manifest | ||
| from com.canonical.certification import lsb | ||
| from com.canonical.certification import bootloader | ||
| requires: | ||
| manifest.has_uefi_secure_boot_support == 'True' | ||
| "Ubuntu Core" not in lsb.description | ||
| bootloader.name == "grub" | ||
| _summary: | ||
| Verify UEFI Secure Boot by replacing signed kernel with unsigned kernel | ||
| _purpose: | ||
| Check device fails to load unsigned kernel due to security protection | ||
| _steps: | ||
| 1. Enable the Secure Boot feature in UEFI firmware | ||
| - Enroll UEFI Keys (PK.auth, KEK.auth and db.auth) | ||
| 2. Boot into Ubuntu | ||
| 3. Find any unsigned generic kernel through command "apt search linux-image-unsigned | grep generic" | ||
| 4. Install an unsigned generic kernel through command like "sudo apt install linux-image-unsigned-6.8.0-40-generic" | ||
| 5. Reboot device and when the grub boot menu is displayed, choose the unsigned kernel and try to boot into Ubuntu | ||
| 6. Verify the expected outcome and choose the original signed kernel then boot into Ubuntu | ||
| _verification: | ||
| Do you see the following messages be displayed and system stucks here? | ||
| error: bad shim signature | ||
| error: you need to load the kernel first |
5 changes: 5 additions & 0 deletions
5
contrib/checkbox-ce-oem/checkbox-provider-ce-oem/units/secure-boot/manifest.pxu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| unit: manifest entry | ||
| id: has_uefi_secure_boot_support | ||
| _prompt: Does this machine have the following secure boot features? | ||
| _name: UEFI Secure Boot Support | ||
| value-type: bool |
15 changes: 15 additions & 0 deletions
15
contrib/checkbox-ce-oem/checkbox-provider-ce-oem/units/secure-boot/test-plan.pxu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| id: ce-oem-secure-boot-full | ||
| unit: test plan | ||
| _name: Secure Boot test | ||
| _description: Secure Boot tests for devices | ||
| include: | ||
| nested_part: | ||
| ce-oem-secure-boot-manual | ||
|
|
||
| id: ce-oem-secure-boot-manual | ||
| unit: test plan | ||
| _name: Secure Boot manual Tests (Manual) | ||
| _description: Secure Boot manual Tests (Manual) | ||
| bootstrap_include: | ||
| include: | ||
| ce-oem-secure-boot/uefi-secure-boot-unsigned-kernel |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters