TestPlan
Test plan for shim updates
Regression testing
- Verify that LP: #1792575 in grub has been fixed first for the corresponding release.
- Check that MAAS can successfully deploy a system
- Check that Windows 7 dual-booting works in UEFI mode -- grub can chainload Windows 7
- Check that Windows 10 dual-booting works in UEFI mode -- grub can chainload Windows 10
shim booting
- Verify that Secure Boot is enabled in the firmware
On recent Ubuntu releases, you can use 'sudo mokutil --sb-state' for that purpose.
- Update to new shim and shim-signed packages.
- Reboot.
- Validate that the system still boots, i.e. that the firmware validates the shim image and that shim in turn validates the grub binary.
- If you can boot to a desktop or a login prompt, shim validated the grub binary.
netboot
- Install a boot server
DHCP server with the next-server IP set; tftp server enabled that serves bootx64.efi (the new shim), and grubnetx64.efi (the most recent grub, or the new grub under test) installed as grubx64.efi.
- Boot a separate machine on the network served by the boot server.
- Validate that you can reach a grub prompt, or that you can boot to a desktop or login prompt if testing grub as well.
MAAS netboot
- Install a MAAS server on a network.
- Deploy a UEFI system using the MAAS server.
- Ensure that the system is able to boot and deploy successfully.
- MAAS should say the system is in "Deployed" state with the right Ubuntu release, and the system is booted and reachable.
shim-to-shim chainloading
- Check that, with Secure Boot enabled, one can boot shim+grub
- chainload a different shim, which will load a different grub
- and that said shim successfully boots its grub and kernel.
An example would be to load Ubuntu's shim+grub and chainload to Debian's shim on a different drive, then boot Debian's grub & kernel.
MokManager
Enrolling a certificate
- Generate a new self-signed certificate.
- You can use 'sudo update-secureboot-policy --new-mok' for that purpose; the generated DER file will be in /var/lib/shim-signed/mok.
- Run 'sudo mokutil --enable-validation'
- Follow prompts on screen to enable validation if applicable.
- Run 'sudo mokutil --import <certificate.der>'
- Follow the prompts on screen to import a new certificate.
- Reboot
- Follow prompts to import the new certificate and enable validation.
- Validate that the system boots all the way to userland.
- Verify that the certificate has been correctly imported, it should be listed in the output of 'sudo mokutil --list-enrolled'.
Enabling and disabling validation
- Run 'sudo mokutil --enable-validation'
- Follow prompts on screen to enable validation if applicable.
- Reboot
- Validate that the system is booted and validation is enabled.
- Run 'sudo mokutil --sb-state'
- Run 'sudo mokutil --disable-validation'
- Follow prompts on screen to disable validation if applicable.
- Reboot
- Validate that the system is booted and validation is disabled.
- Run 'sudo mokutil --sb-state'
- Run 'sudo mokutil --enable-validation'
- Follow prompts on screen to enable validation if applicable.
- Reboot
- Validate that the system is booted and validation is enabled.
- Run 'sudo mokutil --sb-state'
Resetting MOK keys
- Run 'sudo mokutil --reset'.
- Reboot.
- Validate that the MokManager prompt happens and displays a menu of tasks that could be done in MokManager.
- This should include the "Reset MOK" task.
- Complete the "Reset MOK" task in MokManager.
- Pick 'Reboot'.
- After the system has booted, verify that the keys only include the Canonical certificate embedded in shim.
- Use 'sudo mokutil --list-enrolled' to validate the keys that are available.
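The post-reboot checks in the three MokManager procedures above (the new certificate is enrolled, validation is enabled or disabled as expected, and after "Reset MOK" only the shim vendor certificate remains) can be scripted by parsing mokutil's output. This is an added example, not part of the wiki page; it assumes mokutil's output format as reproduced in the constructed samples and a MOK.der file name under /var/lib/shim-signed/mok (the page names only the directory).

```shell
#!/bin/sh
# Added checker for the MokManager test steps (not part of the wiki page).
# Parses 'mokutil --sb-state' and 'mokutil --list-enrolled' output so the
# post-reboot checks can be scripted. Usage on a real system (assumed path):
#   sh check-mok.sh /var/lib/shim-signed/mok/MOK.der
# The sample outputs and fingerprints below are constructed for illustration.
SAMPLE_SB_STATE='SecureBoot enabled'
SAMPLE_SB_STATE_NOVAL='SecureBoot enabled
SecureBoot validation is disabled in shim'
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Subject: C=GB, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
[key 2]
SHA1 Fingerprint: ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01
Certificate:
    Data:
        Subject: CN=Test MOK (constructed)'
# Same listing as it should look after "Reset MOK": only the shim vendor cert.
SAMPLE_RESET=$(printf '%s\n' "$SAMPLE_ENROLLED" | sed '/^\[key 2\]/,$d')

# 0 if Secure Boot is on and validation has not been disabled via MokSBState.
sb_validation_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled' || return 1
    printf '%s\n' "$1" | grep -q 'validation is disabled' && return 1
    return 0
}

# Print the SHA1 fingerprint of every enrolled key, lowercased.
mok_fingerprints() {
    printf '%s\n' "$1" | sed -n 's/^SHA1 Fingerprint:[[:space:]]*//p' | tr 'A-F' 'a-f'
}

# 0 if the fingerprint (any case, as openssl or mokutil print it) is enrolled.
mok_has_fingerprint() {
    mok_fingerprints "$1" | grep -qx "$(printf '%s' "$2" | tr 'A-F' 'a-f')"
}

# 0 if exactly one key is enrolled and it is Canonical's cert embedded in shim.
mok_only_vendor_cert() {
    [ "$(mok_fingerprints "$1" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -q 'CN *= *Canonical Ltd. Master Certificate Authority'
}

if [ $# -ge 1 ] && command -v mokutil >/dev/null 2>&1; then
    fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | cut -d= -f2)
    sb_validation_enabled "$(mokutil --sb-state)" && echo "validation: enabled"
    mok_has_fingerprint "$(mokutil --list-enrolled)" "$fp" && echo "MOK enrolled: $fp"
fi
```

Run with no arguments it only defines the checks; with the DER path on a real system it compares the certificate you generated against what shim actually enrolled.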
mokutil
Arbitrary timeout values
- Run 'sudo mokutil --timeout 666' (or any other arbitrary value).
- Run 'sudo mokutil --reset'.
- Reboot.
- Validate that the MokManager prompt happens and shows a timeout appropriate for the timeout value set using the mokutil command.
Removing mok timeout
- Run 'sudo mokutil --timeout -1'
- Run 'sudo mokutil --reset'.
- Reboot.
- Validate that the MokManager prompt happens, does not show a timeout screen, and displays a menu of tasks that could be done in MokManager.
- This should include the "Reset MOK" task.
fwupd
- Reboot and check that Linux firmware updater entry still works
UEFI/SecureBoot/ShimUpdateProcess/TestPlan (last edited 2021-03-31 17:06:35 by xnox)