TestPlan

Test plan for shim updates

Verify that LP: #1792575 in grub has been fixed first for the corresponding release.
- Check that MAAS can succesfully deploy a system
- Check that Windows 7 dual-booting works in UEFI mode -- grub can chainload Windows 7
- Check that Windows 10 dual-booting works in UEFI mode -- grub can chainload Windows 10

Verify that Secure Boot is enabled in the firmware
- On recent Ubuntu releases, you can use sudo mokutil --sb-state for that purpose.
Update to new shim and shim-signed packages.
Reboot.
Validate that the system still boots and validates the shim image as well as the grub binary.
- If you can boot to a desktop or a login prompt, shim validated the grub binary.

Install a boot server
- DHCP server with next-server IP set; tftp server enabled that serves bootx64.efi (the new shim), and a grubnetx64.efi installed (most recent grub or new grub) as grubx64.efi.
Boot a separate machine on the network served by the boot server.
Validate that you can reach a grub prompt, or that you can boot to a desktop or login prompt if testing grub as well.

Install a MAAS server on a network.
Deploy an UEFI system using the MAAS server.
Ensure that the system is able to boot and deploy successfully.
- MAAS should say the system is in "Deployed" state with the right Ubuntu release, and the system is booted and reachable.

Examples would be to load Ubuntu's shim+grub and chainload to Debian's shim on a different drive, and boot debian's grub & kernel.

Generate a new self-signed certificate.
- You can use "sudo update-secureboot-policy --new-mok" for that purpose, the generated DER file will be in /var/lib/shim-signed/mok.
Run 'sudo mokutil --enable-validation'
Follow prompts on screen to enable validation if applicable.
Run 'sudo mokutil --import <certificate.der>'
Follow the prompts on screen to import a new certificate.
Reboot
Follow prompts to import the new certificate and enable validation.
Validate that the system boots all the way to userland.
Verify that the certificate has been correctly imported, it should be listed in the output of 'sudo mokutil --list-enrolled'.

Run 'sudo mokutil --enable-validation'
Follow prompts on screen to enable validation if applicable.
Reboot
Validate that the system is booted and validation is enabled.
- Run 'sudo mokutil --sb-state'
Run 'sudo mokutil --disable-validation'
Follow prompts on screen to enable validation if applicable.
Reboot
Validate that the system is booted and validation is disabled.
- Run 'sudo mokutil --sb-state'
Run 'sudo mokutil --enable-validation'
Follow prompts on screen to enable validation if applicable.
Reboot
Validate that the system is booted and validation is enabled.
- Run 'sudo mokutil --sb-state'

Run 'sudo mokutil --reset'.
Reboot.
Validate that the MokManager prompt happens and displays a menu of tasks that could be done in MokManager.
- This should include the "Reset MOK" task.
Complete the "Reset MOK" task in MokManager.
Pick 'Reboot'.
After the system has booted, verify that the keys only include the Canonical certificate embedded in shim.
- Use 'sudo mokutil --list-enrolled' to validate the keys that are available.

Run 'sudo mokutil --timeout 666' (or any other arbitrary value).
Run 'sudo mokutil --reset'.
Reboot.
Validate that the MokManager prompt happens and shows a timeout appropriate for the timeout value set using the mokutil command.

Run 'sudo mokutil --timeout -1'
Run 'sudo mokutil --reset'.
Reboot.
Validate that the MokManager prompt happens, does not show a timeout screen, and displays a menu of tasks that could be done in MokManager.
- This should include the "Reset MOK" task.

UEFI/SecureBoot/ShimUpdateProcess/TestPlan (last edited 2021-03-31 17:06:35 by xnox)