TestPlan

Test plan for shim updates

Regression testing

  • Verify that LP: #1792575 in grub has been fixed first for the corresponding release.
    • Check that MAAS can successfully deploy a system
    • Check that Windows 7 dual-booting works in UEFI mode -- grub can chainload Windows 7
    • Check that Windows 10 dual-booting works in UEFI mode -- grub can chainload Windows 10

shim booting

  1. Verify that Secure Boot is enabled in the firmware
    • On recent Ubuntu releases, you can use sudo mokutil --sb-state for that purpose.

  2. Update to new shim and shim-signed packages.
  3. Reboot.
  4. Validate that the system still boots and validates the shim image as well as the grub binary.
    • If you can boot to a desktop or a login prompt, shim validated the grub binary.

netboot

  1. Install a boot server
    • DHCP server with next-server set to the boot server's IP; TFTP server enabled, serving bootx64.efi (the new shim) and a grubnetx64.efi (the most recent grub or the new grub) installed as grubx64.efi.

  2. Boot a separate machine on the network served by the boot server.
  3. Validate that you can reach a grub prompt, or that you can boot to a desktop or login prompt if testing grub as well.

MAAS netboot

  1. Install a MAAS server on a network.
  2. Deploy a UEFI system using the MAAS server.
  3. Ensure that the system is able to boot and deploy successfully.
    • MAAS should say the system is in "Deployed" state with the right Ubuntu release, and the system is booted and reachable.

shim-to-shim chainloading

  1. Check that, with Secure Boot enabled, shim+grub boots.
  2. From that grub, chainload a different shim, which in turn loads a different grub.
  3. Check that the chainloaded shim boots successfully.

An example would be to load Ubuntu's shim+grub, chainload to Debian's shim on a different drive, and boot Debian's grub and kernel.

MokManager

Enrolling a certificate

  1. Generate a new self-signed certificate.
    • You can use 'sudo update-secureboot-policy --new-mok' for that purpose; the generated DER file will be in /var/lib/shim-signed/mok.
  2. Run 'sudo mokutil --enable-validation'
  3. Follow prompts on screen to enable validation if applicable.
  4. Run 'sudo mokutil --import <certificate.der>'
  5. Follow the prompts on screen to import a new certificate.
  6. Reboot
  7. Follow prompts to import the new certificate and enable validation.
  8. Validate that the system boots all the way to userland.
  9. Verify that the certificate has been correctly imported; it should be listed in the output of 'sudo mokutil --list-enrolled'.

Enabling and disabling validation

  1. Run 'sudo mokutil --enable-validation'
  2. Follow prompts on screen to enable validation if applicable.
  3. Reboot
  4. Validate that the system is booted and validation is enabled.
    • Run 'sudo mokutil --sb-state'
  5. Run 'sudo mokutil --disable-validation'
  6. Follow prompts on screen to disable validation if applicable.
  7. Reboot
  8. Validate that the system is booted and validation is disabled.
    • Run 'sudo mokutil --sb-state'
  9. Run 'sudo mokutil --enable-validation'
  10. Follow prompts on screen to enable validation if applicable.
  11. Reboot
  12. Validate that the system is booted and validation is enabled.
    • Run 'sudo mokutil --sb-state'

Resetting MOK keys

  1. Run 'sudo mokutil --reset'.
  2. Reboot.
  3. Validate that the MokManager prompt happens and displays a menu of tasks that could be done in MokManager.
    • This should include the "Reset MOK" task.
  4. Complete the "Reset MOK" task in MokManager.
  5. Pick 'Reboot'.
  6. After the system has booted, verify that the keys only include the Canonical certificate embedded in shim.
    • Use 'sudo mokutil --list-enrolled' to validate the keys that are available.
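The post-reboot checks in the MokManager procedures above (expected 'mokutil --sb-state' result, expected certificate present in 'mokutil --list-enrolled') can be scripted. The helper below is an added example for this test plan, not part of the shim, shim-signed or mokutil packages; the mokutil output embedded in it is constructed sample text, and the fingerprints in it are placeholders, not real Canonical or MOK certificates.

```shell
#!/bin/sh
# Helper for the shim/MokManager test plan: compare mokutil output with the
# state a test step expects. Output formats assumed: `mokutil --sb-state`
# prints "SecureBoot enabled"/"SecureBoot disabled" and, when shim validation
# is off, "SecureBoot validation is disabled in shim"; `mokutil --list-enrolled`
# prints one "SHA1 Fingerprint: xx:xx:..." line per key.

# sb_state_matches OUTPUT EXPECTED   (EXPECTED: enabled|validation-disabled|disabled)
sb_state_matches() {
    out=$1
    case "$2" in
        enabled)  printf '%s\n' "$out" | grep -q '^SecureBoot enabled' &&
                  ! printf '%s\n' "$out" | grep -q 'validation is disabled' ;;
        validation-disabled)
                  printf '%s\n' "$out" | grep -q '^SecureBoot enabled' &&
                  printf '%s\n' "$out" | grep -q 'validation is disabled' ;;
        disabled) printf '%s\n' "$out" | grep -q '^SecureBoot disabled' ;;
        *)        return 2 ;;
    esac
}

# mok_fingerprints OUTPUT: lower-cased SHA1 fingerprint of every enrolled key
mok_fingerprints() {
    printf '%s\n' "$1" | sed -n 's/^SHA1 Fingerprint: *//p' | tr 'A-F' 'a-f'
}
# mok_count OUTPUT: number of enrolled keys (after "Reset MOK" this should be 1)
mok_count() { mok_fingerprints "$1" | awk 'END { print NR }'; }
# mok_has_fingerprint OUTPUT FP: succeeds when FP (any case) is enrolled
mok_has_fingerprint() {
    mok_fingerprints "$1" | grep -qx "$(printf '%s' "$2" | tr 'A-F' 'a-f')"
}
# der_fingerprint FILE: SHA1 fingerprint of a DER certificate, e.g. the one
# written by `update-secureboot-policy --new-mok`, in mokutil's lower-case form
der_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 |
        sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Constructed sample outputs (placeholders, not captured from a real machine).
SAMPLE_SB_ON='SecureBoot enabled'
SAMPLE_SB_VALIDATION_OFF='SecureBoot enabled
SecureBoot validation is disabled in shim'
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67
Certificate:
    Data:
        Issuer: O=Example Vendor, CN=Example Vendor Master CA (placeholder)
[key 2]
SHA1 Fingerprint: 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d
Certificate:
    Data:
        Issuer: CN=test-mok (placeholder)'
```

On a test machine, call e.g. `sb_state_matches "$(sudo mokutil --sb-state)" enabled` and `mok_has_fingerprint "$(sudo mokutil --list-enrolled)" "$(der_fingerprint /var/lib/shim-signed/mok/MOK.der)"` after each reboot; a non-zero exit means that step failed.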

mokutil

Arbitrary timeout values

  1. Run 'sudo mokutil --timeout 666' (or any other arbitrary value).
  2. Run 'sudo mokutil --reset'.
  3. Reboot.
  4. Validate that the MokManager prompt happens and shows a timeout appropriate for the timeout value set using the mokutil command.

Removing mok timeout

  1. Run 'sudo mokutil --timeout -1'
  2. Run 'sudo mokutil --reset'.
  3. Reboot.
  4. Validate that the MokManager prompt happens, does not show a timeout screen, and displays a menu of tasks that could be done in MokManager.
    • This should include the "Reset MOK" task.

fwupd

  1. Reboot and check that the Linux firmware updater boot entry still works.

UEFI/SecureBoot/ShimUpdateProcess/TestPlan (last edited 2021-03-31 17:06:35 by xnox)