testplan.txt
How to test a new shim build for RHEL/fedora:

1) build pesign-test-app, and sign it with the appropriate key
2) build shim with the appropriate key built in
3) install pesign-test-app and shim-unsigned on the test machine
4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test
   mkdir /boot/efi/EFI/test/
   wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi
   mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi
5) sign shim with RHTC and put it in \EFI\test:
   pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \
        -s -c "Red Hat Test Certificate"
6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi
   cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \
	/boot/efi/EFI/test/grubx64.efi
7) sign a copy of grubx64.efi with RHTC and put it in \EFI\test\ .  Also
   leave an unsigned copy there:
    pesign -i /boot/efi/EFI/redhat/grubx64.efi \
	-o /boot/efi/EFI/test/grubx64-unsigned.efi \
	-r -u 0
    pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \
	-o /boot/efi/EFI/test/grub.efi \
	-s -c "Red Hat Test Certificate"
8) sign a copy of mokmanager with RHTC and put it in \EFI\test:
    pesign -i /usr/share/shim/MokManager.efi \
	-o /boot/efi/EFI/test/MokManager.efi -s \
	-c "Red Hat Test Certificate"
9) copy grub.cfg to our test directory:
    cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
    rm -rf /boot/efi/EFI/BOOT/
    mkdir /boot/efi/EFI/BOOT/
    mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi
    pesign -i /usr/share/shim/fallback.efi \
	-o /boot/efi/EFI/BOOT/fallback.efi \
	-s -c "Red Hat Test Certificate"
12) put shim.efi there as well
    cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
13) enroll the current kernel's certificate with mokutil:
    # this should be a /different/ cert than the one signing pesign-test-app.
    # for instance use a RHEL cert for p-t-a and a fedora cert+kernel here.
    mokutil --import ~/fedora-ca.cer
14) put machine in setup mode
15) boot to the UEFI shell
16) run lockdown.efi from #4:
    fs0:\EFI\test\lockdown.efi
17) enable secure boot verification
18) verify it can't run other binaries:
    fs0:\EFI\test\grubx64.efi
    result should be an error, probably similar to:
    "fs0:\...\grubx64.efi is not recognized as an internal or external command"
19) in the EFI shell, run fs0:\EFI\test\shim.efi
20) you should see MokManager.  Enroll the certificate you added in #13, and
    the system will reboot.
21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi
    result: "This is a test application that should be completely safe."
  If you get the expected result, shim can run things signed by its internal
  key ring.  Check a box someplace that says it can do that.
22) from the EFI shell, copy grub to grubx64.efi:
    cp \EFI\test\grub.efi \EFI\test\grubx64.efi
23) in the EFI shell, run fs0:\EFI\test\shim.efi
    result: this should start grub, which will let you boot a kernel
  If grub starts, it means shim can run things signed by a key in the system's
  db.  Check a box someplace that says it can do that.
  If the kernel boots, it means shim can run things from Mok.  Check a box
  someplace that says it can do that.
24) remove all boot entries and the BootOrder variable:
    [root@uefi ~]# cd /sys/firmware/efi/efivars/
    [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-*
    removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    [root@uefi efivars]# 
25) reboot
26) the system should run \EFI\BOOT\BOOTX64.EFI .  If it doesn't, you may just
    have an old machine.  In that case, go to the EFI shell and run:
    fs0:\EFI\BOOT\BOOTX64.EFI
  If this works, you should see a bit of output very quickly and then the same
  thing as #24.  This means shim recognized it was in \EFI\BOOT and ran
  fallback.efi, which worked.
27) copy the unsigned grub into place and reboot:
  cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi
28) reboot again.
    result: shim should refuse to load grub.
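Before the firmware-side steps, it is worth confirming that the files staged in steps 5 through 12 really are in the signed or unsigned state the plan assumes; step 28 only proves something if grubx64-unsigned.efi carries no signature at all. The Python below is an added example, not part of the shim project or of this test plan: it parses the PE headers to locate the Authenticode certificate table (data directory 4), and the `fake_pe` helper builds constructed PE32+ blobs so the check runs without real binaries. The EFI/test and EFI/BOOT paths are the plan's own, relative to /boot/efi.

```python
import struct

def authenticode_table(data: bytes) -> tuple:
    """Return (file offset, size) of the certificate table (data directory 4), or (0, 0) if unsigned."""
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)                 # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = pe_off + 24                                            # PE\0\0 + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x20B:                                               # PE32+ (x86_64 UEFI binaries)
        count_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:                                             # PE32
        count_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, count_off)[0] <= 4:            # NumberOfRvaAndSizes
        return (0, 0)
    return struct.unpack_from("<II", data, dirs_off + 4 * 8)

def is_signed(data: bytes) -> bool:
    """True if the image has a certificate table whose first WIN_CERTIFICATE is PKCS#7 signed data."""
    off, size = authenticode_table(data)
    if size < 8:
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return length <= size and cert_type == 0x0002                    # WIN_CERT_TYPE_PKCS_SIGNED_DATA

# Signed/unsigned state the plan expects for each staged file; grubx64.efi changes mid-test, so it is left out.
EXPECTED = {"EFI/test/shim.efi": True, "EFI/test/grub.efi": True, "EFI/test/MokManager.efi": True,
            "EFI/test/grubx64-unsigned.efi": False, "EFI/BOOT/fallback.efi": True, "EFI/BOOT/BOOTX64.EFI": True}

def check_staging_tree(images: dict) -> dict:
    """Map each expected path to True when its state matches the plan; a missing file counts as a mismatch."""
    return {p: p in images and is_signed(images[p]) == want for p, want in EXPECTED.items()}

def fake_pe(cert_size: int = 0) -> bytes:
    """Constructed minimal PE32+ header, not a real binary, optionally followed by a certificate table."""
    opt_size = 112 + 16 * 8
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                               # 16 data directories
    cert = b""
    if cert_size:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x40 + 24 + opt_size, cert_size)
        cert = struct.pack("<IHH", cert_size, 0x0200, 0x0002) + b"\0" * (cert_size - 8)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

On a real test machine, read each path under /boot/efi into the `images` dict and look for any False in the result; `pesign -S -i FILE` then shows which certificate, if any, signed a file the check flags.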