Performing verification for edk2 on noble. Mate Kukri has coded all verification steps in autopkgtests, for the edk2/2024.02-2ubuntu0.9 version in -proposed:
amd64: pass. https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/amd64/e/edk2/20260611_172056_e1a8f@/log.gz arm64: pass. https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/arm64/e/edk2/20260605_132430_d7853@/log.gz Unfortunately, the log.gz file is truncated and you can't see the full test results. Instead, if you download the artifacts tarball: amd64: pass https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/amd64/e/edk2/20260611_172056_e1a8f@/artifacts.tar.gz arm64: pass https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/arm64/e/edk2/20260605_132430_d7853@/artifacts.tar.gz Extract it, and go to command2-stderr, you will see the results. If you want to grep, scroll to the bottom and look at: test_aavmf_secvar_update_appends_2023_certs (__main__.SecvarUpdateTest.test_aavmf_secvar_update_appends_2023_certs) and test_ovmf_secvar_update_appends_2023_certs (__main__.SecvarUpdateTest.test_ovmf_secvar_update_appends_2023_certs) and test_ovmf_secvar_update_version_guard (__main__.SecvarUpdateTest.test_ovmf_secvar_update_version_guard) Everything passes in the autopkgtests. Manual testing: I started a noble VM. Install a full KVM stack: $ sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils $ sudo reboot The edk2 version in -updates is: $ apt-cache policy ovmf ovmf: Installed: 2024.02-2ubuntu0.8 Candidate: 2024.02-2ubuntu0.8 Version table: *** 2024.02-2ubuntu0.8 500 500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages In virt-manager on the host, select: File > Add Connection... Configure the settings as follows: Hypervisor: QEMU/KVM Connection: Check the box for "Connect to remote host over SSH" Username: ubuntu Hostname: IP address of the VM Click Connect. Create a VM, make sure to use the remote libvirt connect. Select "Manual install". Select "Ubuntu Noble". Deselect "Enable storage for this VM". Select "Customize configuration before install". Click Finish. Under "Overview" select "Chipset: Q35". "Firmware: UEFI x86_64: /usr/share/OVMF/OVMF_CODE_4M.ms.fd" Click Apply. Click Begin Installation. Boot the VM. Press the 'esc' key once during boot. If your mouse gets stuck, press ctrl-alt-l. In the menu, select: "Device Manager" > "Secure Boot Configuration" > "Secure Boot Mode". Change <Standard Mode> to <Custom Mode>. Select "Custom Secure Boot Options". Unfortunately, the ovmf on noble doesn't list the pretty names, so we have to make do with UUIDs. KEK: Select "KEK Options" > "Delete KEK". Scroll through the options. There will be: - A0BAA8A3-041D-48A8-BC87-C36D121B5E3D - 77FA9ABD-0359-4D32-BD60-28F4E78F784B DB: Select "DB Options" > "Delete Signature". Scroll through the options. There will be: - 77FA9ABD-0359-4D32-BD60-28F4E78F784B - 77FA9ABD-0359-4D32-BD60-28F4E78F784B Next, on the host system, enable -proposed and install edk2. $ apt-cache policy ovmf ovmf: Installed: 2024.02-2ubuntu0.9 Candidate: 2024.02-2ubuntu0.9 Version table: *** 2024.02-2ubuntu0.9 100 100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages Repeat the steps. In the menu, select: "Device Manager" > "Secure Boot Configuration" > "Secure Boot Mode". Change <Standard Mode> to <Custom Mode>. Select "Custom Secure Boot Options". KEK: Select "KEK Options" > "Delete KEK". Scroll through the options. There will be: - A0BAA8A3-041D-48A8-BC87-C36D121B5E3D - 77FA9ABD-0359-4D32-BD60-28F4E78F784B - 77FA9ABD-0359-4D32-BD60-28F4E78F784B <<<<<<<< NEW DB: Select "DB Options" > "Delete Signature". Scroll through the options. There will be: - 77FA9ABD-0359-4D32-BD60-28F4E78F784B - 77FA9ABD-0359-4D32-BD60-28F4E78F784B - 77FA9ABD-0359-4D32-BD60-28F4E78F784B <<<<<<<< NEW - 77FA9ABD-0359-4D32-BD60-28F4E78F784B <<<<<<<< NEW - 77FA9ABD-0359-4D32-BD60-28F4E78F784B <<<<<<<< NEW Its a real shame that we only get to see UUIDs instead of the friendly key names. Its also a shame they have the <EXACT SAME> UUID? I went and checked the questing edk2 package and the behaviour is the same there, but they all had different friendly names. To make all my doubt go away, I started up an Ubuntu cloud image and installed efitools and looked at the actual EFI variables. # sudo efi-readvar -v KEK Variable KEK, length 3936 KEK: List 0, type X509 Signature 0, size 842, owner a0baa8a3-041d-48a8-bc87-c36d121b5e3d Subject: CN=Ubuntu OVMF Secure Boot (PK/KEK key), [email protected] Issuer: CN=Ubuntu OVMF Secure Boot (PK/KEK key), [email protected] KEK: List 1, type X509 Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011 Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root KEK: List 2, type X509 Signature 0, size 1478, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation KEK 2K CA 2023 Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021 # sudo efi-readvar -v db Variable db, length 7636 db: List 0, type X509 Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011 Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010 db: List 1, type X509 Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011 Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root db: List 2, type X509 Signature 0, size 1464, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023 Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021 db: List 3, type X509 Signature 0, size 1475, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023 Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021 db: List 4, type X509 Signature 0, size 1470, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023 Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010 Okay, this has eliminated all my doubts. edk2 in -proposed works as intended. Marking verified for noble. ** Tags removed: verification-needed-noble ** Tags added: verification-done-noble -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2146560 Title: [FFe + SRU] edk2: Introduce FirmwareSecvarUpdater for MS 2023 CA rollout To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2146560/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
