Performing verification for edk2 on jammy.

Mate Kukri has coded all verification steps in autopkgtests, for the
2022.02-3ubuntu0.22.04.6 version in -proposed:

amd64: pass.
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/e/edk2/20260609_134713_34573@/log.gz
arm64: pass.
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/arm64/e/edk2/20260609_134755_9334e@/log.gz

If you want to grep, scroll to the bottom and look at:
test_aavmf_secvar_update_appends_2023_certs 
(__main__.SecvarUpdateTest.test_aavmf_secvar_update_appends_2023_certs)
and
test_ovmf_secvar_update_appends_2023_certs 
(__main__.SecvarUpdateTest.test_ovmf_secvar_update_appends_2023_certs)
and
test_ovmf_secvar_update_version_guard 
(__main__.SecvarUpdateTest.test_ovmf_secvar_update_version_guard)

Everything passes in the autopkgtests.

Note, this depends on virt-firmware 24.1.1-2~ubuntu22.04.1 in -proposed, and
needs to be released at the same time.

Manual testing:

I started a jammy VM. Install a full KVM stack:

$ sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients 
bridge-utils
$ sudo reboot

The edk2 version in -updates is:

$ apt-cache policy ovmf
ovmf:
  Installed: 2022.02-3ubuntu0.22.04.5
  Candidate: 2022.02-3ubuntu0.22.04.5
  Version table:
 *** 2022.02-3ubuntu0.22.04.5 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages

In virt-manager on the host, select:

File > Add Connection...
Configure the settings as follows:
    Hypervisor: QEMU/KVM
    Connection: Check the box for "Connect to remote host over SSH"
    Username: ubuntu
    Hostname: IP address of the VM
Click Connect.

Create a VM, make sure to use the remote libvirt connect.
Select "Manual install".
Select "Ubuntu Jammy".
Deselect "Enable storage for this VM".
Select "Customize configuration before install".
Click Finish.
Under "Overview" select "Chipset: Q35". "Firmware: UEFI x86_64: 
/usr/share/OVMF/OVMF_CODE_4M.ms.fd"
Click Apply.
Click Begin Installation.

Boot the VM. Press the 'esc' key once during boot.

If your mouse gets stuck, press ctrl-alt-l.

In the menu, select:
"Device Manager" > "Secure Boot Configuration" > "Secure Boot Mode".
Change <Standard Mode> to <Custom Mode>.
Select "Custom Secure Boot Options".

Unfortunately, the ovmf on jammy doesn't list the pretty names, so we have to
make do with UUIDs.

KEK:
Select "KEK Options" > "Delete KEK".
Scroll through the options. There will be:
- A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B

DB:
Select "DB Options" > "Delete Signature".
Scroll through the options. There will be:
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B

Next, on the host system, enable -proposed and install edk2 and virt-
firmware.

$ apt-cache policy ovmf
ovmf:
  Installed: 2022.02-3ubuntu0.22.04.6
  Candidate: 2022.02-3ubuntu0.22.04.6
  Version table:
 *** 2022.02-3ubuntu0.22.04.6 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages

$ apt-cache policy python3-virt-firmware
python3-virt-firmware:
  Installed: 24.1.1-2~ubuntu22.04.1
  Candidate: 24.1.1-2~ubuntu22.04.1
  Version table:
 *** 24.1.1-2~ubuntu22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 
Packages

Repeat the steps.

In the menu, select:
"Device Manager" > "Secure Boot Configuration" > "Secure Boot Mode".
Change <Standard Mode> to <Custom Mode>.
Select "Custom Secure Boot Options".

KEK:
Select "KEK Options" > "Delete KEK".
Scroll through the options. There will be:
- A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B  <<<<<<<< NEW 

DB:
Select "DB Options" > "Delete Signature".
Scroll through the options. There will be:
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B  <<<<<<<< NEW 
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B  <<<<<<<< NEW 
- 77FA9ABD-0359-4D32-BD60-28F4E78F784B  <<<<<<<< NEW 

Its a real shame that we only get to see UUIDs instead of the friendly key 
names.
Its also a shame they have the <EXACT SAME> UUID? I went and checked the
questing edk2 package and the behaviour is the same there, but they all had
different friendly names.

To make all my doubt go away, I started up an Ubuntu cloud image and installed
efitools and looked at the actual EFI variables.

# sudo efi-readvar -v KEK
Variable KEK, length 3936
KEK: List 0, type X509
    Signature 0, size 842, owner a0baa8a3-041d-48a8-bc87-c36d121b5e3d
        Subject:
            CN=Ubuntu OVMF Secure Boot (PK/KEK key), 
[email protected]
        Issuer:
            CN=Ubuntu OVMF Secure Boot (PK/KEK key), 
[email protected]
KEK: List 1, type X509
    Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Corporation KEK CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Corporation Third Party Marketplace Root
KEK: List 2, type X509
    Signature 0, size 1478, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, O=Microsoft Corporation, CN=Microsoft Corporation KEK 2K CA 
2023
        Issuer:
            C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021

# sudo efi-readvar -v db 
Variable db, length 7636
db: List 0, type X509
    Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Production PCA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Root Certificate Authority 2010
db: List 1, type X509
    Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Corporation Third Party Marketplace Root
db: List 2, type X509
    Signature 0, size 1464, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
        Issuer:
            C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021
db: List 3, type X509
    Signature 0, size 1475, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
        Issuer:
            C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021
db: List 4, type X509
    Signature 0, size 1470, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Root Certificate Authority 2010

Okay, this has eliminated all my doubts. edk2 in -proposed works as intended.
virt-firmware is installable and passed autopkgtests. 

Marking verified for jammy.

** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146560

Title:
  [FFe + SRU] edk2: Introduce FirmwareSecvarUpdater for MS 2023 CA
  rollout

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2146560/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to