proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-08-06 16:21:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d89b722ef7
efi-boot-shim/testplan.txt
Peter Jones a2e66ece4d Another testplan error. 
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-02 01:01:46 -04:00

88 lines
4.3 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

How to test a new shim build for RHEL/fedora:
1) build pesign-test-app, and sign it with the appropriate key
2) build shim with the appropriate key built in
3) install pesign-test-app and shim-unsigned on the test machine
4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test
mkdir /boot/efi/EFI/test/
wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi
mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi
5) sign shim with RHTC and put it in \EFI\test:
pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \
-s -c "Red Hat Test Certificate"
6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi
cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \
/boot/efi/EFI/test/grubx64.efi
7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\ . Also
leave an unsigned copy there:
pesign -i /boot/efi/EFI/redhat/grubx64.efi \
-o /boot/efi/EFI/test/grubx64-unsigned.efi \
-r -u 0
pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \
-o /boot/efi/EFI/test/grub.efi \
-s -c "Red Hat Test Certificate"
8) sign a copy of mokmanager with RHTC and put it in \EFI\test:
pesign -i /usr/share/shim/MokManager.efi \
-o /boot/efi/EFI/test/MokManager.efi -s \
-c "Red Hat Test Certificate"
9) copy grub.cfg to our test directory:
cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
rm -rf /boot/efi/EFI/BOOT/
mkdir /boot/efi/EFI/BOOT/
mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi
pesign -i /usr/share/shim/fallback.efi \
-o /boot/efi/EFI/BOOT/fallback.efi \
-s -c "Red Hat Test Certificate"
12) put shim.efi there as well
cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
13) enroll the current kernel's certificate with mokutil:
# this should be a /different/ cert than the one signing pesign-test-app.
# for instance use a RHEL cert for p-t-a and a fedora cert+kernel here.
mokutil --import ~/fedora-ca.cer
14) put machine in setup mode
15) boot to the UEFI shell
16) run lockdown.efi from #4:
fs0:\EFI\test\lockdown.efi
17) enable secure boot verification
18) verify it can't run other binaries:
fs0:\EFI\test\grubx64.efi
result should be an error, probably similar to:
"fs0:\...\grubx64.efi is not recognized as an internal or external command"
19) in the EFI shell, run fs0:\EFI\test\shim.efi
20) you should see MokManager. Enroll the certificate you added in #13, and
the system will reboot.
21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi
result: "This is a test application that should be completely safe."
If you get the expected result, shim can run things signed by its internal
key ring. Check a box someplace that says it can do that.
22) from the EFI shell, copy grub to grubx64.efi:
cp \EFI\test\grub.efi \EFI\test\grubx64.efi
23) in the EFI shell, run fs0:\EFI\test\shim.efi
result: this should start grub, which will let you boot a kernel
If grub starts, it means shim can run things signed by a key in the system's
db. Check a box someplace that says it can do that.
If the kernel boots, it means shim can run things from Mok. Check a box
someplace that says it can do that.
24) remove all boot entries and the BootOrder variable:
[root@uefi ~]# cd /sys/firmware/efi/efivars/
[root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-*
removed Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c
removed Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c
removed Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c
removed Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c
removed BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c
[root@uefi efivars]#
25) reboot
26) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just
have an old machine. In that case, go to the EFI shell and run:
fs0:\EFI\BOOT\BOOTX64.EFI
If this works, you should see a bit of output very quickly and then the same
thing as #24. This means shim recognized it was in \EFI\BOOT and ran
fallback.efi, which worked.
27) copy the unsigned grub into place and reboot:
cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi
28) reboot again.
result: shim should refuse to load grub.
Reference in New Issue View Git Blame Copy Permalink