How to test a new shim build for RHEL/fedora:

1) build pesign-test-app, and sign it with the appropriate key
2) build shim with the appropriate key built in
3) install pesign-test-app and shim-unsigned on the test machine
4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test
    mkdir /boot/efi/EFI/test/
    wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi
    mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi
5) sign shim with RHTC and put it in \EFI\test:
    pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \
        -s -c "Red Hat Test Certificate"
6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi
    cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \
        /boot/efi/EFI/test/grubx64.efi
7) sign a copy of grubx64.efi with RHTC and put it in \EFI\test\ . Also
   leave an unsigned copy there:
    pesign -i /boot/efi/EFI/redhat/grubx64.efi \
        -o /boot/efi/EFI/test/grubx64-unsigned.efi \
        -r -u 0
    pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \
        -o /boot/efi/EFI/test/grub.efi \
        -s -c "Red Hat Test Certificate"
8) sign a copy of mokmanager with RHTC and put it in \EFI\test:
    pesign -i /usr/share/shim/MokManager.efi \
        -o /boot/efi/EFI/test/MokManager.efi -s \
        -c "Red Hat Test Certificate"
9) copy grub.cfg to our test directory:
    cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
    rm -rf /boot/efi/EFI/BOOT/
    mkdir /boot/efi/EFI/BOOT/
    mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi
    pesign -i /usr/share/shim/fallback.efi \
        -o /boot/efi/EFI/BOOT/fallback.efi \
        -s -c "Red Hat Test Certificate"
12) put shim.efi there as well
    cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
13) enroll the current kernel's certificate with mokutil:
    # this should be a /different/ cert than the one signing pesign-test-app.
    # for instance use a RHEL cert for p-t-a and a fedora cert+kernel here.
    mokutil --import ~/fedora-ca.cer
14) put machine in setup mode
15) boot to the UEFI shell
16) run lockdown.efi from #4:
    fs0:\EFI\test\lockdown.efi
17) enable secure boot verification
18) verify it can't run other binaries:
    fs0:\EFI\test\grubx64.efi
   result should be an error, probably similar to:
   "fs0:\...\grubx64.efi is not recognized as an internal or external command"
19) in the EFI shell, run fs0:\EFI\test\shim.efi
20) you should see MokManager. Enroll the certificate you added in #13, and
   the system will reboot.
21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi
   result: "This is a test application that should be completely safe."
   If you get the expected result, shim can run things signed by its internal
   key ring. Check a box someplace that says it can do that.
22) from the EFI shell, copy grub to grubx64.efi:
    cp \EFI\test\grub.efi \EFI\test\grubx64.efi
23) in the EFI shell, run fs0:\EFI\test\shim.efi
   result: this should start grub, which will let you boot a kernel
   If grub starts, it means shim can run things signed by a key in the system's
   db. Check a box someplace that says it can do that.
   If the kernel boots, it means shim can run things from Mok. Check a box
   someplace that says it can do that.
24) remove all boot entries and the BootOrder variable:
    [root@uefi ~]# cd /sys/firmware/efi/efivars/
    [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-*
    removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    [root@uefi efivars]#
25) reboot
26) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just
   have an old machine. In that case, go to the EFI shell and run:
    fs0:\EFI\BOOT\BOOTX64.EFI
   If this works, you should see a bit of output very quickly and then the same
   thing as #24. This means shim recognized it was in \EFI\BOOT and ran
   fallback.efi, which worked.
27) copy the unsigned grub into place and reboot:
    cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi
28) reboot again.
   result: shim should refuse to load grub.
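The host-side part of this plan (the \EFI\test and \EFI\BOOT tree assembled in steps 4 through 13, and the efivars clean-up in step 24) is easy to get subtly wrong: a forgotten file, a BOOT.CSV that was copied rather than moved, or a "signed" grub that is byte-for-byte the unsigned one. The script below is an added example, not code from this test plan or from the shim project. It checks the tree before the machine is put into setup mode and performs the Boot####/BootOrder deletion of step 24 through a directory parameter, so both can be tried on a scratch directory first. The paths, file names and variable GUID are the ones the plan uses; pesign's -S option shows a binary's signature; the SHIM_TEST_ESP and SHIM_TEST_EFIVARS variable names are assumed here for the two entry points.

```shell
#!/bin/sh
# Added example for the shim test plan above; not code from the plan or the
# shim project. check_test_tree verifies the \EFI\test and \EFI\BOOT layout
# built in steps 4-13 before the machine goes into setup mode (step 14);
# clear_boot_entries does the Boot####/BootOrder deletion of step 24. Both
# take the directory to act on as a parameter so they can be tried on a
# scratch directory first. Paths, file names and the variable GUID are the
# ones in the plan; SHIM_TEST_ESP and SHIM_TEST_EFIVARS are names assumed
# here for the two entry points.

# Files the plan expects, relative to the ESP mount point (/boot/efi).
TEST_TREE_FILES="EFI/test/lockdown.efi
EFI/test/shim.efi
EFI/test/grubx64.efi
EFI/test/grubx64-unsigned.efi
EFI/test/grub.efi
EFI/test/MokManager.efi
EFI/test/grub.cfg
EFI/test/BOOT.CSV
EFI/BOOT/fallback.efi
EFI/BOOT/BOOTX64.EFI"

# Return 0 when every expected file exists and is non-empty under the ESP
# root $1; otherwise report each problem on stderr and return 1.
check_test_tree() {
    esp=$1
    bad=0
    for f in $TEST_TREE_FILES; do
        if [ ! -s "$esp/$f" ]; then
            echo "missing or empty: $esp/$f" >&2
            bad=1
        fi
    done
    # Step 10 says *move*: a BOOT.CSV left under \EFI\redhat would let
    # fallback.efi recreate the production boot entry next to the test one.
    if [ -e "$esp/EFI/redhat/BOOT.CSV" ]; then
        echo "BOOT.CSV still under $esp/EFI/redhat; step 10 says move it" >&2
        bad=1
    fi
    # The signed and unsigned grub copies from step 7 must differ, or step 28
    # cannot show shim refusing the unsigned one.
    if [ -s "$esp/EFI/test/grub.efi" ] &&
       cmp -s "$esp/EFI/test/grub.efi" "$esp/EFI/test/grubx64-unsigned.efi"; then
        echo "grub.efi is identical to grubx64-unsigned.efi; step 7 did not sign it" >&2
        bad=1
    fi
    return $bad
}

# Print the signature block of every PE binary in the tree with
# pesign -S (show signature) so the signer of each can be read off.
show_signers() {
    esp=$1
    command -v pesign >/dev/null 2>&1 || { echo "pesign not installed" >&2; return 0; }
    for f in $TEST_TREE_FILES; do
        case $f in
            *.efi|*.EFI) echo "== $esp/$f"; pesign -S -i "$esp/$f" ;;
        esac
    done
}

# GUID that Boot#### and BootOrder carry in efivarfs (from the plan's output).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Delete Boot#### load options and BootOrder from the efivars directory $1
# (/sys/firmware/efi/efivars on the test machine) and print each name removed.
# BootCurrent, BootNext and other Boot* variables are left alone. Newer
# kernels mark efivarfs files immutable, so chattr -i is tried before rm.
clear_boot_entries() {
    dir=$1
    for v in "$dir"/Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]-$EFI_GLOBAL_GUID \
             "$dir/BootOrder-$EFI_GLOBAL_GUID"; do
        [ -e "$v" ] || continue          # an unmatched glob is left literal
        chattr -i "$v" 2>/dev/null || true
        rm -f "$v" && echo "removed ${v##*/}"
    done
}

# Entry points: SHIM_TEST_ESP=/boot/efi sh check-shim-test.sh            (after step 13)
#               SHIM_TEST_EFIVARS=/sys/firmware/efi/efivars sh check-shim-test.sh  (step 24)
if [ -n "${SHIM_TEST_ESP:-}" ]; then
    check_test_tree "$SHIM_TEST_ESP" && show_signers "$SHIM_TEST_ESP"
fi
if [ -n "${SHIM_TEST_EFIVARS:-}" ]; then
    clear_boot_entries "$SHIM_TEST_EFIVARS"
fi
```

Run it with SHIM_TEST_ESP=/boot/efi once step 13 is done; a non-zero exit means something in steps 4 through 12 was skipped, and the pesign -S output lets you confirm that shim.efi, grub.efi, MokManager.efi and fallback.efi all carry the Red Hat Test Certificate while grubx64-unsigned.efi carries nothing. The efivars deletion only matches four-hex-digit Boot#### names plus BootOrder, which is tighter than the plan's rm -vf glob and leaves BootCurrent and BootNext untouched; on machines where the kernel marks efivarfs files immutable, efibootmgr (-b XXXX -B per entry, -O for BootOrder) is the other way to do step 24 without touching the files directly.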