[efi-boot-shim.git] / testplan.txt

How to test a new shim build for RHEL/fedora:

1) build pesign-test-app, and sign it with the appropriate key
2) build shim with the appropriate key built in
3) install pesign-test-app and shim-unsigned on the test machine
4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test
   mkdir /boot/efi/EFI/test/
   wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi
   mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi
5) sign shim with RHTC and put it in \EFI\test:
   pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \
        -s -c "Red Hat Test Certificate"
6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi
   cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \
	/boot/efi/EFI/test/grubx64.efi
7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\ .  Also
   leave an unsigned copy there:
    pesign -i /boot/efi/EFI/redhat/grubx64.efi \
	-o /boot/efi/EFI/test/grubx64-unsigned.efi \
	-r -u 0
    pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \
	-o /boot/efi/EFI/test/grub.efi \
	-s -c "Red Hat Test Certificate"
8) sign a copy of mokmanager with RHTC and put it in \EFI\test:
    pesign -i /usr/share/shim/MokManager.efi \
	-o /boot/efi/EFI/test/MokManager.efi -s \
	-c "Red Hat Test Certificate"
9) copy grub.cfg to our test directory:
    cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
    rm -rf /boot/efi/EFI/BOOT/
    mkdir /boot/efi/EFI/BOOT/
    mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi
    pesign -i /usr/share/shim/fallback.efi \
	-o /boot/efi/EFI/BOOT/fallback.efi \
	-s -c "Red Hat Test Certificate"
12) put shim.efi there as well
    cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
13) enroll the current kernel's certificate with mokutil:
    # this should be a /different/ cert than the one signing pesign-test-app.
    # for instance use a RHEL cert for p-t-a and a fedora cert+kernel here.
    mokutil --import ~/fedora-ca.cer
14) put machine in setup mode
15) boot to the UEFI shell
16) run lockdown.efi from #4:
    fs0:\EFI\test\lockdown.efi
17) enable secure boot verification
18) verify it can't run other binaries:
    fs0:\EFI\test\grubx64.efi
    result should be an error, probably similar to:
    "fs0:\...\grubx64.efi is not recognized as an internal or external command"
19) in the EFI shell, run fs0:\EFI\test\shim.efi
20) you should see MokManager.  Enroll the certificate you added in #13, and
    the system will reboot.
21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi
    result: "This is a test application that should be completely safe."
  If you get the expected result, shim can run things signed by its internal
  key ring.  Check a box someplace that says it can do that.
22) from the EFI shell, copy grub to grubx64.efi:
    cp \EFI\test\grub.efi \EFI\test\grubx64.efi
23) in the EFI shell, run fs0:\EFI\test\shim.efi
    result: this should start grub, which will let you boot a kernel
  If grub starts, it means shim can run things signed by a key in the system's
  db.  Check a box someplace that says it can do that.
  If the kernel boots, it means shim can run things from Mok.  Check a box
  someplace that says it can do that.
24) remove all boot entries and the BootOrder variable:
    [root@uefi ~]# cd /sys/firmware/efi/efivars/
    [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-*
    removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’
    [root@uefi efivars]#
25) reboot
26) the system should run \EFI\BOOT\BOOTX64.EFI .  If it doesn't, you may just
    have an old machine.  In that case, go to the EFI shell and run:
    fs0:\EFI\BOOT\BOOTX64.EFI
  If this works, you should see a bit of output very quickly and then the same
  thing as #24.  This means shim recognized it was in \EFI\BOOT and ran
  fallback.efi, which worked.
27) copy the unsigned grub into place and reboot:
  cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi
28) reboot again.
    result: shim should refuse to load grub.
Commit	Line	Data
ac356a0e PJ	1	How to test a new shim build for RHEL/fedora:
	2
	3	1) build pesign-test-app, and sign it with the appropriate key
	4	2) build shim with the appropriate key built in
	5	3) install pesign-test-app and shim-unsigned on the test machine
	6	4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test
	7	mkdir /boot/efi/EFI/test/
	8	wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi
	9	mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi
	10	5) sign shim with RHTC and put it in \EFI\test:
	11	pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \
	12	-s -c "Red Hat Test Certificate"
	13	6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi
	14	cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \
aa818fe6	15	/boot/efi/EFI/test/grubx64.efi
a0bb7822 PJ	16	7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\ . Also
	17	leave an unsigned copy there:
	18	pesign -i /boot/efi/EFI/redhat/grubx64.efi \
	19	-o /boot/efi/EFI/test/grubx64-unsigned.efi \
	20	-r -u 0
	21	pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \
	22	-o /boot/efi/EFI/test/grub.efi \
	23	-s -c "Red Hat Test Certificate"
ac356a0e PJ	24	8) sign a copy of mokmanager with RHTC and put it in \EFI\test:
ac356a0e PJ	25	pesign -i /usr/share/shim/MokManager.efi \
a0bb7822	26	-o /boot/efi/EFI/test/MokManager.efi -s \
ac356a0e PJ	27	-c "Red Hat Test Certificate"
	28	9) copy grub.cfg to our test directory:
	29	cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
a6c726fc	30	10) move \EFI\redhat\BOOT.CSV to \EFI\test
ac356a0e PJ	31	rm -rf /boot/efi/EFI/BOOT/
ac356a0e PJ	32	mkdir /boot/efi/EFI/BOOT/
a0bb7822 PJ	33	mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
a0bb7822 PJ	34	11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi
ac356a0e PJ	35	pesign -i /usr/share/shim/fallback.efi \
	36	-o /boot/efi/EFI/BOOT/fallback.efi \
	37	-s -c "Red Hat Test Certificate"
	38	12) put shim.efi there as well
	39	cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
	40	13) enroll the current kernel's certificate with mokutil:
aa818fe6 PJ	41	# this should be a /different/ cert than the one signing pesign-test-app.
	42	# for instance use a RHEL cert for p-t-a and a fedora cert+kernel here.
	43	mokutil --import ~/fedora-ca.cer
ac356a0e PJ	44	14) put machine in setup mode
	45	15) boot to the UEFI shell
	46	16) run lockdown.efi from #4:
	47	fs0:\EFI\test\lockdown.efi
	48	17) enable secure boot verification
	49	18) verify it can't run other binaries:
a2e66ece	50	fs0:\EFI\test\grubx64.efi
ac356a0e PJ	51	result should be an error, probably similar to:
ac356a0e PJ	52	"fs0:\...\grubx64.efi is not recognized as an internal or external command"
a2e66ece PJ	53	19) in the EFI shell, run fs0:\EFI\test\shim.efi
a2e66ece PJ	54	20) you should see MokManager. Enroll the certificate you added in #13, and
ac356a0e	55	the system will reboot.
a2e66ece	56	21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi
ac356a0e PJ	57	result: "This is a test application that should be completely safe."
	58	If you get the expected result, shim can run things signed by its internal
	59	key ring. Check a box someplace that says it can do that.
a2e66ece	60	22) from the EFI shell, copy grub to grubx64.efi:
a0bb7822	61	cp \EFI\test\grub.efi \EFI\test\grubx64.efi
a2e66ece	62	23) in the EFI shell, run fs0:\EFI\test\shim.efi
ac356a0e PJ	63	result: this should start grub, which will let you boot a kernel
	64	If grub starts, it means shim can run things signed by a key in the system's
	65	db. Check a box someplace that says it can do that.
	66	If the kernel boots, it means shim can run things from Mok. Check a box
	67	someplace that says it can do that.
a2e66ece	68	24) remove all boot entries and the BootOrder variable:
ac356a0e PJ	69	[root@uefi ~]# cd /sys/firmware/efi/efivars/
	70	[root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-*
	71	removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’
	72	removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
	73	removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’
	74	removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
	75	removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’
a6c726fc	76	[root@uefi efivars]#
a2e66ece PJ	77	25) reboot
a2e66ece PJ	78	26) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just
ac356a0e PJ	79	have an old machine. In that case, go to the EFI shell and run:
	80	fs0:\EFI\BOOT\BOOTX64.EFI
	81	If this works, you should see a bit of output very quickly and then the same
	82	thing as #24. This means shim recognized it was in \EFI\BOOT and ran
	83	fallback.efi, which worked.
a2e66ece	84	27) copy the unsigned grub into place and reboot:
a0bb7822	85	cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi
a2e66ece	86	28) reboot again.
a0bb7822	87	result: shim should refuse to load grub.