Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement secure boot kernel lockdown check #14689

Merged
merged 3 commits into from Apr 11, 2022
Merged

Implement secure boot kernel lockdown check #14689

merged 3 commits into from Apr 11, 2022

Conversation

rfan1
Copy link
Contributor

@rfan1 rfan1 commented Apr 11, 2022
edited

Verify that if we are "secure booted" that kernel lockdown is enabled

@lilyeyes
Copy link
Contributor

Test should fail as [none] found:
https://openqa.suse.de/tests/8490287#step/kernel_lockdown/12

lilyeyes
lilyeyes approved these changes Apr 11, 2022
View reviewed changes
Copy link
Contributor

@lilyeyes lilyeyes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@jouyingbin
Copy link
Contributor

@rfan1 will you provide the TW VR here for reference?

@rfan1
Copy link
Contributor Author

rfan1 commented Apr 11, 2022

Test should fail as [none] found: https://openqa.suse.de/tests/8490287#step/kernel_lockdown/12

Seems it should fail if getting [] at none only.

@rfan1 will you provide the TW VR here for reference?

Done

Vogtinator
Vogtinator reviewed Apr 11, 2022
View reviewed changes
Copy link
Member

@Vogtinator Vogtinator left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also test that kernel lockdown is effective, e.g. by running dd if=/dev/mem count=1, which needs to fail.

@rfan1
Copy link
Contributor Author

rfan1 commented Apr 11, 2022

Please also test that kernel lockdown is effective, e.g. by running dd if=/dev/mem count=1, which needs to fail.

Thanks much! will do

@rfan1 rfan1 force-pushed the secureboot_kernel_lockdown branch 2 times, most recently from 15c91ce to 333d0b5 Compare April 11, 2022 10:18
@rfan1
Implement secure boot kernel lockdown check
333d0b5 
Verify that if we are "secure booted" that kernel lockdown is enabled
@rfan1
Copy link
Contributor Author

rfan1 commented Apr 11, 2022

New VRs:
https://openqa.opensuse.org/tests/2291439#step/kernel_lockdown/28
https://openqa.suse.de/tests/8503919#step/kernel_lockdown/27

@rfan1 @Vogtinator
Update tests/security/secureboot/kernel_lockdown.pm
dd2fe1e 
Co-authored-by: Fabian Vogt <fabian@ritter-vogt.de>
@rfan1
Copy link
Contributor Author

rfan1 commented Apr 11, 2022

https://openqa.suse.de/tests/8504416#
https://openqa.opensuse.org/tests/2291927#

Vogtinator
Vogtinator approved these changes Apr 11, 2022
View reviewed changes
Copy link
Member

@Vogtinator Vogtinator left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just another suggestion for simplifying the code

@rfan1 @Vogtinator
Update tests/security/secureboot/kernel_lockdown.pm
f110d04 
Co-authored-by: Fabian Vogt <fabian@ritter-vogt.de>
@Vogtinator Vogtinator merged commit 8c09291 into os-autoinst:master Apr 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Vogtinator Vogtinator Vogtinator approved these changes

@lilyeyes lilyeyes lilyeyes approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@rfan1 @lilyeyes @jouyingbin @Vogtinator