Performing verification for edk2 on questing.

Mate Kukri has coded all verification steps in autopkgtests, for the
edk2/2025.02-8ubuntu3.2 version in -proposed:

amd64: pass.
https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/e/edk2/20260605_130512_dc430@/log.gz
arm64: pass.
https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/arm64/e/edk2/20260612_051811_8f193@/log.gz

If you want to grep, scroll to the bottom and look at:
test_aavmf_secvar_update_appends_2023_certs 
(__main__.SecvarUpdateTest.test_aavmf_secvar_update_appends_2023_certs)
and
test_ovmf_secvar_update_appends_2023_certs 
(__main__.SecvarUpdateTest.test_ovmf_secvar_update_appends_2023_certs)
and
test_ovmf_secvar_update_version_guard 
(__main__.SecvarUpdateTest.test_ovmf_secvar_update_version_guard)

Manual testing:

I started a questing VM. Install a full KVM stack:

$ sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients 
bridge-utils
$ sudo reboot

The edk2 version in -updates is:

$ apt-cache policy ovmf
ovmf:
  Installed: 2025.02-8ubuntu3.1
  Candidate: 2025.02-8ubuntu3.1
  Version table:
 *** 2025.02-8ubuntu3.1 500
        500 http://archive.ubuntu.com/ubuntu questing-updates/main amd64 
Packages

In virt-manager on the host, select:

File > Add Connection...
Configure the settings as follows:
    Hypervisor: QEMU/KVM
    Connection: Check the box for "Connect to remote host over SSH"
    Username: ubuntu
    Hostname: IP address of the VM
Click Connect.

Create a VM, make sure to use the remote libvirt connect.
Select "Manual install".
Select "Ubuntu Questing".
Deselect "Enable storage for this VM".
Select "Customize configuration before install".
Click Finish.
Under "Overview" select "Chipset: Q35". "Firmware: UEFI x86_64: 
/usr/share/OVMF/OVMF_CODE_4M.ms.fd"
Click Apply.
Click Begin Installation.

Boot the VM. Press the 'esc' key once during boot./;''''''/

If your mouse gets stuck, press ctrl-alt-l.

In the menu, select:
"Device Manager" > "Secure Boot Configuration" > "Secure Boot Mode".
Change <Standard Mode> to <Custom Mode>.
Select "Custom Secure Boot Options".

KEK:
Select "KEK Options" > "Delete KEK".
Scroll through the options. There will be:
- CM = Ubuntu OVMF Secure Boot (PK/KEK key)
- CM = Microsoft Corportate KEK CA 2011

DB:
Select "DB Options" > "Delete Signature".
Scroll through the options. There will be:
- CM = Microsoft Windows Production PCA 2011
- CM = Microsoft Corportation UEFI CA 2011

Next, on the host system, enable -proposed and install edk2.

$ apt-cache policy ovmf
ovmf:
  Installed: 2025.02-8ubuntu3.2
  Candidate: 2025.02-8ubuntu3.2
  Version table:
 *** 2025.02-8ubuntu3.2 100
        100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 
Packages
        100 /var/lib/dpkg/status

Repeat the steps.

In the menu, select:
"Device Manager" > "Secure Boot Configuration" > "Secure Boot Mode".
Change <Standard Mode> to <Custom Mode>.
Select "Custom Secure Boot Options".

KEK:
Select "KEK Options" > "Delete KEK".
Scroll through the options. There will be:
- CM = Ubuntu OVMF Secure Boot (PK/KEK key)
- CM = Microsoft Corportate KEK CA 2011
- CM = Microsoft Corporation KEK 2K CA 2023  <<<<<<<< NEW 

DB:
Select "DB Options" > "Delete Signature".
Scroll through the options. There will be:
- CM = Microsoft Windows Production PCA 2011
- CM = Microsoft Corportation UEFI CA 2011
- CM = Windows UEFI CA 2023                  <<<<<<<< NEW 
- CM = Microsoft UEFI CA 2023                <<<<<<<< NEW 
- CM = Microsoft Option ROM UEFI CA 2023     <<<<<<<< NEW 

Everything looks good to me. Marking verified for questing.

** Tags removed: verification-needed-questing
** Tags added: verification-done-questing

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146560

Title:
  [FFe + SRU] edk2: Introduce FirmwareSecvarUpdater for MS 2023 CA
  rollout

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2146560/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to