From 463b124c7153c2d2adf6b82bdbf09312ddbe0429 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Wed, 20 Aug 2025 17:10:05 +0200 Subject: [PATCH 1/2] os-config/ansible: Add efitools package MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- os-config/ansible/linux-packages-playbook.yaml | 1 + os-config/ansible/vars/201-packages.yaml | 1 + os-config/ansible/vars/202-packages.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/os-config/ansible/linux-packages-playbook.yaml b/os-config/ansible/linux-packages-playbook.yaml index 4b562dd550..f465fb3217 100644 --- a/os-config/ansible/linux-packages-playbook.yaml +++ b/os-config/ansible/linux-packages-playbook.yaml @@ -29,6 +29,7 @@ - "{{package_usbutils}}" - "{{package_tpm2_tools}}" - "{{package_pulseaudio_utils}}" + - "{{package_efitools}}" state: present - name: Install coreboot tools files ansible.builtin.copy: diff --git a/os-config/ansible/vars/201-packages.yaml b/os-config/ansible/vars/201-packages.yaml index df8f129139..8db9087047 100644 --- a/os-config/ansible/vars/201-packages.yaml +++ b/os-config/ansible/vars/201-packages.yaml @@ -22,3 +22,4 @@ package_tpm2_tools: tpm2-tools package_ethtool: ethtool package_stress_ng: stress-ng package_pulseaudio_utils: pulseaudio-utils +package_efitools: efitools diff --git a/os-config/ansible/vars/202-packages.yaml b/os-config/ansible/vars/202-packages.yaml index 578dfe7d9b..1df58057c1 100644 --- a/os-config/ansible/vars/202-packages.yaml +++ b/os-config/ansible/vars/202-packages.yaml @@ -22,3 +22,4 @@ package_tpm2_tools: tpm2-tools package_ethtool: ethtool package_stress_ng: stress-ng package_pulseaudio_utils: pulseaudio-utils +package_efitools: efitools From b43697c39e0f01c85d8e0859c144b4b540a78ca7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Wed, 20 Aug 2025 17:11:25 +0200 Subject: [PATCH 2/2] dasharo-security/secure-boot.robot: Add OS Secure Boot PK enrollment test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- dasharo-security/secure-boot.robot | 127 ++++++++++++++++++++++++-- lib/secure-boot-lib.robot | 140 +++++++++++++++++++++++++++++ test_cases.json | 21 +++++ 3 files changed, 279 insertions(+), 9 deletions(-) diff --git a/dasharo-security/secure-boot.robot b/dasharo-security/secure-boot.robot index 34175cbb16..70aab40af0 100644 --- a/dasharo-security/secure-boot.robot +++ b/dasharo-security/secure-boot.robot @@ -43,7 +43,6 @@ SBO001.001 Check Secure Boot default state (firmware) [Documentation] This test aims to verify that Secure Boot state after ... flashing the platform with the Dasharo firmware is ... correct. - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO001.001 not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO001.001 not supported Power On ${setup_menu}= Enter Setup Menu Tianocore And Return Construction @@ -60,7 +59,6 @@ SBO002.001 UEFI Secure Boot (Ubuntu) [Documentation] This test verifies that Secure Boot can be enabled from ... boot menu and, after the DUT reset, it is seen from ... the OS. - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO002.001 not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO002.001 not supported # 1. Make sure that SB is enabled @@ -97,7 +95,6 @@ SBO002.002 UEFI Secure Boot (Windows) [Documentation] This test verifies that Secure Boot can be enabled from ... boot menu and, after the DUT reset, it is seen from ... the OS. - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO002.002 not supported Skip If not ${TESTS_IN_WINDOWS_SUPPORT} SBO002.002 not supported # 1. Make sure that SB is enabled 
@@ -133,7 +130,6 @@ SBO002.002 UEFI Secure Boot (Windows) SBO003.001 Attempt to boot file with the correct key from Boot Maintenance Manager (firmware) [Documentation] This test verifies that Secure Boot allows booting a ... signed file with a correct key. - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO004.001 not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO004.001 not supported Power On ${sb_menu}= Enter Secure Boot Menu And Return Construction @@ -158,7 +154,6 @@ SBO003.001 Attempt to boot file with the correct key from Boot Maintenance Manag SBO004.001 Attempt to boot file without the key from Boot Maintenance Manager (firmware) [Documentation] This test verifies that Secure Boot blocks booting a file ... without a key. - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO004.001 not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO004.001 not supported # 1. Make sure that SB is enabled Power On @@ -176,7 +171,6 @@ SBO004.001 Attempt to boot file without the key from Boot Maintenance Manager (f SBO005.001 Attempt to boot file with the wrong-signed key from Boot Maintenance Manager (firmware) [Documentation] This test verifies that Secure Boot disallows booting ... a signed file with a wrong-signed key. - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO005.001 not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO005.001 not supported # 1. Make sure that SB is enabled Power On @@ -194,7 +188,6 @@ SBO005.001 Attempt to boot file with the wrong-signed key from Boot Maintenance SBO006.001 Reset Secure Boot Keys option availability (firmware) [Documentation] This test verifies that the Reset Secure Boot Keys ... option is available - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO006.001 not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO006.001 not supported Power On ${setup_menu}= Enter Setup Menu Tianocore And Return Construction 
@@ -210,7 +203,6 @@ SBO006.001 Reset Secure Boot Keys option availability (firmware) SBO007.001 Attempt to boot the file after restoring keys to default (firmware) [Documentation] This test verifies that restoring the keys to default ... removes any custom added certificates. - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO007.001 not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO007.001 not supported Power On ${sb_menu}= Enter Secure Boot Menu And Return Construction @@ -249,7 +241,6 @@ SBO007.001 Attempt to boot the file after restoring keys to default (firmware) SBO008.001 Attempt to enroll the key in the incorrect format (firmware) [Documentation] This test verifies that it is impossible to load ... a certificate in the wrong file format. - Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO008.001 not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO008.001 not supported # 1. Make sure that SB is enabled Power On 
@@ -264,6 +255,124 @@ SBO008.001 Attempt to enroll the key in the incorrect format (firmware) Select File In File Explorer cert_fake.der Read From Terminal Until ERROR: Unsupported file type! +SBO009.201 Attempt to enroll and delete new PK key in OS (Ubuntu) + [Documentation] This test verifies that it is impossible to load + ... a certificate in the wrong file format. + Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO009.001 not supported + # 1. Make sure that SB is enabled and default keys enrolled. + Power On + ${sb_menu}= Enter Secure Boot Menu And Return Construction + ${advanced_menu}= Enter Advanced Secure Boot Keys Management And Return Construction ${sb_menu} + Reset To Default Secure Boot Keys ${advanced_menu} + # 2. Delete PK so that we can enroll a new one in OS + Enter PK Options And Delete PK ${advanced_menu} + # Let the flash operation be finished before resetting + Sleep 1 + Tianocore Reset System + # Now boot to the OS + Boot System Or From Connected Disk ${ENV_ID_UBUNTU} + Login To Linux + Switch To Root User + # The magic starts here... + # Check if we are in SetupMode + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 1 Fail Secure Boot not in setup mode + # Generate a new PK key and enroll the new PK. Setup mode should be cleared + Generate New PK Key Set + ${status}= Enroll New PK From OS + IF ${status} != 0 Fail Could not enroll new PK from OS + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 0 Fail Secure Boot not in user mode + # Attempt to delete PK. 
We should get back to Setup Mode + ${status}= Enroll New PK From OS noPK.auth + IF ${status} != 0 Fail Could not delete PK from OS + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 1 Fail Secure Boot not in setup mode + +SBO010.201 Attempt to change existing PK key in OS (Ubuntu) + [Documentation] This test verifies that it is impossible to load + ... a certificate in the wrong file format. + Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO009.002 not supported + # 1. Make sure that SB is enabled and default keys enrolled. + Power On + ${sb_menu}= Enter Secure Boot Menu And Return Construction + ${advanced_menu}= Enter Advanced Secure Boot Keys Management And Return Construction ${sb_menu} + Reset To Default Secure Boot Keys ${advanced_menu} + # 2. Delete PK so that we can enroll a new one in OS + Enter PK Options And Delete PK ${advanced_menu} + # Let the flash operation be finished before resetting + Sleep 1 + Tianocore Reset System + # Now boot to the OS + Boot System Or From Connected Disk ${ENV_ID_UBUNTU} + Login To Linux + Switch To Root User + # The magic starts here... + # Check if we are in SetupMode + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 1 Fail Secure Boot not in setup mode + # Generate a new PK key and enroll the new PK. Setup mode should be cleared + Generate New PK Key Set + ${status}= Enroll New PK From OS + IF ${status} != 0 Fail Could not enroll new PK from OS + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 0 Fail Secure Boot not in user mode + # Attempt to change PK. + Generate New PK Key Set newPK + # Sign the new PK signature list with existing PK + Execute Command In Terminal + ... 
sign-efi-sig-list -k PK.key -c PK.crt PK newPK.esl newPK.auth + ${status}= Enroll New PK From OS newPK.auth + IF ${status} != 0 Fail Could not change PK from OS + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 0 Fail Secure Boot not in user mode + +SBO011.201 Attempt to change PK with incorrectly signed PK in OS (Ubuntu) + [Documentation] This test verifies that it is impossible to load + ... a certificate in the wrong file format. + Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO009.003 not supported + # 1. Make sure that SB is enabled and default keys enrolled. + Power On + ${sb_menu}= Enter Secure Boot Menu And Return Construction + ${advanced_menu}= Enter Advanced Secure Boot Keys Management And Return Construction ${sb_menu} + Reset To Default Secure Boot Keys ${advanced_menu} + # 2. Delete PK so that we can enroll a new one in OS + Enter PK Options And Delete PK ${advanced_menu} + # Let the flash operation be finished before resetting + Sleep 1 + Tianocore Reset System + # Now boot to the OS + Boot System Or From Connected Disk ${ENV_ID_UBUNTU} + Login To Linux + Switch To Root User + # The magic starts here... + # Check if we are in SetupMode + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 1 Fail Secure Boot not in setup mode + # Generate a new PK key and enroll the new PK. Setup mode should be cleared + Generate New PK Key Set + ${status}= Enroll New PK From OS + IF ${status} != 0 Fail Could not enroll new PK from OS + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 0 Fail Secure Boot not in user mode + # Attempt to change PK but do not sign it with current PK. 
+ Generate New PK Key Set newPK + ${status}= Enroll New PK From OS newPK.auth + IF ${status} == 0 + Fail Unauthorized PK has been enrolled successfully + END + ${out}= Read Secure Boot Variable SetupMode + ${setup_mode}= Convert To Integer ${out} + IF ${setup_mode} != 0 Fail Secure Boot not in user mode + *** Keywords *** Set Secure Boot State To Disabled diff --git a/lib/secure-boot-lib.robot b/lib/secure-boot-lib.robot index 6d89a56a37..53615e4962 100644 --- a/lib/secure-boot-lib.robot +++ b/lib/secure-boot-lib.robot 
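Review bot: SBO011.201 treats any non-zero status from `Enroll New PK From OS    newPK.auth` as a rejection and afterwards checks only `SetupMode`, so the test would also pass if the update failed for an unrelated reason (for example a missing `newPK.auth`), and `SetupMode` stays 0 whether or not the PK contents changed. Asserting the property directly is stronger: read the variable before the attempt with `${pk_before}=    Read Secure Boot Variable    PK`, then after it add `${pk_after}=    Read Secure Boot Variable    PK` and `Should Be Equal    ${pk_before}    ${pk_after}`. SBO010.201 has the mirror-image gap, since it never confirms that the PK actually changed after the signed update. All three new tests also carry the `[Documentation]` text of SBO008.001 ("impossible to load a certificate in the wrong file format") and skip messages naming `SBO009.001`, `SBO009.002` and `SBO009.003` rather than their own IDs; each should describe its own scenario.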
@@ -18,6 +18,56 @@ ${BAD_FORMAT_URL}= https://cloud.3mdeb.com/index.php/s/AsBnATiHTZQ6jae/ ${BAD_FORMAT_NAME}= bad_format.img ${BAD_FORMAT_SHA256}= 59d17bc120dfd0f2e6948a2bfdbdf5fb06eddcb44f9a053a8e7b8f677e21858c +${EFIVARFS}= /sys/firmware/efi/efivars +${EFI_GLOBAL_VAR_GUID}= 8be4df61-93ca-11d2-aa0d-00e098032b8c +${SECURE_BOOT_DB_GUID}= d719b2cb-3d3a-4596-a3bc-dad00e67656f + +&{PK_VAR}= varname=PK +... guid=${EFI_GLOBAL_VAR_GUID} +... length=0 +&{KEK_VAR}= varname=KEK +... guid=${EFI_GLOBAL_VAR_GUID} +... length=0 +&{DB_VAR}= varname=db +... guid=${SECURE_BOOT_DB_GUID} +... length=0 +&{DBX_VAR}= varname=dbx +... guid=${SECURE_BOOT_DB_GUID} +... length=0 +&{DBT_VAR}= varname=dbt +... guid=${SECURE_BOOT_DB_GUID} +... length=0 +&{PK_DEFAULT_VAR}= varname=PKDefault +... guid=${EFI_GLOBAL_VAR_GUID} +... length=0 +&{KEK_DEFAULT_VAR}= varname=KEKDefault +... guid=${EFI_GLOBAL_VAR_GUID} +... length=0 +&{DB_DEFAULT_VAR}= varname=dbDefault +... guid=${SECURE_BOOT_DB_GUID} +... length=0 +&{DBX_DEFAULT_VAR}= varname=dbxDefault +... guid=${SECURE_BOOT_DB_GUID} +... length=0 +&{DBT_DEFAULT_VAR}= varname=dbtDefault +... guid=${SECURE_BOOT_DB_GUID} +... length=0 +&{SECURE_BOOT_VAR}= varname=SecureBoot +... guid=${EFI_GLOBAL_VAR_GUID} +... length=1 +&{SETUP_MODE_VAR}= varname=SetupMode +... guid=${EFI_GLOBAL_VAR_GUID} +... length=1 +&{VENDOR_KEYS_VAR}= varname=VendorKeys +... guid=${EFI_GLOBAL_VAR_GUID} +... length=1 + +@{SB_VAR_LIST}= &{PK_VAR} &{KEK_VAR} &{DB_VAR} &{DBX_VAR} +... &{PK_DEFAULT_VAR} &{KEK_DEFAULT_VAR} +... &{DB_DEFAULT_VAR} &{DBX_DEFAULT_VAR} +... &{SECURE_BOOT_VAR} &{SETUP_MODE_VAR} +... &{VENDOR_KEYS_VAR} + *** Keywords *** Get Secure Boot Menu Construction 
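Review bot: `&{DB_DEFAULT_VAR}`, `&{DBX_DEFAULT_VAR}` and `&{DBT_DEFAULT_VAR}` are given `guid=${SECURE_BOOT_DB_GUID}`, but the UEFI specification lists `dbDefault`, `dbxDefault` and `dbtDefault` among the global variables next to `PKDefault` and `KEKDefault`, so these three should use `guid=${EFI_GLOBAL_VAR_GUID}`. With the image-security-database GUID, `Read Secure Boot Variable` would build an efivarfs path that is not expected to exist and quietly return `${EMPTY}` instead of failing. `&{DBT_VAR}` and `&{DBT_DEFAULT_VAR}` are also defined but left out of `@{SB_VAR_LIST}`, so `Get SB Variable Info` fails for `dbt` and `dbtDefault`. The `length` entries are not read by any keyword visible in this patch; a short comment such as `# length: expected payload size in bytes, 0 = variable-sized` would say what they are for, if that is the intent.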
@@ -276,3 +326,93 @@ Restore Secure Boot Defaults Enable Secure Boot ${sb_menu} END # Changes to Secure Boot take action immediately, so we can just continue + +Enter PK Options And Delete PK + [Documentation] Enters Advanced Secure Boot Keys Management menu and + ... then PK Options, and deletes PK. Keyword assumes PK is present. + [Arguments] ${advanced_menu} + ${pk_opts_menu}= Enter Submenu From Snapshot And Return Construction + ... ${advanced_menu} + ... PK Options + ... opt_only=${TRUE} + Should Contain ${pk_opts_menu} > Enroll PK + # Bug in EDK2, 'K' in Pk is small in this string + Should Contain Match ${pk_opts_menu} Delete Pk [* + # Select Delete PK + Press Key N Times And Enter 1 ${ARROW_DOWN} + # Consume pop-up and confirm action + Read From Terminal Until Are you sure you want to delete PK? + Read From Terminal Until discard change and return + Write Bare Into Terminal y + +Generate New PK Key Set + [Documentation] Creates a set of file required to manage PK via OS. + [Arguments] ${basename}=PK + VAR ${keygen_cmd}= + ... openssl req -new -x509 -newkey rsa:2048 -subj \"/CN\=PK/\" + ... -keyout ${basename}.key -out ${basename}.crt -days 3650 -nodes -sha256 + ... separator=${SPACE} + VAR ${pk_sign_cmd}= + ... sign-efi-sig-list -t "$(date --date\='1 second' +'%Y-%m-%d %H:%M:%S')" + ... -k ${basename}.key -c ${basename}.crt PK ${basename}.esl ${basename}.auth + ... separator=${SPACE} + VAR ${no_pk_sign_cmd}= + ... sign-efi-sig-list -t "$(date --date\='1 second' +'%Y-%m-%d %H:%M:%S')" + ... -k ${basename}.key -c ${basename}.crt PK /dev/null no${basename}.auth + ... separator=${SPACE} + Execute Command In Terminal ${keygen_cmd} + Execute Command In Terminal cert-to-efi-sig-list ${basename}.crt ${basename}.esl + # Enrolling new keys may fail if we try to use these files too quickly. + # Timestamp verification may fail. 
+ Sleep 2s + Execute Command In Terminal ${pk_sign_cmd} + Sleep 2s + Execute Command In Terminal ${no_pk_sign_cmd} + Sleep 3s + +Get SB Variable Info + [Documentation] Returns the GUID for given Secure Boot variable name. + [Arguments] ${varname} + FOR ${var} IN @{SB_VAR_LIST} + IF '${var.varname}' == '${varname}' RETURN ${var} + END + Fail Invalid Secure Boot Variable Name + +Read Secure Boot Variable + [Documentation] Reads a Secure Boot variable via efivarfs + [Arguments] ${var} ${n_bytes}=0 + ${var_info}= Get SB Variable Info ${var} + # Check if the file even exists + ${status}= Execute Command In Terminal + ... test -f ${EFIVARFS}/${var}-${var_info.guid}; echo $? + ${status}= Convert To Integer ${status} + IF ${status} != 0 RETURN ${EMPTY} + # If 0 bytes to read, read whole file, skipping the 4 first bytes + # indicating attribute + IF ${n_bytes} == 0 + ${ret}= Execute Command In Terminal + ... xxd -p -s +4 ${EFIVARFS}/${var}-${var_info.guid} + ELSE + # It is safe to read more than the length of the variable. 'tail' will + # simply return all bytes of the variable, including attribute. + ${ret}= Execute Command In Terminal + ... tail -c ${n_bytes} ${EFIVARFS}/${var}-${var_info.guid} | xxd -p + END + RETURN ${ret} + +Enroll New PK From OS + [Documentation] Enrolls a new PK from file. + [Arguments] ${pk_auth_file}=PK.auth + ${status}= Execute Command In Terminal + ... test -f ${EFIVARFS}/${PK_VAR.varname}-${PK_VAR.guid}; echo $? + ${status}= Convert To Integer ${status} + # Disable immutability attribute of the file in OS + IF ${status} == 0 + Execute Command In Terminal + ... chattr -i ${EFIVARFS}/${PK_VAR.varname}-${PK_VAR.guid} + END + ${out}= Execute Command In Terminal + ... efi-updatevar -f ${pk_auth_file} PK + ${status}= Execute Command In Terminal echo $? + ${status}= Convert To Integer ${status} + RETURN ${status} diff --git a/test_cases.json b/test_cases.json index f00320ccd1..18f845d949 100644 --- a/test_cases.json +++ b/test_cases.json 
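Review bot: `Enroll New PK From OS` reads the exit status through a separate `Execute Command In Terminal    echo $?` call, so the value belongs to `efi-updatevar` only if nothing else runs in that shell between the two commands. The same keyword already uses the single-command form for `test -f …; echo $?`, and doing the same here, e.g. `efi-updatevar -f ${pk_auth_file} PK >/dev/null 2>&1; echo $?`, ties the status to the command whose result SBO011.201 depends on (the captured `${out}` is unused as written). Separately, `Generate New PK Key Set` creates `${basename}.key` with `-nodes` and nothing in this hunk removes the key, `.esl` or `.auth` files afterwards. The callers presumably leave the matching test PK enrolled, so a cleanup keyword or a test teardown that deletes these files and restores the default keys would keep the DUT from carrying a PK whose private key sits unencrypted on its disk. The `Get SB Variable Info` documentation also says it returns the GUID, while the keyword returns the whole variable dictionary.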
@@ -5788,6 +5788,27 @@ "module": "Dasharo Security" } }, + { + "doc": { + "_id": "SBO009.201", + "name": "Attempt to enroll and delete new PK key in OS (Ubuntu)", + "module": "Dasharo Security" + } + }, + { + "doc": { + "_id": "SBO010.201", + "name": "Attempt to change existing PK key in OS (Ubuntu)", + "module": "Dasharo Security" + } + }, + { + "doc": { + "_id": "SBO011.201", + "name": "Attempt to change PK with incorrectly signed PK in OS (Ubuntu)", + "module": "Dasharo Security" + } + }, { "doc": { "_id": "SDC001.001",