127 changes: 118 additions & 9 deletions dasharo-security/secure-boot.robot
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,6 @@ SBO001.001 Check Secure Boot default state (firmware)
[Documentation] This test aims to verify that Secure Boot state after
... flashing the platform with the Dasharo firmware is
... correct.
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO001.001 not supported
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO001.001 not supported
Power On
${setup_menu}= Enter Setup Menu Tianocore And Return Construction
Expand All @@ -60,7 +59,6 @@ SBO002.001 UEFI Secure Boot (Ubuntu)
[Documentation] This test verifies that Secure Boot can be enabled from
... boot menu and, after the DUT reset, it is seen from
... the OS.
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO002.001 not supported
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO002.001 not supported

# 1. Make sure that SB is enabled
Expand Down Expand Up @@ -97,7 +95,6 @@ SBO002.002 UEFI Secure Boot (Windows)
[Documentation] This test verifies that Secure Boot can be enabled from
... boot menu and, after the DUT reset, it is seen from
... the OS.
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO002.002 not supported
Skip If not ${TESTS_IN_WINDOWS_SUPPORT} SBO002.002 not supported

# 1. Make sure that SB is enabled
Expand Down Expand Up @@ -133,7 +130,6 @@ SBO002.002 UEFI Secure Boot (Windows)
SBO003.001 Attempt to boot file with the correct key from Boot Maintenance Manager (firmware)
[Documentation] This test verifies that Secure Boot allows booting a
... signed file with a correct key.
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO004.001 not supported

How is this TC (& following, up to SBO008) going to work without entering FW setup menu?

@philipanda philipanda Dec 14, 2025

It almost got me too 😆
This skip is already in the Suite Setup so @miczyg1 has just removed the redundant duplicates repeated in every keyword

Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO004.001 not supported
Power On
${sb_menu}= Enter Secure Boot Menu And Return Construction
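Review bot: The Ubuntu skip that remains in SBO003.001 still reports `SBO004.001 not supported`, so a skipped run of this case is logged under the wrong test ID. Since the neighbouring line is being touched anyway, change the message to `SBO003.001 not supported`. The removed firmware skip carried the same mismatch, which suggests the pair was copied from SBO004.001.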
Expand All @@ -158,7 +154,6 @@ SBO003.001 Attempt to boot file with the correct key from Boot Maintenance Manag
SBO004.001 Attempt to boot file without the key from Boot Maintenance Manager (firmware)
[Documentation] This test verifies that Secure Boot blocks booting a file
... without a key.
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO004.001 not supported
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO004.001 not supported
# 1. Make sure that SB is enabled
Power On
Expand All @@ -176,7 +171,6 @@ SBO004.001 Attempt to boot file without the key from Boot Maintenance Manager (f
SBO005.001 Attempt to boot file with the wrong-signed key from Boot Maintenance Manager (firmware)
[Documentation] This test verifies that Secure Boot disallows booting
... a signed file with a wrong-signed key.
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO005.001 not supported
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO005.001 not supported
# 1. Make sure that SB is enabled
Power On
Expand All @@ -194,7 +188,6 @@ SBO005.001 Attempt to boot file with the wrong-signed key from Boot Maintenance
SBO006.001 Reset Secure Boot Keys option availability (firmware)
[Documentation] This test verifies that the Reset Secure Boot Keys
... option is available
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO006.001 not supported
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO006.001 not supported
Power On
${setup_menu}= Enter Setup Menu Tianocore And Return Construction
Expand All @@ -210,7 +203,6 @@ SBO006.001 Reset Secure Boot Keys option availability (firmware)
SBO007.001 Attempt to boot the file after restoring keys to default (firmware)
[Documentation] This test verifies that restoring the keys to default
... removes any custom added certificates.
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO007.001 not supported
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO007.001 not supported
Power On
${sb_menu}= Enter Secure Boot Menu And Return Construction
Expand Down Expand Up @@ -249,7 +241,6 @@ SBO007.001 Attempt to boot the file after restoring keys to default (firmware)
SBO008.001 Attempt to enroll the key in the incorrect format (firmware)
[Documentation] This test verifies that it is impossible to load
... a certificate in the wrong file format.
Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SBO008.001 not supported
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO008.001 not supported
# 1. Make sure that SB is enabled
Power On
Expand All @@ -264,6 +255,124 @@ SBO008.001 Attempt to enroll the key in the incorrect format (firmware)
Select File In File Explorer cert_fake.der
Read From Terminal Until ERROR: Unsupported file type!

SBO009.201 Attempt to enroll and delete new PK key in OS (Ubuntu)
[Documentation] This test verifies that it is impossible to load
... a certificate in the wrong file format.
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO009.001 not supported
# 1. Make sure that SB is enabled and default keys enrolled.
Power On
${sb_menu}= Enter Secure Boot Menu And Return Construction
${advanced_menu}= Enter Advanced Secure Boot Keys Management And Return Construction ${sb_menu}
Reset To Default Secure Boot Keys ${advanced_menu}
# 2. Delete PK so that we can enroll a new one in OS
Enter PK Options And Delete PK ${advanced_menu}
# Let the flash operation be finished before resetting
Sleep 1
Tianocore Reset System
# Now boot to the OS
Boot System Or From Connected Disk ${ENV_ID_UBUNTU}
Login To Linux
Switch To Root User
# The magic starts here...
# Check if we are in SetupMode
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 1 Fail Secure Boot not in setup mode
# Generate a new PK key and enroll the new PK. Setup mode should be cleared
Generate New PK Key Set
${status}= Enroll New PK From OS
IF ${status} != 0 Fail Could not enroll new PK from OS
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 0 Fail Secure Boot not in user mode
# Attempt to delete PK. We should get back to Setup Mode
${status}= Enroll New PK From OS noPK.auth
IF ${status} != 0 Fail Could not delete PK from OS
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 1 Fail Secure Boot not in setup mode

SBO010.201 Attempt to change existing PK key in OS (Ubuntu)
[Documentation] This test verifies that it is impossible to load
... a certificate in the wrong file format.
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO009.002 not supported
# 1. Make sure that SB is enabled and default keys enrolled.
Power On
${sb_menu}= Enter Secure Boot Menu And Return Construction
${advanced_menu}= Enter Advanced Secure Boot Keys Management And Return Construction ${sb_menu}
Reset To Default Secure Boot Keys ${advanced_menu}
# 2. Delete PK so that we can enroll a new one in OS
Enter PK Options And Delete PK ${advanced_menu}
# Let the flash operation be finished before resetting
Sleep 1
Tianocore Reset System
# Now boot to the OS
Boot System Or From Connected Disk ${ENV_ID_UBUNTU}
Login To Linux
Switch To Root User
# The magic starts here...
# Check if we are in SetupMode
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 1 Fail Secure Boot not in setup mode
# Generate a new PK key and enroll the new PK. Setup mode should be cleared
Generate New PK Key Set
${status}= Enroll New PK From OS
IF ${status} != 0 Fail Could not enroll new PK from OS
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 0 Fail Secure Boot not in user mode
# Attempt to change PK.
Generate New PK Key Set newPK
# Sign the new PK signature list with existing PK
Execute Command In Terminal
... sign-efi-sig-list -k PK.key -c PK.crt PK newPK.esl newPK.auth
${status}= Enroll New PK From OS newPK.auth
IF ${status} != 0 Fail Could not change PK from OS
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 0 Fail Secure Boot not in user mode

SBO011.201 Attempt to change PK with incorrectly signed PK in OS (Ubuntu)
[Documentation] This test verifies that it is impossible to load
... a certificate in the wrong file format.
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} SBO009.003 not supported
# 1. Make sure that SB is enabled and default keys enrolled.
Power On
${sb_menu}= Enter Secure Boot Menu And Return Construction
${advanced_menu}= Enter Advanced Secure Boot Keys Management And Return Construction ${sb_menu}
Reset To Default Secure Boot Keys ${advanced_menu}
# 2. Delete PK so that we can enroll a new one in OS
Enter PK Options And Delete PK ${advanced_menu}
# Let the flash operation be finished before resetting
Sleep 1
Tianocore Reset System
# Now boot to the OS
Boot System Or From Connected Disk ${ENV_ID_UBUNTU}
Login To Linux
Switch To Root User
# The magic starts here...
# Check if we are in SetupMode
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 1 Fail Secure Boot not in setup mode
# Generate a new PK key and enroll the new PK. Setup mode should be cleared
Generate New PK Key Set
${status}= Enroll New PK From OS
IF ${status} != 0 Fail Could not enroll new PK from OS
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 0 Fail Secure Boot not in user mode
# Attempt to change PK but do not sign it with current PK.
Generate New PK Key Set newPK
${status}= Enroll New PK From OS newPK.auth
IF ${status} == 0
Fail Unauthorized PK has been enrolled successfully
END
${out}= Read Secure Boot Variable SetupMode
${setup_mode}= Convert To Integer ${out}
IF ${setup_mode} != 0 Fail Secure Boot not in user mode


*** Keywords ***
Set Secure Boot State To Disabled
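Review bot: In SBO011.201 the negative check passes on any non-zero status from `Enroll New PK From OS newPK.auth`, so a missing `newPK.auth` or a missing `efi-updatevar` binary would be counted as "unauthorized PK rejected". Read the PK contents with `Read Secure Boot Variable PK` before and after the attempt and assert they are identical, so the case passes only when the firmware actually kept the old key. Two smaller points across the three new cases: the `[Documentation]` text is the wrong-file-format sentence from SBO008.001 and does not describe PK enrollment, deletion or replacement, and the skip messages say `SBO009.001`, `SBO009.002` and `SBO009.003` while the cases are named SBO009.201, SBO010.201 and SBO011.201. Within the visible steps none of the cases restores the default keys at the end: SBO009.201 finishes in Setup Mode and the other two finish with a throwaway test PK enrolled, so a `[Teardown]` that resets the keys would keep that state from leaking into later runs.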
140 changes: 140 additions & 0 deletions lib/secure-boot-lib.robot
Expand Up @@ -18,6 +18,56 @@ ${BAD_FORMAT_URL}= https://cloud.3mdeb.com/index.php/s/AsBnATiHTZQ6jae/
${BAD_FORMAT_NAME}= bad_format.img
${BAD_FORMAT_SHA256}= 59d17bc120dfd0f2e6948a2bfdbdf5fb06eddcb44f9a053a8e7b8f677e21858c

${EFIVARFS}= /sys/firmware/efi/efivars
${EFI_GLOBAL_VAR_GUID}= 8be4df61-93ca-11d2-aa0d-00e098032b8c
${SECURE_BOOT_DB_GUID}= d719b2cb-3d3a-4596-a3bc-dad00e67656f

&{PK_VAR}= varname=PK
... guid=${EFI_GLOBAL_VAR_GUID}
... length=0
&{KEK_VAR}= varname=KEK
... guid=${EFI_GLOBAL_VAR_GUID}
... length=0
&{DB_VAR}= varname=db
... guid=${SECURE_BOOT_DB_GUID}
... length=0
&{DBX_VAR}= varname=dbx
... guid=${SECURE_BOOT_DB_GUID}
... length=0
&{DBT_VAR}= varname=dbt
... guid=${SECURE_BOOT_DB_GUID}
... length=0
&{PK_DEFAULT_VAR}= varname=PKDefault
... guid=${EFI_GLOBAL_VAR_GUID}
... length=0
&{KEK_DEFAULT_VAR}= varname=KEKDefault
... guid=${EFI_GLOBAL_VAR_GUID}
... length=0
&{DB_DEFAULT_VAR}= varname=dbDefault
... guid=${SECURE_BOOT_DB_GUID}
... length=0
&{DBX_DEFAULT_VAR}= varname=dbxDefault
... guid=${SECURE_BOOT_DB_GUID}
... length=0
&{DBT_DEFAULT_VAR}= varname=dbtDefault
... guid=${SECURE_BOOT_DB_GUID}
... length=0
&{SECURE_BOOT_VAR}= varname=SecureBoot
... guid=${EFI_GLOBAL_VAR_GUID}
... length=1
&{SETUP_MODE_VAR}= varname=SetupMode
... guid=${EFI_GLOBAL_VAR_GUID}
... length=1
&{VENDOR_KEYS_VAR}= varname=VendorKeys
... guid=${EFI_GLOBAL_VAR_GUID}
... length=1

@{SB_VAR_LIST}= &{PK_VAR} &{KEK_VAR} &{DB_VAR} &{DBX_VAR}
... &{PK_DEFAULT_VAR} &{KEK_DEFAULT_VAR}
... &{DB_DEFAULT_VAR} &{DBX_DEFAULT_VAR}
... &{SECURE_BOOT_VAR} &{SETUP_MODE_VAR}
... &{VENDOR_KEYS_VAR}


*** Keywords ***
Get Secure Boot Menu Construction
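Review bot: `dbDefault`, `dbxDefault` and `dbtDefault` are assigned `${SECURE_BOOT_DB_GUID}`, but the UEFI specification defines all of the `*Default` key variables under the global variable GUID, the same one used here for `PKDefault` and `KEKDefault`; only `db`, `dbx` and `dbt` belong to the image security database GUID. With the current values `Read Secure Boot Variable dbDefault` would test for an efivarfs file that does not exist and return `${EMPTY}` without failing. Switch the three to `${EFI_GLOBAL_VAR_GUID}`. Also, `&{DBT_VAR}` and `&{DBT_DEFAULT_VAR}` are defined but not listed in `@{SB_VAR_LIST}`, so `Get SB Variable Info` fails for them, and the `length` field is not read by any keyword in this change.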
Expand Down Expand Up @@ -276,3 +326,93 @@ Restore Secure Boot Defaults
Enable Secure Boot ${sb_menu}
END
# Changes to Secure Boot take action immediately, so we can just continue

Enter PK Options And Delete PK
[Documentation] Enters Advanced Secure Boot Keys Management menu and
... then PK Options, and deletes PK. Keyword assumes PK is present.
[Arguments] ${advanced_menu}
${pk_opts_menu}= Enter Submenu From Snapshot And Return Construction
... ${advanced_menu}
... PK Options
... opt_only=${TRUE}
Should Contain ${pk_opts_menu} > Enroll PK
# Bug in EDK2, 'K' in Pk is small in this string
Should Contain Match ${pk_opts_menu} Delete Pk [*
# Select Delete PK
Press Key N Times And Enter 1 ${ARROW_DOWN}
# Consume pop-up and confirm action
Read From Terminal Until Are you sure you want to delete PK?
Read From Terminal Until discard change and return
Write Bare Into Terminal y

Generate New PK Key Set
[Documentation] Creates a set of file required to manage PK via OS.
[Arguments] ${basename}=PK
VAR ${keygen_cmd}=
... openssl req -new -x509 -newkey rsa:2048 -subj \"/CN\=PK/\"
... -keyout ${basename}.key -out ${basename}.crt -days 3650 -nodes -sha256
... separator=${SPACE}
VAR ${pk_sign_cmd}=
... sign-efi-sig-list -t "$(date --date\='1 second' +'%Y-%m-%d %H:%M:%S')"
... -k ${basename}.key -c ${basename}.crt PK ${basename}.esl ${basename}.auth
... separator=${SPACE}
VAR ${no_pk_sign_cmd}=
... sign-efi-sig-list -t "$(date --date\='1 second' +'%Y-%m-%d %H:%M:%S')"
... -k ${basename}.key -c ${basename}.crt PK /dev/null no${basename}.auth
... separator=${SPACE}
Execute Command In Terminal ${keygen_cmd}
Execute Command In Terminal cert-to-efi-sig-list ${basename}.crt ${basename}.esl
# Enrolling new keys may fail if we try to use these files too quickly.
# Timestamp verification may fail.
Sleep 2s
Execute Command In Terminal ${pk_sign_cmd}
Sleep 2s
Execute Command In Terminal ${no_pk_sign_cmd}
Sleep 3s

Get SB Variable Info
[Documentation] Returns the GUID for given Secure Boot variable name.
[Arguments] ${varname}
FOR ${var} IN @{SB_VAR_LIST}
IF '${var.varname}' == '${varname}' RETURN ${var}
END
Fail Invalid Secure Boot Variable Name

Read Secure Boot Variable
[Documentation] Reads a Secure Boot variable via efivarfs
[Arguments] ${var} ${n_bytes}=0
${var_info}= Get SB Variable Info ${var}
# Check if the file even exists
${status}= Execute Command In Terminal
... test -f ${EFIVARFS}/${var}-${var_info.guid}; echo $?
${status}= Convert To Integer ${status}
IF ${status} != 0 RETURN ${EMPTY}
# If 0 bytes to read, read whole file, skipping the 4 first bytes
# indicating attribute
IF ${n_bytes} == 0
${ret}= Execute Command In Terminal
... xxd -p -s +4 ${EFIVARFS}/${var}-${var_info.guid}
ELSE
# It is safe to read more than the length of the variable. 'tail' will
# simply return all bytes of the variable, including attribute.
${ret}= Execute Command In Terminal
... tail -c ${n_bytes} ${EFIVARFS}/${var}-${var_info.guid} | xxd -p
END
RETURN ${ret}

Enroll New PK From OS
[Documentation] Enrolls a new PK from file.
[Arguments] ${pk_auth_file}=PK.auth
${status}= Execute Command In Terminal
... test -f ${EFIVARFS}/${PK_VAR.varname}-${PK_VAR.guid}; echo $?
${status}= Convert To Integer ${status}
# Disable immutability attribute of the file in OS
IF ${status} == 0
Execute Command In Terminal
... chattr -i ${EFIVARFS}/${PK_VAR.varname}-${PK_VAR.guid}
END
${out}= Execute Command In Terminal
... efi-updatevar -f ${pk_auth_file} PK
${status}= Execute Command In Terminal echo $?
${status}= Convert To Integer ${status}
RETURN ${status}
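Review bot: In `Enroll New PK From OS` the exit status is fetched by a separate `Execute Command In Terminal echo $?` after `efi-updatevar`, and `${out}` is never used, so the result depends on nothing else running in that shell between the two calls and the tool's error text is dropped. The existence check a few lines above already uses the `cmd; echo $?` form; do the same here and log `${out}`, so a signature rejection can be told apart from a tooling failure. Related points in this hunk: `chattr -i` on the PK file is never undone, `Read Secure Boot Variable` returns `${EMPTY}` for a missing variable and the callers pass that straight to `Convert To Integer`, the `Get SB Variable Info` documentation says it returns the GUID while it returns the whole dictionary, and `Generate New PK Key Set` leaves an unencrypted private key (`-nodes`) in the working directory with no cleanup step.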
1 change: 1 addition & 0 deletions os-config/ansible/linux-packages-playbook.yaml
Expand Up @@ -29,6 +29,7 @@
- "{{package_usbutils}}"
- "{{package_tpm2_tools}}"
- "{{package_pulseaudio_utils}}"
- "{{package_efitools}}"
state: present
- name: Install coreboot tools files
ansible.builtin.copy:
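Review bot: `package_efitools` covers `cert-to-efi-sig-list`, `sign-efi-sig-list` and `efi-updatevar`, but the new keywords also call `openssl` and `xxd`, and neither appears in the visible part of this package list. Confirm both are installed by this playbook or add variables for them, otherwise `Generate New PK Key Set` and `Read Secure Boot Variable` fail on a freshly provisioned image.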
1 change: 1 addition & 0 deletions os-config/ansible/vars/201-packages.yaml
Expand Up @@ -22,3 +22,4 @@ package_tpm2_tools: tpm2-tools
package_ethtool: ethtool
package_stress_ng: stress-ng
package_pulseaudio_utils: pulseaudio-utils
package_efitools: efitools
1 change: 1 addition & 0 deletions os-config/ansible/vars/202-packages.yaml
Expand Up @@ -22,3 +22,4 @@ package_tpm2_tools: tpm2-tools
package_ethtool: ethtool
package_stress_ng: stress-ng
package_pulseaudio_utils: pulseaudio-utils
package_efitools: efitools
21 changes: 21 additions & 0 deletions test_cases.json
Expand Up @@ -5788,6 +5788,27 @@
"module": "Dasharo Security"
}
},
{
"doc": {
"_id": "SBO009.201",
"name": "Attempt to enroll and delete new PK key in OS (Ubuntu)",
"module": "Dasharo Security"
}
},
{
"doc": {
"_id": "SBO010.201",
"name": "Attempt to change existing PK key in OS (Ubuntu)",
"module": "Dasharo Security"
}
},
{
"doc": {
"_id": "SBO011.201",
"name": "Attempt to change PK with incorrectly signed PK in OS (Ubuntu)",
"module": "Dasharo Security"
}
},
{
"doc": {
"_id": "SDC001.001",