Dasharo / open-source-firmware-validation

OSFV infrastructure with automated tests and scripts for managing test results
Apache License 2.0

Make sb images #192

Closed WiktorG351 closed 7 months ago

TomaszAIR commented 7 months ago

@WiktorG351 I made a couple of changes: the kw now only checks if the given image is available; if not, the suite fails with info that the sb-img-wrapper.sh script should be used to create images.

Test results with images created from script. Tested on QEMU.

λ robot -b file.txt -L TRACE -v ansible_config:yes -v rte_ip:127.0.0.1 -v snipeit:no -v config:qemu dasharo-security/secure-boot.robot                          
==============================================================================                                                                                                                                                                
Secure-Boot                                                                                                                                                                                                                                   
==============================================================================                                                                                                                                                                
SBO001.001 Check Secure Boot default state (firmware) :: This test... | PASS |                                                                                                                                                                
------------------------------------------------------------------------------                                                                                                                                                                
SBO002.001 UEFI Secure Boot (Ubuntu 22.04) :: This test verifies t... | PASS |                                         
------------------------------------------------------------------------------                                                                                                                                                                
SBO002.002 UEFI Secure Boot (Windows 11) :: This test verifies tha... | SKIP |                                                                                                                                                                
SBO002.002 not supported                                                                                                                                                                                                                      
------------------------------------------------------------------------------                                         
SBO003.001 Attempt to boot file with the correct key from Shell (f... | PASS |                                         
------------------------------------------------------------------------------                                         
SBO004.001 Attempt to boot file without the key from Shell (firmwa... | PASS |                                         
------------------------------------------------------------------------------                                                                                                                                                                
SBO005.001 Attempt to boot file with the wrong-signed key from She... | PASS |                                         
------------------------------------------------------------------------------                                         
SBO006.001 Reset Secure Boot Keys option availability (firmware) :... | PASS |                                                                                                                                                                
------------------------------------------------------------------------------                                                                                                                                                                
SBO007.001 Attempt to boot the file after restoring keys to defaul... | PASS |                                                                                                                                                                
------------------------------------------------------------------------------                                                                                                                                                                
SBO008.001 Attempt to enroll the key in the incorrect format (firm... | PASS |                                                                                                                                                                
------------------------------------------------------------------------------                                         
SBO009.001 Attempt to boot file signed for intermediate certificat... | PASS |                                                                                                                                                                
------------------------------------------------------------------------------                                         
SBO010.001 Check support for rsa2k signed certificates :: PEM gene... | PASS |                                         
------------------------------------------------------------------------------                                         
SBO010.002 Check support for rsa3k signed certificates :: PEM gene... | PASS |                                                                                                                                                                
------------------------------------------------------------------------------                                                                                                                                                                
SBO010.003 Check support for rsa4k signed certificates :: PEM gene... | PASS |                                                                                                                                                                
------------------------------------------------------------------------------ 
SBO010.004 Check support for ecdsa256 signed certificates :: PEM g... | FAIL |                                         
'                                                                                                                      
Command Error Status: Access Denied                                                                                                                                                                                                           
FS0:\>' does not contain 'Hello, world!'                                                                               
------------------------------------------------------------------------------                                                                                                                                                                
SBO010.005 Check support for ecdsa384 signed certificates :: PEM g... | FAIL |
'
Command Error Status: Access Denied
FS0:\>' does not contain 'Hello, world!'
------------------------------------------------------------------------------
SBO010.006 Check support for ecdsa521 signed certificates :: PEM g... | FAIL |
'
Command Error Status: Access Denied
FS0:\>' does not contain 'Hello, world!'
------------------------------------------------------------------------------
SBO011.001 Attempt to enroll expired certificate and boot signed i... | FAIL |
'
Hello, world!
FS0:\>' does not contain 'Access Denied'
------------------------------------------------------------------------------

The last four can fail: in the case of ecdsa, BIOS cannot enroll ecdsa certs, and with the expired image, BIOS still boots it even if the certificate is expired - so in these cases we have FAIL.

If one of the images is missing, the tests fail immediately.

λ rm scripts/secure-boot/images/GOOD_KEYS.img
λ robot -b file.txt -L TRACE -v ansible_config:yes -v rte_ip:127.0.0.1 -v snipeit:no -v config:qemu dasharo-security/secure-boot.robot
==============================================================================                                
Secure-Boot                                                                   
==============================================================================
SBO001.001 Check Secure Boot default state (firmware) :: This test... | FAIL |                                         
Parent suite setup failed:                                                                                             
Image GOOD_KEYS.img does not exist! Please run ./scripts/secure-boot/generate-images/sb-img-wrapper.sh script.
------------------------------------------------------------------------------
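
The comment above separates failures that are expected on this firmware (SBO010.004 to SBO010.006 and SBO011.001) from a suite setup failure caused by a missing image. The following is an added example, not part of the original comment or the OSFV repository, of triaging Robot Framework console output so that only failures outside that list, or any run with a failed suite setup, are flagged. The `triage` function, the `KNOWN_FAILURES` set and the sample lines are assumptions constructed for illustration.

```python
import re

# Test IDs the comment above says can fail on this firmware: ECDSA certs
# cannot be enrolled, and an image signed with an expired cert still boots.
KNOWN_FAILURES = {"SBO010.004", "SBO010.005", "SBO010.006", "SBO011.001"}

# Robot console result line: "<ID> <truncated name> | STATUS |"
RESULT_RE = re.compile(r"^(SBO\d{3}\.\d{3})\s.*\|\s*(PASS|FAIL|SKIP)\s*\|\s*$")

# Constructed sample modelled on the output above; the SBO004.001 FAIL
# line is invented here to show how a regression is reported.
SAMPLE = """\
SBO002.001 UEFI Secure Boot (Ubuntu 22.04) :: This test verifies t... | PASS |
SBO002.002 UEFI Secure Boot (Windows 11) :: This test verifies tha... | SKIP |
SBO002.002 not supported
SBO004.001 Attempt to boot file without the key from Shell (firmwa... | FAIL |
SBO010.004 Check support for ecdsa256 signed certificates :: PEM g... | FAIL |
SBO011.001 Attempt to enroll expired certificate and boot signed i... | FAIL |
"""


def triage(console_output):
    """Classify results into passed, skipped, known and unexpected failures."""
    report = {"passed": [], "skipped": [], "known": [], "unexpected": [],
              "setup_failed": False}
    for line in console_output.splitlines():
        if "Parent suite setup failed" in line:
            report["setup_failed"] = True
        match = RESULT_RE.match(line)
        if not match:
            continue
        test_id, status = match.groups()
        if status == "PASS":
            report["passed"].append(test_id)
        elif status == "SKIP":
            report["skipped"].append(test_id)
        elif test_id in KNOWN_FAILURES:
            report["known"].append(test_id)
        else:
            report["unexpected"].append(test_id)
    if report["setup_failed"]:
        # With a missing image no test actually ran, so a "known" failure
        # here says nothing about the firmware; report all of them.
        report["unexpected"] += report["known"]
        report["known"] = []
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```
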