[Bug 1137216] New: ovmf package misses binaries signed with keys for secureboot testing
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 Bug ID: 1137216 Summary: ovmf package misses binaries signed with keys for secureboot testing Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.1 Hardware: aarch64 OS: Linux Status: NEW Severity: Normal Priority: P5 - None Component: Virtualization:Tools Assignee: virt-bugs@suse.de Reporter: guillaume.gardet@arm.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- ovmf package in Leap15.1/SLE15-SP1 misses binaries signed with keys for secureboot testing. The required update is https://build.opensuse.org/request/show/701042 While at it, we should add this update https://build.opensuse.org/request/show/686880 to fix aarch32 packaging. Could we add those updates for :Update, please? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 Guillaume GARDET <guillaume.gardet@arm.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |afaerber@suse.com, | |dmueller@suse.com, | |glin@suse.com, | |guillaume.gardet@arm.com, | |mbrugger@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c1 Gary Ching-Pang Lin <glin@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(afaerber@suse.com | |) --- Comment #1 from Gary Ching-Pang Lin <glin@suse.com> --- Andreas, Will we release an ovmf/aavmf with embedded keys for AArch64 in SLE15-SP1? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c2 Andreas Färber <afaerber@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jsegitz@suse.com, | |mchang@suse.com Flags| |needinfo?(guillaume.gardet@ | |arm.com) --- Comment #2 from Andreas Färber <afaerber@suse.com> --- Guillaume, what's the use case for this? I understood that this would only allow to boot into our installation medium but not into the installed system's GRUB? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c3 Guillaume GARDET <guillaume.gardet@arm.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(guillaume.gardet@ | |arm.com) | --- Comment #3 from Guillaume GARDET <guillaume.gardet@arm.com> --- (In reply to Andreas Färber from comment #2)
Guillaume, what's the use case for this? I understood that this would only allow to boot into our installation medium but not into the installed system's GRUB?
The use case is openQA. Our aarch64 worker runs Leap 15.1 and we would need those firmware to follow/test the current status of SecureBoot. It is currently broken after installation, as signed Grub is not installed properly yet. But at least we can monitor progress/regressions. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 Santiago Zarate <santiago.zarate@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |santiago.zarate@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 Oliver Kurz <okurz@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |okurz@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c4 --- Comment #4 from Oliver Kurz <okurz@suse.com> --- so could you simply create a MR for Leap 15.1 (and potentially 15.0) with the changes corresponding to https://build.opensuse.org/request/show/701162 ? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c5 --- Comment #5 from Guillaume GARDET <guillaume.gardet@arm.com> --- (In reply to Oliver Kurz from comment #4)
so could you simply create a MR for Leap 15.1 (and potentially 15.0) with the changes corresponding to https://build.opensuse.org/request/show/701162 ?
ovmf is a package inherited from SLE, so updates must go through SLE. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c6 --- Comment #6 from Oliver Kurz <okurz@suse.com> --- well, ok, the result should be the same though :) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 Andreas Färber <afaerber@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nsinger@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 Oliver Kurz <okurz@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c9 --- Comment #9 from Gary Ching-Pang Lin <glin@suse.com> --- If it's just for test, it would be fine to extract the "code" and "vars" files from ovmf in Factory and configure openQA to use the specific firmware files. BTW, for the incoming update of ovmf/edk2 201905stable, I'm planning to drop the key embedding patch and use the upstream EnrollDefaulyKeys.efi to generate the varstore with preloaded keys. So in the future, the keys will not be in the "code" files anymore but in the "vars" files. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c10 --- Comment #10 from Guillaume GARDET <guillaume.gardet@arm.com> --- (In reply to Gary Ching-Pang Lin from comment #9)
If it's just for test, it would be fine to extract the "code" and "vars" files from ovmf in Factory and configure openQA to use the specific firmware files.
This is what okurz did yesterday on aarch64 openQA worker. But it would be better to provide it to SLE/Leap users directly, if possible. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1137216 http://bugzilla.opensuse.org/show_bug.cgi?id=1137216#c11 Guillaume GARDET <guillaume.gardet@arm.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |WONTFIX --- Comment #11 from Guillaume GARDET <guillaume.gardet@arm.com> --- 15.1 is EOL and this is fixed in 15.2+. -- You are receiving this mail because: You are on the CC list for the bug.
participants (2)
-
bugzilla_noreply@novell.com -
bugzilla_noreply@suse.com