Sayan/secureboot implement ci+jepio #554

Closed
wants to merge 5 commits into from

@jepio jepio commented Sep 4, 2024

FOR TESTING - PLEASE WAIT

[Title: describe the change in one sentence]

[ describe the change in 1 - 3 paragraphs ]

How to use

[ describe what reviewers need to do in order to validate this PR ]

Testing done

[Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

sayanchowdhury and others added 2 commits September 4, 2024 16:53
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Continue supporting BIOS by passing `-bios` and only enable `smm=on` when
secure boot is requested, as it requires build of OVMF code. This special build
is required for secure boot support, but non-sboot OVMFs won't support it.
@jepio jepio marked this pull request as ready for review September 4, 2024 15:13
@jepio jepio closed this Sep 4, 2024
@jepio jepio reopened this Sep 4, 2024
and cleanup on shutdown.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
@jepio jepio force-pushed the sayan/secureboot-implement-ci+jepio branch from be81954 to 78a4688 Compare September 6, 2024 15:56
To make this change easier to apply to all channels.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Kernel lockdown blocks loading unsigned kernel modules, so these tests need to
be disabled. Eventually the zfs sysext should ship signed kernel modules, but
falco is built on the running system and won't work the same way. Falco
suggests running in eBPF mode instead.

2 participants