Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kola: cork: Handle QCOW2 EFI firmare images and fix arm64 Secure Boot #560

Merged
merged 3 commits into from
Oct 11, 2024

Conversation

chewi
Copy link
Contributor

@chewi chewi commented Oct 3, 2024

Handle QCOW2 EFI firmare images and fix Secure Boot

Forthcoming Flatcar releases will use QCOW2 instead of raw .fd images.

Only pass SMM-related arguments to QEMU for amd64-usr. EDK2 doesn't have SMM for arm64 yet and these arguments break it when Secure Boot is enabled.

Skip tests that change the verity hash when Secure Boot is enabled. Changing the verity hash breaks Secure Boot verification, causing GRUB to error and then just sit at the menu forever. It's not clear why these tests worked before we applied the Red Hat patches to GRUB, but it's now behaving as it should.

How to use

Run tests against one of the new Flatcar Secure Boot builds.

Testing done

Jenkins without qemu_uefi_secure is all green. I'm running qemu_uefi_secure now.

Forthcoming Flatcar releases will use QCOW2 instead of raw .fd images.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
@chewi chewi self-assigned this Oct 3, 2024
EDK2 doesn't have SMM for arm64 yet and these arguments break it.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
@chewi chewi changed the title kola: cork: Handle QCOW2 EFI firmare images and use them by default kola: cork: Handle QCOW2 EFI firmare images and fix arm64 Secure Boot Oct 4, 2024
@chewi chewi marked this pull request as ready for review October 8, 2024 09:32
@chewi chewi requested a review from a team October 8, 2024 09:32
@ader1990
Copy link
Contributor

ader1990 commented Oct 8, 2024

Can you please link the PR that changes the production of the artifact flatcar_production_qemu_uefi_efi_code.qcow2?

@chewi
Copy link
Contributor Author

chewi commented Oct 8, 2024

There is no Flatcar PR yet because the changes are still being finalised, but you see the relevant commit at flatcar/scripts@577cd06.

There is a Gentoo PR though, as the change stems from there. See gentoo/gentoo#38813.

Changing the verity hash breaks Secure Boot verification, causing GRUB
to error and then just sit at the menu forever. It's not clear why these
tests worked before we applied the Red Hat patches to GRUB, but it's now
behaving as it should.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
@chewi
Copy link
Contributor Author

chewi commented Oct 8, 2024

Turns out qemu_uefi_secure was failing due to another Kola issue, so I've added another commit. This change is not arm64-specific, rather it broke once we started applying Red Hat's patches to GRUB.

Copy link
Contributor

@ader1990 ader1990 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small note: currently, this PR will not change the behaviour regarding the usage of flatcar_production_qemu_uefi_efi_code.qcow2 as the CI will override the values and does not need the gentoo/gentoo#38813.

When Flatcar/scripts is updated with the upstream gentoo/gentoo#38813, then it will be used.

@chewi chewi merged commit 02348d6 into flatcar-master Oct 11, 2024
2 checks passed
@chewi chewi deleted the chewi/fw-qcow2 branch October 11, 2024 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants