c9s: Secure Boot tests failing #1237

travier opened this issue Apr 4, 2023 · 11 comments
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.


@travier
Member

travier commented Apr 4, 2023

See: #1238

Needs investigation and opening a Bugzilla for the kernel in C9S.

We currently have to hardcode skipping the Secure Boot tests for C9S until we have coreos/coreos-assembler#3418.

@dustymabe
Member

Once we figure out the secureboot problem with c9s, we should revert f779213 and db54842.

@aaradhak
Contributor

aaradhak commented Jun 9, 2023

The tests iso-live-login.uefi-secure & iso-as-disk.uefi-secure fail with c9s:

[coreos-assembler]$ kola testiso -S iso-live-login.uefi-secure iso-as-disk.uefi-secure --output-dir tmp/kola-metal
⚠️  Skipping kola test pattern "ext.config.rpm-ostree.replace-rt-kernel":
  👉 https://github.com/openshift/os/issues/1099
Ignoring verification of signature on metal image
Running test: iso-as-disk.uefi-secure
FAIL: iso-as-disk.uefi-secure (10m0.002s)
    timed out after 10m0s
Running test: iso-live-login.uefi-secure
FAIL: iso-live-login.uefi-secure (10m0.002s)
    timed out after 10m0s
Error: harness: test suite failed
2023-06-09T17:21:53Z cli: harness: test suite failed

Console log output:

^[[2J^[[01;01H^[[=3h^[[2J^[[01;01H^[[2J^[[01;01H^[[=3h^[[2J^[[01;01HBdsDxe: loading Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x3,0x0)
BdsDxe: failed to load Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x3,0x0): Access Denied
BdsDxe: No bootable option or device was found.
BdsDxe: Press any key to enter the Boot Manager Menu.
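
Added example, not part of the original thread or the project's code: a small Python triage of the BdsDxe console output above, separating a firmware image rejection (`Access Denied`, the result seen in these tests) from other load failures. The function names and both sample logs are constructed for illustration, and the regular expression covers only the two message shapes shown in the log.

```python
import re

# ANSI CSI sequences, as a real ESC byte or as the caret notation ("^[[2J")
# seen when a serial console log is pasted as text.
ANSI = re.compile(r"(?:\x1b|\^\[)\[[0-9;=?]*[A-Za-z]")

# Only the two BdsDxe message shapes that appear in the console log above.
BDS = re.compile(
    r'BdsDxe: (?P<event>loading|failed to load) (?P<option>Boot[0-9A-Fa-f]{4}) '
    r'"(?P<desc>[^"]*)" from (?P<path>.+?)(?:: (?P<status>[A-Za-z ]+))?$'
)

# Constructed samples modelled on the log in this thread (not real captures).
SAMPLE_DENIED = (
    '^[[2J^[[01;01H^[[=3hBdsDxe: loading Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x3,0x0)\n'
    'BdsDxe: failed to load Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x3,0x0): Access Denied\n'
    'BdsDxe: No bootable option or device was found.\n'
)
SAMPLE_OTHER = (
    '\x1b[2JBdsDxe: failed to load Boot0002 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x4,0x0): Not Found\n'
)


def parse_bds(log):
    """Return one dict per BdsDxe load event, with escape sequences stripped."""
    events = []
    for raw in log.splitlines():
        match = BDS.search(ANSI.sub("", raw).strip())
        if match:
            events.append(match.groupdict())
    return events


def triage(log):
    """Classify why a UEFI guest never handed off to a boot loader."""
    failed = [e for e in parse_bds(log) if e["event"] == "failed to load"]
    if any(e["status"] == "Access Denied" for e in failed):
        # UEFI LoadImage() returns EFI_ACCESS_DENIED when platform policy,
        # such as Secure Boot image verification, prohibits loading the image.
        return "secure-boot-rejected"
    if failed:
        return "load-failed-other"
    if "No bootable option or device was found" in log:
        return "no-boot-option"
    return "no-firmware-failure"


if __name__ == "__main__":
    print(triage(SAMPLE_DENIED), triage(SAMPLE_OTHER))
```

A `secure-boot-rejected` result points at the signed boot chain (shim version, firmware db/dbx contents) rather than at the test harness, which is the direction the rest of this thread takes.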

@LorbusChris
Member

Not sure if related, but SCOS still pulls this ancient version of shim from the C9S repos:

Earliest changed package: shim-x64-15-15.el8_2.x86_64 at 2020-08-01 01:55:42 UTC

@dustymabe
Member

There may be something to this. I built with shim-x64-15.6-1.el9.x86_64.rpm from internal RHEL repos and it gets past the Access Denied. I wonder if the dbx in qemu in F38 (current COSA is based on F38) denies the older stuff from CentOS (similar to coreos/fedora-coreos-tracker#1452).

@dustymabe
Member

I opened this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2213901

Let's see if that leads us anywhere.

@travier
Member Author

travier commented Jun 12, 2023

The old shim from RHEL 8 is "expected": https://bugzilla.redhat.com/show_bug.cgi?id=2115815

@dustymabe
Member

Talked to bstinson, he said they would take care of it. We'll wait on that before enabling signing for c9s.

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 11, 2023
@dustymabe dustymabe removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 11, 2023
@JanGutter

I'm not 100% sure it's related, but I found out that I can't do secureboot in VMs in CentOS 9 Stream with the current edk2-ovmf firmware. There's a workaround available by installing the rpm from Rocky Linux, but the problem could definitely be elsewhere. I filed a bug on https://issues.redhat.com/browse/RHEL-11768

@travier
Member Author

travier commented Oct 5, 2023

/remove-lifecycle stale
/lifecycle frozen

@openshift-ci openshift-ci bot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Oct 5, 2023
@LorbusChris
Member

travier added a commit to travier/os that referenced this issue Feb 26, 2024
…tream

Until openshift#1237 is resolved, we need
to skip Secure Boot tests for CentOS Stream based variants.

As we now use CentOS Stream packages for other variants than the `scos`
one for pre-testing, we cannot rely on the variant name and instead
have to look at the list of included packages to differentiate between
RHEL and CentOS Stream based builds.
travier added a commit to travier/os that referenced this issue Apr 17, 2024
Update kola denylist with the new tests names.

See: openshift#1237
See: coreos/coreos-assembler#3652