@seankingyang seankingyang commented Jul 4, 2025

WARNING: This modifies com.canonical.certification::sru-server

Description

Current secure boot testing only validates enabled states, missing checkpoints when systems have secure boot disabled. This can allow systems to pass certification with configurations that don't match manifest expectations.

1. Dual Job Coverage

  • secure-boot-enabled: Validates when manifest.has_secure_boot == 'True'
  • secure-boot-disabled: Validates when manifest.has_secure_boot != 'True'

2. Enhanced Detection

  • UEFI Systems: Detects /sys/firmware/efi/ path, uses mokutil
  • FIT Image Systems: Falls back to dumpimage for image signature analysis
  • Automatic Selection: Script chooses appropriate method automatically

Files Modified

  • providers/base/units/miscellanea/jobs.pxu - Job definitions
  • providers/base/bin/check_secure_boot_state.py - Script improvements
  • Test plans - Added job references

Usage

# Manual script usage
check_secure_boot_state.py --enable --verbose
check_secure_boot_state.py --disabled --verbose

# checkbox
checkbox-cli run com.canonical.certification::miscellanea/secure-boot-enabled
checkbox-cli run com.canonical.certification::miscellanea/secure-boot-disabled

Resolved issues

Documentation

https://warthogs.atlassian.net/browse/OEMQA-6211

Tests

Testing on My Laptop: Ubuntu 22.04 Desktop Image with Secure Boot Enabled

  • Add the manifest on it, and copy the base’s unit and bin folder provider to /usr/lib|share/checkbox-provider/.
  • Add the manifest to test it (with has_secure_boot set to True and to False).
{
  "com.canonical.certification::has_secure_boot": True
}
  • Run the command: checkbox-cli run com.canonical.certification::miscellanea/secure-boot-enabled com.canonical.certification::miscellanea/secure-boot-disabled
  • The result shows the manifest is set to True and matches my laptop's secure boot settings:
==============[ Running job 2 / 3. Estimated time left: 0:00:01 ]===============
-------[ Verify secure boot is enabled when manifest indicates support ]--------
ID: com.canonical.certification::miscellanea/secure-boot-enabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Classic via hostnamectl
Initialized UEFISecureBootChecker with hostfs_prefix='', ubuntu_variant='UbuntuVariant.CLASSIC'
Running mokutil --sb-state
mokutil reports secure boot enabled
=== Secure Boot State Check ===
Checker: UEFI (mokutil)
Current state: enabled
PASS: Secure boot is enabled
------------------------------------------------------------------------- >8 ---
Outcome: job passed
==============[ Running job 3 / 3. Estimated time left: 0:00:00 ]===============
-----[ Verify secure boot is disabled when manifest indicates no support ]------
ID: com.canonical.certification::miscellanea/secure-boot-disabled
Category: com.canonical.plainbox::miscellanea
Job cannot be started because:
 - resource expression "manifest.has_secure_boot == 'False'" evaluates to false
Outcome: job cannot be started
  • If I set an incorrect manifest that differs from my Secure Boot settings, or do not set it, the result will be:
{
  "com.canonical.certification::has_secure_boot": False
}
==============[ Running job 2 / 3. Estimated time left: 0:00:01 ]===============
-------[ Verify secure boot is enabled when manifest indicates support ]--------
ID: com.canonical.certification::miscellanea/secure-boot-enabled
Category: com.canonical.plainbox::miscellanea
Job cannot be started because:
 - resource expression "manifest.has_secure_boot == 'True'" evaluates to false
Outcome: job cannot be started
==============[ Running job 3 / 3. Estimated time left: 0:00:00 ]===============
-----[ Verify secure boot is disabled when manifest indicates no support ]------
ID: com.canonical.certification::miscellanea/secure-boot-disabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Classic via hostnamectl
Initialized UEFISecureBootChecker with hostfs_prefix='', ubuntu_variant='UbuntuVariant.CLASSIC'
Running mokutil --sb-state
mokutil reports secure boot enabled
=== Secure Boot State Check ===
Checker: UEFI (mokutil)
Current state: enabled
FAIL: Secure boot is not disabled (current state: SecureBootState.ENABLED)
------------------------------------------------------------------------- >8 ---
Outcome: job failed

Testing on Baoshan: UC 22 Image with Secure Boot Disabled (UBOOT + UKI image with UEFI)

  • To test sideload functionality, remove the manifest requirement (sideloading cannot test the manifest setting).
  • Run the command: checkbox-baoshan.checkbox-cli run com.canonical.certification::miscellanea/secure-boot-enabled com.canonical.certification::miscellanea/secure-boot-disabled
  • If the manifest works, the test for Verify secure boot is enabled when manifest indicates support will be skipped. It will run now since the manifest requirement is removed.
===========================[ Running Selected Jobs ]============================
==============[ Running job 1 / 2. Estimated time left: 0:00:01 ]===============
-------[ Verify secure boot is enabled when manifest indicates support ]--------
ID: com.canonical.certification::miscellanea/secure-boot-enabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Core via hostnamectl
Initialized UEFISecureBootChecker with hostfs_prefix='/var/lib/snapd/hostfs', ubuntu_variant='UbuntuVariant.CORE'
Running mokutil --sb-state
mokutil reports secure boot disabled
=== Secure Boot State Check ===
Checker: UEFI (mokutil)
Current state: disabled
FAIL: Secure boot is not enable (current state: SecureBootState.DISABLED)
------------------------------------------------------------------------- >8 ---
Outcome: job failed
==============[ Running job 2 / 2. Estimated time left: 0:00:00 ]===============
-----[ Verify secure boot is disabled when manifest indicates no support ]------
ID: com.canonical.certification::miscellanea/secure-boot-disabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Core via hostnamectl
Initialized UEFISecureBootChecker with hostfs_prefix='/var/lib/snapd/hostfs', ubuntu_variant='UbuntuVariant.CORE'
Running mokutil --sb-state
mokutil reports secure boot disabled
=== Secure Boot State Check ===
Checker: UEFI (mokutil)
Current state: disabled
PASS: Secure boot is disabled
------------------------------------------------------------------------- >8 ---
Outcome: job passed

Testing on Baoshan: Ubuntu 22 Image with Secure Boot Enabled

  • To test sideload functionality, remove the manifest requirement (sideloading cannot test the manifest setting).
  • Run the command: checkbox-baoshan.checkbox-cli run com.canonical.certification::miscellanea/secure-boot-enabled com.canonical.certification::miscellanea/secure-boot-disabled
  • If the manifest works, the test for Verify secure boot is disabled when manifest indicates no support will be skipped. It will run now since the manifest requirement is removed.
===========================[ Running Selected Jobs ]============================
==============[ Running job 1 / 2. Estimated time left: 0:00:01 ]===============
-------[ Verify secure boot is enabled when manifest indicates support ]--------
ID: com.canonical.certification::miscellanea/secure-boot-enabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Classic via hostnamectl
Initialized UEFISecureBootChecker with hostfs_prefix='/var/lib/snapd/hostfs', ubuntu_variant='UbuntuVariant.CLASSIC'
Running mokutil --sb-state
mokutil reports secure boot enabled
=== Secure Boot State Check ===
Checker: UEFI (mokutil)
Current state: enabled
PASS: Secure boot is enabled
------------------------------------------------------------------------- >8 ---
Outcome: job passed
==============[ Running job 2 / 2. Estimated time left: 0:00:00 ]===============
-----[ Verify secure boot is disabled when manifest indicates no support ]------
ID: com.canonical.certification::miscellanea/secure-boot-disabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Classic via hostnamectl
Initialized UEFISecureBootChecker with hostfs_prefix='/var/lib/snapd/hostfs', ubuntu_variant='UbuntuVariant.CLASSIC'
Running mokutil --sb-state
mokutil reports secure boot enabled
=== Secure Boot State Check ===
Checker: UEFI (mokutil)
Current state: enabled
FAIL: Secure boot is not disabled (current state: SecureBootState.ENABLED)
------------------------------------------------------------------------- >8 ---
Outcome: job failed
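
The flow the description above outlines (pick UEFI or FIT detection, read the state, compare it with what the manifest declares), as an added example that is not the PR's check_secure_boot_state.py. The function names, the `root` parameter and the sample tool output are constructed for illustration, and treating a `Sign value:` line other than "unavailable" in a `dumpimage -l` listing as "signed" is an assumption.

```python
import enum
import os
import re
import tempfile


class SecureBootState(enum.Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    UNKNOWN = "unknown"


# Constructed sample resembling a `dumpimage -l` listing of a signed FIT image.
SAMPLE_FIT_SIGNED = """\
FIT description: constructed sample
 Image 0 (kernel-1)
  Hash algo:    sha256
  Hash value:   0123abcd
 Configuration 0 (conf-1)
  Sign algo:    sha256,rsa2048:dev
  Sign value:   89ef4567
"""


def select_checker(root="/"):
    """Return "uefi" when <root>/sys/firmware/efi exists, otherwise "fit".

    `root` is a hypothetical parameter so the choice can be exercised
    against a fake directory tree instead of the running system.
    """
    efi_dir = os.path.join(root, "sys/firmware/efi")
    return "uefi" if os.path.isdir(efi_dir) else "fit"


def parse_mokutil(output):
    """Map the text printed by `mokutil --sb-state` to a state."""
    match = re.search(r"^SecureBoot\s+(enabled|disabled)\s*$", output, re.M | re.I)
    if not match:
        # Anything unrecognised (errors, unsupported firmware) stays UNKNOWN.
        return SecureBootState.UNKNOWN
    return SecureBootState(match.group(1).lower())


def parse_dumpimage(listing):
    """Map a `dumpimage -l` listing to a state (assumed signature heuristic)."""
    if not listing.strip():
        return SecureBootState.UNKNOWN  # the tool produced nothing usable
    values = re.findall(r"^\s*Sign value:\s*(\S+)", listing, re.M)
    signed = any(value.lower() != "unavailable" for value in values)
    return SecureBootState.ENABLED if signed else SecureBootState.DISABLED


def evaluate(expected, actual):
    """Pass only on an exact match, so UNKNOWN fails both jobs."""
    passed = actual == expected
    verdict = "PASS" if passed else "FAIL"
    message = "{}: expected {}, detected {}".format(
        verdict, expected.value, actual.value
    )
    return passed, message


def check(expected, tool_output, root="/"):
    """Select the checker for `root`, parse its output, compare to `expected`."""
    checker = select_checker(root)
    parse = parse_mokutil if checker == "uefi" else parse_dumpimage
    passed, message = evaluate(expected, parse(tool_output))
    return checker, passed, message


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as fake_root:
        # No EFI directory yet: the FIT path is chosen.
        print(check(SecureBootState.ENABLED, SAMPLE_FIT_SIGNED, fake_root))
        # With the EFI directory present, the mokutil path is chosen.
        os.makedirs(os.path.join(fake_root, "sys/firmware/efi"))
        print(check(SecureBootState.DISABLED, "SecureBoot enabled\n", fake_root))
```

A signature in the FIT listing shows that the image carries one; it does not by itself show that the bootloader enforces verification.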

codecov bot commented Jul 4, 2025

Codecov Report

❌ Patch coverage is 98.77676% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.16%. Comparing base (e44d8a3) to head (349d87f).

Files with missing lines | Patch % | Lines
providers/base/bin/check_secure_boot_state.py | 98.77% | 1 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1998      +/-   ##
==========================================
+ Coverage   52.84%   53.16%   +0.31%     
==========================================
  Files         395      396       +1     
  Lines       42623    42941     +318     
  Branches     7902     7970      +68     
==========================================
+ Hits        22526    22831     +305     
- Misses      19295    19305      +10     
- Partials      802      805       +3     
Flag | Coverage Δ
provider-base | 30.70% <98.77%> (+1.37%) ⬆️
provider-certification-client | 57.14% <ø> (ø)

@seankingyang seankingyang changed the title Secure boot state checking for Classic and Core nomatter if the enable or disable Secure boot state checking for Classic and Core nomatter if the enable or disable (New) Jul 4, 2025
@seankingyang seankingyang marked this pull request as ready for review July 9, 2025 06:49
@rickwu666666

I've tried with my project, which is ARM64/secure boot enabled/FIT image/ubuntu core20, and everything works as expected.
pass result:

==============[ Running job 2 / 3. Estimated time left: 0:00:01 ]===============
-------[ Verify secure boot is enabled when manifest indicates support ]--------
ID: com.canonical.certification::miscellanea/secure-boot-enabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Core via hostnamectl
Initialized FITImageSecureBootChecker with hostfs_prefix='/var/lib/snapd/hostfs', ubuntu_variant='UbuntuVariant.CORE'
Detected Ubuntu variant: UbuntuVariant.CORE
Running in snap environment, using hostfs prefix: /var/lib/snapd/hostfs
No boot kernel found in common locations: ['/boot/vmlinuz', '/boot/vmlinuz-5.4.0-1079-shiner-devel', '/boot/kernel.img', '/boot/Image']
Search patterns (hostfs prioritized): ['/var/lib/snapd/hostfs/snap/*/current/kernel.img', '/var/lib/snapd/hostfs/snap/*/*/kernel.img', '/var/lib/snapd/hostfs/var/lib/snapd/seed/systems/*/kernel/kernel.img', '/var/lib/snapd/hostfs/run/mnt/ubuntu-boot/uboot/ubuntu/*/kernel.img', '/var/lib/snapd/hostfs/boot/uboot/*/kernel.img', '/snap/*/current/kernel.img', '/snap/*/*/kernel.img', '/var/lib/snapd/seed/systems/*/kernel/kernel.img', '/run/mnt/ubuntu-boot/uboot/ubuntu/*/kernel.img', '/boot/uboot/*/kernel.img']
Using snap kernel: /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img
Checking image: /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img
Checking signature of image: /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img
Image /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img is signed
Image /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img is signed
=== Secure Boot State Check ===
Checker: FIT Image (dumpimage)
Current state: enabled
PASS: Secure boot is enabled
------------------------------------------------------------------------- >8 ---
Outcome: job passed
==============[ Running job 3 / 3. Estimated time left: 0:00:00 ]===============
-----[ Verify secure boot is disabled when manifest indicates no support ]------
ID: com.canonical.certification::miscellanea/secure-boot-disabled
Category: com.canonical.plainbox::miscellanea
Job cannot be started because:
 - resource expression "manifest.has_secure_boot == 'False'" evaluates to false
Outcome: job cannot be started

fail result

==============[ Running job 2 / 3. Estimated time left: 0:00:01 ]===============
-------[ Verify secure boot is enabled when manifest indicates support ]--------
ID: com.canonical.certification::miscellanea/secure-boot-enabled
Category: com.canonical.plainbox::miscellanea
Job cannot be started because:
 - resource expression "manifest.has_secure_boot == 'True'" evaluates to false
Outcome: job cannot be started
==============[ Running job 3 / 3. Estimated time left: 0:00:00 ]===============
-----[ Verify secure boot is disabled when manifest indicates no support ]------
ID: com.canonical.certification::miscellanea/secure-boot-disabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Core via hostnamectl
Initialized FITImageSecureBootChecker with hostfs_prefix='/var/lib/snapd/hostfs', ubuntu_variant='UbuntuVariant.CORE'
Detected Ubuntu variant: UbuntuVariant.CORE
Running in snap environment, using hostfs prefix: /var/lib/snapd/hostfs
No boot kernel found in common locations: ['/boot/vmlinuz', '/boot/vmlinuz-5.4.0-1079-shiner-devel', '/boot/kernel.img', '/boot/Image']
Search patterns (hostfs prioritized): ['/var/lib/snapd/hostfs/snap/*/current/kernel.img', '/var/lib/snapd/hostfs/snap/*/*/kernel.img', '/var/lib/snapd/hostfs/var/lib/snapd/seed/systems/*/kernel/kernel.img', '/var/lib/snapd/hostfs/run/mnt/ubuntu-boot/uboot/ubuntu/*/kernel.img', '/var/lib/snapd/hostfs/boot/uboot/*/kernel.img', '/snap/*/current/kernel.img', '/snap/*/*/kernel.img', '/var/lib/snapd/seed/systems/*/kernel/kernel.img', '/run/mnt/ubuntu-boot/uboot/ubuntu/*/kernel.img', '/boot/uboot/*/kernel.img']
Using snap kernel: /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img
Checking image: /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img
Checking signature of image: /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img
Image /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img is signed
Image /var/lib/snapd/hostfs/snap/hbt-imx-kernel/current/kernel.img is signed
=== Secure Boot State Check ===
Checker: FIT Image (dumpimage)
Current state: enabled
FAIL: Secure boot is not disabled (current state: SecureBootState.ENABLED)
------------------------------------------------------------------------- >8 ---
Outcome: job failed

rickwu666666 previously approved these changes Jul 10, 2025

LGTM

@tomli380576 tomli380576 left a comment

lgtm overall just small things that can help simplify enum usage

Co-authored-by: Zhongning Li <60045212+tomli380576@users.noreply.github.com>
@zongminl zongminl changed the title Secure boot state checking for Classic and Core nomatter if the enable or disable (New) Secure boot state checking for Classic and Core no matter if the enable or disable (New) Jul 25, 2025
@rickwu666666

Tried with a uc24/arm64/secure boot enabled platform, and the test results were as expected.

pass result

==============[ Running job 2 / 3. Estimated time left: 0:00:01 ]===============
-------[ Verify secure boot is enabled when manifest indicates support ]--------
ID: com.canonical.certification::miscellanea/secure-boot-enabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Core via hostnamectl
Initialized FITImageSecureBootChecker with hostfs_prefix='/var/lib/snapd/hostfs', ubuntu_variant='UbuntuVariant.CORE'
Detected Ubuntu variant: UbuntuVariant.CORE
Running in snap environment, using hostfs prefix: /var/lib/snapd/hostfs
No boot kernel found in common locations: ['/boot/vmlinuz', '/boot/vmlinuz-6.8.0-1007-renesas', '/boot/kernel.img', '/boot/Image']
Search patterns (hostfs prioritized): ['/var/lib/snapd/hostfs/snap/*/current/kernel.img', '/var/lib/snapd/hostfs/snap/*/*/kernel.img', '/var/lib/snapd/hostfs/var/lib/snapd/seed/systems/*/kernel/kernel.img', '/var/lib/snapd/hostfs/run/mnt/ubuntu-boot/uboot/ubuntu/*/kernel.img', '/var/lib/snapd/hostfs/boot/uboot/*/kernel.img', '/snap/*/current/kernel.img', '/snap/*/*/kernel.img', '/var/lib/snapd/seed/systems/*/kernel/kernel.img', '/run/mnt/ubuntu-boot/uboot/ubuntu/*/kernel.img', '/boot/uboot/*/kernel.img']
Using snap kernel: /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img
Checking image: /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img
Checking signature of image: /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img
Image /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img is signed
Image /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img is signed
=== Secure Boot State Check ===
Checker: FIT Image (dumpimage)
Current state: enabled
PASS: Secure boot is enabled
------------------------------------------------------------------------- >8 ---
Outcome: job passed
==============[ Running job 3 / 3. Estimated time left: 0:00:00 ]===============
-----[ Verify secure boot is disabled when manifest indicates no support ]------
ID: com.canonical.certification::miscellanea/secure-boot-disabled
Category: com.canonical.plainbox::miscellanea
Job cannot be started because:
 - resource expression "manifest.has_secure_boot == 'False'" evaluates to false
Outcome: job cannot be started

Failed result

==============[ Running job 2 / 3. Estimated time left: 0:00:01 ]===============
-------[ Verify secure boot is enabled when manifest indicates support ]--------
ID: com.canonical.certification::miscellanea/secure-boot-enabled
Category: com.canonical.plainbox::miscellanea
Job cannot be started because:
 - resource expression "manifest.has_secure_boot == 'True'" evaluates to false
Outcome: job cannot be started
==============[ Running job 3 / 3. Estimated time left: 0:00:00 ]===============
-----[ Verify secure boot is disabled when manifest indicates no support ]------
ID: com.canonical.certification::miscellanea/secure-boot-disabled
Category: com.canonical.plainbox::miscellanea
... 8< -------------------------------------------------------------------------
Detected Ubuntu Core via hostnamectl
Initialized FITImageSecureBootChecker with hostfs_prefix='/var/lib/snapd/hostfs', ubuntu_variant='UbuntuVariant.CORE'
Detected Ubuntu variant: UbuntuVariant.CORE
Running in snap environment, using hostfs prefix: /var/lib/snapd/hostfs
No boot kernel found in common locations: ['/boot/vmlinuz', '/boot/vmlinuz-6.8.0-1007-renesas', '/boot/kernel.img', '/boot/Image']
Search patterns (hostfs prioritized): ['/var/lib/snapd/hostfs/snap/*/current/kernel.img', '/var/lib/snapd/hostfs/snap/*/*/kernel.img', '/var/lib/snapd/hostfs/var/lib/snapd/seed/systems/*/kernel/kernel.img', '/var/lib/snapd/hostfs/run/mnt/ubuntu-boot/uboot/ubuntu/*/kernel.img', '/var/lib/snapd/hostfs/boot/uboot/*/kernel.img', '/snap/*/current/kernel.img', '/snap/*/*/kernel.img', '/var/lib/snapd/seed/systems/*/kernel/kernel.img', '/run/mnt/ubuntu-boot/uboot/ubuntu/*/kernel.img', '/boot/uboot/*/kernel.img']
Using snap kernel: /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img
Checking image: /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img
Checking signature of image: /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img
Image /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img is signed
Image /var/lib/snapd/hostfs/snap/renesas-kernel/current/kernel.img is signed
=== Secure Boot State Check ===
Checker: FIT Image (dumpimage)
Current state: enabled
FAIL: Secure boot is not disabled (current state: SecureBootState.ENABLED)
------------------------------------------------------------------------- >8 ---
Outcome: job failed

rickwu666666 previously approved these changes Sep 16, 2025

LGTM

@rickwu666666 rickwu666666 left a comment

LGTM

@pieqq pieqq self-assigned this Jan 23, 2026
@pieqq pieqq requested review from Copilot and removed request for LiaoU3 January 23, 2026 08:57
Copilot AI left a comment

Pull request overview

This PR introduces comprehensive secure boot state checking for both Ubuntu Classic and Core systems, validating both enabled and disabled states against manifest expectations. The implementation adds dual job coverage to prevent certification mismatches where systems might pass despite incorrect secure boot configurations.

Changes:

  • Added two new secure boot validation jobs (secure-boot-enabled and secure-boot-disabled) that check against manifest expectations
  • Enhanced secure boot detection with automatic fallback from UEFI (mokutil) to FIT image (dumpimage) methods
  • Created comprehensive test coverage (1438 lines) for the new secure boot checking functionality

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

File | Description
providers/certification-client/units/client-cert-iot-ubuntucore-24.pxu | Added secure-boot-enabled and secure-boot-disabled job references to Ubuntu Core 24 test plan
providers/certification-client/units/client-cert-iot-server-24-04.pxu | Added secure-boot-enabled and secure-boot-disabled job references to IoT Server 24.04 test plan
providers/certification-client/units/client-cert-iot-desktop-24-04.pxu | Added secure-boot-enabled and secure-boot-disabled job references to IoT Desktop 24.04 test plan
providers/base/units/miscellanea/test-plan.pxu | Added both new secure boot jobs to base miscellanea test plan with blocker certification status
providers/base/units/miscellanea/jobs.pxu | Defined two new shell jobs for validating secure boot enabled/disabled states with manifest-based requirements
providers/base/tests/test_check_secure_boot_state.py | Added comprehensive unit test suite covering all classes, methods, and edge cases for secure boot state checking

The test automatically detects and uses the appropriate checking method:
- UEFI-based secure boot using mokutil
- FIT image-based secure boot using dumpimage

Copilot AI Jan 23, 2026

Trailing whitespace at the end of the file. Remove the unnecessary whitespace on line 675.

@pieqq pieqq left a comment

Thanks for this PR. I especially appreciate the explanations and the tests run (so this extends to @rickwu666666, thanks for testing on your project!)

I got a recent certificate request for a project where the secure_boot_mode_* was failing, and suggesting to use this instead, so I had a look.

One actionable request is: since the word disabled is used when running the command, could the opposite be enabled and not enable to be more symmetrical?

I have a few questions:

  • Does this come in addition to the secure_boot_mode_* job, or to replace it?
  • Is it intended only for IoT projects?

I had a look at the code as well. To be honest I'm worried about PRs that add thousands of lines of code. Some parts are re-inventing the wheel (like all the helper functions to log things, or the implementation of a timeout), some don't follow the guidance in place for python tests...

I understand the need to have better secure boot checks, but I'm sure this can be done in a more simple way. Could you revisit this?
