Shim 15.3 for ZeronsoftN #140

Closed
8 tasks done
joseph-zeronsoftn opened this issue Mar 26, 2021 · 4 comments

Comments

joseph-zeronsoftn commented Mar 26, 2021

Make sure you have provided the following information:

What organization or people are asking to have this signed:
ZeronsoftN Inc
What product or service is this for:
ZeroUp & ZeroCle
Please create your shim binaries starting with the 15.3 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.3/shim-15.3.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.3 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.
Yes

https://github.com/zeronsoftn/shim-builder/tree/zeron/15.3-0

What's the justification that this really does need to be signed for the whole world to be able to boot it:
ZeroUp is a system recovery solution. Before booting, it should be possible to enter recovery mode (via GRUB).

ZeroCle is a disk sanitization solution; booting into Linux is required to sanitize the disk.
How do you manage and protect the keys used in your SHIM?
It is managed through SafeNet's HSM Token.
Do you use EV certificates as embedded certificates in the SHIM?
No
If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
None
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if your boot chain includes a Linux kernel ?
Yes, we use alpine kernel-lts (5.10.25).
if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?
We will use `grub2_2.06~rc1`.
"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim

SHIM :

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.zeronsoftn,1,ZeronsoftN,shim,15.3,https://github.com/zeronsoftn/shim-builder/tree/zeron/15.3-0

GRUB

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06rc1,https://www.gnu.org/software/grub/
grub.zeronsoftn,1,ZeronsoftN,grub2,grub2_2.06rc1-1zeron01,https://github.com/zeronsoftn/grub2
Were your old SHIM hashes provided to Microsoft ?
We haven't used shims before.
Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?
We will use `grub2_2.06~rc1`.
What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
Upstream grub2
What is the origin and full version number of your bootloader (GRUB or other)?
grub2_2.06~rc1 (https://github.com/zeronsoftn/grub2/commit/a53e530f8ad3770c3b03c208c08ae4162f68e3b1, a53e530)
If your SHIM launches any other components, please provide further details on what is launched

No

If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown

None

If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.
We will change the certificate in case of problems in the future.
How do the launched components prevent execution of unauthenticated code?
Make an image with check_signatures enabled, using grub-mkstandalone.
All files, such as settings, must be signed with the gpg key to be read.
Also, only kernels signed through Secure Boot will work.
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
No
What kernel are you using? Which patches does it include to enforce Secure Boot?
Alpine Linux v3.13 LTS Kernel (Kernel version is 5.10.25)
Yes.
What changes were made since your SHIM was last signed?

(None)

What is the SHA256 hash of your final SHIM binary?
8d7032297ad5c64c94bc46f74eb5633ee75538793a111c18ed615eed1243d745  shimaa64.efi
906ab13a56c3d9f2fae07d8755aaf2a0b17f4f8ad72dc0244c7185468d6f05ba  shimia32.efi
c160ecfaf4431dad90bb9fa7e68263b6385a020704d0f7f08aa80012debb9af8  shimx64.efi

How to reproduce the build:

```
$ git clone -b zeron/15.3-0 https://github.com/zeronsoftn/shim-builder.git
$ cd shim-builder
$ ./build.sh
$ sha256sum review/*.efi
8d7032297ad5c64c94bc46f74eb5633ee75538793a111c18ed615eed1243d745  review/shimaa64.efi
906ab13a56c3d9f2fae07d8755aaf2a0b17f4f8ad72dc0244c7185468d6f05ba  review/shimia32.efi
c160ecfaf4431dad90bb9fa7e68263b6385a020704d0f7f08aa80012debb9af8  review/shimx64.efi
```
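As an added example (not code from the shim project or from this submission), the SBAT entries posted above parsed and checked the way shim's SBAT revocation mechanism works: each `component_name,component_generation` pair in a binary's `.sbat` section is compared against a minimum-generation list, and the binary is rejected when any listed component's generation is below the minimum. The minimum-generation dicts used in the checks are assumptions for illustration, not a real revocation list.

```python
"""Parse SBAT CSV entries and apply shim's generation-based revocation check.
Added example; not code from the shim project or from this submission."""
import csv
from io import StringIO

# Sample input: the SHIM and GRUB entries posted in the submission above.
SBAT_SHIM = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.zeronsoftn,1,ZeronsoftN,shim,15.3,https://github.com/zeronsoftn/shim-builder/tree/zeron/15.3-0
"""
SBAT_GRUB = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06rc1,https://www.gnu.org/software/grub/
grub.zeronsoftn,1,ZeronsoftN,grub2,grub2_2.06rc1-1zeron01,https://github.com/zeronsoftn/grub2
"""

FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(text):
    """Return one dict per SBAT line; raise ValueError on malformed input."""
    entries = []
    for lineno, row in enumerate(csv.reader(StringIO(text)), start=1):
        if not row:
            continue  # tolerate blank lines
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(row)}")
        entry = dict(zip(FIELDS, row))
        if not entry["component_generation"].isdigit():
            raise ValueError(f"line {lineno}: generation must be a non-negative integer")
        entry["component_generation"] = int(entry["component_generation"])
        entries.append(entry)
    if not entries or entries[0]["component_name"] != "sbat":
        raise ValueError("first entry must be the 'sbat' header line")
    return entries


def sbat_allows(entries, min_generations):
    """Mimic shim's check: min_generations maps component_name -> minimum
    accepted generation (the revocation list).  The binary is rejected if
    any of its components is listed with a generation below that minimum.
    Returns (ok, reasons)."""
    reasons = []
    for e in entries:
        required = min_generations.get(e["component_name"])
        if required is not None and e["component_generation"] < required:
            reasons.append(f"{e['component_name']} generation "
                           f"{e['component_generation']} is below required {required}")
    return (not reasons, reasons)
```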
@aburmash
Contributor

Hello!

  • Your SBAT entry contains Miray software grub github link
    grub.zeronsoftn,1,ZeronsoftN,grub2,grub2_2.04-1ubuntu28,https://github.com/MiraySoftware/grub2

  • Could you please provide more information on the grub version chosen?
    As far as I can see, grub2_2.04-1ubuntu28 was released on 12th of August 2020.
    It obviously does not have the CVE fixes that went live on 2nd March 2021.
    On top of that, it does not have SBAT functionality at all:
    https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu28

  • You have that in the README, but not in the template; I think you should clearly state that 3.13 is not the kernel version, but the Alpine Linux version.

@joseph-zeronsoftn
Author

Thank you for the review.
There was a mistake for grub. Content has been modified.
Also added Kernel Version.

@aburmash
Contributor

aburmash commented Mar 31, 2021

Hello!
There was an issue detected with 15.3 so please resubmit with 15.4 release.

Also please provide the exact source of grub2 you are going to be using. Is grub2_2.06~rc1 == upstream source ?
If yes, please provide the exact method of building it, since, as far as I remember, you need to set a specific set of verifiers.

Anyway, since you are not using an established trusted source of grub2 ( RHEL/Fedora/Canonical/Debian/SUSE/etc), it would be better if you can provide exact sources of grub2 used + build scripts that you use to actually build it.
Any exact references you can provide will help a lot.

I see:

> What changes were made since your SHIM was last signed? (None)

There are no changes, or this is your first submission ? If this is NOT a first submission, you can reference the previous one, so we can refer to it if needed. Typically all new vendors go through a detailed review on their first submission.

@joseph-zeronsoftn
Author

Updated with 15.4
#147
