shim-15.5 for Isoo (2022-03-11) #229
Comments
|
#202 was not accepted, any review needs to read the backlog in there and figure out if the issues there were resolved. |
|
That's not what I wrote. I wrote that reviewers will have to check that the open issues raised there were resolved in this submission. Please do not interact when not asked a question. |
|
Disclaimer: I am not an authorized reviewer but review other shims to reduce the workload of the authorized reviewers and speed up the process for everyone. Review was conducted in accordance to the reviewer guidelines (https://github.com/rhboot/shim/wiki/reviewer-guidelines)
Looks okay apart from the issues with reproducibility and the secure storage of keys. The authorized reviewers will have to decide about the second aspect. |
haobinnan
changed the title
|
Yes, the sha256 checksums is indeed different, because the related codes in the docker environment changed. I just built it again and got the same result as yours. So I updated the "issues". Could you please have a check of the newly updated one? Thank you! |
|
I can confirm that the updated efi files and checksums now match the ones built via the Dockerfile. That leaves the part regarding HSM and secure key storage for an authorized reviewer. |
|
It has been more than half a year since #202. I know all reviewers volunteer their time on this, but the shim I am currently using has bugs. So I submit the shim 15.5. I desperately hope the shim 15.5 can be reviewed soon. Thank you! |
|
In my opinion, the first step towards getting your shim reviewed faster should be to review the shim requests of other vendors so that the official reviewers have less work processing already peer-reviewed requests. That should speed up the process for all vendors. |
|
Can the submission be reviewed |
|
Can the submission be reviewed |
Make sure you have provided the following information:
https://github.com/haobinnan/shim-review/tree/isoo-shim-20220311
What organization or people are asking to have this signed:
What product or service is this for:
Please create your shim binaries starting with the 15.5 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.5/shim-15.5.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.5 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.
What's the justification that this really does need to be signed for the whole world to be able to boot it:
How do you manage and protect the keys used in your SHIM?
Do you use EV certificates as embedded certificates in the SHIM?
If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?
if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?
"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
Where your code is only slightly modified from an upstream vendor's, please also preserve their SBAT entries to simplify revocation
Were your old SHIM hashes provided to Microsoft ?
Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?
What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
Which modules are built into your signed grub image?
newc / memdisk / cpio / part_gpt / part_msdos / msdospart / ntfs / ntfscomp / fat / exfat / normal / chain / boot / configfile / linux / multiboot / png / all_video / search / blocklist / iso9660 / udf / minicmd / loopback / gfxmenu / gfxterm / reboot / romfs / procfs / sleep / ls / cat / echo / halt / test / probe / linux / cpuid / scsi / lsefi / lsefimmap / efifwsetup / efinet / backtrace / font / loadenv / syslinuxcfg / video
What is the origin and full version number of your bootloader (GRUB or other)?
If your SHIM launches any other components, please provide further details on what is launched
If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown
If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.
How do the launched components prevent execution of unauthenticated code?
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
What kernel are you using? Which patches does it includes to enforce Secure Boot?
What changes were made since your SHIM was last signed?
What is the SHA256 hash of your final SHIM binary?
The text was updated successfully, but these errors were encountered: