shim-15.6 for Isoo (2022-08-02) #246

Closed
8 tasks done
haobinnan opened this issue Jun 13, 2022 · 9 comments
Labels
accepted Submission is ready for sysdev

Comments

@haobinnan

haobinnan commented Jun 13, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/haobinnan/shim-review/tree/isoo-shim-20220802

What is the SHA256 hash of your final SHIM binary?

shimia32.efi.sha256sum: 5306c91274b4678e6ad76345904064a61cf4c79fa389b7e0a101904600ada68d
shimx64.efi.sha256sum: 787e59f2c49e0a7e0ab2f3748c4213b98e2445f2500b0bed4f158d9d3468ef62

@haobinnan
Author

My previously accepted SHIM:
#192

@tSU-RooT

tSU-RooT commented Aug 1, 2022

Disclaimer: I am not an authorized reviewer

Hi, I have checked the points below.

  • What was being reviewed?
    isoo-shim-20220613-3 currently points at the following commit:
commit ec41ae18be9d9af1b32e8304c61022d5d7eaacda (HEAD, tag: isoo-shim-20220613-3)
Author: haobinnan <haobinnan@gmail.com>
Date:   Mon Jun 13 19:59:51 2022 +0800

    SHIM review 2022-06-13-3
  • Reproducibility
    Build is reproducible from Debian bullseye.
    OK.
gcc: 10.2.1-6
binutils: 2.35.2-2

Each package is the latest version in Debian bullseye.

  • Content of certificate file
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:14:56:86:42:3d:7c:f2:f0:b5:da:98:00:9c:69:7a:a5:3a:d5:6c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Hebei, L = Qinhuangdao, O = "Isoo Software Development Co., Ltd.", CN = "Isoo Software Development Co., Ltd. CA"
        Validity
            Not Before: Jun 13 06:09:33 2022 GMT
            Not After : Jun 12 06:09:33 2052 GMT
        Subject: C = CN, ST = Hebei, L = Qinhuangdao, O = "Isoo Software Development Co., Ltd.", CN = "Isoo Software Development Co., Ltd. CA"
[snip]
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                91:15:9E:D0:80:50:82:C9:E6:DF:D8:D7:75:AE:45:2E:E8:24:17:B6
            X509v3 Authority Key Identifier: 
                91:15:9E:D0:80:50:82:C9:E6:DF:D8:D7:75:AE:45:2E:E8:24:17:B6
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Comment: 
                Isoo CA Certificate

Serial number:
Previous accepted(#192) SHIM's certificate: 3e:52:5c:d1:a8:53:ae:96:c4:27:f9:16:ed:79:3d:8a:25:17:38:f0
new CA certificate: 18:14:56:86:42:3d:7c:f2:f0:b5:da:98:00:9c:69:7a:a5:3a:d5:6c

Confirmed: switched to the new certificate.
NOTE: The new certificate has a 30-year lifetime. I'm not sure that's OK under the guidelines.

  • Private key management

Looks OK to me: the private key is stored in an HSM and restricted to use only during production builds.

  • Kernel patches

I think OK.
1957a85b0032a81e6482ca4aab883643b8dae06e was merged in 5.4
75b0cea7bf307f362057cc778efe89af4c615354 was merged in 5.8

eadb2f47a3ced5c64b23b90fd2a3463f63726066 is a fresh commit for 5.19
Linux 5.15.44 backported the kgdb lockdown commit.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/linux/security.h?id=v5.15.44

I have reviewed the source of 2.06-2ubuntu7, and I found an unfixed vulnerability from the June 7th 2022 grub2 CVE list.

For example, the CVE-2021-3695 fix "Drop greyscale support" is not patched on Ubuntu 22.04.
Ubuntu's official status of this CVE is 'Needs triage'.
https://ubuntu.com/security/CVE-2021-3695

Maybe waiting for Ubuntu's new release is reasonable.

@julian-klode julian-klode added the bug Problem with the review that must be fixed before it will be accepted label Aug 1, 2022
@julian-klode
Collaborator

This is very concerning, stating that the issues are fixed but then using Ubuntu's grub which does not have the bug fixes yet due to complex process issues. You want to make sure you have not signed any of the existing grubs with the key trusted in this shim, wait for a new grub to be made available on the Ubuntu side, and then update the submission.

@haobinnan haobinnan changed the title shim-15.6 for Isoo (2022-06-13) shim-15.6 for Isoo (2022-08-02) Aug 2, 2022
@haobinnan
Author

@julian-klode @tSU-RooT
I have replaced Ubuntu grub2 with Debian grub2, and Debian grub2 has fixed this vulnerability.

https://github.com/haobinnan/shim-review/tree/isoo-shim-20220802

@tSU-RooT

tSU-RooT commented Aug 3, 2022

I think Debian sid's grub is OK to pass.
2.06-3 back-ports the following fixes.

The SBAT component_generation has been increased to revoke the old grub binary.
https://salsa.debian.org/grub-team/grub/-/commit/589570fe0e0998aeeb9c31704bb3949f56ed1d75

Attention: Just in case, please make sure there is no harm in switching from Ubuntu's grub to Debian's grub.

Would someone (with authority) review this?
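
To make the SBAT revocation mechanism mentioned above concrete, here is an added example (not code from shim, grub, Debian or the submitter) of the generation comparison shim performs when it loads a second-stage binary: every `component_name,component_generation` row in the binary's `.sbat` section is compared against the SbatLevel policy, and the binary is refused when its generation for a named component is below the policy minimum. The row layout follows rhboot/shim's SBAT.md; the `.sbat` contents, version strings and policy date below are constructed for illustration and do not reproduce any real package's metadata.

```python
"""SBAT generation check, as shim applies it to the grub it loads.
Added illustration; not code from shim, grub or Debian.  Row layout follows
rhboot/shim's SBAT.md; the sample .sbat contents and policy below are
constructed and do not reproduce any real package's metadata."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component_name: str
    component_generation: int
    vendor_name: str = ""
    vendor_package_name: str = ""
    vendor_version: str = ""
    vendor_url: str = ""


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse CSV-style SBAT rows. Only the first two fields matter for
    revocation; the remaining four are informational and may be absent."""
    entries: list[SbatEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected name,generation[,...]: {raw!r}")
        try:
            generation = int(fields[1])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: non-integer generation {fields[1]!r}") from exc
        entries.append(SbatEntry(fields[0], generation, *fields[2:6]))
    return entries


def parse_policy(text: str) -> dict[str, int]:
    """SbatLevel policy rows are name,minimum_generation. Keep the highest
    minimum if a name is repeated."""
    policy: dict[str, int] = {}
    for entry in parse_sbat(text):
        policy[entry.component_name] = max(policy.get(entry.component_name, 0),
                                           entry.component_generation)
    return policy


def revoked_components(binary_sbat: str, policy_text: str) -> list[tuple[str, int, int]]:
    """Return (component, generation_in_binary, minimum_required) for every
    component the policy revokes. Components the policy does not name pass."""
    policy = parse_policy(policy_text)
    hits: list[tuple[str, int, int]] = []
    for entry in parse_sbat(binary_sbat):
        required = policy.get(entry.component_name)
        if required is not None and entry.component_generation < required:
            hits.append((entry.component_name, entry.component_generation, required))
    return hits


def is_revoked(binary_sbat: str, policy_text: str) -> bool:
    """True if the loader should refuse the binary: it carries no SBAT
    metadata at all, or one of its components is below the policy minimum."""
    if not parse_sbat(binary_sbat):
        return True
    return bool(revoked_components(binary_sbat, policy_text))


# Constructed sample data (illustrative values, not real package metadata).
SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
OLD_GRUB_SBAT = SBAT_HEADER + (
    "grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.debian,1,Debian,grub2,2.06-2,https://tracker.debian.org/pkg/grub2\n"
)
NEW_GRUB_SBAT = SBAT_HEADER + (
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.debian,2,Debian,grub2,2.06-3,https://tracker.debian.org/pkg/grub2\n"
)
# Policy raising the grub minimum to generation 2 (the date field is constructed).
POLICY = "sbat,1,2022060700\ngrub,2\n"

if __name__ == "__main__":
    for name, sbat in (("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT)):
        verdict = "REVOKED " + str(revoked_components(sbat, POLICY)) if is_revoked(sbat, POLICY) else "allowed"
        print(f"{name}: {verdict}")
```

To run the same comparison on a real binary, dump its section with `objcopy -O binary --only-section=.sbat grubx64.efi sbat.csv` and pass the file's text to `revoked_components` together with the policy text of the shim you intend to deploy. Note that a vendor-specific row such as `grub.debian` only matters once a policy names it; the generic `grub` row is what the shared SbatLevel revocations key on.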

@haobinnan
Author

> I think debian sid's grub is OK to pass. 2.06-3 is back-porting following fixes.
>
> SBAT had increased component_generation to revoke old grub binary. https://salsa.debian.org/grub-team/grub/-/commit/589570fe0e0998aeeb9c31704bb3949f56ed1d75
>
> Attention: Just in case, please make sure there is no harm switching ubuntu's grub to debian's grub.
>
> Would someone(has authority) review this?

thanks

@steve-mcintyre
Collaborator

steve-mcintyre commented Aug 8, 2022

Quick skim here:

  • build reproduces fine
  • very long CA cert duration, but meh
  • SBAT entries look ok
  • I'm happy that you're using Debian's grub 2.06-3 as a base
  • no shim patches, so fine there

You're good to go here.

@steve-mcintyre steve-mcintyre added accepted Submission is ready for sysdev and removed bug Problem with the review that must be fixed before it will be accepted labels Aug 8, 2022
@haobinnan
Author

Thank you very much for your quick response and review!

@julian-klode julian-klode added accepted Submission is ready for sysdev and removed accepted Submission is ready for sysdev labels Aug 9, 2022
@julian-klode
Collaborator

Steve you scared me for a bit because you wrote 2.06-2 :D
