
shim 15.8 for CentOS Stream 10 #454

Open
8 tasks done
bstinsonmhk opened this issue Nov 20, 2024 · 7 comments
Assignees: aronowski
Labels: 2 reviews needed (Needs 2 (additional) successful reviews before being accepted); Accredited review needed (Needs a successful review by an accredited reviewer); contacts verified OK (Contact verification is complete here (or in an earlier submission)); incomplete (This submission is missing required bits)

Comments

bstinsonmhk commented Nov 20, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/CentOS/shim-review/releases/tag/centos-stream-10-shim-x86-20250213

What is the SHA256 hash of your final SHIM binary?

1f79899df33ba605e65a2eb431cf23f48a2c3832cf2220f74eb295b469c4ba3d shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?

#399 (Abandoned)

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

Contact info was verified in #399

Other Comments

I plan to submit a new CentOS Stream 9 review after this one. To address some of the commentary in the previous review: we don't have plans to add additional sbat entries to grub2, so the entries listed in the review represent the current state.

@steve-mcintyre steve-mcintyre added the contacts verified OK Contact verification is complete here (or in an earlier submission) label Nov 25, 2024
steve-mcintyre (Collaborator) commented:

Contacts verified previously in #399

@steve-mcintyre steve-mcintyre added 2 reviews needed Needs 2 (additional) successful reviews before being accepted Accredited review needed Needs a successful review by an accredited reviewer labels Dec 3, 2024
steve-mcintyre (Collaborator) commented:

Please link to tags on your submissions here, not commit hashes

arrfab commented Jan 21, 2025

I see that @bstinsonmhk adjusted branch name and tag: https://github.com/CentOS/shim-review/releases/tag/centos-stream-10-shim-x86-20241120

Myself, I just rebuilt shim through the Dockerfile (with podman) and I confirm that checksums match:

STEP 20/20: RUN sha256sum ./usr/share/shim/15.8-3.el10.centos/x64/shimx64.efi /shimx64.efi
1f79899df33ba605e65a2eb431cf23f48a2c3832cf2220f74eb295b469c4ba3d  ./usr/share/shim/15.8-3.el10.centos/x64/shimx64.efi
1f79899df33ba605e65a2eb431cf23f48a2c3832cf2220f74eb295b469c4ba3d  /shimx64.efi
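The reproducibility check arrfab describes above (rebuild shim from the submission's Dockerfile, then compare the rebuilt binary's SHA-256 with the hash claimed in the issue body) is the core of what a reviewer does with a shim-review submission. The script below is an added example for this thread, not code from the thread, from rhboot/shim-review or from the CentOS repository. It parses `sha256sum` output in both text and binary-mode formats, refuses to silently skip lines that are not in that format (so a truncated build log cannot pass), reports every path whose digest differs from the claimed hash, and includes a chunked file hasher for checking a locally built `shimx64.efi`. The claimed hash and the two `sha256sum` lines are copied from this issue; everything else is assumed.

```python
"""Check that a reproduced shim build matches the hash a shim-review submission
claims. Added example for this thread; it is not code from the thread, from
rhboot/shim-review or from the CentOS repository."""

import hashlib
import io
import re
from typing import BinaryIO

# Hash the submission (issue body above) claims for shimx64.efi.
CLAIMED_SHA256 = "1f79899df33ba605e65a2eb431cf23f48a2c3832cf2220f74eb295b469c4ba3d"

# The two sha256sum lines printed by the Dockerfile's final RUN step, as pasted
# in the comment above (the packaged binary and the copy placed at /shimx64.efi).
REBUILD_OUTPUT = """\
1f79899df33ba605e65a2eb431cf23f48a2c3832cf2220f74eb295b469c4ba3d  ./usr/share/shim/15.8-3.el10.centos/x64/shimx64.efi
1f79899df33ba605e65a2eb431cf23f48a2c3832cf2220f74eb295b469c4ba3d  /shimx64.efi
"""

# One sha256sum line: 64 hex digits, a space, then either a space (text mode)
# or '*' (binary mode), then the path.
_SHA256SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sum(output: str) -> dict[str, str]:
    """Map each path in sha256sum output to its lowercase hex digest.
    A line that is not in sha256sum format raises ValueError rather than
    being silently skipped, so a truncated or garbled log cannot pass."""
    digests: dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        match = _SHA256SUM_LINE.match(line)
        if match is None:
            raise ValueError(f"not a sha256sum line: {line!r}")
        digests[match.group(2)] = match.group(1).lower()
    return digests


def mismatched_paths(claimed: str, output: str) -> list[str]:
    """Return the paths whose digest differs from the claimed hash.
    An empty list means every rebuilt binary reproduces the submission."""
    claimed = claimed.lower()
    return [path for path, digest in parse_sha256sum(output).items()
            if digest != claimed]


def digest_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a binary stream, read in chunks so large images do not
    have to be held in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory blob (same code path as digest_stream)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> str:
    """SHA-256 of a file on disk, e.g. the shimx64.efi you built locally;
    compare the result with CLAIMED_SHA256 before signing off a review."""
    with open(path, "rb") as f:
        return digest_stream(f)


if __name__ == "__main__":
    bad = mismatched_paths(CLAIMED_SHA256, REBUILD_OUTPUT)
    if bad:
        print("MISMATCH for:", ", ".join(bad))
    else:
        print("all rebuilt binaries match the claimed hash")
```

For a real review you would feed `mismatched_paths` the captured output of the Dockerfile's final `sha256sum` step, or call `digest_file` on the binary extracted from the build container; either way the comparison is against the hash stated in the submission, not against whatever the log happens to print.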

@aronowski aronowski self-assigned this Jan 26, 2025
aronowski (Collaborator) commented:

The application form is incomplete and missing some questions - please rebase it to the newest README.md revision.

@aronowski aronowski added the incomplete This submission is missing required bits label Jan 26, 2025
Eonfge commented Feb 6, 2025

It would be nice if this Shim could be supported soon. Now that EPEL is also ready, we want to set up the first testing environments.

asamalik commented Feb 10, 2025

Hey there, I know I'm no one in this process, but I took the liberty to do a diff between the latest readme in this repo and the readme referenced from this issue. Maybe it'll be helpful.

The missing questions are:

What exact implementation of Secure Boot in GRUB2 do you have? (Either Upstream GRUB2 shim_lock verifier or Downstream RHEL/Fedora/Debian/Canonical-like implementation)

This is answered, the question in the attached review is just phrased differently:

"If shim is loading GRUB2 bootloader what exact implementation of Secureboot in GRUB2 do you have? (Either Upstream GRUB2 shim_lock verifier or Downstream RHEL/Fedora/Debian/Canonical-like implementation)"

Answer: RHEL Like

Do you have fixes for all the following GRUB2 CVEs applied?
Skip this, if you're not using GRUB2, otherwise make sure these are present and confirm with yes.

This is answered, the question in the attached review is just phrased differently:

"If shim is loading GRUB2 bootloader and your previously released shim booted a version of GRUB2 affected by any of the CVEs in the July 2020, the March 2021, the June 7th 2022, the November 15th 2022, or 3rd of October 2023 GRUB2 CVE list, have fixes for all these CVEs been applied?"

(Edit: I checked the listed CVEs in both readmes and they match.)

Answer: Same source code as RHEL

If your boot chain of trust includes a Linux kernel:
Is upstream commit 1957a85b0032a81e6482ca4aab883643b8dae06e "efi: Restrict efivar_ssdt_load when the kernel is locked down" applied?
Is upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 "ACPI: configfs: Disallow loading ACPI tables when locked down" applied?
Is upstream commit eadb2f47a3ced5c64b23b90fd2a3463f63726066 "lockdown: also lock down previous kgdb use" applied?

The middle part about commit 75b0cea7bf307f362057cc778efe89af4c615354 is missing. Needs answer / confirm the given answer includes the commit.

How does your signed kernel enforce lockdown when your system runs with Secure Boot enabled?
Missing.

Do you build your signed kernel with additional local patches? What do they do?
Missing.

Do you use an ephemeral key for signing kernel modules?
If not, please describe how you ensure that one kernel build does not load modules built for another kernel.
Missing.

If you are re-using the CA certificate from your last shim binary, you will need to add the hashes of the previous GRUB2 binaries exposed to the CVEs mentioned earlier to vendor_dbx in shim. Please describe your strategy.
Missing.

Is the Dockerfile in your repository the recipe for reproducing the building of your shim binary?
Missing.

Which files in this repo are the logs for your build?
Missing.

What contributions have you made to help us review the applications of other applicants?
Missing.

bstinsonmhk (Author) commented:

I updated with the best answers I have. Note: I updated the tag in the description to point at a new git tag in our repo.

6 participants