-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lernstick shim-15.4-6 x64 (20210729) #196
Comments
Hi, I have tried a review based on the reviewer's guidelines.
|
Thank you very much for the positive review! Is there anything we can do to speed things up? It's been 4 months now and many schools are waiting for our secure exam environment... |
I think many distributers(include us) has same problem of secure boot.
It is helping other distro's submission by cross-review. Reviewing other's submission will makes down core reviewers load and faster review process probably. |
@ronnystandtke I'm gonna send you two some encrypted emails with words, I'm going to need the words pasted back here. |
I've not done a full review yet, sorry. but: I have verified that the commit the tag points to builds reproducibly.
and I'd like to know:
Who has access to the YubiKey? |
@julian-klode Thank you very much for the review!
Kundgebungen fachgemäßeste bestbewährt Fernsehtheater immergrünes vorgreifender unermüdlichsten amerikanisierte eingetrocknetes Kloster |
Only I have access to it. |
Sorry for the late reply, below the words from the email:
Alkali zahlungsunwilligerer anständig Hellsichtigkeit archiviert gelagerter Schuldlosigkeit beifolgt zuredendem munkelndes |
The words are correct, emails and keys hence verified. |
I went through the check list and answers, and this all looks fine from my side too, marking as accepted. Please close the bug once you received a signed shim back from MS. |
This submission was accepted 2 months ago, has this been signed yet? If so please close it. |
The process of getting an EV certificate is a surprisingly long and kafkaesque process, especially if your team is part of a university. Ours is still going on, so please keep this issue open. |
Make sure you have provided the following information:
https://github.com/Lernstick/shim-review/tree/lernstick-shim-amd64-20210729
https://github.com/Lernstick/shim-review/blob/lernstick-shim-amd64-20210729/lernstick-uefi-ca.der
What organization or people are asking to have this signed:
Lernstick Team part of the Research Center for Digital Sustainability at University of Bern (https://lernstick.ch)
What product or service is this for:
Lernstick and Lernstick Exam
Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.
We confirm that we are using the source from
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2.
What's the justification that this really does need to be signed for the whole world to be able to boot it:
Lernstick is a distribution for schools and universities for BYOD (bring your own device) use cases and exams. It is currently mainly used in Switzerland, Austria and Germany.
How do you manage and protect the keys used in your SHIM?
The keys are stored on a FIPS 140-2 certified SmartCard (YubiKey FIPS Model 0010).
Do you use EV certificates as embedded certificates in the SHIM?
No.
If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
No, we don't use the new vendor_db functionality.
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?
Yes,
75b0cea7bf307f362057cc778efe89af4c615354
is present.if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?
Yes, we are using the downstream GRUB2 version from Debian which has those CVEs fixed.
"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
Yes, we add vendor specific SBAT entries to every binary that supports SBAT metadata.
We also include the SBAT entries from upstream (in our case Debian).
shim
grub2
Were your old SHIM hashes provided to Microsoft ?
No. First submisssion.
Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?
N/A. First submission.
What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
We are using the downstream GRUB2 from Debian.
What is the origin and full version number of your bootloader (GRUB or other)?
Our GRUB2 is based on the 2.04-20 version from Debian which is based on the 2.04 upstream version. We do not apply any patches on top.
Source can be found here: https://github.com/Lernstick/grub
If your SHIM launches any other components, please provide further details on what is launched
The Shim only launches GRUB2.
If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown
We only launch the Linux kernel.
If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.
N/A. We are using a new CA.
How do the launched components prevent execution of unauthenticated code?
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
No.
What kernel are you using? Which patches does it includes to enforce Secure Boot?
We are using kernel version 5.10 with Debian's lockdown patches applied and kernel version 5.13 (latest stable kernel) with
Secure Boot enabled and lockdown always enforced.
What changes were made since your SHIM was last signed?
N/A.
What is the SHA256 hash of your final SHIM binary?
The text was updated successfully, but these errors were encountered: