-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
baramundi shim 15.4 20210811 #198
Comments
Previous review was #130 |
Apologies for the noise. Here's my actual review: Things okay:
Things not okay:
Questions:
|
Hi, thanks a lot for reviewing and for your feedback. We corrected SBAT entries for the grub2 and updated this issue. Our private key for the ev-certificate is stored on a hardware dongle, protected with a password. The dongle is securely stored in a safe. Only the devs working on the bootloader have access to it. |
I'm unable to verify emails - PGP keys are not available. |
Hi again, you're right, I added the pgp key to the review-repository and updated the readme. Name: Simon Förg Thanks a lot and best regards. |
Okay, I see key fingerprints, but only Felix's has been pushed to a keyserver. Yours should be as well. |
Hi and sorry for keep you waiting. Best regards. |
Checking today, I see Felix's key, but still not Simon's. Possibly keyserver.pgp.com doesn't sync, or maybe it choked on the umlaut - I'm not familiar with the server, and when I went to dig further, it required a captcha. |
Hmm, I see. Today I published my public key to https://pgp.mit.edu/ |
I do see a key there, but that has a different fingerprint than what is specified in README.md. |
Great, glad to hear and thanks for the fast response. |
The contact information is not yet in the format that is expected and described in README.md. It is stated that for both security contacts, the PGP public key fingerprint should be listed README.md (missing for |
Hi and thanks a lot for your support. We have created new pgp keys, signed them and published them on keyserver.ubuntu.com. We have also updated the thumbprints in the readme. Hopefully we did everything right this time. |
Disclaimer: I am not an authorized reviewer but review other shims to reduce the workload of the authorized reviewers and speed up the process for everyone. Review was conducted in accordance to the reviewer guidelines (https://github.com/rhboot/shim/wiki/reviewer-guidelines)
|
Closing outdated request due to the recent round of CVEs in grub and shim requiring a new submission with fixes for all these CVEs. |
Make sure you have provided the following information:
baramundisoftware/shim-review@baramundi-shim-review_2021
https://github.com/baramundisoftware/shim-review/blob/baramundi-shim-20210811/README.md
https://github.com/baramundisoftware/shim-review/blob/baramundi-shim-20210811/shim_x64.efi
https://github.com/baramundisoftware/shim-review/blob/baramundi-shim-20210811/bsAG_EV_productive_2020.cer
not used
No extra patches
https://github.com/baramundisoftware/grub2
https://github.com/baramundisoftware/shim-review/blob/baramundi-shim-20210811/shim_x64_build.log
https://github.com/baramundisoftware/shim-review/blob/baramundi-shim-20210811/Dockerfile
What organization or people are asking to have this signed:
baramundi software AG
What product or service is this for:
baramundi Management Suite
Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.
Yes
What's the justification that this really does need to be signed for the whole world to be able to boot it:
The SHIM bootloader starts a grub2 which decides if it should boot the local installed windows operating system or netboot a windows PE image.
This is necessary to support remote operating system installation on clients in the LAN.
With a signed SHIM bootloader we are able to support clients with enabled secure boot feature.
How do you manage and protect the keys used in your SHIM?
Private key is stored in hardware module with controlled access.
Do you use EV certificates as embedded certificates in the SHIM?
Yes
If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
vendor_db not used, no hashes allow-listed
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?
No Linux kernel is used
if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?
Yes
The grub2 sources we use have it's origin in the commit https://git.launchpad.net/ubuntu/+source/grub2/tag/?h=applied/2.04-1ubuntu44
"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
shim:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
grub:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.04-1ubuntu44.2,https://www.ubuntu.com/
grub.baramundi,1,Baramundi,grub2,2.04-1ubuntu44.2-bblefi1,https://github.com/baramundisoftware/grub2
Were your old SHIM hashes provided to Microsoft ?
No. We changed the EV certificate embedded in the shim, so the old shim can only start grubs signed with the old ev certificate.
Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?
We used a new EV certificate which is only used for the new grub 2.04 which origin is the commit https://git.launchpad.net/ubuntu/+source/grub2/tag/?h=applied/2.04-1ubuntu44
What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
Downstream RHEL/Fedora/Debian/Canonical like implementation
see: https://github.com/baramundisoftware/grub2
What is the origin and full version number of your bootloader (GRUB or other)?
grub 2.04 (extended) see: https://github.com/baramundisoftware/grub2
The grub2 sources we use have it's origin in the commit https://git.launchpad.net/ubuntu/+source/grub2/tag/?h=applied/2.04-1ubuntu44
If your SHIM launches any other components, please provide further details on what is launched
Our shim only launches the mentioned grub 2.04
If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown
The SHIM bootloader starts a grub2 which decides if it should boot the local installed windows operating system or netboot a windows PE image.
This is necessary to support remote operating system installation on clients in the LAN.
With a signed SHIM bootloader we are able to support clients with enabled secure boot feature.
If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.
No certificate got reused. The EV certificate used for the shim is new. No need for vendor_dbx entry.
How do the launched components prevent execution of unauthenticated code?
with standard grub 2.04 functionality, we prevent to start any unsigned bootloader
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
No
What kernel are you using? Which patches does it includes to enforce Secure Boot?
We launch Windows and Windows PE loader and kernel
What changes were made since your SHIM was last signed?
no changes were made to the original shim
What is the SHA256 hash of your final SHIM binary?
shim_x64.efi SHA256 Hash:
397E6D03A862C6D269F6E27B93A2C39B0652F5FF203158FDDA7C8CB057AC1654
The text was updated successfully, but these errors were encountered: