-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shim 15.4 for EuroLinux #226
Comments
We have not received emails verifying contacts and keys. |
@frozencemetery, When are you planning to process Shim for Eurolinux? We're using Eurolinux and want to use secure boot asap. |
Hi, |
Our client is using this distribution and currently we need to turn secure boot off to install. It would be benefical for client's security compliance to get it fixed. TIA |
shim reviews are intended to be collaboratively done amongst distro vendors. The idea is that we provide a check on each other to ensure quality. This is not a service that "you" pay "us" for: there is no separation between the two. Most of us are overworked, and badgering those who can find time to do reviews at all only punishes us for trying - without offering any assistance of your own. If you want your submission done sooner, the best thing to do is make sure it is of good quality, and to |
Disclaimer: I am not an authorized reviewer but review other shims to reduce the workload of the authorized reviewers and speed up the process for everyone. Review was conducted in accordance to the reviewer guidelines (https://github.com/rhboot/shim/wiki/reviewer-guidelines)
|
I just reviewed a submission by RedHat that also downloads a custom rpm file from a remote server. Their shim sbat entry is also somehow appended to the base shim during the build. So I guess this part is fine. |
Let me clarify the answers as requested.
The file from the repository and the file from the remote server are exactly the same, which you can easily check here:
Regarding the question:
We decided to answer the question a bit thoroughly rather than simply: "yes, they are fixed". More on that in a moment.
The whole process is described by Red Hat - summary:
How does this translate into a potential contradiction? |
Closing outdated request due to the recent round of CVEs in grub and shim requiring a new submission with fixes for all these CVEs. |
Make sure you have provided the following information:
EuroLinux/shim-review@EuroLinux-shim-x86_64-20220214
What organization or people are asking to have this signed:
EuroLinux Sp. z o.o.
https://en.euro-linux.com
What product or service is this for:
EuroLinux 8
Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.
Yes, we are using the source from: https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
What's the justification that this really does need to be signed for the whole world to be able to boot it:
EuroLinux is an enterprise-class Linux operating system based on Red Hat Enterprise Linux source code. It has been actively maintained since 2015. EuroLinux is present in the top 100 on DistroWatch. EuroLinux Sp. z o.o. is a company founded by people, who originally formed the Open Source market in Central Europe.
How do you manage and protect the keys used in your SHIM?
The keys are stored on a FIPS 140-2 certified module (YubiHSM 2 FIPS). Access to machine used to sign binaries is restricted physically. Only 2 trusted individuals have access to it.
Do you use EV certificates as embedded certificates in the SHIM?
No.
If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
We don't use vendor_db functionality in this build.
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?
Yes, this commit is applied in our kernel.
if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?
All of those CVEs are fixed in GRUB 2.03 - we're using this version. EuroLinux doesn't ship the shim_lock mechanism - according to RHEL.
"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
Where your code is only slightly modified from an upstream vendor's, please also preserve their SBAT entries to simplify revocation
shim
grub2
fwupd
Were your old SHIM hashes provided to Microsoft ?
This is our first shim submission.
Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?
This is our first shim submission.
What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
RHEL like implementation.
Which modules are built into your signed grub image?
What is the origin and full version number of your bootloader (GRUB or other)?
Same version as RHEL - with RHEL patches, our certs and SBAT data: grub2-2.02-107.
If your SHIM launches any other components, please provide further details on what is launched
It also launches fwupd.
If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown
GRUB2 is only used to load Linux kernel.
If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.
This is our first shim submission.
How do the launched components prevent execution of unauthenticated code?
Everything validates signatures using shim's protocol.
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
No.
What kernel are you using? Which patches does it includes to enforce Secure Boot?
RHEL version of Linux kernel 4.18.0-348 RHEL patches only.
What changes were made since your SHIM was last signed?
This is our first shim submission.
What is the SHA256 hash of your final SHIM binary?
fd1be8773a77adc3cf809d232d8984b5668b90d3f568a616f919581af9468766
The text was updated successfully, but these errors were encountered: