Shim 15.6 for ECOS Technology GmbH #243
Comments
Regarding your use of 'ENABLE_SHIM_CERT=1': As I understand it, the MokManager and fallback binaries still need a valid signature that shim trusts. Or am I missing something here?
@miray-tf You are right, the I removed the
The current shimx64.efi duplicates the first 2 sbat lines:
`sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md`
The reason is most likely that the shim binary already supplies the first 2 lines and your sbat.ecos.csv adds them again.
@miray-tf Thank you again for your feedback. I removed the duplicate lines from
Disclaimer: I am not an authorized reviewer.
This review is for tag 'ECOS_Technology_GmbH-shim-x64-20220628', sha1: df5dbae
Remaining Steps:
Questions (Answer in a comment should be sufficient):
The vendor had a shim signed by Microsoft before, the shim is linked in #228:
- Security contacts have an email address at the company and the PGP keys are cross-signed.
- Shim is built from 15.6 with additional patches. The additional patches force the use of the default loader, disable whitelists and force shim to always run Secure Boot checks.
- All questions were answered in the issue and README.md.
- Embedded certificate matches organisation name.
- SBAT is present and matches values in README.
- GRUB is built based on grub:2.06-r2 from Gentoo.
- Used Linux kernels: 4.14, 5.4, 5.14, 5.17.
- Current shim is built with a new certificate, so previous GRUB versions will not be loaded.
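A reviewer's check for two of the points raised in this thread (the duplicated SBAT header lines found in shimx64.efi, and the "SBAT is present" and SHA256 items of the review checklist), as an added example that is not part of this thread and not ECOS's or shim-review's own tooling. It walks the PE section table itself, so it needs only the Python standard library. The image produced by `build_minimal_pe()` is a constructed stand-in (one `.sbat` section, no optional header), the vendor entry `shim.example` with its URL is hypothetical, and the assembly order (the two generic header lines first, then the vendor CSV appended) is an assumption taken from the comment above, not verified against the shim Makefile here.

```python
"""Reviewer checks for a shim binary's .sbat section and its SHA256.

Added example, not ECOS's or shim-review's own tooling. The PE built by
build_minimal_pe() is a constructed stand-in (one section, no optional
header); the vendor entry "shim.example" and its URL are hypothetical.
"""
import hashlib
import struct

COFF_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

# The two generic lines every shim build emits first (from rhboot/shim's SBAT.md).
SHIM_SBAT_HEADER = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)
# Hypothetical vendor CSV with the defect discussed in the thread: it repeats the header.
BAD_VENDOR_CSV = SHIM_SBAT_HEADER + "shim.example,1,Example Vendor,shim,15.6,https://example.invalid/shim\n"
# The corrected vendor CSV carries only the vendor's own entry.
GOOD_VENDOR_CSV = "shim.example,1,Example Vendor,shim,15.6,https://example.invalid/shim\n"


def sbat_section(pe: bytes) -> str:
    """Return the .sbat text: DOS header -> PE signature -> COFF header -> sections."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(pe, pe_off + 4)
    table = pe_off + 4 + COFF_HEADER.size + opt_size           # section table follows the optional header
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            pe, table + i * SECTION_HEADER.size)
        if name.rstrip(b"\0") == b".sbat":
            return pe[raw_ptr:raw_ptr + raw_size].rstrip(b"\0").decode("ascii")
    raise ValueError("no .sbat section: SBAT data is missing")


def sbat_entries(text: str) -> list[list[str]]:
    """Split SBAT CSV into rows; each row must carry the six SBAT fields."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        rows.append(fields)
    return rows


def duplicate_components(rows: list[list[str]]) -> list[str]:
    """Component names (first field) that occur more than once, in first-repeat order."""
    seen, dups = set(), []
    for fields in rows:
        if fields[0] in seen and fields[0] not in dups:
            dups.append(fields[0])
        seen.add(fields[0])
    return dups


def build_minimal_pe(sbat: bytes) -> bytes:
    """Constructed stand-in image: MZ stub, PE signature, COFF header with
    SizeOfOptionalHeader = 0, one .sbat section header, then the section data."""
    raw_ptr = 0x40 + 4 + COFF_HEADER.size + SECTION_HEADER.size       # 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = COFF_HEADER.pack(0x8664, 1, 0, 0, 0, 0, 0x22)                # x86-64, 1 section
    sect = SECTION_HEADER.pack(b".sbat", len(sbat), 0x1000, len(sbat), raw_ptr,
                               0, 0, 0, 0, 0x40000040)                  # INITIALIZED_DATA | READ
    return dos + b"PE\0\0" + coff + sect + sbat


def review_sbat(vendor_csv: str) -> dict:
    """Assemble the image as the thread says the shim build does (generic header
    first, vendor CSV appended; an assumption) and run the reviewer's checks."""
    image = build_minimal_pe((SHIM_SBAT_HEADER + vendor_csv).encode("ascii"))
    rows = sbat_entries(sbat_section(image))
    return {
        "entries": len(rows),
        "duplicates": duplicate_components(rows),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


if __name__ == "__main__":
    for label, csv in (("bad", BAD_VENDOR_CSV), ("good", GOOD_VENDOR_CSV)):
        print(label, review_sbat(csv))
```

On a real shim the same section can be pulled out with `objcopy -O binary --only-section=.sbat shimx64.efi sbat.txt` and fed to `sbat_entries()`; a duplicated `sbat` or `shim` component name is exactly the defect reported above. The `sha256` value is what belongs in the "SHA256 hash of your final SHIM binary" field, and a reviewer recomputes it from a binary rebuilt from the tagged repository rather than trusting the submitted number.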
@miray-tf Thank you for your extensive review!
The GRUB verifier framework allows the use of multiple verifier modules in parallel. While it is possible for a verifier module to defer verification to another verifier and skip its own verification, the
Lockdown is supported by our kernels as they are built with
Gentoo, as a source-only distribution, only supplies the definitions for building. GRUBs built on Gentoo by default do not include any
Until Gentoo chooses an SBAT entry for their distribution, it is not really possible to add an SBAT entry for a GRUB based on their patch set. So I think it is ok to leave that out.
I am going to send you some words. Please post them here once you receive them.
Thank you. I received the words
Gerald Richter received the words
Those are the correct words; verified on both.
Small update regarding CVE-2022-21505, a kernel lockdown bypass bug using It should not affect secure boot assuming that IMA prevents setting
Regardless, we will incorporate the fix with the next kernel updates.
@frozencemetery I am sorry to ask for your time, but would you please consider conducting a final review for our shim? @miray-tf kindly conducted a thorough review which led to two small issues being resolved. We started the review process for a new shim in February (#225) with the goal of receiving a signed version of our updated shim before the EV certificate embedded in our old shim expired. As a company with a certification from the German Federal Office of Information Security, our business directly depends on being able to quickly deploy security fixes to our customers. Unfortunately, the old EV certificate expired at the end of May. This prevents us from shipping shim and GRUB security updates to our customers and leaves us in a tight spot.
Good stuff:
Stuff to follow up on:
@steve-mcintyre Thank you very much for your review! Most of our GRUB patches are customized for our usage and disable functionality that other people may need. However, I will take another look at generic patches like The
Cool. :-) I was totally confused why you might have iorw, and it's something I'd be a little worried about from a SB perspective. It's just too open to random (ab)use AFAICS. But if you have lockdown enabled then it's fine. I think you're good to go, marking as accepted.
Thank you very much! I will close this issue when we have received the signed shim from Microsoft. Out of curiosity, I did some digging regarding
We received the signed shim back from Microsoft. Thanks to anyone involved in making this possible! |
Updates:
ENABLE_SHIM_CERT=1
Confirm the following are included in your repo, checking each box:
`vendor_db` is not used
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/ecos-platypus/shim-review/tree/ECOS_Technology_GmbH-shim-x64-20220627
What is the SHA256 hash of your final SHIM binary?
54b18f8114d41c1488204fd91d3df3d902b505ebdf40aacf39f639eb3dc75e3e