Shim 15.4 + bugfixes for UOS #173
Labels
accepted
Submission is ready for sysdev
Comments
|
@christopherco Please review the submission again |
|
|
Will just need another reviewer to check and confirm. |
|
@steve-mcintyre Please review the submission again, thank you |
|
How does the PC storing you key meet FIPS 140-2 Level 2 security standards? |
Purchase a certified HSM |
|
All looks good here - checked patches, SBAT, reproduces OK. |
This was referenced Sep 5, 2022
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Make sure you have provided the following information:
https://github.com/uos-secureboot/shim-review/tree/uos-shim-15.4
https://github.com/uos-secureboot/shim-review/blob/uos-shim-15.4/README.md
https://github.com/uos-secureboot/shim-review/blob/uos-shim-15.4/shimx64.efi
https://github.com/uos-secureboot/shim-review/blob/uos-shim-15.4/UOS-UEFI-RSA.cer
Not used
N/A
N/A
https://github.com/uos-secureboot/shim-review/blob/uos-shim-15.4/logs.txt
What organization or people are asking to have this signed:
UOS V20:https://www.chinauos.com/resource/download-personal
What product or service is this for:
UOS V20.
Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.
Yes, we are using the source from https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
What's the justification that this really does need to be signed for the whole world to be able to boot it:
What's the justification that this really does need to be signed for the whole world to be able to boot it:
UOS is yet another linux distribution based on Debian GNU/Linux. It has been actively maintained since 2019 It is an amazing distribution, and for compatible reason, we here submit our siging request for shim.
How do you manage and protect the keys used in your SHIM?
The key is stored in isolated standalone server which is placed in secure area with limited access.
Do you use EV certificates as embedded certificates in the SHIM?
No.
If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
No.
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?
Yes, we use kernel 4.19 with this patch included
if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?
Yes
"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
We keep all upstream SBAT entries and also append Uos specific.
Since most packages in Uos are based on Debian we also keep Debian specific entries.
All new UEFI binaries that are yet to be built with SBAT support will
follow the agreed SBAT variable pattern and we will add Uos specific
entries for them.
Were your old SHIM hashes provided to Microsoft ?
This is the first submission
Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?
New grub2 builds with CVE fix will be signed with new signing EV certificate.
What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
Downstream RHEL/Fedora/Debian/Canonical like implementation
What is the origin and full version number of your bootloader (GRUB or other)?
upstream Debian Bullseye 2.04 version
If your SHIM launches any other components, please provide further details on what is launched
It will load fwupdate, fwupd as already mentioned above.
If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown
grub2 launches Linux kernel
If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.
Not applicable, grub2 leaf certificate rotated in Uos shim
How do the launched components prevent execution of unauthenticated code?
Will not start unsigned programs
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
No
What kernel are you using? Which patches does it includes to enforce Secure Boot?
What changes were made since your SHIM was last signed?
Bug and security fixes.
Changelog (since version 15-4).
Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
fix-broken-ia32-reloc.patch
fix-import_one_mok_state.patch
MOK-BootServicesData.patch
What is the SHA256 hash of your final SHIM binary?
9ed42ee3903b37f07548855b29b95b62b11f64863022faeee2374470ad3db0f7 shimx64.efi
The text was updated successfully, but these errors were encountered: