Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

shim 15.4-6 for Uos #201

Closed
9 tasks done
Zeno-sole opened this issue Aug 19, 2021 · 5 comments
Closed
9 tasks done

shim 15.4-6 for Uos #201

Zeno-sole opened this issue Aug 19, 2021 · 5 comments
Labels
bug Problem with the review that must be fixed before it will be accepted

Comments

@Zeno-sole
Copy link

Make sure you have provided the following information:

  • link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
    https://github.com/linuxdeepin/shim-review/tree/uos-shim-15.4-amd64-and-ia32
  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added do vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries
What organization or people are asking to have this signed:

UOS V20:https://www.chinauos.com/resource/download-personal

What product or service is this for:

UOS V20.

Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.

Yes, we are using the source from https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2

What's the justification that this really does need to be signed for the whole world to be able to boot it:

What's the justification that this really does need to be signed for the whole world to be able to boot it:
UOS is yet another linux distribution based on Debian GNU/Linux. It has been actively maintained since 2019 It is an amazing distribution, and for compatible reason, we here submit our siging request for shim.

How do you manage and protect the keys used in your SHIM?

The key is stored in isolated standalone server which is placed in secure area with limited access.

Do you use EV certificates as embedded certificates in the SHIM?

Yes, we use kernel 4.19 with this patch included

If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?

No.

Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?

Yes, we use kernel 4.19 with this patch included

if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?

Yes

"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.uos,1,Uos,grub2,2.04-17,mail:[email protected]

sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
fwupd,1,Firmware update daemon,fwupd,1.5.7,https://github.com/fwupd/fwupd
fwupd-uos,1,Uos,fwupd,1.5.7-3,mail:[email protected]

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.uos,1,Uos,shim,15.4-6,mail:[email protected]
Were your old SHIM hashes provided to Microsoft ?

Yes

Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?

New grub2 builds with CVE fix will be signed with new signing EV certificate.

What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?

Downstream RHEL/Fedora/Debian/Canonical like implementation

What is the origin and full version number of your bootloader (GRUB or other)?

upstream grub2 2.04-17 , from Debian bullseye

If your SHIM launches any other components, please provide further details on what is launched

It will load fwupdate, fwupd as already mentioned above.

If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown

grub2 launches Linux kernel

If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.

Not applicable, grub2 leaf certificate rotated in Uos shim

How do the launched components prevent execution of unauthenticated code?

Will not start unsigned programs

Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?

No

What kernel are you using? Which patches does it includes to enforce Secure Boot?
  1. 19 with secure boot supported.
What changes were made since your SHIM was last signed?

Bug and security fixes.
Changelog (since version 15-4).
Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
fix-broken-ia32-reloc.patch
fix-import_one_mok_state.patch
MOK-BootServicesData.patch
relax_check_for_import_mok_state.patch
fix_arm64_rela_sections.patch

What is the SHA256 hash of your final SHIM binary?

4a57e3345da3e48b18a1bbddfe6c5593cb983566d125b23191ee93e987dda377 shimia32.efi
f906983aeb3bc47ce73be5ef0543beb42715b5e80eaf83e6d6d9e9cda4a29bf3 shimx64.efi
@Zeno-sole
Copy link
Author

My previously accepted SHIM #173

@Zeno-sole
Copy link
Author

Can the submission be reviewed
@steve-mcintyre

@pjbrown4
Copy link

pjbrown4 commented Oct 19, 2021
edited
Loading

Review Notes

  • Build is reproducible
  • Vendor SBAT entries match
  • Certificate validity is OK

@julian-klode
Copy link
Collaborator

Please provide a tag as required. I see the previous submission did not have a tag either, please tag the right commit retroactively (hopefully it still reproduces) such that we can compare the submission against the previous ones.

@julian-klode julian-klode added the bug Problem with the review that must be fixed before it will be accepted label Nov 12, 2021
@Zeno-sole
Copy link
Author

Thank you for your review, I will resubmit based on your comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Problem with the review that must be fixed before it will be accepted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@julian-klode @Zeno-sole @pjbrown4