NewStartOS V4 shim-15.6 x64 and ia32 #303

Closed
8 tasks done
LiangJianNSDL opened this issue Dec 3, 2022 · 8 comments
Labels

  • bug: Problem with the review that must be fixed before it will be accepted
  • contact verification needed: Contact verification is needed for this review
  • new vendor: This is a new vendor
  • question: Reviewer(s) waiting on response

Comments

@LiangJianNSDL

LiangJianNSDL commented Dec 3, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/LiangJianNSDL/shim-review/tree/nsdl-v4-shim-amd64-i386-20230306


What is the SHA256 hash of your final SHIM binary?


sha256sum shimia32.efi
a3ff0cc4313616cb3dfb0784b75c66481ec1625735ea912215f9f403c0d6cedf shimia32.efi
sha256sum shimx64.efi
a9ee49df074e4edce671c60090c8223c7aa0be872c32565ce4d497136629db28 shimx64.efi


What is the link to your previous shim review request (if any, otherwise N/A)?


#289

@frozencemetery
Member

Please note #307

@frozencemetery frozencemetery added bug Problem with the review that must be fixed before it will be accepted new vendor This is a new vendor contact verification needed Contact verification is needed for this review labels Feb 16, 2023
@LiangJianNSDL
Author

> Please note #307

Hi, frozencemetery. I have applied NX.patch to shim; you can check the build.log to find relevant information. I have updated shimia32.efi, shimx64.efi, NX.patch and other related files; you can find them at the link above. Thank you for your reply.

@frozencemetery
Member

frozencemetery commented Mar 3, 2023

It is written:

> Were these binaries created from the 15.6 shim release tar?
>
> This is the unmodified shim-15.6 release.

and

> What patches are being applied and why:
>
> None.

@LiangJianNSDL
Author

> It is written:
>
> > Were these binaries created from the 15.6 shim release tar?
> >
> > This is the unmodified shim-15.6 release.
>
> and
>
> > What patches are being applied and why:
> >
> > None.

Thanks for the reminder, I have updated the README.md. Thanks again.

@frozencemetery frozencemetery removed the bug Problem with the review that must be fixed before it will be accepted label Mar 6, 2023
@LiangJianNSDL
Author

Hi, frozencemetery
What does the "contact verification needed" label mean? What do I need to do?
Looking forward to your reply. @frozencemetery

@steve-mcintyre
Collaborator

Picking up on this review now, apologies for the delay. :-(

I've just mailed both of your contact addresses now to start contact verification. Please follow the instructions there.

@steve-mcintyre
Collaborator

Review of NewStartOS V4 shim-15.6 x64 and ia32 nsdl-v4-shim-amd64-i386-20230306

OK

  • No previous shims signed, so revocation is easy
  • Shim builds reproduce fine for ia32 and x64
  • Shim from 15.6 upstream, with the NX patch applied.
  • SBAT data looks fine
  • Grub looks ok, borrowed from RH/Rocky
  • List of grub modules looks OK for now
  • Kernel lockdown sounds ok

Issues / queries / outstanding

  • Contact verification required - mails sent
  • This is a shim 15.6 submission - you must move forwards to a current
    version if you're going to get a signed shim now.
  • The cert you've embedded looks bogus (please fill in some sensible
    details!), and it has already expired.
  • Key split up and managed separately. How are you signing kernel and
    grub builds?
  • Do you not include fwupd in your distribution?

@steve-mcintyre steve-mcintyre added bug Problem with the review that must be fixed before it will be accepted question Reviewer(s) waiting on response labels Sep 6, 2023
@steve-mcintyre
Collaborator

It's been a few weeks without comment. Need to move forwards from 15.6.

@steve-mcintyre steve-mcintyre closed this as not planned Nov 1, 2023