-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shim 15.8 for UOS Linux (x86_64) #431
Comments
verification emails sent |
@steve-mcintyre Sorry for the late reply, but I want to confirm what went wrong. I did not receive the verification email about "shim review". The contact email is [email protected]. |
Review of reproducibility for uos-shim-15.8-amd64-20240711review helper : https://github.com/jclab-joseph/other-shim-reviews/tree/master/20240730-uos-shim-15.8-amd64-20240711 shim
certificate
grub
|
Re-sent verification mails to |
And also sending to [email protected] Not sure where I found the yanbowen mail - maybe an older review. Sorry. |
Contact verification for [email protected]: gages schoolboy raving preview diagramming holds results cicatrix linger sulphuring |
Just waiting on the response from [email protected] now. |
The old key has expired. Can I use a new key? |
The mail I sent was encrypted to this key, which does not appear to have expired:
The new key you're suggesting I use does not match the email address
Please fix this. Could you also please explain for us: what is the relationship between:
Some consistency in UIDs and keys here is necessary. |
I apologize for any confusion regarding the names. Please allow me to clarify: |
@steve-mcintyre I have updated the secondary contact email address to keep the email address consistent with the UID. Please use the new key for contact verification. Looking forward to hearing from you, thanks! |
Mail on the way. As you've updated your submission in git, please also add a new tag and update the issue here with that new tag. |
I have created a new tag and updated the issue. |
By the way, the tags uos-shim-15.8-amd64-20240711 and uos-shim-15.8-amd64-20240806 are associated with the same commit (kyrie-z/shim-review@02e5eb2). I believe that jclab-joseph's review #431 (comment) is very useful, so I'm mentioning this to avoid duplicate review efforts. |
Contact verification for [email protected]: puritan segregate expatriating Alnitak homily daffodils Avalon bountiful blurted Hecuba |
@steve-mcintyre hello, Can you help review |
Pretty clean and by-the-book.
Not much else to review from our side, 👍 |
I'm not an official reviewer, but I want to help speed up reviewing.
All looks good from my perspective!👍 |
Review for
|
Sorry for my carelessness when review the certificate in #431 (comment) , I missed the simple
|
Here is an end-entity certificate, which is used solely for signing verification of the Grub and kernel code. It is not intended to issue certificates, so it does not have CA signing authority. |
The deepin_gfxmode module is used to accurately obtain the resolution at which Grub runs, helping the system better adjust the GRUB display settings.
Previously, many modules were added to ensure Grub had the latest features and support, but now it appears that some of these modules are outdated. We plan to gradually remove them in the future. |
Thanks for the reminder. we'll take it on board next.
UOS was based on Debian 10 before Debian 10 reached EOL. After that, it transitioned to being based on the Deepin system. It is currently using GRUB version 2.06, and GRUB will be updated to version 2.12 in the future.
The two functions of secure boot and lockdown are independent of each other. Enabling secure boot does not force lockdown. |
Technically these are two separately features, but not enabling lockdown when booting in secure boot allows the user to circumvent the protections assumed by secure boot easily. The consensus is that no kernels should be signed that not force lockdown when booted with secure boot enabled. |
Thanks for your suggestion, @THS-on . We will try to incorporate CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT into the kernel and ensure that no kernel without this feature will be signed. |
@kyrie-z once you incorporated this, can you update the submission, so that we can have another look? Please also include a strategy that older kernels cannot be booted with the new shim. |
@THS-on The CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT patch has been merged and enabled by default, see: deepin-community/kernel#533 .
The shim submitted this time contains a new embedded certificate. Before the shim is approved, the certificate is not activated and has not been used to sign any kernels or bootloaders. Older kernels and bootloaders were signed with the old certificate. Due to the certificate mismatch, older kernels cannot be loaded or executed by the submitted shim. |
@kyrie-z thanks for the update. I still would like one other reviewer have a look at it before accepting. |
Helper review for Shim 15.8 for UOS Linux (x86_64) by UnionTech, tag uos-shim-15.8-amd64-20240806
Certificate
Buildis reproducible:
NX bitis not set
SBAT
matches the document in their repo. Kernel patches
Link goes to their repo, but does not provide explicit patches/diffs to review. It remains unclear to me what the security features are exactly and what they do. Key storageSigning key is stored in a "red zone" room, but apparently not on an HSM. As reviewers previously mentioned, the suggestion is move to an HSM, and generate a new certificate on that. |
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/kyrie-z/shim-review/tree/uos-shim-15.8-amd64-20240711https://github.com/kyrie-z/shim-review/tree/uos-shim-15.8-amd64-20240806
What is the SHA256 hash of your final SHIM binary?
958987f06da4438ab43a873e2c0dd65478299b284ad6e53ca2528524e3a069dd shimx64.efi
What is the link to your previous shim review request (if any, otherwise N/A)?
[UOS shim 15.4 for x86_64 #173 ]
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
N/A
The text was updated successfully, but these errors were encountered: