@bitraser sorry you've had a bad experience here. Especially in the last few months we've had a massive amount of work to do on shim upstream. That has culminated in the latest 15.4 release, and even then there are a few recommended patches on top (see #165). We're catching up on a lot of reviews now.
As others have said, a build of 15.2 will not meet the requirements for signing any more so I'm afraid you'll have to move forwards to 15.4. I'm therefore closing this review now - please open a new one when you have a 15.4 build ready.
Make sure you have provided the following information:
https://github.com/bitraser/shim/releases/tag/bitraser
https://github.com/bitraser/shim-review/blob/master/README.md
https://github.com/bitraser/bitraser-shim/blob/main/shimx64.efi
https://github.com/bitraser/bitraser-shim/blob/main/Stellar-Information-Technology-Private-Limited.cer
NA
not applied any extra patch
not applied any extra patch
https://github.com/bitraser/bitraser-shim/blob/main/build.log
What organization or people are asking to have this signed:
Stellar Information Technology Pvt Ltd
What product or service is this for:
BitRaser Data Eraser Software
What is the origin and full version number of your shim?
https://github.com/rhboot/shim/archive/15.2.zip
What's the justification that this really does need to be signed for the whole world to be able to boot it:
Stellar requires to employ secure boot for building trusted operating system. This OS has to be capable of booting every machine so that it can be used with BitRaser Data Eraser software
How do you manage and protect the keys used in your SHIM?
Cryptographic USB Token
Do you use EV certificates as embedded certificates in the SHIM?
YES
If you use new vendor_db functionality, are any hashes whitelisted, and if yes: for what binaries?
No vendor_db is used (this is first time submission)
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if your boot chain includes a Linux kernel?
Yes
If SHIM is loading grub2 bootloader, is CVE-2020-10713 fixed?
Yes
Did you change your certificate strategy, so that grub2 bootloaders affected by CVE-2020-10713 can not be verified?
This is the first time submission of SHIM
What is the origin and full version number of your bootloader (GRUB or other)?
GRUB 2.05 https://github.com/rhboot/grub2/archive/master.zip
If your SHIM launches any other components, please provide further details on what is launched
SHIM will only launch GRUB. No other component will be launched by the SHIM
How do the launched components prevent execution of unauthenticated code?
SHIM WILL ONLY LAUNCH SIGNED GRUB AND KERNEL, grub verifies signatures on booted kernels
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
No
What kernel are you using? Which patches does it includes to enforce Secure Boot?
Kernel Version is 5.7.11 it included enforce secure boot
What changes were made since your SHIM was last signed?
This is first time submission
What is the hash of your final SHIM binary?
SHA512 hash is f6c7c3de781285dfab0a229e118cc736c08c64a823b11e145e272b6b1b90595fe5bc6b1103f91abe6dcf4b09bb91d10ad5029f9e388317bfb355e09282151232