-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shim 15.4 for ThinPro 7 (HPI-shim-x64-20210603) #179
Comments
Could you please add the missing information from the current ISSUE Template? At a quick glance at least the following sections are missing or incomplete: Please create your shim binaries starting with the 15.4 shim release tar file:https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2This matches https://github.com/rhboot/shim/releases/tag/15.4 and containsthe appropriate gnu-efi source.Please confirm this as the origin your shim.[your text here] if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,( July 2020 grub2 CVE list + March 2021 grub2 CVE list )and if you are shipping the shim_lock module CVE-2021-3418fixed ?[your text here] "Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim[your text here] Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )grub2 bootloaders can not be verified ?[your text here] What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?[your text here] |
ShimShim is branch 15.4 with no additional patches sha256 checksum c3615588e7ba3d9c52a60014d4b84eb440b86404b3213c6a650e273965268a8f of shim256 Rebuilds with supplied docker file Grubgrub2_2.04-1ubuntu45 was accepted in review #167 so that looks good to me SBat:Shim sbat entry matches information in README.md
Grub sbat entry information from README.md
looks sensible.
to the Grub sbat section. product name 'thinpro' looks unique: A quick web search for thinpro only returned HP ThinPro related hits. LinuxPlease validate that linux upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 is included in your kernel. Summary
Questions / Open Issues:
Notes:gnu-efi package is no longer necessary, so you can remove it from the docker file |
Does this work for you?
https://github.com/eniaczhp/ThinProShim/tree/HPI-shim-x64-20210603
From: Steve McIntyre ***@***.***>
Sent: Tuesday, June 22, 2021 1:22 PM
To: rhboot/shim-review ***@***.***>
Cc: Zhang, Eniac ***@***.***>; Author ***@***.***>
Subject: Re: [rhboot/shim-review] Shim 15.4 for ThinPro 7 (HPI-shim-x64-20210603) (#179)
Please give a link to your fork of the shim-review repo, as asked for as the first link...
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#179 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKGV732F3MUHLEOA6VULU6TTUDPDVANCNFSM46DTVPAQ>.
|
I saw that your tag looks ok - thanks! |
|
steve-mcintyre EZ: we don't plan to support 32bit cpu, or ARM, or MAC so i am ok not including these patches. i could include rhboot/shim#361 only if it's causing real issues. i don't mind if all it does is an extra warning in dmesg. this is the response for @miray-tf Please create your shim binaries starting with the 15.4 shim release tar file: EZ: Correct. That's the upstream source we use. if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372, EZ: We uses https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu45, it has all the grub2 patches needed as far as i can tell. We don't ship shim_lock modules with our signed grub binary. "Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata EZ: the only binary that carries SBAT today is grub2 and shim, their sbat are provided in the repo: Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, EZ: we uses https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu45, it has all the grub2 patches needed as far as i can tell. What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
EZ: we uses https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu45, it has all the grub2 patches needed as far as i can tell. |
regarding kernel patches, yes we do have patch for CVE-2020-15780: here're all the kernel CVE patches we applied on top of 5.6.8: |
@steve-mcintyre |
@eniaczhp thanks for answering the kernel question, I think all looks good now. Marking accepted |
thanks @steve-mcintyre |
Make sure you have provided the following information:
[ x ] link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
https://github.com/eniaczhp/ThinProShim/releases/tag/HPI-shim-x64-20210603
[ x ] completed README.md file with the necessary information
https://github.com/eniaczhp/ThinProShim/blob/HPI-shim-x64-20210603/README.md
[ x ] shim.efi to be signed
https://github.com/eniaczhp/ThinProShim/blob/HPI-shim-x64-20210603/shimx64.efi
[ x ] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
https://github.com/eniaczhp/ThinProShim/blob/HPI-shim-x64-20210603/thinpro-secureboot-masterca-2021.cer
[ x ] binaries, for which hashes are added do vendor_db ( if you use vendor_db and have hashes allow-listed )
n/a, we don't use vendor_db
[ x ] any extra patches to shim via your own git tree or as files
none
[ x ] any extra patches to grub via your own git tree or as files
none
[ x ] build logs
https://github.com/eniaczhp/ThinProShim/blob/HPI-shim-x64-20210603/build.log
[ x ] a Dockerfile to reproduce the build of the provided shim EFI binaries
https://github.com/eniaczhp/ThinProShim/blob/HPI-shim-x64-20210603/hpishim.docker
What organization or people are asking to have this signed:
What product or service is this for:
What is the origin and full version number of your shim?
What's the justification that this really does need to be signed for the whole world to be able to boot it:
be signed by MS UEFI key for it to be bootable there.
How do you manage and protect the keys used in your SHIM?
Do you use EV certificates as embedded certificates in the SHIM?
If you use new vendor_db functionality, are any hashes whitelisted, and if yes: for what binaries ?
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a linux kernel ?
if SHIM is loading grub2 bootloader, is CVE CVE-2020-10713 fixed ?
Were your old SHIM hashes provided to Microsoft ?
Did you change your certificate strategy, so that affected by CVE CVE-2020-10713 grub2 bootloaders can not be verified ?
What is the origin and full version number of your bootloader (GRUB or other)?
If your SHIM launches any other components, please provide further details on what is launched
How do the launched components prevent execution of unauthenticated code?
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
What kernel are you using? Which patches does it includes to enforce Secure Boot?
What changes were made since your SHIM was last signed?
What is the hash of your final SHIM binary?
$ sha256sum shimx64.efi
c3615588e7ba3d9c52a60014d4b84eb440b86404b3213c6a650e273965268a8f shimx64.efi
$ sha1sum shimx64.efi
5f33fb7c60b5548e49abbc2bc5d0f9ddfab9aab2 shimx64.efi
The text was updated successfully, but these errors were encountered: