
shim 15.6 for MIRACLE LINUX 9 #264

Closed
8 tasks done
tSU-RooT opened this issue Jul 19, 2022 · 9 comments
Labels
accepted Submission is ready for sysdev

Comments

@tSU-RooT

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/miraclelinux/shim-review/tree/miraclelinux-shim-x64-20220715

What is the SHA256 hash of your final SHIM binary?

eff340b0165a2bddf95ffa387bc71aea3bcee4102a2dc081a53f0dcbb3dd7152  shimx64.efi

@frozencemetery
Member

  • Contact verification previously completed
  • build reproduced

I didn't see anything that seemed major, but do have a couple questions:

  • your shim-review repository is gigantic (1.9 GB) - do you know why? (Is it related to the grub2 checkin?)
  • grub.miracle has bumped sbat to 2. What happened here? (If you're copying what I did in RHEL/Fedora: I accidentally bumped the version and you don't need to do that, but if there's something else that happened we need to know.)

On a more meta level, I'm struggling with what seems to be your position as a RHEL rebuild and the response to the question about exact code that says "Our build environment is only available from inner.". Indeed, you appear to have checked in the grub2 and shim sources from RHEL 9.0... if you're going to do that, why not just skip the checkin and just wget the .srpms during build? This is how we do the RHEL/Fedora shim reviews: there's an srpm that gets downloaded during build. When describing your patches, it's also okay to say for instance "it's RHEL's grub/shim but we apply this additional patch(es)".

But maybe I'm jumping ahead too far. In previous review, Julian asked about your corporate identity, and you responded with (among other things) " We are building RHEL-derivative distribution as MIRACLE LINUX(ex-Asianux) in Japan for 19 years.". It would be good to update the README with this information.

@frozencemetery frozencemetery added the question Reviewer(s) waiting on response label Aug 15, 2022
@tSU-RooT
Author

Hi, thank you for your review.
I will answer the questions.

your shim-review repository is gigantic (1.9 GB) - do you know why? (Is it related to the grub2 checkin?)

Sorry for the inconvenience; other branches included split tarballs (the rootfs saved as a tarball during the mock build).
We stopped checking in tarballs to git branches since it's not smart.
I deleted the old branches just now.

grub.miracle has bumped sbat to 2. What happened here? (If you're copying what I did in RHEL/Fedora: I accidentally bumped the version and you don't need to do that, but if there's something else that happened we need to know.)

Right.
Actually, we haven't released grub.miracle,1 of grub2 (grub.miracle,2 is not released either, because we are at the pre-β stage now),
so we don't need to number grub.miracle,2 for grub2.
The reason we numbered grub.miracle's component_generation 2, the same as upstream, was to simplify management.

Indeed, you appear to have checked in the grub2 and shim sources from RHEL 9.0... if you're going to do that,
why not just skip the checkin and just wget the .srpms during build?

Yes, just wget-ing the upstream srpm seems reasonable. (When I wrote this form, I thought checking in the srpm was simpler than pointing at an external URL.)
I can rewrite the Dockerfile in this way (fetch from Fedora ('kojipkgs.fedoraproject.org') or CentOS Stream ('mirror.stream.centos.org')).

In previous review, Julian asked about your corporate identity, and you responded with (among other things) " We are building RHEL-derivative distribution as MIRACLE LINUX(ex-Asianux) in Japan for 19 years.". It would be good to update the README with this information.

Thank you for the advice, I will update.

@frozencemetery
Member

Wrong SBAT field, I think. That is the generation number, not the version. There's some reference docs on how those work in SBAT.md and SBAT.example.md.

@frozencemetery frozencemetery added bug Problem with the review that must be fixed before it will be accepted and removed question Reviewer(s) waiting on response labels Aug 17, 2022
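For the SBAT exchange above (the grub.miracle,2 question and the reply that this column is the generation number, not a version), here is an added example, not code from shim or from the MIRACLE LINUX submission, that parses a .sbat CSV section and applies the generation rule shim enforces against its revocation policy. The SBAT lines, the policy, the vendor_url and the version strings are constructed samples.

```python
import csv
from io import StringIO

# Constructed .sbat section of a hypothetical grub2 build, one component per
# line. Field order follows SBAT.md: component_name, component_generation,
# vendor_name, vendor_package_name, vendor_version, vendor_url.
# The grub.rh and grub.miracle lines are placeholders modelled on the thread.
SAMPLE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.06-VERSION-PLACEHOLDER,https://example.invalid/rh
grub.miracle,2,MIRACLE LINUX,grub2,2.06-VERSION-PLACEHOLDER,https://example.invalid
"""

# Constructed revocation policy in the shape of shim's SbatLevel data:
# component_name,minimum_generation. Only the generation column is consulted;
# vendor_version is informational and is never compared.
SAMPLE_POLICY = """\
sbat,1
grub,2
"""


def parse_sbat(text):
    """Return {component_name: (generation, vendor_version)} from .sbat CSV."""
    entries = {}
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        version = row[4] if len(row) > 4 else ""
        entries[row[0]] = (int(row[1]), version)
    return entries


def parse_policy(text):
    """Return {component_name: minimum_generation} from policy CSV."""
    return {row[0]: int(row[1]) for row in csv.reader(StringIO(text)) if row}


def sbat_allows(sbat_text, policy_text):
    """Apply shim's rule: every component the policy names that also appears
    in the image must meet the policy's minimum generation; components the
    policy does not mention are ignored; an image with no SBAT data fails."""
    image = parse_sbat(sbat_text)
    if not image:
        return False
    return all(image[name][0] >= minimum
               for name, minimum in parse_policy(policy_text).items()
               if name in image)
```

Bumping grub.miracle to generation 2 does no harm by itself, but it means a future policy line `grub.miracle,2` could no longer revoke this build; the generation should only move when older builds must be cut off.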
@tSU-RooT
Author

@frozencemetery
We updated grub2's SBAT, Dockerfile and README.
New tag is: https://github.com/miraclelinux/shim-review/tree/miraclelinux-shim-x64-20220919

@frozencemetery frozencemetery removed the bug Problem with the review that must be fixed before it will be accepted label Aug 24, 2022
@frozencemetery
Member

I didn't mean that you had to use the Fedora shims, but it definitely does make review easier if that works for you :)

  • Build reproduces
  • Source code is RHEL/Fedora; has all relevant CVE fixes
  • Cert is non-CA; 5 year lifetime
  • Key is HSM
  • SBAT looks okay

My only remaining questions are about the kernel... are you just using the RHEL kernel? If not, we'd like more information on what patches are applied for lockdown. (Please add more information on this to your README either way.)

@frozencemetery frozencemetery added the question Reviewer(s) waiting on response label Aug 24, 2022
@tSU-RooT
Author

My only remaining questions are about the kernel... are you just using the RHEL kernel?

Yes, just one debrand patch is applied to the RHEL kernel.
No harm to functionality.

New tag is: https://github.com/miraclelinux/shim-review/tree/miraclelinux-shim-x64-20220925
Compare is: https://github.com/miraclelinux/shim-review/compare/miraclelinux-shim-x64-20220919..miraclelinux-shim-x64-20220925

@frozencemetery frozencemetery removed the question Reviewer(s) waiting on response label Aug 25, 2022
@frozencemetery
Member

Alright, looks good to me.

@frozencemetery frozencemetery added the accepted Submission is ready for sysdev label Aug 25, 2022
@tSU-RooT
Author

Thanks for reviewing.

@tSU-RooT
Author

We have received the signed shim from the Microsoft Hardware Developer Program.
Closing.
