
AmZetta Technologies, LLC shim-15.6 x64 #280

Closed
8 tasks done
amzdev0401 opened this issue Aug 30, 2022 · 10 comments
Labels
bug Problem with the review that must be fixed before it will be accepted

Comments

@amzdev0401
amzdev0401 commented Aug 30, 2022

Confirm the following are included in your repo, checking each box:

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/amzdev0401/shim-review-15.6/tree/AmZetta-shim-x86_64-20220803

What is the SHA256 hash of your final SHIM binary?

4fcf295b69db20e35918745ad7bc91b257698437e61a2b43191fec0890b29ee1 shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?

[N/A]

@frozencemetery
Member

Surely you were also responsible for #211?

@amzdev0401
Author

Yes, we are waiting for the product release with secure boot; your quick review would be really helpful to us.

@steve-mcintyre
Collaborator

Looking:

  • shim build reproduces here
  • contact verification has already been done in SHIM 15.4 for AmZetta Technologies, LLC #211
  • shim from upstream. no patches
  • self-signed cert embedded, expires 2032 (but see below!)
  • SBAT handling is broken (see below)
  • no previous signed shim, so no revocation to worry about
  • question about kernel (see below)
  • HSM for key management
  • grub needs patches (see below)

Quite a few issues to fix here :-(

  • your embedded cert is very basic, I'd expect you to have trouble
    with it. You've set none of the options that we'd normally expect to
    see. I'd suggest you use openssl x509 to have a look at the
    options set on the certs used by other distributors.
  • You're not doing the right thing with shim SBAT data. You've added a
    sbast.csv which overrides the built-in sbat data, so you end up with
    SBAT level 1 rather than 2.
  • In the kernel patch questions, you've just said "no" about commit
    eadb2f47a3ced5c64b23b90fd2a3463f63726066. Please explain how you're
    not vulnerable to the related security problem here.
  • If you're using grub 2.06 straight from upstream with no additional
    patches, then you're still vulnerable to the latest set of grub
    security issues from June 2022. That needs fixing.
  • do you not support fwupd or similar?
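Added example for the SBAT point above (not part of this thread and not shim project code): a stdlib-only Python check that parses vendor and upstream SBAT CSV data and reports any component whose generation the vendor override lowers or drops, which is what leaves a shim 15.6 build at SBAT level 1 instead of 2. The two SBAT samples are constructed here in the record format shim's data/sbat.csv uses; the `shim.example` vendor entry and its URL are placeholders.

```python
import csv

# Constructed sample modelled on shim's data/sbat.csv format, one record per line:
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
UPSTREAM_SBAT_15_6 = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
"""

# Constructed sample of a vendor sbat.csv that overrides the built-in data with generation 1.
VENDOR_OVERRIDE = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,1,Example Vendor,shim,15.6,https://example.invalid/shim
"""

FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(text):
    """Parse SBAT CSV into dicts; every non-blank row must carry all six fields."""
    rows = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError("malformed SBAT row: %r" % (row,))
        entry = dict(zip(FIELDS, row))
        entry["component_generation"] = int(entry["component_generation"])
        rows.append(entry)
    return rows


def generation(entries, component):
    """Generation number recorded for one component, or None if absent."""
    for e in entries:
        if e["component_name"] == component:
            return e["component_generation"]
    return None


def check_override(vendor_text, upstream_text):
    """List every upstream component the vendor data drops or downgrades."""
    vendor = parse_sbat(vendor_text)
    findings = []
    for e in parse_sbat(upstream_text):
        name, want = e["component_name"], e["component_generation"]
        have = generation(vendor, name)
        if have is None:
            findings.append("%s: missing from vendor data (upstream generation %d)" % (name, want))
        elif have < want:
            findings.append("%s: generation %d is below upstream generation %d" % (name, have, want))
    return findings
```

Run `check_override()` on the vendor file against the upstream sbat.csv of the shim release being built; an empty result means the override keeps every upstream component at its upstream generation or newer.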

@amzdev0401
Author

amzdev0401 commented Sep 13, 2022

Thank you for the review. I have updated the changes you mentioned.
Please let us know if any changes are needed.

your embedded cert is very basic, I'd expect you to have trouble
with it. You've set none of the options that we'd normally expect to
see. I'd suggest you use openssl x509 to have a look at the
options set on the certs used by other distributors.
- New openssl certificate has been generated and used in SHIM build.

You're not doing the right thing with shim SBAT data. You've added a
sbast.csv which overrides the built-in sbat data, so you end up with
SBAT level 1 rather than 2.
- SBAT level 2 file has been used and respective change done in docker file also.

In the kernel patch questions, you've just said "no" about commit
eadb2f47a3ced5c64b23b90fd2a3463f63726066. Please explain how you're
not vulnerable to the related security problem here.
- CONFIG_DEBUG_KERNEL is not enabled in our Linux kernel, so this patch is not applied.

If you're using grub 2.06 straight from upstream with no additional
patches, then you're still vulnerable to the latest set of grub
security issues from June 2022. That needs fixing.
- GRUB2 was cloned from https://github.com/rhboot/grub2.git and the latest
commit, 69edb31205602c29293a8c6e67363bba2a4a1e66 (11 August 2022), is used to build GRUB2.

do you not support fwupd or similar?
- No

@amzdev0401
Author

Hello team, We have been waiting for a long time to get SHIM approval. Can you please expedite the review process?

@amzdev0401
Author

Hello team, we have been waiting for a long time to get SHIM approval. Can you please expedite the review process? Our product release is being delayed.

@amzdev0401
Author

@julian-klode, can you please review the shim? Is there anything we need to do from our side? Please let us know. Thank you.

@amzdev0401
Author

@steve-mcintyre Could you please review this shim? We have been waiting for this shim's approval for our product release.

@frozencemetery
Member

Please note #307

@frozencemetery frozencemetery added the bug Problem with the review that must be fixed before it will be accepted label Feb 16, 2023
@steve-mcintyre
Collaborator

Superseded by #321
