-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SUSE Liberty Linux 7 #450
Comments
The repository isn't a direct for fork because LFS doesn't work for forks. |
Contact verification already completed previously |
Sorry to bump this issue, but is there anything missing that we need to provide from our side? |
Review of
|
Thank you for your review!
CentOS7 is EOL now and won't receive any updates, publicly available container images of it had URLs to CentOS repos broken (as it had been moved to the vault). That's why we decided to use our own chroot inside podman.
Versions of fwupd/fwupdate currently used in SLL7 match CentOS7 and are legacy pre-SBAT ones
SUSE is maintaining this kernel in the scope of the LTSS program for SUSE Liberty Linux 7. |
@jsegitz thanks for the clarifications.
Are you currently signing those? Do you have a strategy to revoke them easily, i.e. separate signing certificate? |
@jason-rodri @iokomin can maybe you or one from your team have a look at this, as you are probably the ones most familiar with this? |
Unfortunately, SLL7 is using the single certificate for everything UEFI related. Thus, for now we may either ban the binaries via DBX or rotate the signatures. It's LTS for an old distro, so some of the choices are not in line with current best practices anymore |
@jsegitz I'm not sure I understand your concern and why DBX/certificate rotation would be needed. |
SUSE is a well known Linux vendor ShimUses upstream 15.8 and source hashes matches original hashes
Includes one patch: Build is reproducible:
NX is not enabled
slesecurebootca.cer
GrubSBAT looks fine (keeps upstream centos grub2) KernelEphemeral keys are used for signing kernel modules |
(Back from the holidays) Thanks for the second review. Looks to me like we're good here, correct? Regarding @iokomin comments: Yes, that should work |
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/jsegitz/shim-review-nonfork/tree/SUSE-SLL7-x64-ia32-20241112
What is the SHA256 hash of your final SHIM binary?
Output from sha256sum:
$ sha256sum shimia32.efi
7620c859572a45524f36ef89bedaa05b05f0f3a9daefca4566b19516cef4ae9c ./shimia32.efi
$ sha256sum shimx64.efi
36b17db9300b8e90c11e86ec646b5b3975bfaf834ec10ecb2954bd49136fa8c1 ./shimx64.efi
Output from pesign:
$ pesign --hash --padding --in=shimia32.efi
hash: 800377346f8461fa5f85a41aebc1c41f4dab86f7356f3b43f82277f26a4c622d
$ pesign --hash --padding --in=shimx64.efi
hash: 8ed0ca1a25fd7bf38f03a9cdb350673f3dc62ea9e18daee365c9024df381abf1
What is the link to your previous shim review request (if any, otherwise N/A)?
#183
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
#419
The text was updated successfully, but these errors were encountered: