Shim 15.8 for Blancco #444

Open
8 tasks done
evilteq opened this issue Sep 27, 2024 · 1 comment

Labels
contacts verified OK Contact verification is complete here (or in an earlier submission)

evilteq commented Sep 27, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/evilteq/shim-review/tree/blancco-shim-15.8-ia32_x64_aa64-20240927


What is the SHA256 hash of your final SHIM binary?


67e69ba6aa0e789cd14048e9859aa16149d4741a1cff4be8960d4081c2583606  shimia32.efi
7d542b736364c3f614c0f7edb44d6f80f6535032ebee3eb2bcb03001b1953b3e  shimia32.nx.efi
8605e469427de5e75e36adc9a706ce9de1c51f8d0a6bc6259b3a6bcea5517075  shimx64.efi
90290dec09ba33b6bd61c93840dbb0d1355f6fb88c277d041f0c6515ff7f1c1c  shimx64.nx.efi
38a7caf9b5067bc552331ed54d9fb727f6305c26099978add7d663d2eccb51b8  shimaa64.efi
874b81c48dc218c62a5c49e1c23d371b394bc02b090ff38540b384c84a18c961  shimaa64.nx.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


#290 #9


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


#290

steve-mcintyre added the "contacts verified OK" label Sep 29, 2024

lorddoskias commented Sep 30, 2024

  • Build reproduces for x86:
#14 0.277 67e69ba6aa0e789cd14048e9859aa16149d4741a1cff4be8960d4081c2583606  /build/output/shimia32.efi
#14 0.278 7d542b736364c3f614c0f7edb44d6f80f6535032ebee3eb2bcb03001b1953b3e  /build/output/shimia32.nx.efi
#14 0.279 8605e469427de5e75e36adc9a706ce9de1c51f8d0a6bc6259b3a6bcea5517075  /build/output/shimx64.efi
#14 0.280 90290dec09ba33b6bd61c93840dbb0d1355f6fb88c277d041f0c6515ff7f1c1c  /build/output/shimx64.nx.efi
  • Includes valid certificate:

    - Subject: CN = Blancco Secure Boot CA 2022, OU = Secure Boot, O = Blancco Technology Group IP Oy, C = FI 
    - Validity
          Not Before: Nov 11 12:06:43 2022 GMT
          Not After : Nov  8 12:06:43 2032 GMT
    
    - Certificate is kept from previous review #290
    
  • Keys are protected in an HSM with restricted physical access

  • SBAT data looks valid

  • The only change is to the build system to preprocess shim.nx.efi, mm.efi, fb.efi with the -n flag

  • Upstream 15.8 shim is used, checksum of downloaded file is verified in the container

  • Security contacts are the same as previous Blancco Shim 15.7 for x64 & ia32 #290 submissions

  • grub2 used has changed since last submission; it's now based off Ubuntu. The modules used are the same as in Blancco Shim 15.7 for x64 & ia32 #290.
