Shim 15.8 for ZeronsoftN #408

Closed
8 tasks done
joseph-zeronsoftn opened this issue Apr 4, 2024 · 10 comments
Labels: accepted (Submission is ready for sysdev); contacts verified OK (Contact verification is complete here or in an earlier submission)

Comments


joseph-zeronsoftn commented Apr 4, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/zeronsoftn/shim-review/tree/zeronsoftn-shim-x86_64_ia32_aarch64-20240409


What is the SHA256 hash of your final SHIM binary?


f6be6f0ab0bfe8896b19785143cc9595b9d8b0f124492537a02034ea3e6a75df  shimaa64.efi
f903dab7a5a95157f9d68c5d8dddfe835b2fa03d9f63797a4b0c464265662429  shimia32.efi
6d16b244f8901cdf3c2abc27172390a3e7bf752bbb096c62b12eac4f3917c8f4  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


#147

@es-fabricemarie

I'm not an official reviewer, but I just want to help the official reviewers with some of the load

  • build uses official 15.8 tarball and no patch

  • build is reproducible

  • shim shasums match:

    6d16b244f8901cdf3c2abc27172390a3e7bf752bbb096c62b12eac4f3917c8f4  shimx64.efi
    f903dab7a5a95157f9d68c5d8dddfe835b2fa03d9f63797a4b0c464265662429  shimia32.efi
    f6be6f0ab0bfe8896b19785143cc9595b9d8b0f124492537a02034ea3e6a75df  shimaa64.efi
    
  • certificate:

    • valid for 7 years, 2048 bit RSA
    • issued to CN = ZeronsoftN Secure Boot Signing (2022), OU = Secure Boot, O = ZeronsoftN, C = KR
  • shim sbat section looks appropriate

    objcopy -j .sbat -O binary review/shimx64.efi /dev/stdout
    
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
    shim.zeronsoftn,1,ZeronsoftN,shim,15.8-0zeron1,https://github.com/zeronsoftn/shim-release
    
  • grub sbat section mentioned looks appropriate

  • NX compat is disabled

    objdump -p review/shimx64.efi  | grep DllCharacteristics
    
    DllCharacteristics      00000000
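The two header checks in the review comment above (dumping the `.sbat` section with `objcopy` and reading `DllCharacteristics` with `objdump`) can be reproduced offline by parsing the PE headers directly. The following is an added example, not code from shim-review or from ZeronsoftN's build; it constructs a minimal PE32+ fixture carrying the SBAT rows quoted above (a constructed test image, not a real shim binary) and reports the same facts a reviewer looks for: the SHA256 digest, whether the NX_COMPAT bit (0x0100) is set, and the parsed SBAT entries including the vendor-specific row.

```python
"""Offline reproduction of two reviewer checks: the .sbat section contents
(what `objcopy -j .sbat -O binary` prints) and the NX-compat bit in
DllCharacteristics (what `objdump -p | grep DllCharacteristics` shows),
done by parsing the PE headers directly.  Added example, not shim-review code."""
import csv
import hashlib
import io
import struct
from typing import List, NamedTuple, Optional

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # the flag objdump reports as NX_COMPAT

# SBAT rows as quoted in the review comment above.
SBAT_FROM_REVIEW = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.zeronsoftn,1,ZeronsoftN,shim,15.8-0zeron1,https://github.com/zeronsoftn/shim-release\n"
)


class SbatEntry(NamedTuple):
    component: str
    generation: int
    vendor: str
    package: str
    version: str
    url: str


def _pe_layout(pe: bytes):
    """Return (optional_header_offset, first_section_header_offset, section_count)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20  # the COFF file header is 20 bytes
    return opt, opt + opt_size, nsections


def dll_characteristics(pe: bytes) -> int:
    """DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+."""
    opt, _, _ = _pe_layout(pe)
    return struct.unpack_from("<H", pe, opt + 70)[0]


def nx_compat_enabled(pe: bytes) -> bool:
    return bool(dll_characteristics(pe) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def section_data(pe: bytes, name: str) -> Optional[bytes]:
    """Raw bytes of a named section with trailing file-alignment padding stripped."""
    _, sect, nsections = _pe_layout(pe)
    for i in range(nsections):
        hdr = sect + 40 * i  # each section header is 40 bytes
        sname = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if sname == name:
            return pe[raw_ptr:raw_ptr + raw_size].rstrip(b"\0")
    return None


def parse_sbat(data: bytes) -> List[SbatEntry]:
    """Parse the CSV rows of a .sbat section; every row must have exactly six fields."""
    entries = []
    for row in csv.reader(io.StringIO(data.decode("utf-8"))):
        if not row:
            continue
        if len(row) != 6:
            raise ValueError(f"malformed SBAT row: {row!r}")
        entries.append(SbatEntry(row[0], int(row[1]), row[2], row[3], row[4], row[5]))
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_fake_shim(dll_chars: int, sbat_text: str) -> bytes:
    """Construct a minimal PE32+ image with one .sbat section (test fixture, not a real shim)."""
    sbat = sbat_text.encode()
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    opt = bytearray(112)                    # PE32+ optional header without data directories
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x0002)
    sect = struct.pack("<8sIIIIIIHHI", b".sbat", len(sbat), 0x1000, len(sbat), 512,
                       0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    padded_len = ((len(sbat) + 511) // 512) * 512
    return header.ljust(512, b"\0") + sbat.ljust(padded_len, b"\0")


def review_checks(pe: bytes) -> dict:
    """The reviewer's header checks as a dict a script can assert on."""
    raw = section_data(pe, ".sbat")
    entries = parse_sbat(raw) if raw is not None else []
    return {
        "sha256": sha256_hex(pe),
        "dll_characteristics": dll_characteristics(pe),
        "nx_compat": nx_compat_enabled(pe),
        "sbat": entries,
        "vendor_entries": [e for e in entries if e.component not in ("sbat", "shim")],
    }


if __name__ == "__main__":
    image = build_fake_shim(0x0000, SBAT_FROM_REVIEW)  # DllCharacteristics 0, as in the review
    for key, value in review_checks(image).items():
        print(key, value)
```

On a real binary, read the file bytes and pass them to `review_checks` instead of `build_fake_shim`; the parser only relies on the documented PE layout, so it handles PE32 (ia32) and PE32+ (x64, aarch64) images alike.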
    

@aronowski aronowski self-assigned this May 13, 2024
@aronowski
Collaborator

Huge thanks to @es-fabricemarie for the help!

The application itself seems alright and I'm willing to accept it, but the contact verification thing worries me - here I can see the information that security contacts haven't changed since the last review, but I can't find the application, where the current public keys have been verified. Can you point me to that one?

@steve-mcintyre
Collaborator

steve-mcintyre commented May 29, 2024

I accepted the previous shim in #147, but we never did formal contact verification. Let's do it now.

  • Mail on the way to Joseph
  • The key for Hyunduk Choi is problematic - it's expired, and it does not include support for encryption, so we can't verify. Please update or generate a new key to fix these issues

@steve-mcintyre steve-mcintyre added the labels "contact verification pending" (Contact verification emails have been sent, waiting on response) and "bug" (Problem with the review that must be fixed before it will be accepted) May 29, 2024
@jclab-joseph

@steve-mcintyre

Penney codicils smells invalidity Washingtonian credulous Peterson godhood nags rajah

Note that I received the email below:

Please quote the following words in
#423

Choi updated its expiration date.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: User-ID:	hdchoi <hyunduk.choi@gmail.com>
Comment: Created:	2019-07-03 오후 3:41
Comment: Expires:	2030-01-26 오후 12:00
Comment: Type:	2048-bit RSA (secret key available)
Comment: Usage:	Signing, Certifying User-IDs
Comment: Fingerprint:	9EB34B7D9C9F81A3E8484EF0229E2B9F84ECE2AC

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=cS/z
-----END PGP PUBLIC KEY BLOCK-----

@steve-mcintyre
Collaborator

@jclab-joseph your words are correct, thanks.

I still can't send encrypted mail to Choi - they need to add an encryption subkey too.

@jclab-joseph

@steve-mcintyre

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: User-ID:	hdchoi <hyunduk.choi@gmail.com>
Comment: Created:	2019-07-03 오후 3:41
Comment: Expires:	2030-01-26 오후 12:00
Comment: Type:	2048-bit RSA (secret key available)
Comment: Usage:	Signing, Encryption, Certifying User-IDs
Comment: Fingerprint:	9EB34B7D9C9F81A3E8484EF0229E2B9F84ECE2AC

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=yZXM
-----END PGP PUBLIC KEY BLOCK-----

https://keyserver.ubuntu.com/pks/lookup?search=9EB34B7D9C9F81A3E8484EF0229E2B9F84ECE2AC&fingerprint=on&op=index

@steve-mcintyre
Collaborator

Mail sent to Choi now.

@jclab-joseph

jclab-joseph commented May 31, 2024

@steve-mcintyre Choi said: interring Anthony captivation recompensed appalls plaint degenerates seabird tempestuous anesthetizes

@steve-mcintyre steve-mcintyre added the label "contacts verified OK" (Contact verification is complete here or in an earlier submission) and removed the labels "contact verification pending" (Contact verification emails have been sent, waiting on response) and "bug" (Problem with the review that must be fixed before it will be accepted) May 31, 2024
@aronowski aronowski added the accepted Submission is ready for sysdev label Jun 10, 2024
@aronowski aronowski removed their assignment Jun 10, 2024
@aronowski
Collaborator

Pinging for a notification on the accepted label.

@jclab-joseph

@aronowski @steve-mcintyre @es-fabricemarie
Thank you so much everyone!
