
shim 15.8 for opsi #428

Open
8 tasks done
uibmz opened this issue Jun 18, 2024 · 3 comments
Labels
blocked Blocked on upstream / other project contacts verified OK Contact verification is complete here (or in an earlier submission)

Comments

uibmz commented Jun 18, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/opsi-org/shim-review/releases/tag/opsi-shim-x86_64-20240618

What is the SHA256 hash of your final SHIM binary?

9c447ae6ee1010eb19645c9479cb47c35eb4afab8b3b36eda586112c1a68c19e

What is the link to your previous shim review request (if any, otherwise N/A)?

#360
#245
#29

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

Security contacts haven't changed
#245

@steve-mcintyre steve-mcintyre added the contacts verified OK Contact verification is complete here (or in an earlier submission) label Jun 18, 2024
THS-on (Collaborator) commented Jul 22, 2024

We generally only accept minimal patches (such as adding more revocations), so let us know once rhboot/shim#666 makes it upstream or gets reviewed by one of the shim developers.

@THS-on THS-on added the blocked Blocked on upstream / other project label Jul 29, 2024
steve-mcintyre (Collaborator) commented:

@vathpela could you take a look at the patches here please? (rhboot/shim#666)

dbnicholson commented:

> @vathpela could you take a look at the patches here please? (rhboot/shim#666)

I'm obviously not @vathpela, but I did take a look at the patch. I don't know if that's really the best way to handle the problem, but it's addressing a real bug in shim. Currently, if you try to load a non-existent second stage from disk, you get EFI_NOT_FOUND and shim automatically tries to load the default second stage (grub). However, if you try to fetch a non-existent second stage from a server, you'll get a different error and shim won't try the default second stage.

Since shim is already set up to try the default second stage and it still goes through all the same verification, I don't think there's any harm in also trying it when a network server returns an error trying to fetch the specified second stage. The patch has been there for 3 months and received no response.
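
The fallback behaviour described in the comment above, as an added example; this is not shim's code and not the patch in rhboot/shim#666. The status values follow the UEFI error encoding, the "disk" and "server" response tables are constructed sample data, the default loader name is assumed, and the rule of never falling back on EFI_SECURITY_VIOLATION is this model's own choice rather than a claim about the patch. The `extended` flag switches between the current behaviour (fall back only on EFI_NOT_FOUND) and the proposed one (also fall back on network fetch errors).

```c
/*
 * Added example (not shim's code and not the patch in rhboot/shim#666):
 * a simplified model of the second-stage fallback decision discussed in
 * the comment above. Status values use the UEFI error encoding; the
 * "disk" and "server" tables are constructed sample data.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t EFI_STATUS;
#define EFI_ERR(n)             (((EFI_STATUS)1 << 63) | (n))
#define EFI_SUCCESS            ((EFI_STATUS)0)
#define EFI_NOT_FOUND          EFI_ERR(14)
#define EFI_TFTP_ERROR         EFI_ERR(20)
#define EFI_SECURITY_VIOLATION EFI_ERR(26)
#define EFI_HTTP_ERROR         EFI_ERR(35)

/* Assumed default second-stage name; shim's real default is set at build time. */
#define DEFAULT_LOADER "grubx64.efi"

typedef struct {
    const char *path;
    EFI_STATUS  status; /* what fetching + verifying this path yields */
} fetch_entry;

/* Constructed sample: what a local ESP and a PXE/HTTP server answer. */
static const fetch_entry disk_entries[] = {
    { "grubx64.efi",  EFI_SUCCESS },
    { "custom.efi",   EFI_NOT_FOUND },          /* file absent on disk */
    { "unsigned.efi", EFI_SECURITY_VIOLATION }, /* present, fails verification */
};
static const fetch_entry net_entries[] = {
    { "grubx64.efi",  EFI_SUCCESS },
    { "custom.efi",   EFI_TFTP_ERROR },         /* server reports an error */
    { "unsigned.efi", EFI_SECURITY_VIOLATION },
};

static EFI_STATUS simulated_fetch(bool from_network, const char *path)
{
    const fetch_entry *tbl = from_network ? net_entries : disk_entries;
    size_t n = from_network ? sizeof net_entries / sizeof net_entries[0]
                            : sizeof disk_entries / sizeof disk_entries[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].path, path) == 0)
            return tbl[i].status;
    /* Unknown names: a filesystem says "not found", a server errors out. */
    return from_network ? EFI_HTTP_ERROR : EFI_NOT_FOUND;
}

/*
 * Should a failed load of the requested second stage be retried with the
 * default loader?  extended == false: only EFI_NOT_FOUND triggers the
 * fallback (the behaviour the comment describes as current).  extended ==
 * true: network fetch errors trigger it too (the behaviour the comment
 * argues for).  Never falling back on EFI_SECURITY_VIOLATION is this
 * model's own choice, so a verification failure is not papered over.
 */
bool should_fall_back(EFI_STATUS st, bool from_network, bool extended)
{
    if (st == EFI_SUCCESS || st == EFI_SECURITY_VIOLATION)
        return false;
    if (st == EFI_NOT_FOUND)
        return true;
    return extended && from_network;
}

/* Returns the name of the image that ended up loaded, or NULL on failure. */
const char *load_second_stage(const char *requested, bool from_network, bool extended)
{
    EFI_STATUS st = simulated_fetch(from_network, requested);
    if (st == EFI_SUCCESS)
        return requested;
    if (!should_fall_back(st, from_network, extended))
        return NULL;
    /* The default goes through exactly the same fetch + verification path. */
    st = simulated_fetch(from_network, DEFAULT_LOADER);
    return st == EFI_SUCCESS ? DEFAULT_LOADER : NULL;
}

int main(void)
{
    const char *names[] = { "custom.efi", "unsigned.efi", "grubx64.efi" };
    for (int net = 0; net < 2; net++)
        for (int ext = 0; ext < 2; ext++)
            for (size_t i = 0; i < 3; i++) {
                const char *got = load_second_stage(names[i], net, ext);
                printf("%-7s extended=%d %-13s -> %s\n", net ? "network" : "disk",
                       ext, names[i], got ? got : "boot fails");
            }
    return 0;
}
```

Running it shows the asymmetry the comment points out: a missing `custom.efi` on disk falls through to `grubx64.efi` in both modes, while the same name fetched from the server only falls through when `extended` is set; `unsigned.efi` fails the boot in every mode because the model refuses to mask a verification failure.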
