Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

shim-15.6 for opsi #245

Closed
8 tasks done
uibmz opened this issue Jun 10, 2022 · 15 comments
Closed
8 tasks done

shim-15.6 for opsi #245

uibmz opened this issue Jun 10, 2022 · 15 comments
Labels
accepted Submission is ready for sysdev

Comments

@uibmz
Copy link

uibmz commented Jun 10, 2022
edited
Loading

Confirm the following are included in your repo, checking each box:

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/opsi-org/shim-review/releases/tag/opsi-shim-x86_64-20220624

What is the SHA256 hash of your final SHIM binary?

03d6dab2afd15b969af65e3d33416032382bec6d03ea952e0fc37f82830ac2ee
˝
@uibmz
Copy link
Author

uibmz commented Jun 14, 2022

Our previously accepted shim
#29

@frozencemetery
Copy link
Member

@cyphermox was contact verification previously carried out for opsi?

@uibmz
Copy link
Author

uibmz commented Jul 7, 2022

No the contact verification was not carried out @frozencemetery
Our last submission that the "contact verification needed" tag but was closed because of the last CVEs

@frozencemetery frozencemetery added the contact verification needed Contact verification is needed for this review label Jul 7, 2022
@frozencemetery
Copy link
Member

frozencemetery commented Jul 7, 2022
edited
Loading

Thanks, looks like that was #224. I'm sending some words to yinz; please post them here once you receive them.

@uibmz
Copy link
Author

uibmz commented Jul 7, 2022

The words [email protected] received were

fjernavlese
orddelingsposisjonenes
frihandelsområda
klosterkjerkene
objektivert
formannskapsflertallet
arbeidsmarkedspolitikk
sangkonkurransen
gjennomsnittsøkningens
kildestoffets
eneomsorgen
minstesikringen
klattmalerer

@uibmz
Copy link
Author

uibmz commented Jul 7, 2022

the words [email protected] received were

frokostserveringer
dispersjons
miljøterapeutiske
svaberg
overdekkende
mammakjole
fagforeningsfløyene
underlivsundersøkelsen
konkursjegeren
forhåndsinnstillinga
sjansefattigere
dekorasjonen
kurse

@frozencemetery
Copy link
Member

Those are the correct words; verified for both.

@frozencemetery frozencemetery removed the contact verification needed Contact verification is needed for this review label Jul 7, 2022
@uibmz
Copy link
Author

uibmz commented Aug 3, 2022

Anything we can to to aid with the whole process?
Any more information needed?

@steve-mcintyre
Copy link
Collaborator

Looking at this, lots of good stuff:

  • build reproduces fine
  • SBAT entries look ok to me
  • embedded CA cert runs to 2032, looks ok
  • grub taken from Debian's 2.06-3, which is OK AFAIK!
  • trivial shim patch looks ok
  • kernels sound ok

Some things to follow up on:

  • tell us more about your replacement bootloader please

@uibmz
Copy link
Author

uibmz commented Aug 8, 2022

For the time being, we still use Grub 2.06.
We are tinkering around with iPXE currently as it has HTTPS support and we would like to ditch TFTP for large files like our bootimage. For now this is just some experimental work. We just wanted to change the name, in case we will change the bootloader. So customers and users won't be annoyed by reading grubx64.efi and seeing another bootloader configs or menus.

@julian-klode
Copy link
Collaborator

julian-klode commented Aug 8, 2022
edited
Loading

I can tell you right now that it's very unlikely you'd get a shim signed that can load iPXE.

Many grub vendors (Ubuntu, Fedora, openSUSE) have incorporated the patches from openSUSE to enable UEFI network protocols into grub, which gives you HTTPS support (on UEFI platforms). That's a signable secure boot HTTPS boot path.

I don't think anybody has asked for that in Debian yet, I certainly haven't pushed it there from Ubuntu yet. I guess I could.

I think all grubs support HTTP which is still better than TFTP. Presumably better than HTTPS as it makes it clear where the security boundaries are. With HTTPS it's unclear how much trust is placed in certificates, where they come from, or if they are validated at all.

@uibmz
Copy link
Author

uibmz commented Aug 8, 2022
edited
Loading

Thank you for the info @julian-klode. We will look into this.

As said, For now this is just some tinkering and no final decisions have been made. We are still running with grub2 though.

@steve-mcintyre
Copy link
Collaborator

I have to agree with @julian-klode here. Until people have done a full SB review of the ipxe codebase, I'm afraid it's not an option from the shim-review point of view. If you acknowledge that, we can progress here.

Apologies if that sounds harsh, but we're responsible for maintaining the SB security chain for everybody. :-/

@uibmz
Copy link
Author

uibmz commented Aug 9, 2022

If there is no option, then yes we acknowledge this fact. We can then progress and we will use grub2 only.

We understand that the security chain has to be maintained and secured.

@steve-mcintyre
Copy link
Collaborator

ok, then I think you're ready to go

@steve-mcintyre steve-mcintyre added the accepted Submission is ready for sysdev label Aug 11, 2022
@uibmz uibmz closed this as completed Sep 6, 2022
@uibmz uibmz mentioned this issue Jan 9, 2023
Closed
6 tasks
@uibmz uibmz mentioned this issue Dec 21, 2023
Closed
8 tasks
@uibmz uibmz mentioned this issue Jun 18, 2024
Closed
8 tasks
@uibmz uibmz mentioned this issue Jan 28, 2025
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
accepted Submission is ready for sysdev
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@frozencemetery @julian-klode @uibmz @steve-mcintyre