
Shim 15.6 for ChromeOS Flex #256

Closed
8 tasks done
nicholasbishop opened this issue Jun 28, 2022 · 5 comments
Labels
accepted Submission is ready for sysdev

Comments

@nicholasbishop
Contributor

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://chromium.googlesource.com/chromiumos/shim-review/+/refs/tags/google-shim-20220627

What is the SHA256 hash of your final SHIM binary?

0fcef16c44af02cf586200c93bccec6c5776591c01f7317b62a45d1d5f91361e  shimia32.efi
bcd526a9a726680f9ac6334c99aa1fb53a6f6228f65251dfda59e18cece0052f  shimx64.efi

@tSU-RooT

Disclaimer: I am not an authorized reviewer.
Hi, I have checked the points below.

  • Reproducibility
    Build is reproducible from Fedora 35.
    Package versions are:
    gcc: 11.3.1-2.fc35
    binutils: 2.37-17.fc35
  • Content of certificate file
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:88:ba:db:66:21:7a:7a:e6:32:7f:47:90:6c:40:b6:99:fe:45:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = CA, L = Mountain View, O = Google Inc., CN = Google Chrome OS Business Unit
        Validity
            Not Before: Jul 22 15:58:26 2021 GMT
            Not After : Jul 22 15:58:26 2026 GMT
        Subject: C = US, ST = CA, L = Mountain View, O = Google Inc., CN = Google Chrome OS Business Unit

I think it's OK.
The expiry period is under 5 years.

  • Private key management

Storing private key in HSM looks reasonable.

  • Kernel patches

> If your boot chain of trust includes a Linux kernel:
> Is upstream commit 1957a85b0032a81e6482ca4aab883643b8dae06e “efi: Restrict efivar_ssdt_load when the kernel is locked down” applied?
> Is upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 “ACPI: configfs: Disallow loading ACPI tables when locked down” applied?
> Is upstream commit eadb2f47a3ced5c64b23b90fd2a3463f63726066 “lockdown: also lock down previous kgdb use” applied?
>
> Yes, all three commits are in the chromeos-5.10 branch our kernel is built from: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/heads/chromeos-5.10

The first two commits are included in the 5.10 Linux kernel.
For the last commit, I found the backporting commit:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a8f4d63142f947cd22fa615b8b3b8921cdaf4991
So I think it's OK.

  • Grub2 patches look OK (almost all backports).
  • SBAT in the shim binary looks OK.
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.chromeos,2,ChromeOS,shim,15.6,https://chromium.googlesource.com/chromiumos/shim-review

Question:
build_log.txt is the log of podman on Fedora.
Is the actual build log of the ebuild not available?
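As an added example (not code from this thread, from the ChromeOS submission, or from rhboot/shim), the two checks the review above does by eye can be scripted: parsing the SBAT CSV that shim carries in its .sbat section and confirming its shape, and measuring the embedded certificate's validity window against the five-year bound the review applies. The sample SBAT lines and the certificate dates are copied from the thread; the function names, the field names and the "five years plus two leap days" threshold are my own assumptions.

```python
# Added example: reviewer-side checks for a shim submission (SBAT section shape
# and certificate validity window). Not from the thread or from rhboot/shim;
# function names, field names and thresholds are assumptions.
import csv
import io
from datetime import datetime

# Constructed sample: the CSV a reviewer dumps from shim's .sbat section
# (for example `objcopy -O binary --only-section=.sbat shimx64.efi sbat.csv`);
# these lines copy the SBAT entries quoted in the review above.
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.chromeos,2,ChromeOS,shim,15.6,https://chromium.googlesource.com/chromiumos/shim-review\n"
)

# Column names (assumed labels) for the six SBAT CSV fields:
# component, generation, vendor, package, version, URL.
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(text):
    """Parse SBAT CSV text into a list of dicts; reject malformed rows."""
    entries = []
    # A raw section dump may carry NUL padding; drop it before parsing.
    for row in csv.reader(io.StringIO(text.replace("\x00", ""))):
        if not row:  # blank line
            continue
        if len(row) != len(SBAT_FIELDS):
            raise ValueError(f"expected {len(SBAT_FIELDS)} fields, got {len(row)}: {row}")
        entry = dict(zip(SBAT_FIELDS, row))
        if not entry["component_generation"].isdigit():
            raise ValueError(f"non-numeric generation in {row}")
        entry["component_generation"] = int(entry["component_generation"])
        entries.append(entry)
    return entries


def check_sbat(entries, shim_version):
    """Return a list of findings for a shim SBAT section; an empty list means OK.

    Checks: the 'sbat' header entry comes first with generation 1, an upstream
    'shim' entry is present, exactly one vendor entry named shim.<vendor> exists
    and its vendor_version matches the submitted shim version, component names
    are unique, and every URL is https.
    """
    findings = []
    names = [e["component_name"] for e in entries]
    if not entries or names[0] != "sbat" or entries[0]["component_generation"] != 1:
        findings.append("first entry must be 'sbat' with generation 1")
    if "shim" not in names:
        findings.append("no upstream 'shim' entry")
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        findings.append("duplicate component names: " + ", ".join(dupes))
    vendor = [e for e in entries if e["component_name"].startswith("shim.")]
    if len(vendor) != 1:
        findings.append(f"expected exactly one shim.<vendor> entry, found {len(vendor)}")
    for e in vendor:
        if e["vendor_version"] != shim_version:
            findings.append(f"{e['component_name']} version {e['vendor_version']} "
                            f"!= submitted {shim_version}")
    for e in entries:
        if not e["vendor_url"].startswith("https://"):
            findings.append(f"{e['component_name']}: URL is not https: {e['vendor_url']}")
    return findings


def cert_validity_days(not_before, not_after):
    """Days between the Not Before / Not After values as printed by
    `openssl x509 -noout -dates` (e.g. 'Jul 22 15:58:26 2021 GMT')."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    # openssl pads single-digit days with a space ('Jul  2 ...'); normalise it.
    nb = datetime.strptime(" ".join(not_before.split()), fmt)
    na = datetime.strptime(" ".join(not_after.split()), fmt)
    return (na - nb).days


# Assumed threshold: the review states the bound as "5 years"; two extra days
# cover leap days inside the window.
MAX_CERT_DAYS = 5 * 365 + 2


def cert_validity_ok(not_before, not_after):
    """True when the validity window is positive and at most five years."""
    return 0 < cert_validity_days(not_before, not_after) <= MAX_CERT_DAYS


if __name__ == "__main__":
    entries = parse_sbat(SAMPLE_SBAT)
    for e in entries:
        print(f"{e['component_name']:<16} gen {e['component_generation']}  version {e['vendor_version']}")
    print("SBAT findings:", check_sbat(entries, shim_version="15.6") or "none")
    nb, na = "Jul 22 15:58:26 2021 GMT", "Jul 22 15:58:26 2026 GMT"
    print(f"certificate valid for {cert_validity_days(nb, na)} days;",
          "within 5 years" if cert_validity_ok(nb, na) else "exceeds 5 years")
```

To run this against a real submission, dump the section (`objcopy -O binary --only-section=.sbat shimx64.efi sbat.csv`) and the dates (`openssl x509 -in cert.der -inform DER -noout -dates`, taking the text after `notBefore=` and `notAfter=`), then pass those strings in; a non-empty findings list or a `False` from `cert_validity_ok` is something to raise in review.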

@nicholasbishop
Contributor Author

Thanks for your review!

> build_log.txt is the log of podman on Fedora.
> Is the actual build log of the ebuild not available?

This is the actual build log; we build our shim in that container.

We do have an ebuild that installs shim, but it just downloads the signed files from a bucket. We did it this way because it would be a pain for shim reviewers to set up a ChromeOS build chroot, and in the end the ebuild pretty much has to download a prebuilt file anyway since it needs to be the file signed by Microsoft.

@steve-mcintyre
Collaborator

Looking:

  • shim builds reproduce here ok
  • Embedded CA cert with 5-year expiry
  • SBAT data looks fine
  • shim from upstream, no patches
  • old revocations done ok
  • kernel sounds ok
  • already verified identities on earlier submissions
  • key managed in an HSM
  • tiny list of grub modules included - I'm surprised that's enough!
  • grub patches look ok

Looks good to go

@steve-mcintyre steve-mcintyre added the accepted Submission is ready for sysdev label Aug 15, 2022
@nicholasbishop
Contributor Author

Great, thanks for reviewing :)

@nicholasbishop
Contributor Author

Closing, we've received the signed shims back.
