
Shim 15.6 for Cisco PuzzleOS #262

Closed
8 tasks done
joylatten opened this issue Jul 8, 2022 · 21 comments
Labels
accepted Submission is ready for sysdev custom second-stage Second-stage image is not GRUB

Comments

@joylatten

joylatten commented Jul 8, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/puzzleos/shim-review/tree/puzzleos-shim-x86_64-20220706

What is the SHA256 hash of your final SHIM binary?

c44d3bff9c43a24b443a8ba48cf8963441291b48e44c6e427d628e8a05a64e46 shimx64.efi

@frozencemetery frozencemetery added the custom second-stage Second-stage image is not GRUB label Jul 8, 2022
@steve-mcintyre
Collaborator

Following on from #182 and #212, presumably.

@steve-mcintyre
Collaborator

Looking:

  • ID already done in Shim 15.4+patches for Cisco PuzzleOS #212
  • shim reproduces here
  • shim from upstream, no patches
  • SBAT data looks ok for shim
  • no issues with revocation, new certs
  • Complicated set of 3 embedded CA certs, each with huge lifetime (2071!) Thanks for at least showing how you generate the .esl file here!
  • HSM for key management
  • I remember looking at stubby before, looks ok
  • linux setup sounds ok
  • no grub

Queries:

  • You appear to be embedding multiple CA keys. I think I understand why you have multiple keys, but why is the CA bit set?

@steve-mcintyre steve-mcintyre added the question Reviewer(s) waiting on response label Aug 16, 2022
@joylatten
Author

Hi @steve-mcintyre,
That CA bit was set because of how certs were generated. The 3 certs will not be used as CAs.

@steve-mcintyre
Collaborator

Sorry, but that's a little disconcerting here for me. I'm always a bit worried to see things open wider than they need to be in this context.

@frozencemetery @julian-klode @vathpela what do you think here please?

@joylatten
Author

Sorry, meant to say they were generated as 3 self-signed CA certificates.

@frozencemetery
Member

At the very least I'd want it documented in the submission, which it currently isn't.

That CA bit was set because of how certs were generated.

I mean, sure, but why though? Why not generate them without that?

The 3 certs will not be used as CAs.

I would think this presents an auditability problem: sure, you don't want to, but they can be - nothing stops them from signing another cert.

Sorry, but that's a little disconcerting here for me. I'm always a bit worried to see things open wider than they need to be in this context.

I think I share this concern.

@joylatten
Author

joylatten commented Aug 29, 2022

We used self-signed CA certificates in the proposed shim simply out of convention and consistency. Most of the accepted shim requests we looked at had CA certificates.
We would like to continue the review with CA in place. If doing so is not an option, then we can patch our shim to embed self-signed certificates without the CA bit set.
Also, all 3 certs are generated and maintained via a corporate HSM with the same signing controls on each.

@joylatten
Author

joylatten commented Sep 2, 2022

@steve-mcintyre, @frozencemetery ,
I have patched (an additional commit) our shim to include our 3 self-signed certificates with the CA bit set to FALSE. This resulted in a new vendor_db.esl as well as a new shim hash which I have edited in the above checklist as well as in the ISSUE_TEMPLATE.md and in the README.md. I also included a sentence in the README.md referencing they are 3 self-signed certs with no CA.
Otherwise, nothing else changed.
Thanks for the review and feedback.
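One way for a reviewer to check this mechanically, as an added example that is not code from the thread or from the shim-review project: walk the vendor_db.esl as a sequence of EFI_SIGNATURE_LIST structures (layout per the UEFI spec), pull each X.509 entry out, and read the cA flag of its basicConstraints extension directly from the DER. The two sample certificates are constructed DER skeletons in Certificate shape (no real keys or signatures), just enough to exercise the check; on a real .esl only the parsing functions are needed.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # X.509 list type (UEFI spec)
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints, OID 2.5.29.19

def der_tlv(buf, pos):  # decode one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, pos, pos + length
def der_children(buf, start, end):  # TLVs packed back-to-back in buf[start:end]
    while start < end:
        yield (t := der_tlv(buf, start))
        start = t[2]
def ca_bit(cert_der):  # cA flag of basicConstraints: True/False, or None if the extension is absent
    tbs = der_tlv(cert_der, der_tlv(cert_der, 0)[1])  # Certificate -> tbsCertificate
    for tag, vstart, _ in der_children(cert_der, tbs[1], tbs[2]):
        if tag != 0xA3:  # extensions are the EXPLICIT [3] element of tbsCertificate
            continue
        for _, s, e in der_children(cert_der, *der_tlv(cert_der, vstart)[1:]):
            fields = list(der_children(cert_der, s, e))  # Extension: OID, [critical], OCTET STRING
            if cert_der[fields[0][1]:fields[0][2]] != BASIC_CONSTRAINTS_OID:
                continue
            # extnValue wraps BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen ... }
            inner = list(der_children(cert_der, *der_tlv(cert_der, fields[-1][1])[1:]))
            return bool(inner) and inner[0][0] == 0x01 and cert_der[inner[0][1]] != 0
    return None
def audit_vendor_db(esl):  # walk the EFI_SIGNATURE_LISTs -> [(owner GUID, cA)] per X.509 entry
    result, pos = [], 0
    while pos < len(esl):
        sig_type = uuid.UUID(bytes_le=bytes(esl[pos:pos + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", esl, pos + 16)
        entry = pos + 28 + hdr_size  # skip the 28-byte list header plus optional SignatureHeader
        while entry < pos + list_size:  # each entry: 16-byte SignatureOwner GUID + SignatureData
            if sig_type == EFI_CERT_X509_GUID:
                owner = str(uuid.UUID(bytes_le=bytes(esl[entry:entry + 16])))
                result.append((owner, ca_bit(bytes(esl[entry + 16:entry + sig_size]))))
            entry += sig_size
        pos += list_size
    return result
def tlv(tag, body):  # short-form DER encoder for the constructed samples below (bodies < 128 bytes)
    return bytes([tag, len(body)]) + body
def sample_cert(ca):  # constructed Certificate-shaped DER skeleton, not a real signed certificate
    bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")  # BasicConstraints: cA TRUE, or defaulted FALSE
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, bc))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext))))
SIGS = [uuid.UUID(int=0).bytes_le + sample_cert(ca) for ca in (True, False)]  # constructed entries, owner zeroed
VENDOR_DB_ESL = b"".join(EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(s), 0, len(s)) + s for s in SIGS)
```

Running audit_vendor_db on the constructed blob reports the first entry as CA:TRUE and the second as CA:FALSE, which is exactly the distinction the reviewers asked about.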

@joylatten
Author

Hi. Any new status?

@steve-mcintyre
Collaborator

Sorry to keep you waiting...

  • verified new shim build checksum
  • certs look good now, thanks

All done!

@steve-mcintyre steve-mcintyre added accepted Submission is ready for sysdev and removed question Reviewer(s) waiting on response labels Sep 7, 2022
@joylatten
Author

Thanks!

@frozencemetery
Member

@joylatten Did you receive a signed shim?

@frozencemetery
Member

Well, closing in any case due to #307

@joylatten
Author

@frozencemetery , unfortunately, we are waiting on Microsoft to sign our shim.
Is #307 going to be an issue for us in 15.6?

@joylatten
Author

joylatten commented Feb 17, 2023

Oh gosh, @frozencemetery, do I need to resubmit and use 15.7 with NX?

@steve-mcintyre
Collaborator

If you have to re-submit then yes, you'll need to do NX with 15.7. What state is your submission in on the MS partner site?

@joylatten
Author

joylatten commented Feb 17, 2023

@steve-mcintyre, it's in the review state.
I first submitted 10/25/2022, but the EV cert was incorrect, and so by the time I got that corrected and re-submitted it was January.

@steve-mcintyre
Collaborator

I think you may need to prod folks at MS about this then - normally things in "review" state get signed within a few days of the "accepted" label here.

@joylatten
Author

@steve-mcintyre, thanks, I will give it a try and cross my fingers. It has been in review for a few weeks now.
Do you think they may accept it with it being 15.6? I am assuming 15.6 did not have NX enabled...?

@steve-mcintyre
Collaborator

They have been happy to continue to sign things without nx, so long as they were submitted before the deadline.

@joylatten
Author

@steve-mcintyre, ok, thanks. Hopefully they will consider my first submission to be the same as the 2nd one, just with the EV cert incorrect.
