ddstreetmicrosoft
commented
5 months ago Hi, just checking if anything else is needed for this review.
Closed ddstreetmicrosoft closed 1 week ago
ddstreetmicrosoft
commented
5 months ago Hi, just checking if anything else is needed for this review.
THS-on
commented
5 months ago @ddstreetmicrosoft no don't think so. I gave it just an initial read and will do a complete review in the next few days. In the meantime it really helps us to speed up the queue if submitters review also other submissions.
THS-on
commented
4 months ago There seems something wrong with the gcc installation in the Dockerfile:
> [3/5] RUN <<-EOF (set -ex...):
0.287 ++ rpm -E %_arch
0.294 + export ARCH=x86_64
0.294 + ARCH=x86_64
0.294 + case $ARCH in
0.294 + PKGNAME=shim-unsigned-x64
0.294 + SHIMDIR=/usr/share/shim/15.8/x64
0.294 + SHIM=shimx64.efi
0.294 + tdnf install -y binutils-0:2.41-2.azl3 dos2unix-0:7.5.1-1.azl3 efivar-devel-0:39-1.azl3 gcc-0:13.2.0-4.azl3 git-0:2.42.0-2.azl3 glibc-devel-0:2.38-3.azl3 kernel-headers-0:6.6.29.1-3.azl3 make-0:4.4.1-1.azl3 openssl-devel-0:3.3.0-1.azl3 pesign-0:116-3.azl3 rpm-build-0:4.18.2-1.azl3 vim-extra-0:9.0.2190-2.azl3
0.306 Loaded plugin: tdnfrepogpgcheck
0.330 Refreshing metadata for: 'Azure Linux Official Microsoft Non-Open-Source Preview 3.0 x86_64'
2.054 Refreshing metadata for: 'Azure Linux Official Preview 3.0 x86_64'
6.143 gcc-0:13.2.0-4.azl3 package not found or not installed
6.143 Error(1011) : No matching packages
------
Dockerfile:4
--------------------
3 |
4 | >>> RUN <<-EOF
5 | >>> set -ex
6 | >>>
7 | >>> export ARCH=$(rpm -E %_arch)
8 | >>> case $ARCH in
9 | >>> x86_64)
10 | >>> PKGNAME=shim-unsigned-x64
11 | >>> SHIMDIR=/usr/share/shim/15.8/x64
12 | >>> SHIM=shimx64.efi
13 | >>> ;;
14 | >>> aarch64)
15 | >>> PKGNAME=shim-unsigned-aarch64
16 | >>> SHIMDIR=/usr/share/shim/15.8/aa64
17 | >>> SHIM=shimaa64.efi
18 | >>> ;;
19 | >>> *)
20 | >>> echo "Invalid arch: $ARCH"
21 | >>> false
22 | >>> ;;
23 | >>> esac
24 | >>>
25 | >>> tdnf install -y binutils-0:2.41-2.azl3 \
26 | >>> dos2unix-0:7.5.1-1.azl3 \
27 | >>> efivar-devel-0:39-1.azl3 \
28 | >>> gcc-0:13.2.0-4.azl3 \
29 | >>> git-0:2.42.0-2.azl3 \
30 | >>> glibc-devel-0:2.38-3.azl3 \
31 | >>> kernel-headers-0:6.6.29.1-3.azl3 \
32 | >>> make-0:4.4.1-1.azl3 \
33 | >>> openssl-devel-0:3.3.0-1.azl3 \
34 | >>> pesign-0:116-3.azl3 \
35 | >>> rpm-build-0:4.18.2-1.azl3 \
36 | >>> vim-extra-0:9.0.2190-2.azl3
37 | >>>
38 | >>> rpm -iv /${PKGNAME}-*.src.rpm
39 | >>> rpmbuild -bb /usr/src/azl/SPECS/${PKGNAME}.spec
40 | >>> rpm -iv /usr/src/azl/RPMS/${ARCH}/${PKGNAME}-*.${ARCH}.rpm
41 | >>> sha256sum ${SHIMDIR}/${SHIM} /${SHIM} > /shim.sha256
42 | >>> cmp ${SHIMDIR}/${SHIM} /${SHIM}
43 | >>> objcopy -O binary -j .sbat ${SHIMDIR}/${SHIM} /shim-sbat
44 | >>> EOF
45 |
--------------------
ERROR: failed to solve: process "/bin/sh -c set -ex\n\n export ARCH=$(rpm -E %_arch)\n case $ARCH in\n x86_64)\n PKGNAME=shim-unsigned-x64\n SHIMDIR=/usr/share/shim/15.8/x64\n SHIM=shimx64.efi\n ;;\n aarch64)\n PKGNAME=shim-unsigned-aarch64\n SHIMDIR=/usr/share/shim/15.8/aa64\n SHIM=shimaa64.efi\n ;;\n *)\n echo \"Invalid arch: $ARCH\"\n false\n ;;\n esac\n\n tdnf install -y binutils-0:2.41-2.azl3 \\\n dos2unix-0:7.5.1-1.azl3 \\\n efivar-devel-0:39-1.azl3 \\\n gcc-0:13.2.0-4.azl3 \\\n git-0:2.42.0-2.azl3 \\\n glibc-devel-0:2.38-3.azl3 \\\n kernel-headers-0:6.6.29.1-3.azl3 \\\n make-0:4.4.1-1.azl3 \\\n openssl-devel-0:3.3.0-1.azl3 \\\n pesign-0:116-3.azl3 \\\n rpm-build-0:4.18.2-1.azl3 \\\n vim-extra-0:9.0.2190-2.azl3\n\n rpm -iv /${PKGNAME}-*.src.rpm\n rpmbuild -bb /usr/src/azl/SPECS/${PKGNAME}.spec\n rpm -iv /usr/src/azl/RPMS/${ARCH}/${PKGNAME}-*.${ARCH}.rpm\n sha256sum ${SHIMDIR}/${SHIM} /${SHIM} > /shim.sha256\n cmp ${SHIMDIR}/${SHIM} /${SHIM}\n objcopy -O binary -j .sbat ${SHIMDIR}/${SHIM} /shim-sbat\n" did not complete successfully: exit code: 243@ddstreetmicrosoft can you have a look at it?
christopherco
commented
4 months ago @THS-on thanks for taking a look - I'll look into it and see what is going on.
christopherco
commented
4 months ago @THS-on @ddstreetmicrosoft I've identified the issue and would like to update our Azure Linux 3.0 submission to reflect the changes. New tagged submission - https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240701
7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0 shimaa64.efi
83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801 shimx64.efiLet me know if you'd prefer a new GH issue for the submission or to handle in some other way.
Details for the submission difference:
THS-on
commented
4 months ago azurelinux-shim-aa64-x64-20240701#8 0.271 83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801 /usr/share/shim/15.8/x64/shimx64.efi
#8 0.271 83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801 /shimx64.efi
#8 0.261 7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0 /usr/share/shim/15.8/aa64/shimaa64.efi
#8 0.261 7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0 /shimaa64.efiCONFIG_MODULE_SIG_FORCE,cannot see Debians or RHEL lockdown patches and CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is set (https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/kernel/config). How do you ensure that kernel is forced in lockdown mode when booted via Secure Boot?ddstreetmicrosoft
commented
4 months ago Can you update top comment with the new tag and hashes?
updated; I'll let Chris respond to the other questions
christopherco
commented
4 months ago Can you clarify the GRUB2 version that is used?
Sorry about the confusion. We are releasing with 2.06 with Fedora 34 patches for invoking EFI Handover Protocol. We had initially made the move to 2.12 but encountered an unexpected regression where the TPM Event Log was not being handed over to the kernel, only when Secure Boot was enabled. We'll be sticking here with 2.06 for the foreseeable future of Azure Linux 3.0. I'll also add the SBAT entry into the grub SBAT.
How do you ensure that kernel is forced in lockdown mode when booted via Secure Boot?
All of our default images and configurations set lockdown=integrity in the kernel command line to force the kernel into lockdown mode. i.e., https://github.com/microsoft/azurelinux/blob/3.0/toolkit/tools/internal/resources/assets/grub2/grub#L5 which is used during base image creation.
We have previously mulled over bringing in the out-of-tree kernel patches to link Secure Boot to forcing lockdown mode directly, but we thus far decided to stick closer to upstream stable LTS kernel for the time being.
THS-on
commented
4 months ago @ddstreetmicrosoft @christopherco thank you for the clarifications.
Regarding the grub config. Forcing lockdown=integrity is a valid way to achieve the same, as the lockdown patches. The question is if a user can remove this option or not, i.e. is the config part of the GRUB2 binary that is signed? If the user is able to change it, than this would differ for the lockdown patches.
christopherco
commented
4 months ago Regarding the grub config. Forcing
lockdown=integrityis a valid way to achieve the same, as the lockdown patches. The question is if a user can remove this option or not, i.e. is the config part of the GRUB2 binary that is signed? If the user is able to change it, than this would differ for the lockdown patches.
Ah yes, in our case, it is possible for a user that has root privileges to remove the lockdown setting since the kernel command line setting is located in our grub.cfg. I can discuss internally on pulling in the lockdown patches to cover the difference.
THS-on
commented
4 months ago Yeah you can either include the lockdown patches or build your signed kernel CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y which forces the lockdown mode to be enabled.
Note tho that the following lockdown patch is not upstream, so you probably want to include either way: https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch?ref_type=heads
christopherco
commented
3 months ago Following up here - our 6.6.47 kernel now has the lockdown patches that will tie kernel lockdown to secure boot state
THS-on
commented
2 months ago @christopherco great! The the question is if it makes already sense to also rotate your signing certificate for the kernel and then put the old one on the revocation list, so that older kernels cannot be booted with the new shim?
christopherco
commented
2 months ago @christopherco great! The the question is if it makes already sense to also rotate your signing certificate for the kernel and then put the old one on the revocation list, so that older kernels cannot be booted with the new shim?
@THS-on This shim actually has a new certificate that has not been used to sign any boot artifacts for Azure Linux yet. Once this shim is approved, we will be updating our signing certificate in our official Azure Linux 3.0 builds to sign with the new signing cert. So, we had already planned in a certificate rotation as part of this new shim.
THS-on
commented
2 months ago @christopherco thanks for the clarification. I saw that the current certificate was already included in the other Shims DB, but now also saw checked that the Grub in 2.0 is still signed with the other cert (/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Testing PCA 2010).
LGTM, just needs another reviewer.
NeilHanlon
commented
2 months ago I'm taking the extra review here, but have run into some trouble.
The July version of the review (https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240701) is unable to be built, as the container registry's DNS no longer resolves. Additionally, I cannot find the specified tag on the mcr.microsoft.com registry which now holds these images.
I tried to use the 3.0 tag from mcr.microsoft.com for azurelinux, but the repositories no longer have the versions of packages that the Dockerfile is expecting.
Pausing review until this issue is resolved, though the rest of procedural things look OK.
christopherco
commented
2 months ago I'm taking the extra review here, but have run into some trouble.
The July version of the review (https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240701) is unable to be built, as the container registry's DNS no longer resolves. Additionally, I cannot find the specified tag on the
mcr.microsoft.comregistry which now holds these images.I tried to use the 3.0 tag from mcr.microsoft.com for azurelinux, but the repositories no longer have the versions of packages that the Dockerfile is expecting.
Pausing review until this issue is resolved, though the rest of procedural things look OK.
@NeilHanlon Thanks for doing the extra review and apologies about the trouble. The container registry location and package versions & server location were moved between the July tag and now. We have updated our submission collateral and created a new tag - https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240923
Note: the shim binary hashes did not change between the July tag and this new tag.
7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0 shimaa64.efi
83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801 shimx64.efiThanks @gjswalling for making the Dockerfile changes on our side!
steve-mcintyre
commented
1 month ago Very tempted to NACK this review. Neither docker nor podman will work for me here.
lorddoskias
commented
1 month ago Very tempted to NACK this review. Neither docker nor podman will work for me here.
If run with docker buildx build . it actually work and reproduces for x86 at least.
steve-mcintyre
commented
1 month ago We say "docker build ." in the docs, no mention of buildx.
ddstreet
commented
1 month ago We say "docker build ." in the docs, no mention of buildx.
As noted here, we created the single Dockerfile using a here-doc, which requires use of buildx instead of build. I did this to simplify the work of reviewers, so that a single Dockerfile could be used for both architectures, as I saw no way to craft a single Dockerfile that would allow building the shim on both architectures.
As shown using the Fedora docker command, the old build is actually deprecated and the new buildx (BuildKit) is recommended, e.g.:
$ grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Fedora Linux 40 (Cloud Edition)"
$ docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
Install the buildx component to build images with BuildKit:
https://docs.docker.com/go/buildx/
However, it looks like Fedora doesn't provide buildx until release 41: https://src.fedoraproject.org/rpms/docker-buildx
I had been testing this using Ubuntu which has provided docker buildx as an option in current stable releases, so I didn't realize this would add difficulty to reproducing the docker build on Fedora.
In any case, we can certainly split the Dockerfile into two per-arch Dockerfiles to make it easier for you to review, if that's the easiest path forward.
ddstreet
commented
1 month ago split the Dockerfile into two per-arch Dockerfiles to make it easier for you to review
I split the Dockerfile into per-arch files, located at Dockerfile-x86_64/Dockerfile and Dockerfile-aarch64/Dockerfile. I did not change the existing Dockerfile. The split per-arch Dockerfiles are the same as the main Dockerfile with the here-doc removed and use of per-arch variables replaced with actual arch strings (e.g. x86_64, x64, aarch64, aa64); and they also require the shim EFI and src.rpm to be located in their dir, so I copied those files into the per-arch Dockerfile dirs.
Using Fedora 40, I can run docker build Dockerfile-x86_64 successfully.
Using Fedora 41, because it switches the docker backend builder over to the newer BuildKit, using either file will work, i.e. docker build . will work just as well as docker build Dockerfile-x86_64
Obviously, using the arch-specific Dockerfile requires actually running on the correct arch (i.e. use Dockerfile-x86_64 only while running on a x86_64 system).
This is included in this updated tag: https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240930
steve-mcintyre
commented
1 month ago I'm using Debian 12 (Bookworm, current stable release) here - Fedora doesn't help...
It would be nice if Docker provided stable interfaces and useful isolation. But hey, moon on a stick...
ddstreet
commented
1 month ago One more minor update, sorry: https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240930.1
This only fixes the aarch64-specific Dockerfile, which had some of the lines using aa64 instead of aarch64; it should be correct now and should be docker-buildable on aarch64 systems.
I'm using Debian 12 (Bookworm, current stable release) here - Fedora doesn't help...
Unfortunately Debian Bookworm doesn't seem to provide any package for docker buildx, but the arch-specific Dockerfile does build correctly:
ddstreet@d-bookworm:~/shim-review$ docker build Dockerfile-x86_64
...
Successfully built be5e10cb2919
#14 [10/11] RUN cat /shim.sha256
#14 0.320 83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801 /usr/share/shim/15.8/x64/shimx64.efiInitial CBL-Mariner import from Fedora 40 (license: MIT).christopherco
commented
1 month ago @lorddoskias thanks for the review! Regarding the sbat entry, while our previous releases / shim-reviews had shims from custom specs we authored, with Azure Linux 3.0 we rebased our 3.0 shim spec onto the fedora 40 version.
We'll include the fedora SBAT entries in addition to our own and update our submission here.
shim.rh,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
shim.redhat,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
shim.fedora,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64https://src.fedoraproject.org/rpms/shim-unsigned-x64/blob/f40/f/sbat.redhat.csv
christopherco
commented
4 weeks ago @lorddoskias We have updated our submission: https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20241028
This update introduces the Fedora SBAT entries in addition to our Azure Linux SBAT entries.
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.azurelinux,1,Microsoft,shim,15.8,https://github.com/microsoft/azurelinux
shim.rh,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
shim.redhat,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
shim.fedora,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64Updated hashes:
ddf770c9cac6a5cd693928bb047ea7c0d0dce51a3b7f4cde4dc08a919ab4538a shimaa64.efi
ff49c422cab4d6252631e0e8593ab28d1e8e2f30b6c7b86593381f368bf1e314 shimx64.efiMinor update to our submission's readme.md to reflect the latest submission state and update the various answers from this review for reviewers: https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20241028.1
christopherco
commented
2 weeks ago Gentle bump @NeilHanlon, @steve-mcintyre, @lorddoskias . Checking if there are any concerns with the most recent submission information
steve-mcintyre
commented
2 weeks ago ff49c422cab4d6252631e0e8593ab28d1e8e2f30b6c7b86593381f368bf1e314 /usr/share/shim/15.8/x64/shimx64.efi
ff49c422cab4d6252631e0e8593ab28d1e8e2f30b6c7b86593381f368bf1e314 /shimx64.efi
ddf770c9cac6a5cd693928bb047ea7c0d0dce51a3b7f4cde4dc08a919ab4538a /usr/share/shim/15.8/aa64/shimaa64.efi
ddf770c9cac6a5cd693928bb047ea7c0d0dce51a3b7f4cde4dc08a919ab4538a /shimaa64.efiSerial Number:
33:00:00:00:02:63:94:70:7a:16:d9:f1:da:00:00:00:00:00:02
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = US, O = Microsoft Corporation, CN = Microsoft Mariner RSA Root CA 2023
Validity
Not Before: Feb 16 19:39:02 2023 GMT
Not After : Feb 9 21:25:53 2038 GMT
Subject: C = US, O = Microsoft Corporation, CN = Mariner Trusted Base RSA Code Signing CA
Subject Public Key Info:Thanks @steve-mcintyre for the review!
Bigger issue - I see that you've updated the grub SBAT data in git to add RH data too, but no sign in your README.md or the review issue. Please show us the complete data from a current grub build.
Ah apologies for that. This is our updated grub SBAT data from the current grub build.
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.azurelinux,3,Microsoft,grub2,2.06-21.azl3,https://github.com/microsoft/azurelinux
grub.rh,2,Red Hat,grub2,2.06-21.azl3,mailto:secalert@redhat.comIf curious, this was pulled just now from our current preview RPMs located here -> https://packages.microsoft.com/azurelinux/3.0/preview/base/x86_64/Packages/g/grub2-2.06-21.azl3.x86_64.rpm
[/tmp/shim-cert/grub]$ ls
grub2-efi-binary-2.06-21.azl3.x86_64.rpm
[/tmp/shim-cert/grub]$ rpm2cpio grub2-efi-binary-2.06-21.azl3.x86_64.rpm | cpio -idmv
./boot/efi/EFI/BOOT/grubx64.efi
2837 blocks
[/tmp/shim-cert/grub]$ objcopy -O binary -j .sbat boot/efi/EFI/BOOT/grubx64.efi grub-sbat
[/tmp/shim-cert/grub]$ cat grub-sbat
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.azurelinux,3,Microsoft,grub2,2.06-21.azl3,https://github.com/microsoft/azurelinux
grub.rh,2,Red Hat,grub2,2.06-21.azl3,mailto:secalert@redhat.comazureuser@chrco-dev-vm-1 [ /tmp/shim-cert/grubaa64 ]$ ls
grub2-efi-binary-2.06-21.azl3.aarch64.rpm
azureuser@chrco-dev-vm-1 [ /tmp/shim-cert/grubaa64 ]$ rpm2cpio grub2-efi-binary-2.06-21.azl3.aarch64.rpm | cpio -idmv
./boot/efi/EFI/BOOT/grubaa64.efi
2789 blocks
azureuser@chrco-dev-vm-1 [ /tmp/shim-cert/grubaa64 ]$ objcopy -O binary -j .sbat boot/efi/EFI/BOOT/grubaa64.efi grubaa64-sbat
azureuser@chrco-dev-vm-1 [ /tmp/shim-cert/grubaa64 ]$ cat grubaa64-sbat
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.azurelinux,3,Microsoft,grub2,2.06-21.azl3,https://github.com/microsoft/azurelinux
grub.rh,2,Red Hat,grub2,2.06-21.azl3,mailto:secalert@redhat.com@christopherco thanks, just what I was asking for.
Good to go!
jamorris-msft
commented
2 weeks ago Thanks for the help, folks, greatly appreciated!
NeilHanlon
commented
2 weeks ago For good measure, and because I was half done with it last night... My extra review :)
Note I am not an official reviewer, this is an ‘extra’ review
Azure Linuxff49c422cab4d6252631e0e8593ab28d1e8e2f30b6c7b86593381f368bf1e314 /usr/share/shim/15.8/x64/shimx64.efi
ff49c422cab4d6252631e0e8593ab28d1e8e2f30b6c7b86593381f368bf1e314 /shimx64.efi
ddf770c9cac6a5cd693928bb047ea7c0d0dce51a3b7f4cde4dc08a919ab4538a /usr/share/shim/15.8/aa64/shimaa64.efi
ddf770c9cac6a5cd693928bb047ea7c0d0dce51a3b7f4cde4dc08a919ab4538a /shimaa64.efiUpdate: We have received the signed shims and can now close this issue. Thank you everyone for reviewing our submission. Very much appreciated!
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
Initial submission: https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240531
Update (2024-07-01): https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240701
Update (2024-09-23): https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240923
Update (2024-09-30): https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240930 Another Update, sorry (2024-09-30): https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240930.1
Update (2024-10-28): https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20241028 Another Update, sorry (2024-10-28): https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20241028.1
What is the SHA256 hash of your final SHIM binary?
Initial submission: 0eff03502514be459b182c3cda1cef6a3762cbf10462591685a17c356e42774d shimaa64.efi b6a99795d9f3e882afa318d11bdb648dff7e547470d14bfeba03af385eb452fc shimx64.efi
Update (2024-07-01): 7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0 shimaa64.efi 83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801 shimx64.efi
Update (2024-10-28): ddf770c9cac6a5cd693928bb047ea7c0d0dce51a3b7f4cde4dc08a919ab4538a shimaa64.efi ff49c422cab4d6252631e0e8593ab28d1e8e2f30b6c7b86593381f368bf1e314 shimx64.efi
What is the link to your previous shim review request (if any, otherwise N/A)?
https://github.com/rhboot/shim-review/issues/387
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
Dan Streetman: https://github.com/rhboot/shim-review/issues/387#issuecomment-2042990828
Chris Co: https://github.com/rhboot/shim-review/issues/387#issuecomment-2072937510