rhboot / shim-review

Reviews of shim

shim 15.8 for opsi #428

Open uibmz opened 4 months ago

uibmz commented 4 months ago

Confirm the following are included in your repo, checking each box:


What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/opsi-org/shim-review/releases/tag/opsi-shim-x86_64-20240618


What is the SHA256 hash of your final SHIM binary?


9c447ae6ee1010eb19645c9479cb47c35eb4afab8b3b36eda586112c1a68c19e


What is the link to your previous shim review request (if any, otherwise N/A)?


https://github.com/rhboot/shim-review/issues/360
https://github.com/rhboot/shim-review/issues/245
https://github.com/rhboot/shim-review/issues/29


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


Security contacts haven't changed: https://github.com/rhboot/shim-review/issues/245

THS-on commented 3 months ago

We generally only accept minimal patches (such as adding more revocations), so let us know once https://github.com/rhboot/shim/pull/666 makes it upstream or gets reviewed by one of the shim developers.

steve-mcintyre commented 2 months ago

@vathpela could you take a look at the patches here please? (https://github.com/rhboot/shim/pull/666)

dbnicholson commented 1 month ago

> @vathpela could you take a look at the patches here please? (rhboot/shim#666)

I'm obviously not @vathpela, but I did take a look at the patch. I don't know if that's really the best way to handle the problem, but it's addressing a real bug in shim. Currently if you try to load a non-existent second stage from disk, you get EFI_NOT_FOUND and shim automatically tries to load the default second stage (grub). However, if you try to fetch a non-existent second stage from a server, you'll get a different error and shim won't try the default second stage.

Since shim is already set up to try the default second stage and it still goes through all the same verification, I don't think there's any harm also trying it when a network server returns an error trying to fetch the specified second stage. The patch has been there for 3 months and received no response.
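The fallback behaviour discussed in the comment above, as an added illustrative example. This is a toy model written for this page; it is not shim's code and not the patch in rhboot/shim#666. The function names, the default loader path, the constructed image store and the choice of EFI_TFTP_ERROR as "the different error" a failed network fetch returns are all assumptions; the status codes carry only the low bits of the UEFI values. The point it demonstrates is the security-relevant one from the comment: whichever image is fetched, the requested one or the default fallback, goes through the same verification step before it could run.

```c
/*
 * Added example (not shim's code): a toy model of shim's second-stage
 * loading decision, unpatched versus patched. Image paths, the fake image
 * store and EFI_TFTP_ERROR as the "network error" are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long EFI_STATUS;
#define EFI_SUCCESS            0UL
#define EFI_NOT_FOUND          14UL   /* low bits of the UEFI value */
#define EFI_TFTP_ERROR         20UL   /* assumed error for a failed network fetch */
#define EFI_SECURITY_VIOLATION 26UL

#define DEFAULT_LOADER "\\EFI\\opsi\\grubx64.efi"   /* assumed default second stage */

/* Constructed sample "image store": stands in for the ESP and a boot server. */
struct image {
    const char *path;
    bool        on_network;  /* fetched from a boot server rather than disk */
    bool        present;     /* does the file exist at all? */
    bool        signed_ok;   /* would shim's signature check accept it? */
};

static const struct image store[] = {
    { DEFAULT_LOADER,            false, true,  true  },  /* default GRUB, properly signed */
    { "\\EFI\\opsi\\custom.efi", false, false, false },  /* requested but missing on disk */
    { "tftp://boot/custom.efi",  true,  false, false },  /* requested but missing on server */
    { "tftp://boot/evil.efi",    true,  true,  false },  /* present on server, unsigned */
};

/* Look the path up; report the error a disk read or a network fetch would return. */
static EFI_STATUS fetch_image(const char *path, const struct image **out)
{
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++) {
        if (strcmp(store[i].path, path) != 0)
            continue;
        if (!store[i].present)
            return store[i].on_network ? EFI_TFTP_ERROR : EFI_NOT_FOUND;
        *out = &store[i];
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

/* Stand-in for shim's signature/hash verification of a second stage. */
static EFI_STATUS verify_image(const struct image *img)
{
    return img->signed_ok ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}

/*
 * Fallback policy. Unpatched: only EFI_NOT_FOUND (the disk case) falls back
 * to the default loader. Patched: a failed network fetch falls back as well.
 */
static bool should_fall_back(EFI_STATUS st, bool patched)
{
    if (st == EFI_NOT_FOUND)
        return true;
    return patched && st == EFI_TFTP_ERROR;
}

/* Load the requested second stage, or the default one if policy allows. */
EFI_STATUS start_second_stage(const char *requested, bool patched)
{
    const struct image *img = NULL;
    EFI_STATUS st = fetch_image(requested, &img);

    if (st != EFI_SUCCESS) {
        if (!should_fall_back(st, patched))
            return st;
        st = fetch_image(DEFAULT_LOADER, &img);
        if (st != EFI_SUCCESS)
            return st;
    }
    /* Whatever was fetched, the requested file or the fallback, is verified
     * before it would be executed; the fallback never bypasses this step. */
    return verify_image(img);
}

int main(void)
{
    const char *cases[] = { "\\EFI\\opsi\\custom.efi", "tftp://boot/custom.efi",
                            "tftp://boot/evil.efi" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-26s unpatched=%2lu patched=%2lu\n", cases[i],
               start_second_stage(cases[i], false),
               start_second_stage(cases[i], true));
    return 0;
}
```

In the model, a missing disk image falls back to the default loader in both variants, a missing network image falls back only in the patched variant, and an unsigned image that is present is rejected by verification in both, because the fallback is only ever consulted when the fetch itself fails.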