Open uibmz opened 4 months ago
We generally only accept minimal patches (such as adding more revocations), so let us know once https://github.com/rhboot/shim/pull/666 makes it upstream or gets reviewed by one of the shim developers.
@vathpela could you take a look at the patches here please? (https://github.com/rhboot/shim/pull/666)
I'm obviously not @vathpela, but I did take a look at the patch. I don't know if that's really the best way to handle the problem, but it's addressing a real bug in shim. Currently, if you try to load a non-existent second stage from disk, you get EFI_NOT_FOUND and shim automatically tries to load the default second stage (grub). However, if you try to fetch a non-existent second stage from a server, you'll get a different error and shim won't try the default second stage.

Since shim is already set up to try the default second stage, and it still goes through all the same verification, I don't think there's any harm in also trying it when a network server returns an error while fetching the specified second stage. The patch has been there for 3 months and has received no response.
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/opsi-org/shim-review/releases/tag/opsi-shim-x86_64-20240618
What is the SHA256 hash of your final SHIM binary?
9c447ae6ee1010eb19645c9479cb47c35eb4afab8b3b36eda586112c1a68c19e
What is the link to your previous shim review request (if any, otherwise N/A)?
https://github.com/rhboot/shim-review/issues/360 https://github.com/rhboot/shim-review/issues/245 https://github.com/rhboot/shim-review/issues/29
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
Security contacts haven't changed: https://github.com/rhboot/shim-review/issues/245