rhboot / shim-review

Reviews of shim

TencentOS Linux 4 shim-15.8 x64 and aarch64 #445

Open costinchen opened 2 weeks ago

costinchen commented 2 weeks ago

Confirm the following are included in your repo, checking each box:


What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/costinchen/shim-review/tree/tencentos-4-shim-15.8-x86_64-aarch64-20240930


What is the SHA256 hash of your final SHIM binary?


a82578d410cdc75513a3870977e9c66a46fc98cfc4b9f0fc9def135ee6fa74fc  shimaa64.efi
faa7300b0daf818403ad4578d2ff875360f2f0f5a30c338d211ac9d4279dd4da  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


N/A


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


https://github.com/rhboot/shim-review/issues/440

steve-mcintyre commented 6 days ago

There's a real problem here:

> 1. openssl-add-ecdsa-and-ec-support-for-shim.patch: This patch adds support for ECDSA and EC algorithms in shim's bundled openssl.
> 2. shim-support-sm2-and-sm3-algorithm.patch: This patch adds support for the SM2 and SM3 algorithms in shim, by adding sm3-related arguments to shim's main functions.
>
> By applying these two patches, we can enable shim support for the SM2 and SM3 algorithms on TencentOS Server 4. The SM2 algorithm is an asymmetric key algorithm that uses fewer bytes than RSA while providing enhanced security. The SM3 algorithm is a hashing algorithm which is more secure than algorithms like SHA-256. Together with the keys generated by our HSM that support SMx algorithms, we can achieve secure boot using SM (ShangMi) algorithms on TencentOS Server 4. This is crucial as our TS4 needs to support the entire chain of SM algorithms, including during the early stages of booting.

We cannot accept changes this large as patches at shim-review time. This kind of thing needs to be submitted for upstream submission into shim.

costinchen commented 4 days ago

OK, we will try to submit a PR to upstream shim first.