SLES Expanded Support platform 8 #410
Comments
updated grub2 sources and SBAT entries |
I had to update the Dockerfile as shim didn't build anymore |
Review of
|
Contact verification ongoing in #419 |
Contact verification completed in #419 |
Thanks for the review @THS-on @steve-mcintyre. Yes, sorry, the round trip with the engineers took a while; I already had the tab open writing the answer when you asked :) As for your questions:
|
Needs a second review |
@jsegitz thank you for the answers.
Just note that the RHEL based GRUBs are currently mostly on upstream SBAT level 3 and RHEL level 2. None of those get revoked in 15.8. This is planned for the next 15.9 release. See https://github.com/rhboot/shim/blob/main/SbatLevel_Variable.txt
Ah, I see. Yeah, it makes sense then to drop this. But just to clarify: in the last submission you already had GRUB2 versions with SBAT level 3 (https://github.com/jsegitz/shim-review/blob/be73155fb67deb0c349166956f2e0a9eba968762/README.md?plain=1#L246-L247), so do you just mean the ones that were signed incorrectly had an SBAT level < 3? I would still recommend not decreasing the grub.sles SBAT, because that makes it harder to track which GRUBs it actually revokes with which other entries present. |
Correct. Just those incorrectly signed GRUBs had SBAT level < 3. We'd like to keep the GRUB2 just in this submission as is, if possible, and apply the proposed workflow to the future versions of GRUB2 and track the history no matter if GRUBs were actually delivered to end-users or not. |
Fine for me. I would just bump it then directly to 4 in the next release, so there is no confusion. My questions have been answered. Needs one more review. |
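To make the "SBAT level 3 vs. 4" exchange above concrete, here is a small added model of how SBAT revocation decides whether a GRUB image is accepted. It is example code written for this page, not shim's implementation and not anything from the shim-review repository. The `.sbat` contents of the GRUB build and the two policies are constructed for illustration in the format of SBAT CSV and of `SbatLevel_Variable.txt`; the version strings, URLs and dates in them are placeholders, not real released values.

```python
# Added example (not shim's code): a minimal model of the SBAT revocation check.
#
# An EFI binary carries a .sbat section of CSV records, one per component:
#     component_name,component_generation,vendor_name,vendor_package,vendor_version,vendor_url
# The first record, "sbat,1,...", describes the SBAT format version itself.
# The revocation policy (the SbatLevel variable, whose history is kept in
# SbatLevel_Variable.txt in rhboot/shim) is also CSV: a "sbat,1,<date>" header
# followed by "component_name,minimum_generation" lines.  An image is rejected
# when one of its components matches a policy name with a generation lower
# than the minimum.  All data below is constructed for this example.
import csv
import io


def parse_csv_generations(text: str) -> dict:
    """Map component name -> generation (int) for every record in an SBAT CSV.

    The "sbat" format-version row is kept and compared like any other entry
    (image format version 1 against the policy's "sbat,1,<date>" row)."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue                      # blank line or comment
        gens[row[0].strip()] = int(row[1])
    return gens


def revoked_components(image_sbat: str, policy: str) -> list:
    """Return [(name, image_generation, required_generation)] for every
    component of the image that the policy revokes.  An empty list means
    the image passes the SBAT check."""
    image = parse_csv_generations(image_sbat)
    required = parse_csv_generations(policy)
    return [(name, gen, required[name])
            for name, gen in image.items()
            if name in required and gen < required[name]]


def sbat_allows(image_sbat: str, policy: str) -> bool:
    """True when no component of the image is revoked by the policy."""
    return not revoked_components(image_sbat, policy)


# Constructed .sbat section of a vendor GRUB build: upstream "grub" at
# generation 3, vendor entry "grub.sles" at generation 2.
GRUB_SLES_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.12-example,https://www.gnu.org/software/grub/
grub.sles,2,SUSE,grub2,2.12-example,https://www.suse.com/
"""

# Constructed policy in the SbatLevel_Variable.txt style: requires grub >= 3 and
# says nothing about grub.sles, so the image above is accepted.
POLICY_CURRENT = """\
sbat,1,2024010900
shim,4
grub,3
"""

# Constructed "next release" policy that also raises grub.sles to 4 (the bump
# discussed above); the same image is now revoked through its grub.sles entry.
POLICY_NEXT = """\
sbat,1,2025010100
shim,4
grub,3
grub.sles,4
"""

if __name__ == "__main__":
    for label, policy in (("current", POLICY_CURRENT), ("next", POLICY_NEXT)):
        verdict = revoked_components(GRUB_SLES_SBAT, policy)
        print(label, "allowed" if not verdict else f"revoked: {verdict}")
```

The point the reviewers make follows directly from `revoked_components`: a vendor entry such as `grub.sles` only revokes anything once a policy line for that exact name appears, and the generation it is compared against is whatever number was shipped in earlier signed images, which is why lowering an already-published generation makes the history harder to reason about.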
Please update the tag here to match what you're asking us to review. AFAICS the tag |
Going ahead using what's on the branch, I'm having problems with the Dockerfile:
|
Sorry, that seems to be too hard for my brain to remember to also push the tag ... I pushed it and also fixed the build issue you saw |
Is there anything I can do to help with the review? I fear that it'll break again if we wait too long |
Everything seems ok. |
Review of Shim 15.8 for SLES Expanded Support platform 8, SUSE-liberty-15.8-20240415
Good
General
Shim
GRUB
Linux
fwupd
Queries and tweaks
|
I think we have enough good reviews, accepting. |
Thank you very much, will send it to MS right away |
got signed by MS |
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/jsegitz/shim-review/tree/SUSE-liberty-15.8-20240415
What is the SHA256 hash of your final SHIM binary?
Output from sha256sum:
$ sha256sum shimia32.efi
7b94d13b6d9a45e040f6b47cdf9774e8633010d60f7e5a1e962a458740dcfb58 shimia32.efi
$ sha256sum shimx64.efi
8375d94dfd60ca75be6490740d48bd3fd1688650d15bc5da2e9a44e808496c9a shimx64.efi
Output from pesign:
$ pesign --hash --padding --in=shimia32.efi
hash: b7a6529881db7ecd80634b4fa3cf0bfe6b7c66b779b8ea26b6ec7e3ff08dbab8
$ pesign --hash --padding --in=shimx64.efi
hash: bcc42e50c81159a7d6e278ebbff1f5168c07f37579d2d33ad65bc247c1f431d1
What is the link to your previous shim review request (if any, otherwise N/A)?
#114
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
I don't think we (Marcus Meissner, Johannes Segitz) have had our contacts verified. But I've submitted multiple
submissions that were accepted with these security contacts. Right answer probably still is
N/A