iPXE shim for Heimdal #425

Open
8 tasks done
gne227 opened this issue May 29, 2024 · 7 comments
Labels
blocked Blocked on upstream / other project contact verification pending Contact verification emails have been sent, waiting on response custom second-stage Second-stage image is not GRUB new vendor This is a new vendor question Reviewer(s) waiting on response

Comments

@gne227

gne227 commented May 29, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/gne227/shim-review/tree/heimdal-ipxe-shim-x64-aa64-20240529


What is the SHA256 hash of your final SHIM binary?


shimx64.efi caaff3a76e5a79b24b50185093b2342c07da06378ed768b993264c58404f77a9

shimaa64.efi 9afbdd9a702a1de8020424ca2d13ce150ebd02ae999c2c1c11745b156876ab8f


What is the link to your previous shim review request (if any, otherwise N/A)?


N/A


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


N/A

@steve-mcintyre
Collaborator

steve-mcintyre commented May 29, 2024

Hi!

You say in your submission:

Currently there are no distros that provide a Secure Boot version of iPXE

Is there a reason to do that? The iPXE project themselves have submitted a shim for review (#319). We accepted it after a few rounds of discussion and tweaks, and I'm hoping it should be ready soon.

So, I have to ask - how is your shim submission different to that one?

@steve-mcintyre steve-mcintyre added contact verification needed Contact verification is needed for this review custom second-stage Second-stage image is not GRUB question Reviewer(s) waiting on response new vendor This is a new vendor contact verification pending Contact verification emails have been sent, waiting on response and removed contact verification needed Contact verification is needed for this review labels May 29, 2024
@mcb30

mcb30 commented Jun 3, 2024

The shim submitted here appears to be a direct clone of the shim submitted in #319. I would suggest that we wait until #319 is fully resolved. @gne227 Heimdal Security is welcome to contact me directly if you would like to join the ongoing discussions with Microsoft.

Also, the SBAT data in the Heimdal submission needs to include a separate line such as shim.heimdal or shim.ipxe.heimdal, since the version numbering of the shim.ipxe line is implicitly not under the control of Heimdal Security.
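
As an added illustration of the SBAT point above (not code from this issue, from iPXE or from Heimdal), here is a small check that parses a shim SBAT CSV section and confirms a vendor-controlled generation line (shim.heimdal or shim.ipxe.heimdal) is present alongside the upstream shim.ipxe line. The SBAT rows, version numbers and the vendor URL are constructed placeholders, not values from the submission.

```python
import csv
import io

# Constructed SBAT CSV data in the layout of a shim .sbat section.
# Fields: component_name, generation, vendor_name, vendor_package,
#         vendor_version, vendor_url
# Version numbers and the vendor URL are placeholders for illustration.
SBAT_UPSTREAM_ONLY = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,PLACEHOLDER_VERSION,https://github.com/rhboot/shim
shim.ipxe,1,iPXE,shim,PLACEHOLDER_VERSION,https://ipxe.org
"""

# Same data plus a line whose generation number the downstream vendor owns.
SBAT_WITH_VENDOR_LINE = SBAT_UPSTREAM_ONLY + (
    "shim.ipxe.heimdal,1,Heimdal Security,shim,PLACEHOLDER_VERSION,"
    "https://example.invalid/placeholder\n"
)

SBAT_FIELDS = ["component", "generation", "vendor_name",
               "vendor_package", "vendor_version", "vendor_url"]


def parse_sbat(text):
    """Return one dict per SBAT row; reject rows with the wrong field count
    or a non-numeric generation, since revocation compares generations."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != len(SBAT_FIELDS):
            raise ValueError(f"SBAT row must have 6 fields: {row!r}")
        entry = dict(zip(SBAT_FIELDS, row))
        if not entry["generation"].isdigit():
            raise ValueError(f"non-numeric generation in {row!r}")
        entries.append(entry)
    return entries


def vendor_sbat_components(text, upstream, vendor):
    """Component names a downstream vendor can control: shim.<vendor>
    or shim.<upstream>.<vendor>, in the order they appear in the data."""
    wanted = {f"shim.{vendor}", f"shim.{upstream}.{vendor}"}
    return [e["component"] for e in parse_sbat(text) if e["component"] in wanted]


def has_vendor_sbat_line(text, upstream="ipxe", vendor="heimdal"):
    """True when the SBAT data carries a generation line the vendor owns."""
    return bool(vendor_sbat_components(text, upstream, vendor))
```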

@gne227
Author

gne227 commented Jun 7, 2024

Regarding the question: "How is your shim submission different to that one?" it's mostly the same. We just wanted to follow the procedure of getting the iPXE shim signed by Microsoft and one of the requirements was to get a "preapproval by the SHIM review board".

I know that @mcb30 already made a submission here and got an approval and maybe you are asking now, why we still made the submission? We got the information from Michael Brown that Microsoft decided not to sign the iPXE shim, despite the approval from the shim review board. Having this information, we thought that Microsoft might not want to sign it for public use and might sign it for business use. It was just an idea.

Heimdal invested time and resources into implementing this feature, which can deploy custom OS images for our clients (most of them are using Windows as an Operating System) through iPXE and now we got stuck here, where we have the feature ready, but it doesn't work on machines that have Secure Boot enabled. We knew that at some point we would need to handle this part, signing the iPXE, but we didn't think achieving this would be so complicated.

@julian-klode
Collaborator

julian-klode commented Jun 7, 2024

So when we agreed to the iPXE review the idea we sort of agreed on was that we'd accept one shim from iPXE upstream but not downstream distributions of iPXE as we already have a hard time with all the tiny rescue discs using grub, and throwing in tons of iPXE users wouldn't be particularly intriguing.

And it shouldn't be needed; you don't need to sign the entire chain: the iPXE doesn't do any validation against shim, but only loads using the firmware interfaces.

@steve-mcintyre
Collaborator

We got the information from Michael Brown that Microsoft decided not to sign the iPXE shim, despite the approval from the shim review board.

Curious about this - do you have any more information? Also: if Microsoft for some reason don't want to sign #319, why would your submission be any different? @mcb30 said the next meeting was due at the end of June, so...

@mcb30

mcb30 commented Jun 11, 2024

We got the information from Michael Brown that Microsoft decided not to sign the iPXE shim, despite the approval from the shim review board.

Curious about this - do you have any more information? Also: if Microsoft for some reason don't want to sign #319, why would your submission be any different? @mcb30 said the next meeting was due at the end of June, so...

Heimdal contacted me in mid April, at which point Microsoft had indicated that they would not sign the shim. This is still an active conversation with Microsoft, and I have a meeting with them scheduled for next week to discuss.

As per my #425 (comment) above, Heimdal is still welcome to contact me to ask to be looped in to this upcoming meeting.

@steve-mcintyre steve-mcintyre added the blocked Blocked on upstream / other project label Jul 29, 2024
@steve-mcintyre
Collaborator

Added the blocked label - waiting on the story from #319
