Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shim 15.8 for Azure Linux 3.0 (x86_64 and aarch64) #427

Open
8 tasks done
ddstreetmicrosoft opened this issue Jun 6, 2024 · 11 comments
Open
8 tasks done

Shim 15.8 for Azure Linux 3.0 (x86_64 and aarch64) #427

ddstreetmicrosoft opened this issue Jun 6, 2024 · 11 comments
Assignees
@THS-on
Labels
bug Problem with the review that must be fixed before it will be accepted contacts verified OK Contact verification is complete here (or in an earlier submission) question Reviewer(s) waiting on response

Comments

@ddstreetmicrosoft
Copy link

ddstreetmicrosoft commented Jun 6, 2024
edited

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

Initial submission:
https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240531

Update (2024-07-01):
https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240701

What is the SHA256 hash of your final SHIM binary?

Initial submission:
0eff03502514be459b182c3cda1cef6a3762cbf10462591685a17c356e42774d shimaa64.efi b6a99795d9f3e882afa318d11bdb648dff7e547470d14bfeba03af385eb452fc shimx64.efi

Update (2024-07-01):
7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0 shimaa64.efi
83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801 shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?

#387

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

Dan Streetman: #387 (comment)

Chris Co: #387 (comment)
@THS-on THS-on added the contacts verified OK Contact verification is complete here (or in an earlier submission) label Jun 9, 2024
@ddstreetmicrosoft ddstreetmicrosoft mentioned this issue Jun 13, 2024
Open
@ddstreetmicrosoft
Copy link
Author

Hi, just checking if anything else is needed for this review.

@THS-on
Copy link
Collaborator

THS-on commented Jun 28, 2024

@ddstreetmicrosoft no don't think so. I gave it just an initial read and will do a complete review in the next few days. In the meantime it really helps us to speed up the queue if submitters review also other submissions.

@THS-on THS-on self-assigned this Jun 28, 2024
@THS-on
Copy link
Collaborator

THS-on commented Jun 30, 2024

There seems something wrong with the gcc installation in the Dockerfile:

 > [3/5] RUN <<-EOF (set -ex...):                                                                                                  
0.287 ++ rpm -E %_arch                                                                                                             
0.294 + export ARCH=x86_64                                                                                                         
0.294 + ARCH=x86_64                                                                                                                
0.294 + case $ARCH in                                                                                                              
0.294 + PKGNAME=shim-unsigned-x64
0.294 + SHIMDIR=/usr/share/shim/15.8/x64
0.294 + SHIM=shimx64.efi
0.294 + tdnf install -y binutils-0:2.41-2.azl3 dos2unix-0:7.5.1-1.azl3 efivar-devel-0:39-1.azl3 gcc-0:13.2.0-4.azl3 git-0:2.42.0-2.azl3 glibc-devel-0:2.38-3.azl3 kernel-headers-0:6.6.29.1-3.azl3 make-0:4.4.1-1.azl3 openssl-devel-0:3.3.0-1.azl3 pesign-0:116-3.azl3 rpm-build-0:4.18.2-1.azl3 vim-extra-0:9.0.2190-2.azl3
0.306 Loaded plugin: tdnfrepogpgcheck
0.330 Refreshing metadata for: 'Azure Linux Official Microsoft Non-Open-Source Preview 3.0 x86_64'
2.054 Refreshing metadata for: 'Azure Linux Official Preview 3.0 x86_64'
6.143 gcc-0:13.2.0-4.azl3 package not found or not installed
6.143 Error(1011) : No matching packages
------
Dockerfile:4
--------------------
   3 |     
   4 | >>> RUN <<-EOF
   5 | >>>   set -ex
   6 | >>> 
   7 | >>>   export ARCH=$(rpm -E %_arch)
   8 | >>>   case $ARCH in
   9 | >>>     x86_64)
  10 | >>>       PKGNAME=shim-unsigned-x64
  11 | >>>       SHIMDIR=/usr/share/shim/15.8/x64
  12 | >>>       SHIM=shimx64.efi
  13 | >>>       ;;
  14 | >>>     aarch64)
  15 | >>>       PKGNAME=shim-unsigned-aarch64
  16 | >>>       SHIMDIR=/usr/share/shim/15.8/aa64
  17 | >>>       SHIM=shimaa64.efi
  18 | >>>       ;;
  19 | >>>     *)
  20 | >>>       echo "Invalid arch: $ARCH"
  21 | >>>       false
  22 | >>>       ;;
  23 | >>>   esac
  24 | >>> 
  25 | >>>   tdnf install -y binutils-0:2.41-2.azl3 \
  26 | >>>                   dos2unix-0:7.5.1-1.azl3 \
  27 | >>>                   efivar-devel-0:39-1.azl3 \
  28 | >>>                   gcc-0:13.2.0-4.azl3 \
  29 | >>>                   git-0:2.42.0-2.azl3 \
  30 | >>>                   glibc-devel-0:2.38-3.azl3 \
  31 | >>>                   kernel-headers-0:6.6.29.1-3.azl3 \
  32 | >>>                   make-0:4.4.1-1.azl3 \
  33 | >>>                   openssl-devel-0:3.3.0-1.azl3 \
  34 | >>>                   pesign-0:116-3.azl3 \
  35 | >>>                   rpm-build-0:4.18.2-1.azl3 \
  36 | >>>                   vim-extra-0:9.0.2190-2.azl3
  37 | >>> 
  38 | >>>   rpm -iv /${PKGNAME}-*.src.rpm
  39 | >>>   rpmbuild -bb /usr/src/azl/SPECS/${PKGNAME}.spec
  40 | >>>   rpm -iv /usr/src/azl/RPMS/${ARCH}/${PKGNAME}-*.${ARCH}.rpm
  41 | >>>   sha256sum ${SHIMDIR}/${SHIM} /${SHIM} > /shim.sha256
  42 | >>>   cmp ${SHIMDIR}/${SHIM} /${SHIM}
  43 | >>>   objcopy -O binary -j .sbat ${SHIMDIR}/${SHIM} /shim-sbat
  44 | >>> EOF
  45 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c   set -ex\n\n  export ARCH=$(rpm -E %_arch)\n  case $ARCH in\n    x86_64)\n      PKGNAME=shim-unsigned-x64\n      SHIMDIR=/usr/share/shim/15.8/x64\n      SHIM=shimx64.efi\n      ;;\n    aarch64)\n      PKGNAME=shim-unsigned-aarch64\n      SHIMDIR=/usr/share/shim/15.8/aa64\n      SHIM=shimaa64.efi\n      ;;\n    *)\n      echo \"Invalid arch: $ARCH\"\n      false\n      ;;\n  esac\n\n  tdnf install -y binutils-0:2.41-2.azl3 \\\n                  dos2unix-0:7.5.1-1.azl3 \\\n                  efivar-devel-0:39-1.azl3 \\\n                  gcc-0:13.2.0-4.azl3 \\\n                  git-0:2.42.0-2.azl3 \\\n                  glibc-devel-0:2.38-3.azl3 \\\n                  kernel-headers-0:6.6.29.1-3.azl3 \\\n                  make-0:4.4.1-1.azl3 \\\n                  openssl-devel-0:3.3.0-1.azl3 \\\n                  pesign-0:116-3.azl3 \\\n                  rpm-build-0:4.18.2-1.azl3 \\\n                  vim-extra-0:9.0.2190-2.azl3\n\n  rpm -iv /${PKGNAME}-*.src.rpm\n  rpmbuild -bb /usr/src/azl/SPECS/${PKGNAME}.spec\n  rpm -iv /usr/src/azl/RPMS/${ARCH}/${PKGNAME}-*.${ARCH}.rpm\n  sha256sum ${SHIMDIR}/${SHIM} /${SHIM} > /shim.sha256\n  cmp ${SHIMDIR}/${SHIM} /${SHIM}\n  objcopy -O binary -j .sbat ${SHIMDIR}/${SHIM} /shim-sbat\n" did not complete successfully: exit code: 243

@ddstreetmicrosoft can you have a look at it?

@THS-on THS-on added the bug Problem with the review that must be fixed before it will be accepted label Jul 1, 2024
@christopherco
Copy link
Contributor

@THS-on thanks for taking a look - I'll look into it and see what is going on.

@christopherco
Copy link
Contributor

christopherco commented Jul 2, 2024
edited

@THS-on @ddstreetmicrosoft I've identified the issue and would like to update our Azure Linux 3.0 submission to reflect the changes. New tagged submission - https://github.com/microsoft/shim-review/tree/azurelinux-shim-aa64-x64-20240701

7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0 shimaa64.efi
83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801 shimx64.efi

Let me know if you'd prefer a new GH issue for the submission or to handle in some other way.

Details for the submission difference:

  • This shim-review is for a new Azure Linux 3.0 release that is not fully released for production use. The packages are currently part of our "preview" package repository.
  • The packages used to build shim, including gcc, were updated, and as part of that update we also removed previous versions of the packages from our package server, so the dockerfile could not fetch those packages. I've updated the dockerfile with the updated versions that are present.
  • In this case, our gcc was updated to remove a specific default compiler optimization change which has also altered the shim binaries we were submitting. So I have rebuilt the shim binaries with the latest toolchain and the docker build now matches our new binary submissions. This change to gcc is also the main reason we purged our "preview" package repository and re-uploaded all of the packages built with the updated gcc.
  • I've also updated the submission's docker build logs to match the new build and the README and ISSUE_TEMPLATE files with the new shim binary hashes

@THS-on
Copy link
Collaborator

THS-on commented Jul 8, 2024
edited

Review for azurelinux-shim-aa64-x64-20240701

Shim

  • Shim based on 15.8 without any patches
  • NX is disabled
  • SBAT looks fine
  • CA is valid till 2038, 4096bit RSA (ok)
  • Is reproducible
#8 0.271 83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801  /usr/share/shim/15.8/x64/shimx64.efi
#8 0.271 83c927eada08e0811adbaab47323841808d79e51d11aa8072c552bfbf80af801  /shimx64.efi
#8 0.261 7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0  /usr/share/shim/15.8/aa64/shimaa64.efi
#8 0.261 7905c30de3109eb4ff8a5d198f5077bceb35b0fc3559b03924cf78a96e511bd0  /shimaa64.efi

GRUB2

Linux

Notes and Questions

  • Can you update top comment with the new tag and hashes?
  • Can you clarify the GRUB2 version that is used?
  • How do you ensure that kernel is forced in lockdown mode when booted via Secure Boot?

@THS-on THS-on added the question Reviewer(s) waiting on response label Jul 8, 2024
@ddstreetmicrosoft
Copy link
Author

Can you update top comment with the new tag and hashes?

updated; I'll let Chris respond to the other questions

@christopherco
Copy link
Contributor

christopherco commented Jul 24, 2024
edited

Can you clarify the GRUB2 version that is used?

Sorry about the confusion. We are releasing with 2.06 with Fedora 34 patches for invoking EFI Handover Protocol. We had initially made the move to 2.12 but encountered an unexpected regression where the TPM Event Log was not being handed over to the kernel, only when Secure Boot was enabled. We'll be sticking here with 2.06 for the foreseeable future of Azure Linux 3.0.
I'll also add the SBAT entry into the grub SBAT.

How do you ensure that kernel is forced in lockdown mode when booted via Secure Boot?

All of our default images and configurations set lockdown=integrity in the kernel command line to force the kernel into lockdown mode. i.e., https://github.com/microsoft/azurelinux/blob/3.0/toolkit/tools/internal/resources/assets/grub2/grub#L5 which is used during base image creation.

We have previously mulled over bringing in the out-of-tree kernel patches to link Secure Boot to forcing lockdown mode directly, but we thus far decided to stick closer to upstream stable LTS kernel for the time being.

@THS-on
Copy link
Collaborator

THS-on commented Jul 24, 2024

@ddstreetmicrosoft @christopherco thank you for the clarifications.

Regarding the grub config. Forcing lockdown=integrity is a valid way to achieve the same, as the lockdown patches. The question is if a user can remove this option or not, i.e. is the config part of the GRUB2 binary that is signed? If the user is able to change it, than this would differ for the lockdown patches.

@christopherco
Copy link
Contributor

Regarding the grub config. Forcing lockdown=integrity is a valid way to achieve the same, as the lockdown patches. The question is if a user can remove this option or not, i.e. is the config part of the GRUB2 binary that is signed? If the user is able to change it, than this would differ for the lockdown patches.

Ah yes, in our case, it is possible for a user that has root privileges to remove the lockdown setting since the kernel command line setting is located in our grub.cfg. I can discuss internally on pulling in the lockdown patches to cover the difference.

@THS-on
Copy link
Collaborator

THS-on commented Jul 25, 2024

Yeah you can either include the lockdown patches or build your signed kernel CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y which forces the lockdown mode to be enabled.

Note tho that the following lockdown patch is not upstream, so you probably want to include either way:
https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch?ref_type=heads

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@THS-on THS-on

Labels
bug Problem with the review that must be fixed before it will be accepted contacts verified OK Contact verification is complete here (or in an earlier submission) question Reviewer(s) waiting on response
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@THS-on @christopherco @ddstreetmicrosoft