tSU-RooT: 42 repos, 16 followers, 52 following

Repositories:

  • A client for Twitter that works in the terminal (8 / 4)
  • A programmable presentation tool in Ruby (0 / 0)
  • OSS Gate website (0 / 0)
  • A Go client library for the Twitter 1.1 API (0 / 0)
  • grep for Japanese vimmers (0 / 0)

Events

Created at 1 week ago
issue comment
Shim 15.6 for SUSE expanded support 8

Hi, I will help. Disclaimer: I am not an authorized reviewer.

  • What was being reviewed?
commit 1a63eec1ff1d8f8b0114ff626e14c41626e0a2ed (HEAD, tag: SUSE-res8-shim-x86_ia32-20220905)
Author: Johannes Segitz <jsegitz@suse.de>
Date:   Mon Sep 5 16:46:28 2022 +0200

    initial commit

  • Reproducibility: the build is reproducible from Rocky Linux 8.6. Package versions are:
gcc: 8.5.0-10.1.el8_6.x86_64
binutils: 2.30-113.el8.x86_64
  • Content of certificate file:

slesecurebootca.cer in shim-unsigned-x64-15.6-1.el8.src.rpm

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = SLE Expanded Support Secure Boot CA, C = DE, L = Nuremberg, O = SUSE Linux Products GmbH, emailAddress = res-maintenance@suse.de
        Validity
            Not Before: Nov 30 15:54:45 2015 GMT
            Not After : Oct 25 15:54:45 2037 GMT
        Subject: CN = SLE Expanded Support Secure Boot CA, C = DE, L = Nuremberg, O = SUSE Linux Products GmbH, emailAddress = res-maintenance@suse.de
[snip]
            X509v3 Basic Constraints: critical
                CA:TRUE

22 years' lifetime, but this is a CA certificate; looks acceptable.

Does the submitter’s embedded certificate have a reasonable validity period? For a straight certificate, 1 to 5 years is probably sensible. For an embedded CA cert, longer is fine (20 years?)

https://github.com/rhboot/shim/wiki/reviewer-guidelines

  • shim-unsigned-x64 src rpm: a few spec changes from RHEL 8's shim, OK.
--- a/shim-unsigned-x64.spec	2022-10-18 21:43:25.975872837 +0900
+++ b/shim-unsigned-x64.spec	2022-10-18 19:45:37.754542009 +0900
@@ -24,11 +24,9 @@
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	redhatsecurebootca5.cer
-# currently here's what's in our dbx:
-# nothing.
+Source1:	slesecurebootca.cer
 Source2:	dbx.esl
-Source3:	sbat.redhat.csv
+Source3:	sbat.sleses.csv
 Source4:	shim.patches
 
 Source100:	shim-find-debuginfo.sh
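Review bot: the `# currently here's what's in our dbx:` / `# nothing.` comment is removed together with the Red Hat certificate line, but `Source2: dbx.esl` stays, so the spec no longer says what the SLES ES dbx.esl contains; keep an equivalent comment (or state it in the README) so a reviewer can tell whether the shipped dbx is still empty without extracting the ESL.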
@@ -95,6 +93,10 @@
 %debug_desc
 
 %prep
+echo "Displaying the list of the installed packages in the build environment."
+echo "This can be useful for the shim's certification procedure."
+rpm -qa | sort
+
 %autosetup -S git_am -n shim-%{version}
 git config --unset user.email
 git config --unset user.name
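Review bot: the `rpm -qa | sort` added to %prep runs before `%autosetup`, so the listing only reaches the build log, which is fine for reproducibility, but the two echo lines and the package list go to stdout with no delimiter; bracket them with a recognisable marker (e.g. `echo "=== build environment packages ==="` before and after) so the list can be located and diffed between the submitted build log and a reviewer's rebuild.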
@@ -178,6 +180,9 @@
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
+* Tue Jul 12 2022 SLES Expanded Support <noreply@suse.com> - 15.6
+- rebuild for SLES ES 8
+
 * Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
 - Update to shim-15.6
   Resolves: CVE-2022-28737
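Review bot: the new changelog entry is versioned `15.6` while the entry directly below it is `15.6-1.el8` and the SBAT vendor entry quoted later in this comment carries `15.6-1.el8`; use the full version-release (`- 15.6-1.el8`) on the changelog line so that spec, package and SBAT agree.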

Looks like just a rebuild (except for replacing the certificate) for SLES.

  • Private key management: storing the private key in an HSM looks reasonable.

  • Kernel & grub2 patches: looks like a rebuild of RHEL 8; local patches are debranding.

Point of concern:

  • SBAT section: for an unknown reason, the first two lines of your built binary are duplicated (although sbat.sleses.csv doesn't have such lines):
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.sles_es,1,SLES Expanded Support platform,shim,15.6-1.el8,mail:security@suse.com

We need to investigate.
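
A check for the point raised above, added here as an example; it is not code from the review, from SUSE or from the shim project. It parses the SBAT CSV as dumped from a shim's .sbat section and reports exact duplicate rows, components listed more than once, malformed rows and a missing vendor entry. The sample text is the five lines quoted above; the function names are this example's own.

```python
"""Sanity checks for the SBAT CSV carried in a shim binary's .sbat section."""
from collections import Counter

# Sample taken from the review above: the two generic header entries appear twice.
SAMPLE_SBAT_WITH_DUPES = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.sles_es,1,SLES Expanded Support platform,shim,15.6-1.el8,mail:security@suse.com
"""

FIELD_NAMES = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(text):
    """Split .sbat text into rows of fields; the section is NUL-padded in the binary."""
    rows = []
    for raw in text.replace("\0", "").splitlines():
        line = raw.strip()
        if line:
            rows.append(line.split(","))
    return rows


def check_sbat(text):
    """Return a list of findings; an empty list means the SBAT data looks sane."""
    findings = []
    rows = parse_sbat(text)
    if not rows:
        return ["empty .sbat section"]
    # Every row must have exactly the six comma-separated SBAT fields.
    for i, row in enumerate(rows, 1):
        if len(row) != len(FIELD_NAMES):
            findings.append(f"line {i}: expected {len(FIELD_NAMES)} fields, got {len(row)}")
    # component_generation must be a positive integer.
    for i, row in enumerate(rows, 1):
        if len(row) >= 2 and not (row[1].isdigit() and int(row[1]) > 0):
            findings.append(f"line {i}: component_generation {row[1]!r} is not a positive integer")
    # The first row must be the 'sbat' format-version entry.
    if rows[0][0] != "sbat":
        findings.append(f"line 1: first entry must be 'sbat', got {rows[0][0]!r}")
    # Exact duplicate rows (the problem seen in the review) and repeated component names.
    for line, n in Counter(",".join(row) for row in rows).items():
        if n > 1:
            findings.append(f"duplicate entry x{n}: {line}")
    for name, n in Counter(row[0] for row in rows).items():
        if n > 1:
            findings.append(f"component {name!r} listed {n} times")
    # Besides the generic 'sbat' and 'shim' rows a vendor-specific entry is expected.
    if not any(row[0] not in ("sbat", "shim") for row in rows):
        findings.append("no vendor-specific shim entry found")
    return findings


def dedupe_sbat(text):
    """Return the CSV with exact duplicate rows dropped, keeping first occurrences in order."""
    seen, out = set(), []
    for row in parse_sbat(text):
        line = ",".join(row)
        if line not in seen:
            seen.add(line)
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_sbat(SAMPLE_SBAT_WITH_DUPES):
        print("FINDING:", finding)
    print(dedupe_sbat(SAMPLE_SBAT_WITH_DUPES))
```

To run it against a built binary, dump the section with `objcopy -O binary --only-section=.sbat shimx64.efi sbat.txt` (binutils with PE support) and pass the file's contents to `check_sbat()`; the NUL padding that follows the CSV inside the binary is stripped by `parse_sbat()`. On the sample above it reports four findings (two duplicated lines, two components listed twice), and the deduplicated text passes cleanly.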

Created at 1 month ago
issue comment
Shim 15.6 for SUSE Euler Linux 2.0

Seems to be affected by the enhancement binutils-AArch64-EFI.patch (backported from upstream commit ) in binutils-2.37-10.se2. This patch affects the aarch64 EFI (PE) binary build, but it looks like it is not a problem.

Created at 1 month ago
issue comment
Shim 15.6 for SUSE Euler Linux 2.0

Hi, I see some points of new commit.

shim-sel_x86_64.efi: little change from the previous version at the binary level, and reproducibility is also good, so no problem, I think.
shim-sel_aarch64.efi: there are a lot of changes, seemingly caused by build environment changes (probably the binutils update, as you know).
I will try to check it on an aarch64 build.

However, it seems to be OK at the source level, I think.

Created at 1 month ago
pull request opened
exampleSite: Fix mismatch of between sample code and chart
Created at 1 month ago
create branch
tSU-RooT create branch fix-chart-sample-code
Created at 1 month ago
issue comment
Shim 15.6 for SUSE Euler Linux 2.0

Hi, sorry for my late response.

  • Cert file
$ openssl x509 -text -noout -in shim-sel.der
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Yunche Secure Boot CA, C = CN, ST = Guangdong, L = Shenzhen, O = Yunche Ltd., OU = Build Team, emailAddress = build@yuncheos.net
        Validity
            Not Before: Sep  6 10:39:11 2022 GMT
            Not After : Sep  5 10:39:11 2027 GMT
[...]

5 years' validity; I think it is OK.

  • New sha256 checksum: matched, OK.

  • Reproducibility from docker (=podman) build: differences are only zero-alignment data.

@@ -58578,5 +58578,5 @@
 000e4d10  55 49 44 00 6c 6f 61 64  5f 6f 70 74 69 6f 6e 73  |UID.load_options|
 000e4d20  00 50 4b 45 59 5f 55 53  41 47 45 5f 50 45 52 49  |.PKEY_USAGE_PERI|
 000e4d30  4f 44 5f 69 74 00 58 35  30 39 5f 4e 41 4d 45 5f  |OD_it.X509_NAME_|
-000e4d40  45 4e 54 52 59 5f 69 74  00 00 00 00 00 00 00 00  |ENTRY_it........|
-000e4d50
+000e4d40  45 4e 54 52 59 5f 69 74  00                       |ENTRY_it.|
+000e4d49
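Review bot: the only difference in this hunk is 7 trailing NUL bytes (the rebuilt file ends at 0x000e4d49 instead of 0x000e4d50), i.e. one build pads the file length to a 16-byte boundary and the other does not, which supports the "zero-alignment only" conclusion; a hexdump diff alone cannot show whether the PE section headers (sizes, raw-data pointers) also differ, so comparing `objdump -h` output of the two binaries would make the reproducibility claim stronger.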

  • SBAT
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.sel,1,SUSE Euler Linux,shim,15.6-3.se2,mailto:euler-security@suse.com

Looks OK. I confirmed that the built shim has the above sbat section.

I hope an authorized reviewer confirms it is OK to pass.
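
Two of the checks made in this comment and in the SLES ES review earlier in this feed, the certificate validity period and the "zero padding only" binary difference, written out as an added example; it is not code from the review or from shim-review. The lifetime thresholds follow the reviewer-guideline text quoted above (1 to 5 years for a plain certificate, about 20 for an embedded CA), and the exact cut-offs are this example's own reading of that text; the sample inputs are constructed from the openssl output and the hexdump quoted in these comments, and the function names are assumptions.

```python
"""Certificate-lifetime and trailing-zero-padding checks for a shim review."""
import re
from datetime import datetime

# Constructed samples: the Validity / Basic Constraints lines from the two
# `openssl x509 -text -noout` outputs quoted in the reviews (other fields omitted).
SUSE_CA_TEXT = """\
        Validity
            Not Before: Nov 30 15:54:45 2015 GMT
            Not After : Oct 25 15:54:45 2037 GMT
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
YUNCHE_TEXT = """\
        Validity
            Not Before: Sep  6 10:39:11 2022 GMT
            Not After : Sep  5 10:39:11 2027 GMT
"""

# Cut-offs derived from the reviewer guidelines ("1 to 5 years", "20 years?");
# the guideline gives no hard limits, so these numbers are an assumption.
LEAF_MIN_YEARS, LEAF_MAX_YEARS, CA_MAX_YEARS = 1.0, 5.0, 20.0


def _parse_openssl_date(s):
    """Parse e.g. 'Sep  6 10:39:11 2022 GMT' (openssl pads the day with spaces)."""
    s = " ".join(s.split())
    if s.endswith(" GMT"):
        s = s[:-4]
    return datetime.strptime(s, "%b %d %H:%M:%S %Y")


def cert_lifetime(text):
    """Return (years rounded to 0.1, is_ca) from openssl x509 text output."""
    not_before = re.search(r"Not Before:\s*(.+)", text)
    not_after = re.search(r"Not After\s*:\s*(.+)", text)
    if not (not_before and not_after):
        raise ValueError("no Validity block found")
    days = (_parse_openssl_date(not_after.group(1))
            - _parse_openssl_date(not_before.group(1))).days
    is_ca = re.search(r"CA:\s*TRUE", text) is not None
    return round(days / 365.25, 1), is_ca


def check_cert_lifetime(text):
    """'ok', 'too short', 'too long', or 'review' for a CA beyond the ~20-year guideline."""
    years, is_ca = cert_lifetime(text)
    if is_ca:
        return "ok" if years <= CA_MAX_YEARS else "review"
    if years < LEAF_MIN_YEARS:
        return "too short"
    if years > LEAF_MAX_YEARS:
        return "too long"
    return "ok"


# Constructed from the hexdump diff above: the tails of the two builds differ only in
# trailing NUL bytes (one file ends at 0x...49, the other is padded to 0x...50).
TAIL_PADDED = b"ENTRY_it" + b"\0" * 8
TAIL_UNPADDED = b"ENTRY_it\0"


def differs_only_by_trailing_zeros(a, b):
    """True when the two byte strings are equal apart from extra NUL bytes at the end of one."""
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return long_[:len(short)] == short and not long_[len(short):].strip(b"\0")


if __name__ == "__main__":
    for name, text in (("SLES ES CA", SUSE_CA_TEXT), ("Yunche", YUNCHE_TEXT)):
        print(name, cert_lifetime(text), check_cert_lifetime(text))
    print("padding only:", differs_only_by_trailing_zeros(TAIL_PADDED, TAIL_UNPADDED))
```

The 22-year SLES ES CA certificate comes out as `review` rather than a hard failure, which matches the judgement call made in that review, and the 5-year Yunche certificate is `ok`. For real binaries, read both files with `open(path, "rb").read()` and pass them to `differs_only_by_trailing_zeros()`; any non-zero byte in the extra tail, or any difference before it, makes the function return False.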

Created at 1 month ago
closed issue
shim 15.6 for MIRACLE LINUX 9

Confirm the following are included in your repo, checking each box:

  • [x] completed README.md file with the necessary information
  • [x] shim.efi to be signed
  • [x] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • [x] binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • [x] any extra patches to shim via your own git tree or as files
  • [x] any extra patches to grub via your own git tree or as files
  • [x] build logs
  • [x] a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/miraclelinux/shim-review/tree/miraclelinux-shim-x64-20220715

What is the SHA256 hash of your final SHIM binary?

eff340b0165a2bddf95ffa387bc71aea3bcee4102a2dc081a53f0dcbb3dd7152  shimx64.efi

Created at 1 month ago
issue comment
shim 15.6 for MIRACLE LINUX 9

We have received the signed shim from the Microsoft Hardware Developer Program. Close.

Created at 2 months ago
issue comment
shim 15.6 for MIRACLE LINUX 8.6

In your README.md, you list the version but nothing more.

OK, we will note more details next time.

All sources of grub2 are checked in under the grub2 dir: https://github.com/miraclelinux/shim-review/tree/miraclelinux-shim-x64-20220803/grub2
sbat.csv.in is: https://github.com/miraclelinux/shim-review/blob/miraclelinux-shim-x64-20220803/grub2/sbat.csv.in
Our changelog in grub2.spec is: https://github.com/miraclelinux/shim-review/blob/miraclelinux-shim-x64-20220803/grub2/grub2.spec#L505
No local patch is added from 2.06-123.el8_6.8.

Created at 2 months ago
issue comment
shim 15.6 for MIRACLE LINUX 8.6

Your shim SBAT data looks fine, but minor issue with the grub SBAT. You don't need to increase the grub.miracle8 SBAT level to 2 just because upstream grub has been increased.

Hmm..., I had thought a vendor must increase the component_generation of its own entry when important vulnerabilities are found (and fixed), but does this mean it is OK not to bump the number when it is increased on the upstream side?

If yes, must we decrease the number of grub.miracle8 to 1?

You said "no" to the question about kernel patch eadb2f47a3ced5c64b23b90fd2a3463f63726066. Are you sure you're not vulnerable here? (Please explain).

RHEL-based kernels set CONFIG_KDB_DEFAULT_ENABLE (kdb_cmd_enabled) to 0x0 (=0=disabled) in kernel-x86_64.config and kernel-x86_64-debug.config (aarch64 is an exception, set to 0x1, but we have no plans for aarch64). So I think the default kernel config is not vulnerable to CVE-2022-21499.

More detail about eadb2f47a3ced5c64b23b90fd2a3463f63726066: the upstream commit added kdb_check_for_lockdown() to fix CVE-2022-21499; kdb_check_for_lockdown() does not change the flag when kdb_cmd_enabled is 0.

Created at 2 months ago
issue comment
shim 15.6 for MIRACLE LINUX 8.6

I received a message from secondary contact. Keywords are: unbelievable rustled Lippmann scullery moons embroidering recliner advocating supplied marabou

Created at 2 months ago
issue comment
shim 15.6 for MIRACLE LINUX 8.6

lied field pickers sol diminuendos erected catastrophic Aprils prefabricated alley

Created at 2 months ago
issue comment
shim 15.6 for MIRACLE LINUX 8.6

I've marked the vendor_db box. (I misunderstood the case where the answer is 'not applied'.) We updated the repository to fix the issues pointed out at #264.

New tag is: https://github.com/miraclelinux/shim-review/tree/miraclelinux-shim-x64-20220901

Created at 2 months ago
tSU-RooT create tag miraclelinux-shim-x64-20220901
Created at 2 months ago

Add link to previous review in issue template

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Add an extra question about local kernel patches

If people have arbitrary extra kernel patches, they could well break SB. Let's check?

ML8.6: Dockerfile: Use fedora SRPM

Merge branch 'main' into ML8.6-draft

ML8.6: Add kernel build source codes

ML8.6: README.md: Update the justification

ML8.6: README.md: Update the answer for "What kernel are you using? Which patches does it includes to enforce Secure Boot?"

ML8.6: README.md: Add the answer for "Do you build your signed kernel with additional local patches? What do they do?"

ML8.6: ISSUE_TEMPLATE.md: Add the answer for "What is the link to your previous shim review request..."

ML8.6: ISSUE_TEMPLATE.md: Add check for binaries, for which hashes are added to vendor_db

ML8.6: Dockerfile: Update from ML9 accepted request

Merge branch 'ML8.6-draft' into 'ML8.6'

ML8.6: Update for the request at 2022-08-29

See merge request asianux/shim-review!2

Created at 2 months ago