Shim 15.8 for Miray Software #367

Closed
8 tasks done
miray-tf opened this issue Feb 2, 2024 · 13 comments
Labels
accepted Submission is ready for sysdev

Comments

@miray-tf

miray-tf commented Feb 2, 2024

Confirm the following are included in your repo, checking each box:


What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/MiraySoftware/shim-review/tree/miraysoftware-shim-x64+aa64-20240216


What is the SHA256 hash of your final SHIM binary?


shim_mirayx64.efi: f380dc1d382483c3229305c1fec4b57395edf04f515c439445aa09cc9b3feb94

shim_mirayaa64.efi: 3bab2c22c4c658be2fe63b528485b1f19c256d23e5585b3154e403db2e8683ef


What is the link to your previous shim review request (if any, otherwise N/A)?


Resubmit for 15.7 because of missing patch file:
#355

Request for 15.7:
#351

Last accepted:
#247

@miray-tf
Author

Updated from tag miraysoftware-shim-x64+aa64-20240202 to miraysoftware-shim-x64+aa64-20240216 to add an answer to the new NX question in the readme file.

@aronowski aronowski self-assigned this Feb 20, 2024
@aronowski
Collaborator

Build reproduces, SHA256 sums match. The binaries' characteristics are fine, no NX support, as the whole chain is not NX-compatible.

The application seems alright just like #355. Please, ping someone and ask for a review too.


Note for other reviewers:

The SBAT generation numbers are compatible with the current revision of the written consensus and have been discussed thoroughly in #355.

@aronowski aronowski added the extra review wanted Initial review(s) look good, another review desired label Feb 22, 2024
@aronowski aronowski removed their assignment Feb 22, 2024
@steve-mcintyre
Collaborator

Trying to see what you've done with your git repo here - how on earth have you been committing and pushing without using a branch? I'm not seeing any history here even though I've already got https://github.com/MiraySoftware/shim-review cloned locally...!

@dennis-tseng99
Collaborator

dennis-tseng99 commented Feb 27, 2024

Hi @steve-mcintyre and @aronowski, please also let me join this review:

=== Review for Miray Software #367 ===

  • Binaries are producible based on tag miraysoftware-shim-x64+aa64-20240216

  • 2 patches are applied. Still investigating them line by line.

  • NX flag is disabled:
    objdump -x shim_mirayx64.efi | grep -E 'SectionAlignment|DllCharacteristics'
    SectionAlignment 00001000
    DllCharacteristics 00000000
    objdump -x shim_mirayaa64.efi | grep -E 'SectionAlignment|DllCharacteristics'
    SectionAlignment 00001000
    DllCharacteristics 00000000

  • Hash values match, and agree with the values in README
    /shim-review# sha256sum shim_mirayx64.efi
    f380dc1d382483c3229305c1fec4b57395edf04f515c439445aa09cc9b3feb94 shim_mirayx64.efi
    /shim-review# sha256sum shim_mirayaa64.efi
    3bab2c22c4c658be2fe63b528485b1f19c256d23e5585b3154e403db2e8683ef shim_mirayaa64.efi

  • sbat checking:
    objdump -j .sbat -s shim_mirayx64.efi
    Shim:
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
    shim.miray,1,Miray Software,shim,miray-15.8,https://www.miray-software.com
    Grub:
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
    grub.miray,1,Miray Software,grub2,sysload_2.8.4,https://github.com/MiraySoftware/grub2

  • Certificate Validity:
    shim-review# openssl x509 -in MiraySoftwareAG2023.DER.cer -inform der -noout -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    0a:93:0f:9e:f2:b2:b6:67:46:3e:38:0f:27:cc:ff:f5
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    Validity
    Not Before: Nov 2 00:00:00 2023 GMT
    Not After : Nov 1 23:59:59 2026 GMT
    .....
    X509v3 extensions:
    X509v3 Certificate Policies:
    Policy: 2.23.140.1.3 <--------------- CABF OID
    CPS: http://www.digicert.com/CPS

It is a DigiCert EV Code Signing Certificate, so 3 years is good enough


  • Minor suggestion:
    For the next submission, please give more detailed contact information for your product when you specify the vendor_url field, or just use an email address instead. For example, you might change sbat.miray.csv to:
    shim.miray,1,Miray Software,shim,miray-15.8,https://www.miray-software.com/packages/shim
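
Added example, not part of the comment above and not code from the shim project: a small parser for the `.sbat` entries quoted in the review, showing how a component's generation number is compared against a required minimum for the same component name. The minimum values in `SAMPLE_MINIMUMS` and all function names are constructed for illustration and are not a real revocation level.

```python
import csv
from typing import NamedTuple

class SbatEntry(NamedTuple):
    component: str
    generation: int
    vendor: str
    package: str
    version: str
    url: str

# .sbat contents exactly as quoted in the review above.
SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.miray,1,Miray Software,shim,miray-15.8,https://www.miray-software.com
"""
GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.miray,1,Miray Software,grub2,sysload_2.8.4,https://github.com/MiraySoftware/grub2
"""
# Constructed minimum generations for illustration; not a real revocation level.
SAMPLE_MINIMUMS = "sbat,1\nshim,4\ngrub,4\n"

def parse_sbat(text):
    """Parse .sbat CSV; each row needs six fields and a positive integer generation."""
    entries = []
    for row in csv.reader(text.strip().splitlines()):
        if len(row) != 6:
            raise ValueError(f"expected 6 fields, got {len(row)}: {row}")
        if not row[1].isdigit() or int(row[1]) < 1:
            raise ValueError(f"bad generation in {row}")
        entries.append(SbatEntry(row[0], int(row[1]), *row[2:]))
    return entries

def parse_minimums(text):
    """Parse 'component,generation[,...]' rows into {component: minimum}."""
    return {r[0]: int(r[1]) for r in csv.reader(text.strip().splitlines()) if r}

def revoked(entries, minimums):
    """Names of components whose generation is below the minimum for that name."""
    return [e.component for e in entries if e.generation < minimums.get(e.component, 0)]

if __name__ == "__main__":
    mins = parse_minimums(SAMPLE_MINIMUMS)
    for name, text in (("shim", SHIM_SBAT), ("grub", GRUB_SBAT)):
        print(name, "revoked components:", revoked(parse_sbat(text), mins))
```

Vendor-specific rows such as `shim.miray` are only affected when a minimum is published for that exact component name; raising the constructed `grub` minimum to 5 would flag the `grub,4` entry.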

@miray-tf
Author

@steve-mcintyre I have now added branch shim-review-miray-15.8 for the current tag and also set it as the default branch.

@dennis-tseng99 Thank you for the suggestion.

@miray-tf
Author

miray-tf commented Mar 7, 2024

@dennis-tseng99 We will use an email address in the future.

Do we need to provide any additional information for this review request?

@dennis-tseng99
Collaborator

@miray-tf Sorry for the late response. No problem, vendor_url is minor. Actually, I'm just curious why you skip the fallback procedure? (No boot.csv either)

@miray-tf
Author

miray-tf commented Mar 7, 2024

We currently only use shim for removable media and network boot.
Because of this we install shim and grub to \EFI\BOOT.
As I understand it, fallback handling is primarily for installed systems where the bootloader is in \EFI\<VENDOR>, so we don't need that functionality.

@dennis-tseng99
Collaborator

Thanks. I've no question. Let's accept it.

@dennis-tseng99 dennis-tseng99 added accepted Submission is ready for sysdev and removed extra review wanted Initial review(s) look good, another review desired labels Mar 7, 2024
@miray-tf
Author

Thank you for the reviews.

The submission id at Microsoft is 14420854136501935

@dennis-tseng99
Collaborator

Close as completed.

@miray-tf
Author

miray-tf commented Mar 12, 2024

@dennis-tseng99 We will do that as soon as we get the signed shim back from Microsoft.

@miray-tf
Author

We got the signed shim, thank you again for the reviews
