commit | df62dc56558b13df86c02452f50969973c488a7a | [log] [tgz] |
---|---|---|
author | Nicholas Bishop <nicholasbishop@google.com> | Fri Jun 24 17:09:06 2022 |
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | Fri Jun 24 22:28:24 2022 |
tree | 4056715a880988bdfdfd8ba1cff4b1fd1f8dc3ad | |
parent | 8bc77171e09224d3808067d5e10d99d20a94c1d6 [diff] |
Update grub's SBAT

https://crrev.com/c/3720921 changed grub's SBAT data. Update the questionnaire to match.

BUG=b:235243412
TEST=None

Change-Id: Id4d9972d4f2d897a0541e9319ac5cb7f173fb03b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/shim-review/+/3723076
Auto-Submit: Nicholas Bishop <nicholasbishop@google.com>
Commit-Queue: Paul Nardini <nardini@google.com>
Reviewed-by: Paul Nardini <nardini@google.com>
Tested-by: Nicholas Bishop <nicholasbishop@google.com>
Chrome OS (reven board)
Chrome OS is a Linux distribution. We want to enable (and encourage) our user base to boot Chrome OS (reven) with secure boot enabled.
(Key should be signed by the other security contacts, pushed to a keyserver like keyserver.ubuntu.com, and preferably have signatures that are reasonably well known in the Linux community.)
Please create your shim binaries starting with the 15.6 shim release tar file: https://github.com/rhboot/shim/releases/download/15.6/shim-15.6.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.6 and contains the appropriate gnu-efi source.
We confirm that our shim binaries are built from the referenced tarball.
https://github.com/rhboot/shim/tree/15.6
No patches are applied.
Upstream GRUB2 with shim_lock verifier.
CVE-2020-14372
CVE-2020-25632
CVE-2020-25647
CVE-2020-27749
CVE-2020-27779
CVE-2021-20225
CVE-2021-20233
CVE-2020-10713
CVE-2020-14308
CVE-2020-14309
CVE-2020-14310
CVE-2020-14311
CVE-2020-15705
CVE-2021-3418 (if you are shipping the shim_lock module)
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734
CVE-2022-28735
CVE-2022-28736
CVE-2022-28737
Pre-SBAT shim builds have been sent to Microsoft for revocation. Our current cert has not been used to sign anything pre-SBAT.
Yes, all three commits are in the chromeos-5.10 branch our kernel is built from: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/heads/chromeos-5.10
We do not use this functionality.
N/A: we already switched to a new certificate for our Shim 15.4 submission: https://github.com/rhboot/shim-review/issues/204
The Dockerfile in this repository will reproduce our shim build. As a convenience, make build-no-cache will do a clean build.
This should include logs for creating the buildroots, applying patches, doing the build, creating the archives, etc.
The Makefile defaults to podman (can be overridden by setting the CONTAINER_CMD env var).
0fcef16c44af02cf586200c93bccec6c5776591c01f7317b62a45d1d5f91361e shimia32.efi
bcd526a9a726680f9ac6334c99aa1fb53a6f6228f65251dfda59e18cece0052f shimx64.efi
The keys used in this shim are generated and stored in an HSM. They are then encrypted for export to a signing fleet for usage in build signing by our CI pipeline, where they remain encrypted at rest. Only 4 trusted individuals in the org have access to the signing fleet machines, enforced by ACL and 2FA.
No.
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.chromeos,2,ChromeOS,shim,15.6,https://chromium.googlesource.com/chromiumos/shim-review

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.chromeos,2,ChromeOS,grub2,2.06,https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/sys-boot/grub/grub-2.06.ebuild
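To make the generation numbers in the SBAT data above concrete, here is an added example (not code from the ChromeOS shim-review repository, shim, or GRUB) that checks a binary's .sbat rows against an SBAT revocation policy the way SBAT.md describes the check: a row is revoked when the policy names the same component with a higher generation than the binary carries. The shim and grub rows are the ones listed above; the policy text (in the component,generation form shim's SbatLevel uses, with a constructed date) and the pre-2.06 grub rows are constructed for illustration.

```python
"""Check a binary's SBAT rows against an SBAT revocation policy.

Added example, not code from the shim-review repository or from shim.
The rule implemented is the one in
https://github.com/rhboot/shim/blob/main/SBAT.md: a component row is
revoked when the policy lists the same component name with a higher
generation. Components the policy does not mention are not checked.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# SBAT rows exactly as listed in this questionnaire.
SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.chromeos,2,ChromeOS,shim,15.6,https://chromium.googlesource.com/chromiumos/shim-review\n"
)
GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.chromeos,2,ChromeOS,grub2,2.06,https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/sys-boot/grub/grub-2.06.ebuild\n"
)
# Constructed: a grub that still carries generation 1 (pre-CVE-2022-28733..28737 era).
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n"
)
# Constructed policy in SbatLevel form: "component,generation" per line.
# The date in the first row is illustrative, not a real policy revision.
POLICY_CURRENT = "sbat,1,2022052400\nshim,2\ngrub,2\n"


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str = ""
    package: str = ""
    version: str = ""
    url: str = ""


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse CSV SBAT rows (component, generation, then up to four vendor fields).

    Malformed rows raise instead of being skipped: a section that cannot be
    parsed must fail closed, otherwise a corrupted row could dodge revocation.
    """
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if len(row) < 2:
            raise ValueError(f"malformed SBAT row: {row!r}")
        try:
            generation = int(row[1])
        except ValueError as exc:
            raise ValueError(f"non-numeric generation in row {row!r}") from exc
        fields = (row + [""] * 6)[:6]
        entries.append(SbatEntry(fields[0], generation, *fields[2:6]))
    return entries


def parse_policy(text: str) -> dict[str, int]:
    """Minimum acceptable generation per component; highest wins on duplicates."""
    policy: dict[str, int] = {}
    for entry in parse_sbat(text):
        policy[entry.component] = max(policy.get(entry.component, 0), entry.generation)
    return policy


def revoked_rows(binary_sbat: str, policy_text: str) -> list[tuple[str, int, int]]:
    """Return (component, binary_generation, required_generation) for every
    row below the policy's bar. An empty list means the binary passes."""
    policy = parse_policy(policy_text)
    hits = []
    for entry in parse_sbat(binary_sbat):
        required = policy.get(entry.component)
        if required is not None and entry.generation < required:
            hits.append((entry.component, entry.generation, required))
    return hits


if __name__ == "__main__":
    for name, data in (("shim", SHIM_SBAT), ("grub 2.06", GRUB_SBAT), ("old grub", OLD_GRUB_SBAT)):
        print(name, "revoked:" if revoked_rows(data, POLICY_CURRENT) else "ok", revoked_rows(data, POLICY_CURRENT))
```

Note that the vendor-specific rows (shim.chromeos, grub.chromeos) are untouched by a policy that only names shim and grub; they exist so a distro-specific regression can be revoked by name without bumping the upstream generation for everyone.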
Grub 2.06
This is largely the same as our previous submission, but the patch list (linked above) has been updated:
0001-Forward-port-ChromeOS-specific-GRUB-environment-vari.patch and 0002-Forward-port-gptpriority-command-to-GRUB-2.00.patch are unchanged from previous submission.
0003-Add-configure-option-to-reduce-visual-clutter-at-boo.patch: this is from a Debian patch.
N/A
N/A
Our shim launches grub2 built with secure-boot support.
No
Our kernel is based on 5.10 and has secure boot enabled. Source: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/heads/chromeos-5.10
Previous submission: https://github.com/rhboot/shim-review/issues/204