shim 15.7 for SUSE #301

Closed
7 tasks done
jsegitz opened this issue Dec 1, 2022 · 12 comments
Labels
accepted Submission is ready for sysdev

Comments

@jsegitz

jsegitz commented Dec 1, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/jsegitz/shim-review/tree/SUSE-SLES-shim-x86_aarch64-20221130


What is the SHA256 hash of your final SHIM binary?


x86_64:
$ pesign --hash --padding --in=shim-sles_x86_64.efi
hash: 2b0d7d00e2d5ef27605375da81690afaab91d19ea4cc129ced8dfb34d9c5c2d3
$ sha256sum shim-sles_x86_64.efi
bb405777bde97cfed333939cd6409c7b1cf72e5e07ae72226fa5214e95c9e113 shim-sles_x86_64.efi

aarch64:
$ pesign --hash --padding --in=shim-sles_aarch64.efi
hash: 04478d49dfa6c5f8442ec919568e1eda59de99cc1b5192f18028084409bbebe5
$ sha256sum shim-sles_aarch64.efi
d16ed6993b51ba96a4664e1648d7b244d0dd7c1c1e1eb9d5404b2973c0b2c4fc shim-sles_aarch64.efi


What is the link to your previous shim review request (if any, otherwise N/A)?


#263

@jsetje
Collaborator

jsetje commented Dec 7, 2022

Can you confirm that you're not impacted by rhboot/shim#533 ?
If you are, the fix was just merged.

@jsegitz
Author

jsegitz commented Dec 9, 2022

Thanks for the hint. We checked and we're not affected by this.

@jsetje
Collaborator

jsetje commented Dec 13, 2022

This all looks reasonable, but my attempts to get this to build are failing when the docker build tries to fetch container-suseconnect-zypp. This is most likely due to me trying to turn this crank on a fedora system. I'll dig into this a bit more this afternoon, but this isn't the sort of thing I do regularly, so any hints would be appreciated. :)

@jsegitz
Author

jsegitz commented Dec 14, 2022

Thanks for checking. For me this still works without issues on my system. I'll retry it on a Fedora system. Can you please share the logs of your failed build?

@jsegitz
Author

jsegitz commented Dec 14, 2022

I tried on a fresh Fedora 37 and for me a simple
podman build --build-arg ARCHITECTURE=x86_64 -t sles_shim:15.7 .
in the directories builds it without errors. So I need to have a look at your logs to figure out what's wrong.

@jsegitz
Author

jsegitz commented Jan 3, 2023

Back from the holiday break. @jsetje could you please send me your logs so I can debug this? Thanks

@jsegitz
Author

jsegitz commented Feb 24, 2023

@jsetje ping. Can you please send me your logs?

@julian-klode
Collaborator

Rebuilds commit d1d0b3f (HEAD, tag: SUSE-SLES-shim-x86_aarch64-20221130):

x86_64 passed:

STEP 18/19: RUN pesign --hash --padding --in=/shim/usr/share/efi/$ARCHITECTURE/shim-sles.efi
hash: 2b0d7d00e2d5ef27605375da81690afaab91d19ea4cc129ced8dfb34d9c5c2d3
--> cd6b0826c13
STEP 19/19: RUN sha256sum /shim/usr/share/efi/$ARCHITECTURE/shim-sles.efi
bb405777bde97cfed333939cd6409c7b1cf72e5e07ae72226fa5214e95c9e113  /shim/usr/share/efi/x86_64/shim-sles.efi

ARCHITECTURE=aarch64 failed:

STEP 11/19: RUN zypper -n in /pesign-obs-integration-10.2+git20210804.ff18da1-150400.1.14.$ARCHITECTURE.rpm
Refreshing service 'container-suseconnect-zypp'.
Loading repository data...
Reading installed packages...
'_tmpRPMcache_:pesign-obs-integration=0:10.2+git20210804.ff18da1-150400.1.14' not found in package names. Trying capabilities.
No provider of '_tmpRPMcache_:pesign-obs-integration=0:10.2+git20210804.ff18da1-150400.1.14' found.
Error: error building at STEP "RUN zypper -n in /pesign-obs-integration-10.2+git20210804.ff18da1-150400.1.14.$ARCHITECTURE.rpm": error while running runtime: exit status 104
****

Retrying with emulated build rather than cross build (if this does not intend to allow cross-building, it shouldn't need an ARCHITECTURE argument?).

@julian-klode julian-klode added the bug Problem with the review that must be fixed before it will be accepted label Mar 6, 2023
@julian-klode
Collaborator

aarch64 passed.

STEP 18/19: RUN pesign --hash --padding --in=/shim/usr/share/efi/$ARCHITECTURE/shim-sles.efi
hash: 04478d49dfa6c5f8442ec919568e1eda59de99cc1b5192f18028084409bbebe5
--> 01c1aadafa2
STEP 19/19: RUN sha256sum /shim/usr/share/efi/$ARCHITECTURE/shim-sles.efi
d16ed6993b51ba96a4664e1648d7b244d0dd7c1c1e1eb9d5404b2973c0b2c4fc /shim/usr/share/efi/aarch64/shim-sles.efi

Reviewing notes:

  1. Known submitter
  2. Build is reproducible
  3. shim is built from 15.7 tarball + patches, only new patch is NX support, deferring to previous review on existing patches
  4. README.md is complete. Answers are technically wrong, as it also launches fwupd, not just grub as stated.
  5. Subject: CN = SUSE Linux Enterprise Secure Boot CA, C = DE, L = Nuremberg, O = SUSE Linux Products GmbH, OU = Build Team, emailAddress = [email protected]
  6. Key protection is inadequate
  7. Key is valid until 2035, that's ok for a CA key
  8. SBAT is reasonable
  9. grub is used
  10. grub patches seem reasonable
  11. kernel seems reasonable
  12. revocation seems clear w/ CA key
  13. classic rhboot boot patchset and stack, not concerned

FIXME

  • The key protection story is inadequate, please provide more details:

    The keys are in a specially hardened machine that is in our build environment.

  • SBAT: fwupd has a fwupd-sle entry, should be fwupd.sle
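An added example, not part of this review thread or of SUSE's or shim-review's tooling: a small Python lint for an SBAT section that encodes the naming point raised above (vendor-specific rows are named `<upstream>.<suffix>`, so a `fwupd-sle` row should read `fwupd.sle`) alongside the basic structural checks. The sample section, its version strings and URLs are constructed placeholders, not SUSE's real SBAT data.

```python
# Lint an SBAT section: six comma-separated fields per row, an integer
# generation >= 1, the 'sbat' header row first, and vendor rows spelled
# '<upstream>.<suffix>' after the upstream row they derive from.
FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")

def parse_sbat(text):
    """Split an SBAT section into one dict per row; raise on a malformed row."""
    rows = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def lint_sbat(text):
    """Return a list of findings; an empty list means the section passed."""
    findings = []
    rows = parse_sbat(text)
    if not rows or rows[0]["component_name"] != "sbat":
        findings.append("first row must be the 'sbat' header row")
    seen = set()
    for row in rows:
        name, gen = row["component_name"], row["component_generation"]
        if not gen.isdigit() or int(gen) < 1:
            findings.append(f"{name}: generation must be an integer >= 1")
        if "." in name:
            # vendor row: the part before the dot must be a component listed above it
            upstream = name.split(".", 1)[0]
            if upstream not in seen:
                findings.append(f"{name}: no upstream '{upstream}' row precedes this vendor entry")
        elif "-" in name and name.split("-", 1)[0] in seen:
            # the reviewer's case: a vendor row written with a hyphen instead of a dot
            upstream, suffix = name.split("-", 1)
            findings.append(f"{name}: vendor entries use '<upstream>.<suffix>', expected '{upstream}.{suffix}'")
        seen.add(name)
    return findings

# Constructed sample section (versions and URLs are placeholders, not SUSE's real data).
SBAT_HYPHEN = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               "fwupd,1,Firmware update daemon,fwupd,1.8.0,https://example.invalid/fwupd\n"
               "fwupd-sle,1,SUSE,fwupd,1.8.0-1.1,https://example.invalid/fwupd-sle\n")
SBAT_DOTTED = SBAT_HYPHEN.replace("fwupd-sle,", "fwupd.sle,")

if __name__ == "__main__":
    for section in (SBAT_HYPHEN, SBAT_DOTTED):
        print(lint_sbat(section) or ["clean"])
```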

@jsegitz
Author

jsegitz commented Mar 7, 2023

Thank you very much!

Yes, aarch64 needs to be built on a matching architecture.

As for the FIXMES:

  • The key is on our signing server. The server is in a CC EAL 4+ certified server room and specially hardened. Only a small number of employees have access to the server. If additional details are needed I can bring in one of the admins.
  • fwupd: Thanks, didn't notice that. We'll fix that. Would it be okay to do this with the next submission? We need this shim to go out since the old ones might stop working any day, they're on the blocklists.

@julian-klode
Collaborator

Accepted.

Please remove the ARCHITECTURE argument for the next submission, you don't need that if cross-building doesn't actually work, you can just derive that from the image.

I was hoping for some HSM involvement, like at least some wrapping of the key, but I suppose that's good enough.

@julian-klode julian-klode added accepted Submission is ready for sysdev and removed bug Problem with the review that must be fixed before it will be accepted labels Mar 7, 2023
@jsegitz
Author

jsegitz commented Mar 8, 2023

Thank you very much.

Will remove ARCHITECTURE and get the fwupd sbat fixed for the next submission.
