tag | 0316faa67daceb7da41865e77a85c838c4baf3c2 | |
---|---|---|
tagger | Paul Nardini <nardini@google.com> | Mon Sep 13 13:22:37 2021 |
object | 4a6262da3f8431f21cd25579888928fa7c8ab771 | |
Shim 15.4 submission for ChromeOS, 2021-09-13
commit | 4a6262da3f8431f21cd25579888928fa7c8ab771 | |
---|---|---|
author | Paul Nardini <nardini@google.com> | Fri Sep 10 21:56:48 2021 |
committer | Paul Nardini <nardini@google.com> | Fri Sep 10 21:56:48 2021 |
tree | faa2135457cd803456d432ecfb1897c250c222e7 | |
parent | 422b43322e83a1e053607cf6aac4a923cf40e5b3 | |
Updating for first Google shim submission

* Includes updated binaries with a 5 yr embedded cert
* Includes an updated build log from the new binaries
* Includes an update to the README for a new shim-build tag, needed for the cert update.

BUG=b:195737944
TEST=none
Change-Id: I52f255749c783bffa00a643b3de2cce4b0741476
This repo is for review of requests for signing shim. To create a request for review:
Note that we really only have experience with GRUB2 on Linux, so asking us to endorse anything else for signing is going to require some convincing on your part.
Here's the template:
Chrome OS (reven board)
Chrome OS is a Linux distribution. We want to enable (and encourage) our user base to boot Chrome OS (reven) with secure boot enabled.
Please create your shim binaries starting with the 15.4 shim release tar file: https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
We can confirm that all of our shim binaries are built from the referenced tarball.
https://github.com/rhboot/shim/tree/15.4
We are applying the following patches to fix critical regressions that have been identified in shim 15.4:

* https://github.com/rhboot/shim/pull/364
* https://github.com/rhboot/shim/pull/362
* https://github.com/rhboot/shim/pull/357
* https://github.com/rhboot/shim/pull/361

We're using upstream GRUB2.
What exact implementation of Secure Boot in GRUB2 (if this is your bootloader) do you have?
Upstream GRUB2 shim_lock verifier
If the bootloader that shim loads is GRUB2, and previous shims trusted GRUB2 builds affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, and CVE-2021-3418 if you were shipping the shim_lock module (the July 2020 and March 2021 grub2 CVE lists):
N/A
We do not use this functionality.
We are changing to a new certificate.
All shim binaries can be built using our Dockerfile and instructions in the README.md of https://chromium.googlesource.com/external/github.com/neverware/shim-build/+/refs/tags/v8
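The review relies on a reviewer rebuilding the binaries from the referenced tarball and Dockerfile and confirming that the result matches what was submitted. The script below is an added example of that last step and is not part of this submission or of the shim-build project: it takes two `sha256sum`-style listings, one from the submitted build log and one from the reviewer's own rebuild, and reports every file whose digest differs or that is present on only one side. The digests and file names embedded here are constructed placeholders; a real review would substitute the hashes from the submitter's build log and from `sha256sum` run on the reproduced binaries.

```shell
#!/bin/sh
# Added example: compare a submitted sha256sum listing against a rebuild.
# Both listings are constructed sample data with placeholder digests.

SUBMITTED_HASHES='1111111111111111111111111111111111111111111111111111111111111111  shimx64.efi
2222222222222222222222222222222222222222222222222222222222222222  shimia32.efi'

REBUILT_HASHES='1111111111111111111111111111111111111111111111111111111111111111  shimx64.efi
3333333333333333333333333333333333333333333333333333333333333333  shimia32.efi'

# compare_hash_lists SUBMITTED_LISTING REBUILT_LISTING
# Prints one status line per file and returns 0 only when every submitted
# file was reproduced with an identical digest and the rebuild produced
# nothing extra. Heredocs are used instead of pipes so the counter survives.
compare_hash_lists() {
    submitted=$1
    rebuilt=$2
    problems=0

    # Every submitted file must appear in the rebuilt listing with the same digest.
    while read -r sub_hash sub_file; do
        [ -n "$sub_file" ] || continue
        reb_hash=$(printf '%s\n' "$rebuilt" | awk -v f="$sub_file" '$2 == f { print $1 }')
        if [ -z "$reb_hash" ]; then
            echo "MISSING  $sub_file: not produced by the rebuild"
            problems=$((problems + 1))
        elif [ "$reb_hash" != "$sub_hash" ]; then
            echo "MISMATCH $sub_file: submitted=$sub_hash rebuilt=$reb_hash"
            problems=$((problems + 1))
        else
            echo "OK       $sub_file"
        fi
    done <<EOF
$submitted
EOF

    # Files that only the rebuild produced also need an explanation.
    while read -r reb_hash reb_file; do
        [ -n "$reb_file" ] || continue
        if ! printf '%s\n' "$submitted" | awk -v f="$reb_file" '$2 == f { found = 1 } END { exit !found }'; then
            echo "EXTRA    $reb_file: present only in the rebuild"
            problems=$((problems + 1))
        fi
    done <<EOF
$rebuilt
EOF

    [ "$problems" -eq 0 ]
}

# Run against the constructed sample data; the ia32 digest differs on purpose.
compare_hash_lists "$SUBMITTED_HASHES" "$REBUILT_HASHES" || echo "rebuild does not match submission"
```

On the sample data the x64 binary reports `OK` and the ia32 binary reports `MISMATCH`, so the function returns non-zero; identical listings return zero. Any `MISMATCH`, `MISSING` or `EXTRA` line means the build is not reproducible from the stated inputs and the submission should not be treated as verified until the difference is explained.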
We made our initial shim submissions as Neverware (see https://github.com/rhboot/shim-review/issues/27 and https://github.com/rhboot/shim-review/issues/106). We had a recent shim submission as Google approved for CloudReady (https://github.com/rhboot/shim-review/issues/193). This submission is for the project as it will be built on Google infrastructure, switching to the chromeos/reven identifier.