ISSUE_TEMPLATE.md - external/github.com/neverware/shim-review - Git at Google

 Make sure you have provided the following information:

  - [ ] link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
  - [ ] completed README.md file with the necessary information
  - [ ] shim.efi to be signed
  - [ ] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  - [ ] binaries, for which hashes are added do vendor_db ( if you use vendor_db and have hashes allow-listed )
  - [ ] any extra patches to shim via your own git tree or as files
  - [ ] any extra patches to grub via your own git tree or as files
  - [ ] build logs
  - [ ] a Dockerfile to reproduce the build of the provided shim EFI binaries


 ###### What organization or people are asking to have this signed:
 `[your text here]`

 ###### What product or service is this for:
 `[your text here]`

 ###### Please create your shim binaries starting with the 15.4 shim release tar file:
 ###### https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
 ###### This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
 ###### the appropriate gnu-efi source.
 ###### Please confirm this as the origin your shim.
 `[your text here]`

 ###### What's the justification that this really does need to be signed for the whole world to be able to boot it:
 `[your text here]`

 ###### How do you manage and protect the keys used in your SHIM?
 `[your text here]`

 ###### Do you use EV certificates as embedded certificates in the SHIM?
 `[your text here]`

 ###### If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
 `[your text here]`

 ###### Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?
 `[your text here]`

 ###### if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
 ###### CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
 ###### CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
 ###### CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
 ###### ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
 ###### and if you are shipping the shim_lock module CVE-2021-3418
 ###### fixed ?
 `[your text here]`

 ###### "Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
 ###### ( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
 ###### Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
 `[your text here]`

 ##### Were your old SHIM hashes provided to Microsoft ?
 `[your text here]`

 ##### Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
 ##### CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
 ##### CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
 ##### grub2 bootloaders can not be verified ?
 `[your text here]`

 ##### What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
 ##### * Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
 `[your text here]`

 ###### What is the origin and full version number of your bootloader (GRUB or other)?
 `[your text here]`

 ###### If your SHIM launches any other components, please provide further details on what is launched
 `[your text here]`

 ###### If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
 ###### please provide further details on what is launched and how it enforces Secureboot lockdown
 `[your text here]`

 ###### If you are re-using a previously used (CA) certificate, you
 ###### will need to add the hashes of the previous GRUB2 binaries
 ###### exposed to the CVEs to vendor_dbx in shim in order to prevent
 ###### GRUB2 from being able to chainload those older GRUB2 binaries. If
 ###### you are changing to a new (CA) certificate, this does not
 ###### apply. Please describe your strategy.
 `[your text here]`

 ###### How do the launched components prevent execution of unauthenticated code?
 `[your text here]`

 ###### Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
 `[your text here]`

 ###### What kernel are you using? Which patches does it includes to enforce Secure Boot?
 `[your text here]`

 ###### What changes were made since your SHIM was last signed?
 `[your text here]`

 ###### What is the SHA256 hash of your final SHIM binary?
 `[your text here]`
	Make sure you have provided the following information:

	- [ ] link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
	- [ ] completed README.md file with the necessary information
	- [ ] shim.efi to be signed
	- [ ] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
	- [ ] binaries, for which hashes are added do vendor_db ( if you use vendor_db and have hashes allow-listed )
	- [ ] any extra patches to shim via your own git tree or as files
	- [ ] any extra patches to grub via your own git tree or as files
	- [ ] build logs
	- [ ] a Dockerfile to reproduce the build of the provided shim EFI binaries


	###### What organization or people are asking to have this signed:
	`[your text here]`

	###### What product or service is this for:
	`[your text here]`

	###### Please create your shim binaries starting with the 15.4 shim release tar file:
	###### https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
	###### This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
	###### the appropriate gnu-efi source.
	###### Please confirm this as the origin your shim.
	`[your text here]`

	###### What's the justification that this really does need to be signed for the whole world to be able to boot it:
	`[your text here]`

	###### How do you manage and protect the keys used in your SHIM?
	`[your text here]`

	###### Do you use EV certificates as embedded certificates in the SHIM?
	`[your text here]`

	###### If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
	`[your text here]`

	###### Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?
	`[your text here]`

	###### if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
	###### CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
	###### CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
	###### CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
	###### ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
	###### and if you are shipping the shim_lock module CVE-2021-3418
	###### fixed ?
	`[your text here]`

	###### "Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
	###### ( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
	###### Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
	`[your text here]`

	##### Were your old SHIM hashes provided to Microsoft ?
	`[your text here]`

	##### Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
	##### CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
	##### CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
	##### grub2 bootloaders can not be verified ?
	`[your text here]`

	##### What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
	##### * Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
	`[your text here]`

	###### What is the origin and full version number of your bootloader (GRUB or other)?
	`[your text here]`

	###### If your SHIM launches any other components, please provide further details on what is launched
	`[your text here]`

	###### If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
	###### please provide further details on what is launched and how it enforces Secureboot lockdown
	`[your text here]`

	###### If you are re-using a previously used (CA) certificate, you
	###### will need to add the hashes of the previous GRUB2 binaries
	###### exposed to the CVEs to vendor_dbx in shim in order to prevent
	###### GRUB2 from being able to chainload those older GRUB2 binaries. If
	###### you are changing to a new (CA) certificate, this does not
	###### apply. Please describe your strategy.
	`[your text here]`

	###### How do the launched components prevent execution of unauthenticated code?
	`[your text here]`

	###### Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
	`[your text here]`

	###### What kernel are you using? Which patches does it includes to enforce Secure Boot?
	`[your text here]`

	###### What changes were made since your SHIM was last signed?
	`[your text here]`

	###### What is the SHA256 hash of your final SHIM binary?
	`[your text here]`