Shim 15.8 for Navix 9 #413
Comments
Review of Shim 15.8 for Navix 9
OK
Issues / queries
|
Two more reviews needed, I think. AFAICS previous submissions were never signed so you're still a new vendor by our normal rules. Feel free to correct me if I've missed something here! |
We finally enrolled in the MS HW Dev program, so we are going to process the previous (Navix 8) shim submission ASAP. |
Review of navix9-shim-x86_64-20240502
Shim
GRUB2
Kernel
Notes
The UKI entries aren't correct; the following are all redundant, one of those is enough and it makes sense for it to be the vendor's entry
For the following section, why are you keeping centos and not rhel? Also, openELA isn't a distro as far as I understand, so not sure if it makes sense to keep it here as well; will need some feedback from @jsetje and maybe @bluca
Other than those few notes, LGTM, we will need one more reviewer |
Actually, I was following the guideline - https://github.com/rhboot/shim-review/blob/main/docs/submitting.md#31-sbat-data
So that's why there is openELA's SBAT data and additional redundant entries.
Sorry for the confusion. It was a mistake. Thanks for the review! |
Not an official reviewer
Review of navix9-shim-x86_64-20240502
Build analysts
Patches
sbats
Other than the grub sbat entry everything looks good, please provide response to the vendor grub2 sbat entry for my education |
For this part, you only need a single entry of
Cool, can you sort those in the README? We need to track those in #397 |
Thank you for your review, Jason!
We will fix our SBAT generation to 1, as this is the first shim for Navix 9 and we did not revoke our grub2 using shim.
Thank you. I'll update and fix the SBAT data.
As you said in the previous comment, I'm also not sure about keeping OpenELA's SBAT data, so additional feedback is welcome. Thank you all for your review and corrections. |
Update: We got our signed shim for Navix 8 - #370 |
@leejun9503 Can you update the issue / tag itself with your final SBAT entries for your EFI components? |
Updated. |
It's okay to keep the OpenELA SBAT data, as long as your upstream has them. |
@SherifNagy does this still need a review? |
@THS-on Might as well :) more eyes is better, if that's okay with you |
Review of
|
@leejun9503 as @THS-on mentioned, decreasing the |
ah no wait, other submission are also But if you did release a signed grub with |
We saw other EL vendors' SBAT entries for reference - because this is the first time we are integrating secure boot into Navix 8 and 9 - and they have a similar SBAT entry for fwupd, and we followed their structure.
Nope, For now we never released signed grub with |
The upstream entry points to version 1.4 and yours to 1.8.10. In most cases this should be the same. Might be that by importing the package, your version number does not get increased automatically.
Ok then this is fine. |
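The generation question settled in the comments above (a lower generation is acceptable only if no signed binary was ever released with the higher value) can be checked mechanically before a submission. The following is an added example, not part of this thread or of the shim-review tooling; the sample entries and the vendor name `examplevendor` are constructed, and the duplicate-name check is this example's own rule.

```python
import csv
import io

FIELDS = ("component", "generation", "vendor", "package", "version", "url")

def parse_sbat(text):
    """Parse the CSV text of a .sbat section into a list of entry dicts."""
    entries = []
    for lineno, rec in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not rec:
            continue  # tolerate blank lines
        if len(rec) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(rec)}")
        entry = dict(zip(FIELDS, (f.strip() for f in rec)))
        try:
            entry["generation"] = int(entry["generation"])
        except ValueError:
            raise ValueError(f"line {lineno}: generation is not an integer") from None
        if entry["generation"] < 1:
            raise ValueError(f"line {lineno}: generation must be >= 1")
        entries.append(entry)
    return entries

def review_sbat(candidate, released=""):
    """Return findings for a candidate section, given what was already signed."""
    findings, current = [], {}
    entries = parse_sbat(candidate)
    if not entries or entries[0]["component"] != "sbat":
        findings.append("first entry is not the 'sbat' format entry")
    for e in entries:
        if e["component"] in current:  # this example's own lint rule
            findings.append(f"{e['component']}: listed more than once")
        current[e["component"]] = e["generation"]
    # A generation may only be lowered if no signed binary ever carried the
    # higher value; components absent from the released set have no baseline.
    for old in parse_sbat(released):
        new = current.get(old["component"])
        if new is not None and new < old["generation"]:
            findings.append(f"{old['component']}: generation {new} is below released {old['generation']}")
    return findings

# Constructed sample data; "examplevendor" and all versions are placeholders.
RELEASED = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub.examplevendor,2,Example Vendor,grub2,2.06-1,https://vendor.example/
"""
CANDIDATE = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub.examplevendor,1,Example Vendor,grub2,2.06-2,https://vendor.example/
"""
```

Calling `review_sbat(CANDIDATE, RELEASED)` reports the lowered `grub.examplevendor` generation, while `review_sbat(CANDIDATE)` with no released baseline returns no findings, which matches the first-release case.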
Marking accepted |
Got signed shim binary from Microsoft. Thank you everyone for reviewing our application. |
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/NaverCloudPlatform/shim-review/tree/navix9-shim-x86_64-20240723
What is the SHA256 hash of your final SHIM binary?
20c570a0995f07ed06cf3da856795ab4c968b86b9ef866611b4dd993f9f0ee30 shimx64.efi
What is the link to your previous shim review request (if any, otherwise N/A)?
#370
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
#346