Shim 15.8 for ZeeOS (x86_64) #441
Comments
Contact verification emails sent |
Hi, Verification for [email protected] :
|
Hello, |
Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ? |
We are using a different keypair to sign kernel modules. Vendor keypair included in shim image is only used to sign mokmanager (mmx64.efi), fallback (fbx64.efi), grub (grubx64.efi) and kernel image (bzImage). |
And that key is unique for each release (ephemeral) or is it fixed? |
The key is unique for each release |
Shim is pretty much by the book, only one patch to make it NX and non-NX (only the NX is used). Certificate inside is valid for 30 years, 4K, key inside a YubiKey, these details: Grub has many patches, but all known. (I found them exactly in the Ubuntu sources). I guess there is a mistake in the grub .sbat as it says 2.06 version, then states to be 2.12. I guess it's just forgotten to add the new one for this review? Looks good to me! |
Thank you for your review! We have fixed the grub sbat mismatch in our repository. |
I'm not an official reviewer, but I want to help speed up reviewing.
All looks good from my perspective! A small suggestion: |
I am not an official reviewer but also looking to help reviewers out. Shim
Certificate
SBAT
GRUB
Kernel
Additional Comments / Questions
|
Just wanted to mention that if the kernel modules are double-signed, this will need to be corrected before the submission is ready for acceptance: see #362 (comment) |
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/zeetim/shim-review/tree/zeetim-shim-x64-20240906
What is the SHA256 hash of your final SHIM binary?
26cb646f44e7592bfce836206f2dc81f9aa80b7cdcbd1b440e5b2e49e4962a6f shimx64.efi
What is the link to your previous shim review request (if any, otherwise N/A)?
N/A. This is our first application
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
N/A. This is our first application