Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TencentOS Linux 4 shim-15.8 x64 and aarch64 #445

Open
8 tasks done
costinchen opened this issue Sep 30, 2024 · 3 comments
Open
8 tasks done

TencentOS Linux 4 shim-15.8 x64 and aarch64 #445

costinchen opened this issue Sep 30, 2024 · 3 comments
Labels
blocked Blocked on upstream / other project bug Problem with the review that must be fixed before it will be accepted contacts verified OK Contact verification is complete here (or in an earlier submission)

Comments

@costinchen
Copy link

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/costinchen/shim-review/tree/tencentos-4-shim-15.8-x86_64-aarch64-20240930

What is the SHA256 hash of your final SHIM binary?

a82578d410cdc75513a3870977e9c66a46fc98cfc4b9f0fc9def135ee6fa74fc  shimaa64.efi
faa7300b0daf818403ad4578d2ff875360f2f0f5a30c338d211ac9d4279dd4da  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?

N/A

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

#440
@steve-mcintyre steve-mcintyre added the contacts verified OK Contact verification is complete here (or in an earlier submission) label Sep 30, 2024
@steve-mcintyre
Copy link
Collaborator

There's a real problem here:

  1. openssl-add-ecdsa-and-ec-support-for-shim.patch: This patch adds support for ECDSA and EC >algorithms in shim's bundled openssl.
  2. shim-support-sm2-and-sm3-algorithm.patch: This patch adds support for the SM2 and SM3 >algorithms in shim, by adding sm3-related arguments to shim's main functions.

By applying these two patches, we can enable shim support for the SM2 and SM3 algorithms on >TencentOS Server 4. The SM2 algorithm is an asymmetric key algorithm that uses fewer bytes than RSA >while providing enhanced security. The SM3 algorithm is a hashing algorithm which is more secure >than algorithms like SHA-256. Together with the keys generated by our HSM that support SMx >algorithms, we can achieve secure boot using SM (ShangMi) algorithms on TencentOS Server 4. This is >crucial as our TS4 needs to support the entire chain of SM algorithms, including during the early >stages of booting.

We cannot accept changes this large as patches at shim-review time. This klnd of thing needs to be submitted for upstream submission into shim.

@steve-mcintyre steve-mcintyre added the bug Problem with the review that must be fixed before it will be accepted label Oct 8, 2024
@costinchen
Copy link
Author

OK, we will try to submit a PR to upstream shim first

@realnickel realnickel mentioned this issue Nov 4, 2024
Open
8 tasks
@steve-mcintyre steve-mcintyre added the blocked Blocked on upstream / other project label Nov 8, 2024
@steve-mcintyre
Copy link
Collaborator

Marking this as blocked based on those patches going upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocked Blocked on upstream / other project bug Problem with the review that must be fixed before it will be accepted contacts verified OK Contact verification is complete here (or in an earlier submission)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@steve-mcintyre @costinchen