shim-15.8 for CentOS Stream 8
Closed this issue · 5 comments
bstinsonmhk commented
Confirm the following are included in your repo, checking each box:
- completed README.md file with the necessary information
- shim.efi to be signed
- public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
- binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
- any extra patches to shim via your own git tree or as files
- any extra patches to grub via your own git tree or as files
- build logs
- a Dockerfile to reproduce the build of the provided shim EFI binaries
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/CentOS/shim-review/commit/4c3f4a82bc70abd56737f2c023cf6ab59120381b
What is the SHA256 hash of your final SHIM binary?
478f378b1ffa1bdea33d623cc969bd3abb1214605c4c91a01942f343dfa03a19
What is the link to your previous shim review request (if any, otherwise N/A)?
SherifNagy commented
Grub2 SBAT entries are wrong:
- grub,1 can't be right, this should be grub,3 if you don't have NTFS CVE fixes or grub,4 if you do have them
- grub.rh is already at grub.rh,2 based on this https://github.com/vathpela/shim-review/tree/rhel-8-x64-20231201 nor from the binary
[root@rhel8 ~]# objcopy --only-section .sbat -O binary /boot/efi/EFI/redhat/grubx64.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-150.el8,mailto:secalert@redhat.com
msmeissn commented
The readme.md seems not up to date with the template. the section with ephemeral keys is missing at least.
steve-mcintyre commented
@bstinsonmhk Could you please update your submission to match the most recent template please?
steve-mcintyre commented
No responses to questions in several months, closing
AlexBaranowski commented
@steve-mcintyre -> They EOLed about 10 days ago :) https://www.centos.org/cl-vs-cs/ so 👍🏻