Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update shim-unsigned-x64 to 15.8 #7893

Merged
merged 8 commits into from
Jul 5, 2024
Merged

Update shim-unsigned-x64 to 15.8 #7893

merged 8 commits into from
Jul 5, 2024

Conversation

ddstreetmicrosoft
Copy link
Contributor

@ddstreetmicrosoft ddstreetmicrosoft commented Feb 14, 2024
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

What does the PR accomplish, why was it needed?

updates the unsigned shim for x64 to 15.8 and includes new signing certificate

Change Log

many cves since our current version of 15.4

Does this affect the toolchain?

NO

Test Methodology
  • Pipeline build id: xxxx

@microsoft-github-policy-service microsoft-github-policy-service bot added the main PR Destined for main label Feb 14, 2024
@ddstreetmicrosoft
Copy link
Contributor Author

Note that the current PR does not backlevel the grub sbat level, so this requires our grub to get updated to sbat grub,4 (it's currently at grub,2).

Depending on if we also update grub along with this, we may need to backlevel the grub sbat to grub,3 or even grub,2.

@ddstreetmicrosoft ddstreetmicrosoft force-pushed the ddstreet/shim2 branch 10 times, most recently from 1bea9b2 to 25517d7 Compare February 15, 2024 18:54
@ddstreetmicrosoft ddstreetmicrosoft changed the title Update (unsigned) shim to 15.8 Update shim-unsigned-x64 to 15.8 Feb 20, 2024
@ddstreetmicrosoft
Copy link
Contributor Author

Note that the current PR does not backlevel the grub sbat level, so this requires our grub to get updated to sbat grub,4 (it's currently at grub,2).

Depending on if we also update grub along with this, we may need to backlevel the grub sbat to grub,3 or even grub,2.

We will need to release this along with #7906 so that our grub's sbat level matches what is expected in this new shim

@ddstreetmicrosoft
Copy link
Contributor Author

Note that the current PR does not backlevel the grub sbat level, so this requires our grub to get updated to sbat grub,4 (it's currently at grub,2).
Depending on if we also update grub along with this, we may need to backlevel the grub sbat to grub,3 or even grub,2.

We will need to release this along with #7906 so that our grub's sbat level matches what is expected in this new shim

Correction - we're going to push the grub updates thru now, so it will be ready by the time the shim is signed (most likely, the updated grub2 package with sbat level grub,4 will already be released by the time the updated signed shim package is ready)

@ddstreetmicrosoft ddstreetmicrosoft marked this pull request as ready for review February 21, 2024 18:43
@ddstreetmicrosoft
Copy link
Contributor Author

being reviewed upstream here rhboot/shim-review#387

@christopherco
shim: Update spec to include signed shim
0de13fc 
Signed-off-by: Chris Co <chrco@microsoft.com>
@christopherco christopherco requested a review from a team as a code owner July 2, 2024 02:40
@christopherco
shim: Update signature file
9e610d2 
Signed-off-by: Chris Co <chrco@microsoft.com>
@christopherco
cgmanifest: add a signed shim entry
fa4c5d7 
Signed-off-by: Chris Co <chrco@microsoft.com>
@christopherco
Copy link
Contributor

christopherco commented Jul 2, 2024
edited
Loading

Buddy build passes - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=597616&view=results
And the collateral confirmed working as expected with Secure Boot

@christopherco
shim: fix how we use our source0
e883b40 
Rather than having a tarball for the signed shim binary, we will just
use the binary directly.

Signed-off-by: Chris Co <chrco@microsoft.com>
PawelWMS
PawelWMS reviewed Jul 3, 2024
View reviewed changes
SPECS/shim/shim.spec Outdated Show resolved Hide resolved
PawelWMS
PawelWMS reviewed Jul 3, 2024
View reviewed changes
SPECS/shim/shim.spec Outdated Show resolved Hide resolved
@christopherco christopherco mentioned this pull request Jul 4, 2024
Closed
13 tasks
@christopherco
shim: update source0
c48c9c6 
The "#/" is needed in Source0 to allow proper filename resolution in our tools.
Also use %{release} which will have the dist tag present already.
Also use %{version} in the URL for future proofing.

Signed-off-by: Chris Co <chrco@microsoft.com>
@christopherco
shim: use rpm's %{_arch} macro in source0
bdaa40a 
Signed-off-by: Chris Co <chrco@microsoft.com>
@christopherco
shim: no sources to unpack in prep step
cb542bf 
Signed-off-by: Chris Co <chrco@microsoft.com>
@christopherco
Copy link
Contributor

christopherco commented Jul 4, 2024
edited
Loading

Buddy Build passes:
https://dev.azure.com/mariner-org/mariner/_build/results?buildId=599080&view=results

Update to this shim-15.8 works
image

Downgrade fails as expected due to SBAT
image

@christopherco christopherco merged commit 350616f into main Jul 5, 2024
10 checks passed
@christopherco christopherco deleted the ddstreet/shim2 branch July 5, 2024 00:17
Camelron pushed a commit that referenced this pull request Jul 17, 2024
@ddstreetmicrosoft @christopherco @Camelron
Update shim-unsigned-x64 to 15.8 and updates signed shim (#7893)
5d68595 
Updates the unsigned shim for x64 to 15.8 and includes new signing certificate
Also updates the signed version of this shim

Co-authored-by: Chris Co <chrco@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PawelWMS PawelWMS PawelWMS left review comments

@christopherco christopherco christopherco approved these changes

Assignees
No one assigned
Labels
main PR Destined for main
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ddstreetmicrosoft @christopherco @PawelWMS