-
Notifications
You must be signed in to change notification settings - Fork 540
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update shim-unsigned-x64 to 15.8 #7893
Conversation
Note that the current PR does not backlevel the grub sbat level, so this requires our grub to get updated to sbat grub,4 (it's currently at grub,2). Depending on if we also update grub along with this, we may need to backlevel the grub sbat to grub,3 or even grub,2. |
1bea9b2
to
25517d7
Compare
25517d7
to
52297e2
Compare
We will need to release this along with #7906 so that our grub's sbat level matches what is expected in this new shim |
Correction - we're going to push the grub updates thru now, so it will be ready by the time the shim is signed (most likely, the updated grub2 package with sbat level grub,4 will already be released by the time the updated signed shim package is ready) |
being reviewed upstream here rhboot/shim-review#387 |
Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Chris Co <chrco@microsoft.com>
Buddy build passes - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=597616&view=results |
Rather than having a tarball for the signed shim binary, we will just use the binary directly. Signed-off-by: Chris Co <chrco@microsoft.com>
The "#/" is needed in Source0 to allow proper filename resolution in our tools. Also use %{release} which will have the dist tag present already. Also use %{version} in the URL for future proofing. Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Chris Co <chrco@microsoft.com>
Buddy Build passes: |
Updates the unsigned shim for x64 to 15.8 and includes new signing certificate Also updates the signed version of this shim Co-authored-by: Chris Co <chrco@microsoft.com>
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-static
subpackages, etc.) have had theirRelease
tag incremented../cgmanifest.json
,./toolkit/scripts/toolchain/cgmanifest.json
,.github/workflows/cgmanifest.json
)./SPECS/LICENSES-AND-NOTICES/data/licenses.json
,./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
,./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON
)*.signatures.json
filessudo make go-tidy-all
andsudo make go-test-coverage
passSummary
What does the PR accomplish, why was it needed?
updates the unsigned shim for x64 to 15.8 and includes new signing certificate
Change Log
many cves since our current version of 15.4
Does this affect the toolchain?
NO
Test Methodology