-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shim 15.8 for Endless OS #439
Comments
Issue/question:
|
@es-fabricemarie thanks for the review!
It actually does use the official tarball, but it restores it using
|
I got: distention knuckling unexceptionable hydras tourneys comeliness fraternize Villa cosmetologists domains |
craws showbiz switch Dramamine unannounced internists babysitters tared quantum jouncing The verb “to jounce” is new to me. Thanks! |
In case this is holding up the review, I'd like to discuss these. There are 4 patches:
The first 2 are backports from upstream post-15.8 and inherited from Debian. They simply make the newer SBAT policies available for use. The second 2 are our real downstream patches. They're both against fallback and are trying to address the same issue. Endless OS is always installed by flashing a raw disk image containing filesystems. By definition, the filesystems in the disk image contain UUIDs. During first boot the UUIDs are randomized since they'd no longer be unique if every Endless OS installation had the same partition UUIDs. However, changing the ESP UUID means that existing EFI load options referencing that partition are now invalid. What currently happens is this:
The problem This works OK for Endless OS since that type of advanced functionality isn't supported, but it means the patch isn't really upstreamable. I've been working on a tool that updates the partition UUID in an existing load option, which we'd run at step 4 when the UUID is changed. I'm actually surprised that kind of tool doesn't exist (the closest I've seen is to manually do it with |
I was able to finish up the work that handles updating the UUID in the load option after the ESP partition UUID is changed. The program is here if anyone cares. With that I was able to update our shim package to drop our 2 downstream fallback patches (0003-Revert-fallback-work-around-the-issue-of-boot-option.patch and 0004-fallback-Clean-up-duplicate-boot-entries.patch). The shim binary is exactly the same as before since the patches were against fallback rather than shim. Still, I've updated our shim-review repo with the current build log. The new tag is https://github.com/endlessm/shim-review/releases/tag/endless-shim-x64-20240912. @es-fabricemarie would you mind reviewing again? Everything should be the same as before except for the 2 dropped patches. |
Sorry for the delay @dbnicholson
This shim looks good to go to me. |
I really went mad looking up and down for the 0003 and 0004 patches :P Built using gpb's black magic against a github repo fork, and the generated orig tarball matches the mainstream one. Nothing out of the ordinary, looks good to me! |
Review of
|
The CA key is kept on an offline encrypted disk that only a couple people have access to and can decrypt.
The way we generate the grub source package is kinda unusual. We take all of Debian's patches and apply them directly as commits. Then we add our own changes on top so that we can treat it as a normal git repo instead of using patch files. There are better ways to do that nowadays, but nobody has taken the time to rework our build system. Anyway, the full set of commits on top of grub 2.06 as of today is here. All of Debian's patches are prefixed with We haven't added any additional security patches on top of what Debian has done. The main thing we add is the
Yeah, that should be fine. We don't plan to support rolling back to an earlier shim. The people that need to do something like that can also just change the SBAT policy. Not coincidentally, Windows Update erroneously setting the SBAT policy in our dual boot cases is what spurred getting shim updated. |
@THS-on anything else I can provide to answer your questions? |
@dbnicholson had a look at the GRUB2 patches and they match the ones that are from Debian and required for SBAT level 4. Regarding the custom ones:
The rest LGTM |
I didn't develop those patches but I agree it would be good to upstream them. I can start an effort to do that. We're usually good about upstreaming our patches for no other reason than it eased our work when upgrading. I don't know why we haven't made an effort with grub. I would guess that at the time most of those were developed, grub upstream was in a different state. |
Looks good here with enough positive reviews, marking accepted |
Thank you! @THS-on thanks for raising the flag on grub. For next time I hope that patch queue can be much smaller. |
Confirm the following are included in your repo, checking each box:
https://github.com/endlessm/shim-review/blob/endless-shim-x64-20240912/README.md
https://github.com/endlessm/shim-review/blob/endless-shim-x64-20240912/shimx64.efi
https://github.com/endlessm/shim-review/blob/endless-shim-x64-20240912/endless-uefi-ca.der
We do not use the vendor_db functionality.
https://github.com/endlessm/shim/tree/endless/15.8-1_deb12u1endless2/debian/patches
The full set of patches relative to 2.06 can be viewed at
endlessm/grub@grub-2.06...Release_6.0.2 The
commits with
[DEB]
prefix come from Debian's2.06-13+deb12u1
release.All other commits are Endless specific.
https://github.com/endlessm/shim-review/blob/endless-shim-x64-20240912/buildlog.txt
https://github.com/endlessm/shim-review/blob/endless-shim-x64-20240912/Dockerfile
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/endlessm/shim-review/releases/tag/endless-shim-x64-20240912
What is the SHA256 hash of your final SHIM binary?
7859e02e1fc6dff8e2b221dfcbfaffcb6d1e95e2acb65403e5db7c849f9221cd
What is the link to your previous shim review request (if any, otherwise N/A)?
#176
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
The security contacts have not changed, however I can't find any indication of
verification in any previous reviews. Those are:
#176
#105
#61
The text was updated successfully, but these errors were encountered: