If the shim binaries can't be reproduced using the provided Dockerfile, please explain why that's the case and the differences would be. At the very least include the specific versions of gcc, binutils, and gnu-efi which were used, and where to find those binaries. We're going to try to reproduce your build as close as possible to verify that it's really a build of the source tree you tell us it is, so these need to be fairly thorough. What OS and toolchain must we use to reproduce this build? Include where to find it, etc. If you are changing to a new (CA) certificate, this does not In order to prevent GRUB2 from being able to chainload those older GRUB2īinaries. To add the hashes of the previous GRUB2 binaries to vendor_dbx in shim If you are re-using a previously used (CA) certificate, you will need Please provide exact binaries for which hashes are created via file sharing service,Īvailable in public with anonymous access for verification Hashes please briefly describe your certificate setup. If you use vendor_db functionality of providing multiple certificates and/or Is "ACPI: configfs: Disallow loading ACPI tables when locked down" "efi: Restrict efivar_ssdt_load when the kernel is locked down" If your boot chain of trust includes linux kernel, is were old shims hashes provided to Microsoft for verification.( July 2020 grub2 CVE list + March 2021 grub2 CVE list ) Upstream GRUB2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?.What exact implementation of Secureboot in GRUB2 ( if this is your bootloader ) you have ? URL for a repo that contains the exact code which was built to get this binary: Please create your shim binaries starting with the 15.4 shim release tar file: Who is the secondary contact for security updates, etc. Email address: PGP key, signed by the other security contacts, and preferably also with signatures that are reasonably well known in the Linux community:NA.Who is the primary contact for security updates, etc. What's the justification that this really does need to be signed for the whole world to be able to boot it: What organization or people are asking to have this signed: Us to endorse anything else for signing is going to require some convincing on Note that we really only have experience with using GRUB2 on Linux, so asking
0 Comments
Leave a Reply. |