azurelinux icon indicating copy to clipboard operation
azurelinux copied to clipboard
verified publisher icon microsoft

Update shim-unsigned-x64 to 15.8

Open ddstreetmicrosoft opened this issue 1 year ago • 4 comments

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • [x] The toolchain has been rebuilt successfully (or no changes were made to it)
  • [x] The toolchain/worker package manifests are up-to-date
  • [x] Any updated packages successfully build (or no packages were changed)
  • [x] Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • [x] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • [x] All package sources are available
  • [x] cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • [x] LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • [x] All source files have up-to-date hashes in the *.signatures.json files
  • [x] sudo make go-tidy-all and sudo make go-test-coverage pass
  • [x] Documentation has been updated to match any changes to the build system
  • [x] Ready to merge
Summary

What does the PR accomplish, why was it needed?

updates the unsigned shim for x64 to 15.8 and includes new signing certificate

Change Log

many cves since our current version of 15.4

Does this affect the toolchain?

NO

Test Methodology
  • Pipeline build id: xxxx

ddstreetmicrosoft avatar Feb 14 '24 19:02 ddstreetmicrosoft

Note that the current PR does not backlevel the grub sbat level, so this requires our grub to get updated to sbat grub,4 (it's currently at grub,2).

Depending on if we also update grub along with this, we may need to backlevel the grub sbat to grub,3 or even grub,2.

ddstreetmicrosoft avatar Feb 14 '24 19:02 ddstreetmicrosoft

Note that the current PR does not backlevel the grub sbat level, so this requires our grub to get updated to sbat grub,4 (it's currently at grub,2).

Depending on if we also update grub along with this, we may need to backlevel the grub sbat to grub,3 or even grub,2.

We will need to release this along with #7906 so that our grub's sbat level matches what is expected in this new shim

ddstreetmicrosoft avatar Feb 20 '24 14:02 ddstreetmicrosoft

Note that the current PR does not backlevel the grub sbat level, so this requires our grub to get updated to sbat grub,4 (it's currently at grub,2). Depending on if we also update grub along with this, we may need to backlevel the grub sbat to grub,3 or even grub,2.

We will need to release this along with #7906 so that our grub's sbat level matches what is expected in this new shim

Correction - we're going to push the grub updates thru now, so it will be ready by the time the shim is signed (most likely, the updated grub2 package with sbat level grub,4 will already be released by the time the updated signed shim package is ready)

ddstreetmicrosoft avatar Feb 20 '24 20:02 ddstreetmicrosoft

being reviewed upstream here https://github.com/rhboot/shim-review/issues/387

ddstreetmicrosoft avatar Apr 10 '24 21:04 ddstreetmicrosoft

Buddy build passes - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=597616&view=results And the collateral confirmed working as expected with Secure Boot

christopherco avatar Jul 02 '24 16:07 christopherco

Buddy Build passes: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=599080&view=results

Update to this shim-15.8 works image

Downgrade fails as expected due to SBAT image

christopherco avatar Jul 04 '24 02:07 christopherco