Age | Commit message | Author |
|
|
|
Enhance the text here and include a copy of Peter's key too
|
|
Signed-off-by: Steve McIntyre <steve@einval.com>
|
|
We're seeing quite a few vendors using non-CA "CA" keys, and this is
likely to cause problems in future.
|
|
Signed-off-by: Steve McIntyre <steve@einval.com>
|
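The commit above flags vendors that present a certificate as their "CA" when it does not carry the X.509 attributes of one. One way to check a certificate before submitting it, as an added example that is not shim-review's own tooling and assumes only the openssl command-line tool: generate a constructed CA certificate and a constructed non-CA signing certificate, then inspect basicConstraints and keyUsage on each.

```shell
#!/bin/sh
# Added example (not shim-review code): tell a real CA certificate from a
# "CA" that is really a leaf. A certificate meant to sign other certificates
# needs basicConstraints CA:TRUE and, if keyUsage is present, the keyCertSign
# bit. Requires only the openssl CLI.

# cert_is_ca FILE -> exit 0 if FILE is a CA certificate, 1 otherwise.
cert_is_ca() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    # basicConstraints prints as "X509v3 Basic Constraints: ..." followed by
    # a line containing CA:TRUE or CA:FALSE.
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
    # If keyUsage is present it must allow certificate signing.
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# make_test_certs DIR -> writes DIR/ca.pem (a real CA) and DIR/leaf.pem
# (a signing cert with CA:FALSE). Both are constructed, self-signed test data.
make_test_certs() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Vendor
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF
    for kind in ca leaf; do
        openssl req -new -x509 -config "$dir/ext.cnf" -extensions "${kind}_ext" \
            -newkey rsa:2048 -nodes -keyout "$dir/$kind.key" -out "$dir/$kind.pem" \
            -days 365 -subj "/CN=Example Vendor $kind" >/dev/null 2>&1 || return 1
    done
}

# report FILE -> print a one-line verdict for FILE.
report() {
    if cert_is_ca "$1"; then
        echo "$1: CA certificate (CA:TRUE, keyCertSign)"
    else
        echo "$1: NOT a CA certificate; do not submit it as one"
    fi
}

# Demonstration: build both constructed certs and report on each.
demo() {
    tmp=$(mktemp -d) || exit 1
    make_test_certs "$tmp"
    report "$tmp/ca.pem"
    report "$tmp/leaf.pem"
    rm -rf "$tmp"
}

# With no arguments run the demo; otherwise report on each file given.
if [ "$#" -eq 0 ]; then demo; else for f in "$@"; do report "$f"; done; fi
```

Run it with the vendor certificate as the argument (`sh check-ca.sh vendor-ca.pem`, a hypothetical filename); a real CA passes both checks, while a certificate with CA:FALSE or a keyUsage lacking keyCertSign is rejected even if its subject says "CA".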
|
The reviewers should be able to easily verify that an organization is a
legal entity, to prevent abuse. Ask for the information which can prove
the genuineness with certainty.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
|
|
As discussed during the May 27, 2024 meeting, the applicants shall be
informed about this venue being a community peer-review work and how to
help us speed up the process, rather than frequently chasing us for
reviews.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
|
|
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
|
|
Allows revoking a family of UKIs from a vendor, independently
of the systemd-stub generation numbers.
|
|
|
|
Currently, the wording isn't clear (to me, at least) if it's asking
for the shim SBAT or not; this clarifies that.
|
|
|
|
|
|
Signed-off-by: Luca Boccassi <bluca@debian.org>
|
|
|
|
This also adds more details about the CVEs and unifies the spelling of GRUB2.
|
|
|
|
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
|
|
In commonmark, `---` and `===` can be used to mark either [setext
headings] or [thematic breaks] (aka horizontal lines). Headings take
precedence, so if you aren't careful with line breaks you can make a
heading where you meant to have a horizontal line. See [example] for a
case of this happening.

Fortunately, `***` is unambiguous: it will always create a horizontal
line instead of a heading. Switch all the separators to that format so
that we never have to worry about accidental headings again.
[setext headings]: https://spec.commonmark.org/0.30/#setext-headings
[thematic breaks]: https://spec.commonmark.org/0.30/#thematic-breaks
[example]: https://github.com/rhboot/shim-review/blob/b8ebe98d7198174e95d9e62e4522c145ee9caa5b/README.md#this-should-include-logs-for-creating-the-buildroots-applying-patches-doing-the-build-creating-the-archives-etc
|
|
On a few questions the `---` separators were missing or placed differently.
|
|
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
|
|
[julian: fix typo]
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
|
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
If people have arbitrary extra kernel patches, they could well break
SB. Let's check?
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Also update list of GRUB2 CVEs and add one more lockdown bypass fix.
|
|
|
|
Update the process described in README.md to be slightly clearer.
* The checklist in the ISSUE_TEMPLATE asks for your tag, not your branch
so we should match that.
* "when you have accepted tag" might be ambiguous in this context.
We're talking about git tags and issue tags/labels. Acceptance is
indicated with a github label, so let's try to clearly state that.
|
|
Changes to:
* Formatting
* Capitalization
* Sentence structure, where appropriate
* Question-ifying (please confirm [...]. -> Do you [...]?)
I had a hard time understanding a few of the questions, and spent some
time looking through the history to understand when they were added and
how they evolved. Some of them were phrased differently between
ISSUE_TEMPLATE and README, so when in doubt I've erred on the side of
keeping more detailed versions of questions.
|
|
This is a bit of a workflow change. Based on the conversation in
https://github.com/rhboot/shim-review/pull/207, seems like the README
should be the source of truth for submissions.
I've tried to remove duplicates. When in doubt I've used the history to
see what questions were added at the same time and considered
similar-but-different phrasing to be "duplicated".
For now all added questions have been tacked on the end. Grouping by
subject can come later.
|
|
This is almost entirely changes to capitalization, spacing, etc. There
are a few places where I've added words where I felt they'd be
uncontroversial.
|
|
This changes the headers and horizontal rules to be the same style in
both documents. This makes it a little easier for submitters to copy
answers from one to the other, and hopefully easier for maintainers to
update the questions (only one format to manage).
|
|
This attempts to fix two problems: first, that pgp.mit.edu isn't
reliable enough to regularly use, and second that we're getting shim
review requests that are not providing the information we need to verify
emails.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
Shim-15.3 should not be used. Point to shim-15.4 release instead.
Signed-off-by: Chris Co <chrco@microsoft.com>
|
|
Require vendor_dbx listing or key rolling to secure chainloading
|
|
|
|
|
|
Add sbat requirements
Add non-Linux kernel, add request to explain chain of trust
|
|
|
|
|
|
possible."
|
|
|
|
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|