
Shim 15.2 for eLux #124

Closed
7 tasks done
UniconSoftware opened this issue Nov 30, 2020 · 1 comment
Labels
new vendor This is a new vendor

Comments

UniconSoftware commented Nov 30, 2020

Make sure you have provided the following information:

What organization or people are asking to have this signed:

Unicon Software Entwicklungs- und Vertriebsgesellschaft mbH

What product or service is this for:

eLux®
https://www.unicon-software.com/products/elux/

What is the origin and full version number of your shim?

https://github.com/rhboot/shim/tree/15.2
Commit: 74b05de7d19fa4f462b6e228a8a03f8ee242b673

What's the justification that this really does need to be signed for the whole world to be able to boot it:

We plan to support Secure Boot with our next release of eLux RP6; having a signed shim
will allow us to be hardware independent.

How do you manage and protect the keys used in your SHIM?

The private key is stored on a Gemalto SafeNet eToken, which is kept in a secured environment to which only a limited number of people have access.

Do you use EV certificates as embedded certificates in the SHIM?

Yes

If you use the new vendor_db functionality, are any hashes whitelisted, and if yes, for what binaries?

We are not using vendor_db functionality

Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if your boot chain includes a Linux kernel?

Yes, using upstream 5.9 kernel

If SHIM is loading the grub2 bootloader, is CVE-2020-10713 fixed?

Yes

Were your old SHIM hashes provided to Microsoft?

This is the first shim signing request so there are no old hashes

Did you change your certificate strategy so that grub2 bootloaders affected by CVE-2020-10713 can not be verified?

We are only signing grub2 from version 2.04-1ubuntu26.2 going onward. Older versions will not be signed.

What is the origin and full version number of your bootloader (GRUB or other)?

Original grub2 from Ubuntu 20.04 (grub2_2.04-1ubuntu26.2)
Upstream source: http://archive.ubuntu.com/ubuntu/pool/main/g/grub2/grub2_2.04.orig.tar.xz
Patches: http://archive.ubuntu.com/ubuntu/pool/main/g/grub2/grub2_2.04-1ubuntu26.2.debian.tar.xz

If your SHIM launches any other components, please provide further details on what is launched

Yes

  • fwupx64.efi used for UEFI capsule update

How do the launched components prevent execution of unauthenticated code?

Our shim launches grub2 built with secure-boot support

Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?

No

What kernel are you using? Which patches does it include to enforce Secure Boot?

We are using the latest upstream kernel, 5.9-rc5; the first eLux release with Secure Boot is planned to use a released version of 5.9.

What changes were made since your SHIM was last signed?

None, first signing request

What is the hash of your final SHIM binary?

c91f4c63aacc5a9bea6c5d94ce60442c1f39e0a8c2afa2ddb092574e4f76092b shimx64.efi

J-Bu mentioned this issue Nov 30, 2020 (7 tasks)
julian-klode added the "new vendor" label Nov 30, 2020

steve-mcintyre (Collaborator):

Sorry, things have moved on and we'll have to ask you to move forwards to 15.3 as a base.

Please start from the source at https://github.com/rhboot/shim/releases/download/15.3/shim-15.3.tar.bz2
or https://github.com/rhboot/shim/releases/tag/15.3
