Shim 15.6 for Uos #282

Closed
8 tasks done
kyrie-z opened this issue Sep 6, 2022 · 6 comments
Labels
bug Problem with the review that must be fixed before it will be accepted

Comments

@kyrie-z

kyrie-z commented Sep 6, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/linuxdeepin/shim-review/tree/uos-shim-amd64-aarch64-20220906

What is the SHA256 hash of your final SHIM binary?

1e52957b078be3ba731690cbf93d936516a2fe8a2b90d12cea9f69339d3a0c15 shimx64.efi
76bc367e6adc2e83e2646558e414597f07095b1a324c927578b0d17a7458f60a shimaa64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?

Previous (accepted) submission: #173

@steve-mcintyre steve-mcintyre added the question Reviewer(s) waiting on response label Sep 8, 2022
@steve-mcintyre
Collaborator

Looking:

  • x86-64 build reproduces ok
  • aarch64 build reproduces ok
  • no patches, using 15.6 release
  • includes code-signing cert with 3 year life, ok
  • SBAT for shim looks fine
  • Revocation story sounds ok
  • kernel sounds ok
  • grub modules list looks ok

Things to look at:

  • Happy to see you using Debian as a base for your build, but be very careful about using testing as a base as it's a moving target! In this case you've been lucky as I've verified the builds soon enough, but if there was too much delay then it might have failed. In future I'd recommend maybe using snapshot.debian.org like I did in Debian GNU/Linux 12 shim-15.6-1 x64, ia32 and aarch64 #267 for safety.
  • You're still basing on an old GRUB 2.04 from Debian, which doesn't have the latest round of updates. I can see that you say you've backported the fixes, but I can't verify that directly. Could you point me at your grub sources please?
  • Your GRUB SBAT data is also old because of that older Debian base you're on. Either update the GRUB SBAT level to 2, or maybe rebase forwards to Debian's 2.06-3 or later to pick up the fixes there. Also: if you're using a Debian GRUB as an upstream (which is fine!), please also list the Debian SBAT data for that GRUB alongside yours. It makes revocation easier if we find a common issue there.

@kyrie-z
Author

kyrie-z commented Sep 13, 2022

@steve-mcintyre Thanks for the review.

> Happy to see you using Debian as a base for your build, but be very careful about using testing as a base as it's a moving target! In this case you've been lucky as I've verified the builds soon enough, but if there was too much delay then it might have failed. In future I'd recommend maybe using snapshot.debian.org like I did in #267 for safety.

Your suggestion is very useful, we will use it in the future. :D

> You're still basing on an old GRUB 2.04 from Debian, which doesn't have the latest round of updates. I can see that you say you've backported the fixes, but I can't verify that directly. Could you point me at your grub sources please?

Grub2 source: https://community-packages.deepin.com/deepin/pool/main/g/grub2/grub2_2.04.25-18.dsc
corresponding CVE patches:

CVE-2021-3695    0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
CVE-2021-3696    0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
CVE-2021-3697    0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
CVE-2022-28733   0079-net-ip-Do-IP-fragment-maths-safely.patch
CVE-2022-28734   0085-net-http-Fix-OOB-write-for-split-http-headers.patch

All patches are in the debian/patches/ directory.

> Your GRUB SBAT data is also old because of that older Debian base you're on. Either update the GRUB SBAT level to 2, or maybe rebase forwards to Debian's 2.06-3 or later to pick up the fixes there. Also: if you're using a Debian GRUB as an upstream (which is fine!), please also list the Debian SBAT data for that GRUB alongside yours. It makes revocation easier if we find a common issue there.

We are in the process of migrating to grub 2.06 but are still using 2.04, as it takes time to test.
I have added the debian Grub sbat data to the grub SBAT entry and updated the component_generation in .sbat to 2.

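The reviewer's request to raise the GRUB SBAT component_generation to 2 and to list the Debian SBAT entry alongside the vendor's own, and the submitter's reply that the .sbat file was updated accordingly, both come down to one check: does every component in the image's SBAT section meet the minimum generation that the revocation policy demands? The following is an added example, not code from this thread or from the shim-review or UOS projects. It parses an SBAT CSV section and a shim-SbatLevel-shaped policy (component,generation[,date] per line) and reports any entry whose generation is below the required level. All SBAT data below is constructed for illustration (the vendor name, package versions and generation numbers are placeholders, not the actual UOS or Debian values).

```python
"""Check an SBAT section against a minimum-generation revocation policy.

Added example: the SBAT rows and the policy below are constructed, not
taken from the UOS submission or from any real shim SbatLevel variable.
"""
import csv
from io import StringIO

# SBAT CSV fields, in the order shim's SBAT.md defines them.
FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")

# Constructed "before" data: GRUB still at generation 1, no Debian entry.
OLD_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.example,1,Example Vendor,grub2,2.04-placeholder,https://example.invalid/grub2
"""

# Constructed "after" data: generation raised to 2, upstream Debian entry listed
# next to the vendor entry so a shared problem can be revoked in one place.
NEW_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,2,Debian,grub2,2.06-placeholder,https://tracker.debian.org/pkg/grub2
grub.example,2,Example Vendor,grub2,2.04-placeholder,https://example.invalid/grub2
"""

# Constructed policy in the shape of shim's SbatLevel data: one
# "component,generation[,date]" line per revoked component.
POLICY = "sbat,1,2022052400\ngrub,2\n"


def parse_sbat(text):
    """Parse an SBAT CSV section into a list of dicts, one per entry."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"malformed SBAT row: {row!r}")
        entry = dict(zip(FIELDS, row))
        entry["component_generation"] = int(entry["component_generation"])
        entries.append(entry)
    if not entries or entries[0]["component_name"] != "sbat":
        raise ValueError("SBAT section must start with the 'sbat' header entry")
    return entries


def parse_policy(text):
    """Parse 'component,generation[,date]' lines into {component: min_generation}."""
    policy = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, generation = line.split(",")[:2]
        policy[name] = int(generation)
    return policy


def check_sbat(sbat_text, policy_text):
    """Return a list of violations; an empty list means the image would pass."""
    policy = parse_policy(policy_text)
    violations = []
    for entry in parse_sbat(sbat_text):
        required = policy.get(entry["component_name"])
        if required is not None and entry["component_generation"] < required:
            violations.append(
                f"{entry['component_name']}: generation "
                f"{entry['component_generation']} < required {required}")
    return violations


if __name__ == "__main__":
    for label, data in (("old", OLD_SBAT), ("updated", NEW_SBAT)):
        print(label, check_sbat(data, POLICY) or "OK")
```

Only the component_name and component_generation columns matter for the revocation decision; the vendor columns exist so that reviewers can tell whose build an entry describes, which is why the reviewer asks for the Debian entry to appear alongside the vendor's own.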
@kyrie-z
Author

kyrie-z commented Dec 7, 2022

@jsetje Could you help me with a review? I haven't heard from @steve-mcintyre in a while.

@frozencemetery
Member

Please note #307

@frozencemetery frozencemetery added bug Problem with the review that must be fixed before it will be accepted and removed question Reviewer(s) waiting on response labels Feb 16, 2023
@steve-mcintyre
Collaborator

Picking up on this again, sorry for the delay :-(

We're way past the deadline for signing shims without NX now I'm afraid - see #307 . This isn't your fault, but you'll need to move forward to a newer shim version at this point. I'd recommend 15.7 or 15.8 if that comes out soon.

@kyrie-z
Author

kyrie-z commented Sep 8, 2023

Okay, I'll resubmit it. Thanks.

@kyrie-z kyrie-z closed this as completed Sep 8, 2023