
Debian GNU/Linux 10 shim-15.7-1 x64 and ia32 #317

Closed
8 tasks done
steve-mcintyre opened this issue Feb 9, 2023 · 2 comments
Labels
accepted Submission is ready for sysdev

Comments

@steve-mcintyre
Collaborator

steve-mcintyre commented Feb 9, 2023

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/steve-mcintyre/shim-review/tree/debian-10-shim-amd64-i386-20230209


What is the SHA256 hash of your final SHIM binary?


56799038b33ba75a9fb1aa3bf46439b4b2b60f82778e34b31c6e6c1fd4bf5424 shimia32.efi
2634ad3f55012e35f469b9346ee21c7930d981c0e34833675317154492a611c2 shimx64.efi


What is the link to your previous shim review request (if any, otherwise N/A)?


#267, #268, #269 (15.6, accepted, but never signed due to issues with submission)
#184, #185 (15.4, accepted and signed)

Very similar to #315 and #316

@THS-on
Collaborator

THS-on commented Feb 9, 2023

Disclaimer: I am not an authorized reviewer

  • Debian is a well-known Linux distribution
  • Last signed shim was 15.4 and last accepted was 15.6
  • Security contacts have not changed since the last review
  • Shim build is reproducible using Dockerfile

Hashes

2634ad3f55012e35f469b9346ee21c7930d981c0e34833675317154492a611c2  /shim/shimx64.efi
2634ad3f55012e35f469b9346ee21c7930d981c0e34833675317154492a611c2  /shim-review/shimx64.efi
56799038b33ba75a9fb1aa3bf46439b4b2b60f82778e34b31c6e6c1fd4bf5424  /shim/shimia32.efi
56799038b33ba75a9fb1aa3bf46439b4b2b60f82778e34b31c6e6c1fd4bf5424  /shim-review/shimia32.efi

SBAT

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.debian,1,Debian,shim,15.7,https://tracker.debian.org/pkg/shim
  • Upstream 15.7 Shim is used with the following patches:
  • SBAT entries match the provided ones
  • Embedded certificate matches the organization (has not changed since last review)
    • valid for 30 years
    • Is a CA certificate, has code signing attribute set
  • Keys are kept in an HSM, root CA sharded between Debian's sysadmin team
  • Shim launches GRUB and fwupd
    • GRUB has November CVEs applied (grub SBAT version is 3 and debian.grub is 4, see https://bugs.debian.org/1024617)
    • GRUB modules added since last review: serial, smbios
  • Kernel has lockdown and stated patches applied

LGTM!
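Two of the checks in the review above are mechanical: that the binaries rebuilt from the Dockerfile hash identically to the ones in the submission, and that the SBAT CSV embedded in shim is well-formed and carries the expected generation numbers. The script below is an added example (not code from shim-review or from the Debian submission) that performs both on the hash lines and SBAT rows quoted in the comment. The minimum generation numbers passed to `sbat_meets` are assumptions chosen to match the rows shown; `sha256_file` is only there for hashing a local rebuild and is not used on the embedded sample.

```python
"""Reviewer helpers: reproducible-build hash comparison and SBAT CSV sanity
checks.  Added example; not part of the shim-review project."""
import csv
import hashlib
import io
from collections import defaultdict

# sha256sum-style output copied from the review comment above.
HASH_LINES = """\
2634ad3f55012e35f469b9346ee21c7930d981c0e34833675317154492a611c2  /shim/shimx64.efi
2634ad3f55012e35f469b9346ee21c7930d981c0e34833675317154492a611c2  /shim-review/shimx64.efi
56799038b33ba75a9fb1aa3bf46439b4b2b60f82778e34b31c6e6c1fd4bf5424  /shim/shimia32.efi
56799038b33ba75a9fb1aa3bf46439b4b2b60f82778e34b31c6e6c1fd4bf5424  /shim-review/shimia32.efi
"""

# .sbat section contents copied from the review comment above.
SBAT_CSV = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.debian,1,Debian,shim,15.7,https://tracker.debian.org/pkg/shim
"""

# Column layout defined by SBAT.md: six comma-separated fields per record.
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


def parse_hash_lines(text):
    """Parse `sha256sum` output into {basename: set-of-hex-digests}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")  # sha256sum uses two spaces
        digest = digest.strip().lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed sha256 line: {line!r}")
        name = path.strip().rsplit("/", 1)[-1]
        seen[name].add(digest)
    return dict(seen)


def reproducible_mismatches(text):
    """Names of binaries whose copies (rebuild vs. submission) differ."""
    return sorted(name for name, hashes in parse_hash_lines(text).items()
                  if len(hashes) != 1)


def parse_sbat(text):
    """Parse SBAT CSV into dicts, enforcing the six-field layout and header."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != len(SBAT_FIELDS):
            raise ValueError(f"SBAT row has {len(row)} fields, expected 6: {row}")
        rec = dict(zip(SBAT_FIELDS, row))
        rec["component_generation"] = int(rec["component_generation"])
        records.append(rec)
    if not records or records[0]["component_name"] != "sbat":
        raise ValueError("first SBAT row must be the 'sbat' header record")
    return records


def sbat_meets(records, minimums):
    """Components whose generation is below the reviewer's expected floor.
    A component absent from the section counts as generation 0."""
    gens = {r["component_name"]: r["component_generation"] for r in records}
    return sorted(name for name, floor in minimums.items()
                  if gens.get(name, 0) < floor)


def sha256_file(path):
    """Hash a local file the way sha256sum does (for checking a live rebuild)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    print("reproducibility mismatches:", reproducible_mismatches(HASH_LINES))
    recs = parse_sbat(SBAT_CSV)
    for r in recs:
        print(f"{r['component_name']:<12} gen={r['component_generation']} "
              f"ver={r['vendor_version']}")
    # Assumed floors: upstream shim generation 3, Debian vendor generation 1.
    print("below minimum:", sbat_meets(recs, {"shim": 3, "shim.debian": 1}))
```

On a live review you would replace `HASH_LINES` with the output of `sha256sum` over the container build and the submitted `.efi` files, and feed `parse_sbat` the text extracted from the binary's `.sbat` section; the checks themselves do not change.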

@frozencemetery frozencemetery added the accepted Submission is ready for sysdev label Feb 16, 2023
@steve-mcintyre
Collaborator Author

Signed binaries returned, closing
