Debian GNU/Linux 11 (bullseye) shim-15.8-1 x64 and ia32 #417

Closed
8 tasks done
steve-mcintyre opened this issue May 13, 2024 · 3 comments
Labels: accepted (Submission is ready for sysdev), contacts verified OK (Contact verification is complete here or in an earlier submission), easy to review (This submission might be a good place to start for an inexperienced reviewer)

Comments

steve-mcintyre (Collaborator) commented May 13, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


  • https://github.com/steve-mcintyre/shim-review/tree/debian-11-shim-amd64-20240512 for amd64
  • https://github.com/steve-mcintyre/shim-review/tree/debian-11-shim-i386-20240512 for i386

The latter simply includes a change to the Dockerfile to request an i386 Docker image for building.


What is the SHA256 hash of your final SHIM binary?


1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  shimia32.efi
bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


#315 is the last successful shim review.
This review is almost identical to the review for Debian 13 at #415.


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


Pass - we've been submitting shims for years!

@steve-mcintyre steve-mcintyre added the contacts verified OK Contact verification is complete here (or in an earlier submission) label May 27, 2024
THS-on (Collaborator) commented May 28, 2024

Review for debian-11-shim-amd64-20240512 and debian-11-shim-i386-20240512

Note: because this is similar to #415, I'm just reviewing the differences.

Shim

#24 0.410 bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  /shim/shimx64.efi
#24 0.418 bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  /shim-review/shimx64.efi
#24 0.400 1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  /shim/shimia32.efi
#24 0.406 1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  /shim-review/shimia32.efi

GRUB2 and fwupd

Linux

  • Based on 5.10.216
  • Has the usual lockdown patches
  • No ephemeral key signing used (still ok)

LGTM!

@THS-on THS-on added extra review wanted Initial review(s) look good, another review desired easy to review This submission might be a good place to start for an inexperienced reviewer labels May 28, 2024
@SherifNagy SherifNagy self-assigned this Jun 10, 2024
SherifNagy (Collaborator) commented

Review of debian-11-shim-amd64-20240512 and debian-11-shim-i386-20240512

  • Debian is a very well-known, big-time distro
  • Security contacts look good, didn't change
  • Keys are stored in an HSM and the kernel is using in-built ephemeral keys

Shim

  • Uses upstream 15.8
  • SBAT entries from shim look fine: shim,4
  • Vendor SBAT entry is at 1
  • Patches look fine and are cherry-picked from upstream
  • Binaries are reproducible using the container file provided:

    STEP 23/23: RUN sha256sum /shim/shim*.efi /shim-review/$(basename /shim/shim*.efi)
    1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  /shim/shimia32.efi
    1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  /shim-review/shimia32.efi
    STEP 23/23: RUN sha256sum /shim/shim*.efi /shim-review/$(basename /shim/shim*.efi)
    bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  /shim/shimx64.efi
    bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  /shim-review/shimx64.efi

  • NX flag is not set, because the chain is not yet ready
  • Self-signed 2048-bit cert, valid for 22 years

GRUB2

  • SBAT looks fine, vendor is at grub.debian,4
  • NTFS patches are in place
  • Module list sounds fine

Kernel

  • No ephemeral keys are used for signing kernel modules yet for this release
  • Lockdown patches are included
  • UKIs aren't provided

LGTM! @THS-on Let's accept this one as well?
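Both reviewers confirm reproducibility by reading the Dockerfile's final `sha256sum /shim/shim*.efi /shim-review/...` step and eyeballing that the two hashes per architecture agree. The script below is an added example, not code from the shim-review repository or from Debian: it turns that comparison into an explicit pass/fail check that pairs the freshly built binary with the submitted one by file name and reports a mismatch or a missing file. `verify_reproducible` and `demo` are names chosen here, and the files `demo` creates are constructed stand-ins for the real EFI binaries (the real paths are /shim and /shim-review inside the build container).

```shell
#!/bin/sh
# Added example (not from the shim-review thread or the Debian build):
# compare the SHA256 of each freshly built shim binary against the copy
# submitted for review, as the Dockerfile's last sha256sum step does,
# but with a definite exit status instead of two lines to eyeball.

# verify_reproducible BUILT_DIR SUBMITTED_DIR NAME...
# Returns 0 when every NAME exists in both directories with an identical
# SHA256, 1 if any file is missing or differs.
verify_reproducible() {
    built_dir=$1
    submitted_dir=$2
    shift 2
    status=0
    for name in "$@"; do
        built="$built_dir/$name"
        submitted="$submitted_dir/$name"
        if [ ! -f "$built" ] || [ ! -f "$submitted" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        # sha256sum prints "<hash>  <path>"; keep only the hash field.
        h_built=$(sha256sum "$built" | cut -d' ' -f1)
        h_sub=$(sha256sum "$submitted" | cut -d' ' -f1)
        if [ "$h_built" = "$h_sub" ]; then
            echo "MATCH    $h_built  $name"
        else
            echo "MISMATCH $name: built=$h_built submitted=$h_sub" >&2
            status=1
        fi
    done
    return $status
}

# Constructed demo: fake "binaries" in a temp dir. shimx64.efi reproduces
# exactly; shimia32.efi differs by one byte, so it must fail the check.
# Prints "yes no": x64 reproducible, ia32 not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/shim" "$tmp/shim-review"
    printf 'shim x64 build' > "$tmp/shim/shimx64.efi"
    printf 'shim x64 build' > "$tmp/shim-review/shimx64.efi"
    printf 'shim ia32 build' > "$tmp/shim/shimia32.efi"
    printf 'shim ia32 BUILD' > "$tmp/shim-review/shimia32.efi"
    if verify_reproducible "$tmp/shim" "$tmp/shim-review" shimx64.efi >/dev/null 2>&1; then
        ok_x64=yes
    else
        ok_x64=no
    fi
    if verify_reproducible "$tmp/shim" "$tmp/shim-review" shimia32.efi >/dev/null 2>&1; then
        ok_ia32=yes
    else
        ok_ia32=no
    fi
    rm -rf "$tmp"
    echo "$ok_x64 $ok_ia32"
}
```

In the real container the call would be `verify_reproducible /shim /shim-review shimx64.efi shimia32.efi`, and a non-zero exit status fails the Docker build step instead of leaving the comparison to the reviewer.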

@SherifNagy SherifNagy added accepted Submission is ready for sysdev and removed extra review wanted Initial review(s) look good, another review desired labels Jun 13, 2024
steve-mcintyre (Collaborator, Author) commented

We have signed shims now, closing.
