Shim 15.7 (NX Patched) for ZeronsoftN #324

Closed
8 tasks done
joseph-zeronsoftn opened this issue Mar 10, 2023 · 2 comments
Comments

joseph-zeronsoftn commented Mar 10, 2023

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/zeronsoftn/shim-review/tree/zeronsoftn-shim-x86_64-20230310


What is the SHA256 hash of your final SHIM binary?


0cce8d1b89075739840a30db40ff9cb0a372b0b38c0e50afd4225379de61ef35  shimaa64.efi
6fa59470093eae65bee01d88e576e83ba92e7bff9222f391f349c41245e59b8c  shimia32.efi
c9c614bd36ba5399b68dae79f023ba3d9e3af590778fa080961cd10c671fd328  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


#147 (Accepted)
#254 (15.6, Closed)

@aronowski (Collaborator)

While I'm not an official reviewer, I can see a few curiosities:

*******************************************************************************
### If your boot chain of trust includes a Linux kernel:
### Is upstream commit [1957a85b0032a81e6482ca4aab883643b8dae06e "efi: Restrict efivar_ssdt_load when the kernel is locked down"](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1957a85b0032a81e6482ca4aab883643b8dae06e) applied?
### Is upstream commit [75b0cea7bf307f362057cc778efe89af4c615354 "ACPI: configfs: Disallow loading ACPI tables when locked down"](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=75b0cea7bf307f362057cc778efe89af4c615354) applied?
### Is upstream commit [eadb2f47a3ced5c64b23b90fd2a3463f63726066 "lockdown: also lock down previous kgdb use"](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eadb2f47a3ced5c64b23b90fd2a3463f63726066) applied?
*******************************************************************************

Yes. They are all applied.

5.15.98: https://github.com/zeronsoftn/alpine-packages/tree/a891088f81f5cd36b7886f5e3905df19f55eb0d7/main/linux-lts

*******************************************************************************
### Do you build your signed kernel with additional local patches? What do they do?
*******************************************************************************

No patches.

By linking to the alpine-packages repository I thought these upstream commits were presented somewhere there, or a snapshot of your kernel. I don't understand why the link is in here then. Isn't this a bit confusing?

On the other hand, the next entry claims that there are no patches, even though there are some .patch files in the repository you linked, so I assume these are related to the Alpine Linux kernel, rather than local ones. Is that right?

Since I'm not familiar with this project, I'm guessing this is just a mainline v5.15 kernel (if it's not, please explain it to me in simple terms). If that's true, what is the status of NX support? Is there something like this backported?


*******************************************************************************
### Which modules are built into your signed grub image?
*******************************************************************************
ahci reboot halt minicmd help diskfilter acpi ata blocklist boot cat cmp configfile cpuid crypto cryptodisk datetime elf echo exfat ext2 fat gptsync halt hashsum iso9660 ldm linux loadenv ls lspci mdraid1x memdisk msdospart normal ntfs ntfscomp ohci part_gpt part_msdos raid5rec random scsi search search_fs_file search_fs_uuid search_label sleep squash4 tar test time true usb usb_keyboard xfs usbms file pgp verifiers gcry_rsa gcry_dsa gcry_sha256 gcry_sha512 regexp

*******************************************************************************
### What is the origin and full version number of your bootloader (GRUB or other)?
*******************************************************************************

grub-efi-amd64-signed_1+2.06+3~deb11u5_amd64
https://packages.debian.org/source/bullseye/grub2

After downloading the archive at http://deb.debian.org/debian/pool/main/g/grub2/grub2_2.06-3~deb11u5.debian.tar.xz I inspected the modules listed in the build-efi-images file.
There seems to be a huge difference between the modules listed in this review and in that file. See for yourself:
(the ones with < are mentioned only in your review, the ones with > are mentioned only in build-efi-images)

1,4c1
< acpi
< ahci
< ata
< blocklist
---
> all_video
5a3
> btrfs
7c5
< cmp
---
> chain
10d7
< crypto
12,13d8
< datetime
< diskfilter
15,16c10,11
< elf
< exfat
---
> efifwsetup
> efinet
17a13
> f2fs
19c15,21
< file
---
> font
> gcry_arcfour
> gcry_blowfish
> gcry_camellia
> gcry_cast5
> gcry_crc
> gcry_des
20a23,28
> gcry_idea
> gcry_md4
> gcry_md5
> gcry_rfc2268
> gcry_rijndael
> gcry_rmd160
21a30,32
> gcry_seed
> gcry_serpent
> gcry_sha1
24c35,42
< gptsync
---
> gcry_tiger
> gcry_twofish
> gcry_whirlpool
> gettext
> gfxmenu
> gfxterm
> gfxterm_background
> gzio
26,27d43
< halt
< hashsum
28a45
> hfsplus
30c47,49
< ldm
---
> jfs
> jpeg
> keystatus
31a51
> linuxefi
32a53
> loopback
34c55,61
< lspci
---
> lsefi
> lsefimmap
> lsefisystab
> lssal
> luks
> lvm
> mdraid09
38d64
< msdospart
41,42c67
< ntfscomp
< ohci
---
> part_apple
45c70,73
< pgp
---
> password_pbkdf2
> play
> png
> probe
47c75
< random
---
> raid6rec
50d77
< scsi
57d83
< tar
59c85,86
< time
---
> tftp
> tpm
61,64c88
< usb
< usb_keyboard
< usbms
< verifiers
---
> video
65a90,92
> zfs
> zfscrypt
> zfsinfo

With this in mind I assume the source of truth is located somewhere else rather than in the build-efi-images file. Please give me a hint where it is.

Also, when it comes to GRUB2, just a reminder that we're all waiting for Debian's implementation of NX support. But since Debian got their shim signed without having it yet, I hope everything goes well!


Why does your SBAT entry mention the empty repository https://github.com/zeronsoftn/shim-release?
Asking just out of curiosity since the same entry was accepted in an earlier review.

@joseph-zeronsoftn (Author)

> By linking to the alpine-packages repository I thought these upstream commits were presented somewhere there, or a snapshot of your kernel. I don't understand why the link is in here then. Isn't this a bit confusing?

We separated the repository to distinguish the kernel we use.
It said that it was applied because the 5.15 kernel already included the three patches mentioned in shim-review.
The NX support patch has not been applied. This is clearly the part I'm missing. Only the patches mentioned in shim-review have been applied.

> After downloading the archive at http://deb.debian.org/debian/pool/main/g/grub2/grub2_2.06-3~deb11u5.debian.tar.xz I inspected the modules listed in the build-efi-images file.
> There seems to be a huge difference between the modules listed in this review and in that file. See for yourself:
> (the ones with < are mentioned only in your review, the ones with > are mentioned only in build-efi-images)

Rather than using build-efi-images, we create a new grub image containing the modules we need via grub-mkstandalone. For this part I said: "We also generate a single executable grub.efi with the grub-mkstandalone tool with check_signatures enabled to prevent tampering with grub's configuration."

> Why does your SBAT entry mention the empty repository https://github.com/zeronsoftn/shim-release?
> Asking just out of curiosity since the same entry was accepted in an earlier review.

The link in the SBAT entry is a separate repository for issue management so that we can explain about it when there is a problem with the shim we have deployed. It's empty as it hasn't been deployed to production yet, but later we'll write down which images we've signed.

Thank you for your review.
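The module-list comparison from the review above and the grub-mkstandalone build described in this reply, as one added example written for this page: it is neither the submitter's build script nor Debian's build-efi-images. REVIEW_MODULES is copied from the review text; BUILD_MODULES is a constructed excerpt standing in for a distribution build list, not the real Debian file. The module set assumed necessary for signature enforcement, the key file name signing-key.pub.gpg, the output name grub.efi and the x86_64-efi target are assumptions; grub-mkstandalone is only invoked if it is installed and the key file exists.

```shell
#!/bin/sh
# Added example (not from the submission): check a GRUB module list the way a
# shim reviewer would, then build a standalone grub.efi that enforces GPG
# signature checks. Plain POSIX sh; grub-mkstandalone runs only if present.

# Module list exactly as given in the review text.
REVIEW_MODULES="ahci reboot halt minicmd help diskfilter acpi ata blocklist boot cat cmp configfile cpuid crypto cryptodisk datetime elf echo exfat ext2 fat gptsync halt hashsum iso9660 ldm linux loadenv ls lspci mdraid1x memdisk msdospart normal ntfs ntfscomp ohci part_gpt part_msdos raid5rec random scsi search search_fs_file search_fs_uuid search_label sleep squash4 tar test time true usb usb_keyboard xfs usbms file pgp verifiers gcry_rsa gcry_dsa gcry_sha256 gcry_sha512 regexp"

# CONSTRUCTED excerpt standing in for a distribution build script's module
# list (e.g. Debian's build-efi-images); it is not the real file.
BUILD_MODULES="all_video boot btrfs cat chain configfile echo efinet ext2 fat linuxefi normal part_gpt part_msdos search tpm verifiers"

# Modules the pgp verifier needs for RSA/SHA-256 signed files (assumption
# about the signing setup; add gcry_dsa or gcry_sha512 for other signatures).
SIGNATURE_MODULES="verifiers pgp gcry_rsa gcry_sha256"

# One module per line, sorted, deduplicated: the form comm(1) needs.
normalize() {
    printf '%s\n' $1 | grep -v '^$' | sort -u
}

# Names listed more than once (the review list names halt twice).
duplicates() {
    printf '%s\n' $1 | grep -v '^$' | sort | uniq -d
}

# only_in A B: modules in list A that are absent from list B
# (the '<' or '>' lines of the reviewer's diff, depending on argument order).
only_in() {
    a=$(mktemp); b=$(mktemp)
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Fail if the list cannot enforce signatures at all: without the verifier
# framework, the pgp verifier and the matching cipher/hash modules,
# check_signatures=enforce has nothing to work with.
required_for_signatures() {
    missing=""
    for m in $SIGNATURE_MODULES; do
        normalize "$1" | grep -qx "$m" || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "missing modules for signature enforcement:$missing" >&2
        return 1
    fi
}

# Embedded config: enforce from the first instruction, then chain to the
# real grub.cfg on the ESP, which must ship a detached grub.cfg.sig made
# with the same key. The embedded config itself lives in the image's memdisk
# and is covered by the Authenticode signature on grub.efi.
write_embedded_cfg() {
    cat > "$1" <<'EOF'
set check_signatures=enforce
export check_signatures
search --no-floppy --file --set=root /boot/grub/grub.cfg
configfile ($root)/boot/grub/grub.cfg
EOF
}

# Build command. --pubkey embeds the exported GPG public key (which also
# turns check_signatures on at startup); "boot/grub/grub.cfg=FILE" places the
# embedded config inside the memdisk. Key and output names are hypothetical.
mkstandalone_cmd() {
    cfg=$1; key=$2; out=$3
    printf 'grub-mkstandalone -O x86_64-efi -o %s --pubkey=%s --modules="%s" "boot/grub/grub.cfg=%s"\n' \
        "$out" "$key" "$REVIEW_MODULES" "$cfg"
}

main() {
    echo "duplicates in review list:"; duplicates "$REVIEW_MODULES"
    echo "only in review list:";       only_in "$REVIEW_MODULES" "$BUILD_MODULES"
    echo "only in build list:";        only_in "$BUILD_MODULES" "$REVIEW_MODULES"
    required_for_signatures "$REVIEW_MODULES" || exit 1
    cfg=$(mktemp)
    write_embedded_cfg "$cfg"
    cmd=$(mkstandalone_cmd "$cfg" signing-key.pub.gpg grub.efi)
    if command -v grub-mkstandalone >/dev/null 2>&1 && [ -f signing-key.pub.gpg ]; then
        eval "$cmd"
    else
        echo "would run: $cmd"
    fi
}
main "$@"
```

Run it in the directory holding the exported public key; without the tool or key it only prints the comparison and the command it would have run. The duplicate and set-difference checks are what a reviewer can apply to any submission's module list, and required_for_signatures is the test that a claim of "check_signatures enabled" depends on.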
