
Shim 15.7 for Cisco #354

Closed
8 tasks done
vasudevluthra opened this issue Nov 16, 2023 · 10 comments
Comments

@vasudevluthra

vasudevluthra commented Nov 16, 2023

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
    N/A
  • any extra patches to shim via your own git tree or as files
    N/A
  • any extra patches to grub via your own git tree or as files
    N/A
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/cisco/sto-uefi-secure-bootloader/releases/tag/cisco-shim-x86_64-20231116

What is the SHA256 hash of your final SHIM binary?

SHA2-256(shimx64.efi)= ead71732d1fbd7710f1aeb7c69b4ad77bfb7db7533bf5708e7c719bf0aac2df3

What is the link to your previous shim review request (if any, otherwise N/A)?

#126

#37 (accepted)

@vasudevluthra vasudevluthra changed the title Cisco common shim review submission Cisco common shim 15.7 review submission Nov 16, 2023
@vasudevluthra vasudevluthra changed the title Cisco common shim 15.7 review submission Shim 15.7 for Cisco Nov 16, 2023
@Blarse

Blarse commented Nov 21, 2023

I'm not an authorized reviewer, but I'd like to contribute and help
@frozencemetery @steve-mcintyre @julian-klode:

Build reproducibility

  • Reproducible according to Dockerfile:

```
objcopy -D -j .text -j .sdata -j .data \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
        -j .sbatlevel \
        -j .debug_info -j .debug_abbrev -j .debug_aranges \
        -j .debug_line -j .debug_str -j .debug_ranges \
        -j .note.gnu.build-id \
        fbx64.so fbx64.efi.debug
objcopy -D -j .text -j .sdata -j .data -j .data.ident \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame \
        -j .vendor_cert -j .sbat -j .sbatlevel \
        --target efi-app-x86_64 mmx64.so mmx64.efi
./post-process-pe -vv mmx64.efi
objcopy -D -j .text -j .sdata -j .data -j .data.ident \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame \
        -j .vendor_cert -j .sbat -j .sbatlevel \
        --target efi-app-x86_64 fbx64.so fbx64.efi
./post-process-pe -vv fbx64.efi
make: Leaving directory '/shim-build/build-x64'
--> d4b730693292
STEP 10/11: RUN mkdir /shim-build/install
--> 3e6b8b563cc3
STEP 11/11: RUN cp build-x64/shimx64.efi /shim-build/install
COMMIT cisco-shim-x86_64-20231116
--> 95cf9fc3e898
Successfully tagged localhost/cisco-shim-x86_64-20231116:latest
95cf9fc3e898ad206f2b9e9b989bd68231b77016e318c44c57af582a8cffe5ae
```

  • Hash matches for shimx64.efi:

```
$podman run -it --rm cisco-shim-x86_64-20231116:latest sha256sum /shim-build/install/shimx64.efi
ead71732d1fbd7710f1aeb7c69b4ad77bfb7db7533bf5708e7c719bf0aac2df3  /shim-build/install/shimx64.efi
```

Shim source

Certificates

  • Embedded cert is valid until 2099; @rhboot Ask for help: is it okay?

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:57:ab:c2:ee:d2:fb:a8:f2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = Pavo, O = Cisco, CN = Virtual UEFI Root CA V2
        Validity
            Not Before: Oct 22 17:08:54 2020 GMT
            Not After : Oct 22 15:26:16 2099 GMT
        Subject: O = Cisco, OU = Perseus, CN = Virtual UEFI SubCA V3
```

SBAT

  • SBAT seems okay for shimx64.efi:

```
Contents of section .sbat:
 d5000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d5010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d5020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d5030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d5040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d5050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d5060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d5070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d5080 696d0a73 68696d2e 63697363 6f2c312c  im.shim.cisco,1,
 d5090 43697363 6f2c7368 696d2c31 352e372c  Cisco,shim,15.7,
 d50a0 70736972 74406369 73636f2e 636f6d0a  psirt@cisco.com.
```

GRUB

@rhboot Ask for help

> If you are using a downstream implementation of GRUB2 (e.g. from Fedora or Debian), please
> preserve the SBAT entry from those distributions and only append your own.
> More information on how SBAT works can be found here.


We use upstream distros for grub since we are not rebuilding it.

I'm not exactly sure how SBAT revocation works in this case.

@vasudevluthra are you planning to sign upstream distros' grub binaries with your key?

@rhboot do we accept this?

Kernel

@rhboot Ask for help

> Do you use an ephemeral key for signing kernel modules?
>
> If not, please describe how you ensure that one kernel build does not load modules built for another kernel.


We do not use an ephemeral key. We use a Cisco HSM backed key for signing.

As discussed in #345, do we accept this strategy?
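One way to turn the `.sbat` hex dump quoted in the review above into something a reviewer can check mechanically, as an added example that is not part of this issue or of the shim-review or rhboot/shim projects: it decodes the `objdump -s` rows back into bytes, parses the SBAT CSV records, and runs the checks the README template in this thread asks about (the upstream `shim` entry kept intact, the vendor entry appended after it). The dump rows are the ones posted above; the function names and the review checks are this example's own assumptions about what a reviewer wants to see.

```python
"""Decode the `objdump -s -j .sbat` hex dump from the review and check the SBAT records.

Added example for this review thread; it is not code from the shim-review or
rhboot/shim projects. The hex dump rows are the ones posted in the review
comment above; the function names and the review checks are this example's own.
"""
import re

# Rows of the .sbat section exactly as shown in the review comment (without the
# "Contents of section .sbat:" header line).
SBAT_DUMP = """\
 d5000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d5010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d5020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d5030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d5040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d5050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d5060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d5070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d5080 696d0a73 68696d2e 63697363 6f2c312c  im.shim.cisco,1,
 d5090 43697363 6f2c7368 696d2c31 352e372c  Cisco,shim,15.7,
 d50a0 70736972 74406369 73636f2e 636f6d0a  psirt@cisco.com.
"""

# Column order of an SBAT CSV record.
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")

_HEX_GROUP = re.compile(r"^[0-9a-f]{2,8}$")


def decode_objdump_hexdump(dump: str) -> bytes:
    """Rebuild raw section bytes from `objdump -s` rows.

    A row is `<offset> <up to four 8-hex-char groups>  <ascii column>`.
    Only the hex groups are used: the ASCII column is lossy (objdump prints
    '.' for non-printable bytes such as the 0x0a record separators).
    """
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("Contents of"):
            continue
        head = line.split("  ", 1)[0]       # hex part, before the ASCII column
        groups = head.split()[1:]           # first token is the section offset
        if not groups or not all(_HEX_GROUP.match(g) for g in groups):
            raise ValueError(f"unexpected hex dump row: {line!r}")
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def parse_sbat(data: bytes) -> list[dict]:
    """Split the decoded payload into one dict per SBAT CSV record."""
    records = []
    for lineno, row in enumerate(data.decode("ascii").split("\n"), start=1):
        if not row:
            continue                        # the payload ends with a newline
        fields = row.split(",")
        if len(fields) < len(SBAT_FIELDS):
            raise ValueError(f"SBAT line {lineno} has {len(fields)} fields, expected 6")
        records.append(dict(zip(SBAT_FIELDS, fields)))
    return records


def check_sbat(records: list[dict]) -> list[str]:
    """Return review findings; an empty list means the section looks sane.

    The checks follow what the README template in this thread asks for: keep
    the upstream 'shim' entry and only append your own, so vendor entries
    (names with a '.' suffix such as shim.cisco) must come after it. Integer
    generations and unique component names are required for revocation
    comparisons to make sense.
    """
    findings = []
    if not records or records[0]["component_name"] != "sbat":
        findings.append("first record must be the 'sbat' format-version header")
    seen = set()
    upstream_seen = False
    for rec in records:
        name, gen = rec["component_name"], rec["component_generation"]
        if name in seen:
            findings.append(f"duplicate component name {name!r}")
        seen.add(name)
        if not gen.isdigit() or int(gen) < 1:
            findings.append(f"{name}: generation {gen!r} is not a positive integer")
        if name == "shim":
            upstream_seen = True
        elif name.startswith("shim.") and not upstream_seen:
            findings.append(f"{name}: vendor entry precedes the upstream 'shim' entry")
    if not upstream_seen:
        findings.append("upstream 'shim' entry is missing; downstream builds must preserve it")
    return findings


if __name__ == "__main__":
    payload = decode_objdump_hexdump(SBAT_DUMP)
    print(payload.decode("ascii"))
    for finding in check_sbat(parse_sbat(payload)) or ["no findings"]:
        print("-", finding)
```

Run against a real binary, the dump would come from `objdump -s -j .sbat shimx64.efi`; the point of decoding the hex rather than the ASCII column is that objdump shows the newline separators as `.`, so the ASCII column alone cannot be split into records reliably.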

@aronowski
Collaborator

@Blarse, thank you for the review. To clarify:

> NX support patch is not applied

We recently got informed about the Microsoft exception mentioned in PR #359, so the current revision without NX support would be fine. No blame intended, as the requirements have changed in the meantime.

> Embedded cert is valid until 2099; [...] is it okay?

I'd ask Microsoft about this, whether they would be willing to sign such a binary, but would also take into consideration other details, such as the hashing function used, public modulus (n) size, as well as the public exponent (e), to see if the parameters are satisfactory for reasonable usage.
Disclaimer: I myself am not a cryptologist, so don't rely on me as an expert here.


I'll send verification emails first, and once the verification is successful, I'll then proceed with the application.
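The parameters named in the reply above (hash function, modulus size, exponent, validity window) can be pulled out of the `openssl x509 -text` output that the review quotes. The following is an added example, not code from this issue or the shim-review project. Its certificate text reuses the lines posted above; the `Subject Public Key Info` block (key size and exponent) is constructed here because the issue does not show it, and the thresholds are this example's assumptions, not a signing-authority policy.

```python
"""Pull the parameters a reviewer looks at out of `openssl x509 -text` output.

Added example for this review thread; it is not code from the shim-review
project. The Certificate/Validity/Subject lines are the ones posted in the
review comment above. The Subject Public Key Info lines are CONSTRUCTED here
so the example is complete (the issue does not show them), and the review
thresholds are this example's assumptions, not a signing-authority policy.
"""
import re
from datetime import datetime

# The first eleven lines are from the issue; the "Subject Public Key Info"
# block at the end is constructed for this example.
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:57:ab:c2:ee:d2:fb:a8:f2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = Pavo, O = Cisco, CN = Virtual UEFI Root CA V2
        Validity
            Not Before: Oct 22 17:08:54 2020 GMT
            Not After : Oct 22 15:26:16 2099 GMT
        Subject: O = Cisco, OU = Perseus, CN = Virtual UEFI SubCA V3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
"""

# Review thresholds: assumptions for this example, not a published requirement.
MIN_RSA_BITS = 2048
DEPRECATED_HASH_PREFIXES = ("md5", "sha1")
MAX_VALIDITY_YEARS = 30

_DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # openssl's default date rendering


def _grab(pattern: str, text: str) -> str:
    """Return group 1 of the first line matching `pattern`, or raise."""
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError(f"field not found in certificate text: {pattern}")
    return m.group(1).strip()


def parse_cert_text(text: str) -> dict:
    """Extract signature hash, subject, validity window, key size and exponent."""
    return {
        "sig_alg": _grab(r"^\s*Signature Algorithm:\s*(\S+)", text),
        "subject": _grab(r"^\s*Subject:\s*(.+)$", text),
        "not_before": datetime.strptime(_grab(r"^\s*Not Before\s*:\s*(.+)$", text), _DATE_FMT),
        "not_after": datetime.strptime(_grab(r"^\s*Not After\s*:\s*(.+)$", text), _DATE_FMT),
        "key_bits": int(_grab(r"^\s*Public-Key:\s*\((\d+) bit\)", text)),
        "exponent": int(_grab(r"^\s*Exponent:\s*(\d+)", text)),
    }


def review_cert(params: dict) -> list[str]:
    """Return the points a reviewer would raise about the certificate parameters."""
    findings = []
    if params["sig_alg"].lower().startswith(DEPRECATED_HASH_PREFIXES):
        findings.append(f"signature algorithm {params['sig_alg']} uses a deprecated hash")
    if params["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA modulus is {params['key_bits']} bits, below {MIN_RSA_BITS}")
    if params["exponent"] != 65537:
        findings.append(f"public exponent is {params['exponent']}, not the customary 65537; confirm it is intended")
    years = (params["not_after"] - params["not_before"]).days / 365.25
    if years > MAX_VALIDITY_YEARS:
        findings.append(f"validity period is about {years:.0f} years, above the {MAX_VALIDITY_YEARS}-year review threshold")
    return findings


if __name__ == "__main__":
    params = parse_cert_text(CERT_TEXT)
    print(params["subject"])
    for finding in review_cert(params) or ["no findings"]:
        print("-", finding)
```

On the certificate quoted in this thread, the only point this raises is the validity period (roughly 79 years), which is exactly the question the reviewer forwarded; the constructed key-size and exponent values pass the thresholds.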

@aronowski
Collaborator

Verification emails sent to all the 3 contacts listed in the current application.

@aronowski aronowski self-assigned this Dec 19, 2023
@aronowski aronowski added the contact verification needed Contact verification is needed for this review label Dec 19, 2023
@vasudevluthra
Author


@dat-van

dat-van commented Jan 9, 2024

@aronowski


@vasudevluthra
Author

vasudevluthra commented Jan 9, 2024

@Blarse Thank you for the review. Yes, we are planning to sign upstream distros' grub binaries with our key.

@jeffh-id


@aronowski aronowski removed the contact verification needed Contact verification is needed for this review label Jan 18, 2024
@aronowski
Collaborator

Apologies for the delays, been having a lot of stuff on my plate.

Please, update the issue, so it reflects the current shim 15.8.

@dat-van

dat-van commented Feb 2, 2024

Thanks, we're working on it.

@steve-mcintyre
Collaborator

Closing - please start with a new issue when you're ready, and link to this one
