
shim 15.8 for Navix 8 #370

Closed
8 tasks done
leejun9503 opened this issue Feb 5, 2024 · 12 comments
Labels
accepted Submission is ready for sysdev new vendor This is a new vendor

Comments

@leejun9503

leejun9503 commented Feb 5, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/NaverCloudPlatform/shim-review/tree/navix-shim-x86_64-20240226


What is the SHA256 hash of your final SHIM binary?


2e7522c7c251f0d80cbddcad9f2ec73ee94cfe672efe986152bf59ca67e7cc19  shimx64.efi
6200d688b270fbdfc29fe86775ed50c8614e23430aec495f20c7de75adf22e6c  shimia32.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


#346

@leejun9503
Author

leejun9503 commented Feb 5, 2024

Updated questions

There are some minor fixes that are not mentioned on this list, but they are shim/grub version and typo fixes.

  • What patches are being applied and why
  • If shim is loading GRUB2 bootloader and your previously released shim booted a version of GRUB2 affected by any of the CVEs in the July 2020, the March 2021, the June 7th 2022, the November 15th 2022, or 3rd of October 2023 GRUB2 CVE list, have fixes for all these CVEs been applied?
  • If these fixes have been applied, is the upstream global SBAT generation in your GRUB2 binary set to 4?
  • Were old shims hashes provided to Microsoft for verification and to be added to future DBX updates?
  • If your boot chain of trust includes a Linux kernel:
  • Do you use an ephemeral key for signing kernel modules?
  • Do you add a vendor-specific SBAT entry to the SBAT section in each binary that supports SBAT metadata ( GRUB2, fwupd, fwupdate, shim + all child shim binaries )?
  • What is the origin and full version number of your bootloader (GRUB2 or other)?

@kukrimate
Contributor

Disclaimer: I am not an official reviewer.

Basics

  • Contact already verified (shim 15.7 for Navix 8 #346)
  • RHEL 8 downstream with self-built GRUB and kernels (planned public release)
  • No personal familiarity with vendor, but "NAVER Cloud Corp." seems like a reasonably sized company, and looks to have the ability to provide security updates.

CA

  • "Navix Secure Boot CA": RSA2048, self-signed, signing bit set
  • Private key in HSM with access controls

shim

  • First submission, no pre-SBAT shims.
  • Using 15.8 release without patches.
  • Binaries reproduce via provided Dockerfile
  • SBAT data looks good
  • NX bit correctly off

GRUB2

  • Unmodified RHEL GRUB2
  • No signed NTFS, SBAT gen still at 3 (fine for now, but bump to 4 will still be needed when revocations reach grub,4)

Kernel

  • Unmodified RHEL kernel

@SherifNagy
Collaborator

While I am not an official reviewer, here are my comments, looking at the latest tag: https://github.com/NaverCloudPlatform/shim-review/tree/navix-shim-x86_64-20240205

  • SHIM sources within the SRPM match the release hash
  • SHIM's CA is valid for almost 9 years and it's 2048 bits
  • SHIM binary reproduces correctly and hashes match
  • Contacts' GPG keys look good and were verified on shim 15.7 for Navix 8 #346
  • CA and certs protection with HSM story looks good
  • Grub modules look good, no NTFS module
  • SBAT entry for grub looks good and it's grub,3 since no NTFS patches have been applied to their grub sources
  • NX is disabled and doesn't exist in the bootchain

SBAT entry for shim is wrong, seems like a copy / paste error mostly: in the issue it is shim,3 while in the binary it is shim,4, as it should be since you are building 15.8

sha256sum *.efi
6200d688b270fbdfc29fe86775ed50c8614e23430aec495f20c7de75adf22e6c  shimia32.efi
2e7522c7c251f0d80cbddcad9f2ec73ee94cfe672efe986152bf59ca67e7cc19  shimx64.efi
objcopy --only-section .sbat -O binary shimx64.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.navix,1,Navix,shim,15.8,[email protected]
objcopy --only-section .sbat -O binary shimia32.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.navix,1,Navix,shim,15.8,[email protected]
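
To make the check above repeatable, here is an added Python example (not part of the shim-review project or this submission) that parses the SBAT CSV text printed by `objcopy --only-section .sbat` and reports where the generations claimed in an issue differ from those in the binary. The sample text is the shimx64.efi output quoted above; the claimed-in-issue values are constructed to reproduce the shim,3 versus shim,4 slip.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    """One SBAT CSV record: component, generation, then four vendor fields."""
    component: str
    generation: int
    vendor_name: str
    vendor_package: str
    vendor_version: str
    vendor_url: str


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse .sbat section text; every non-empty line must have six fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip("\x00\r\t ")  # the section is often NUL padded
        if not line:
            continue
        fields = line.split(",", 5)
        if len(fields) != 6:
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries.append(SbatEntry(fields[0], int(fields[1]), *fields[2:]))
    return entries


def generations(entries: list[SbatEntry]) -> dict[str, int]:
    """Map component name -> generation as found in the binary."""
    return {e.component: e.generation for e in entries}


def find_mismatches(claimed: dict[str, int], entries: list[SbatEntry]) -> dict:
    """Return {component: (claimed, actual)} wherever the issue text disagrees
    with the binary; actual is None when the binary lacks that component."""
    actual = generations(entries)
    return {c: (g, actual.get(c)) for c, g in claimed.items() if actual.get(c) != g}


# Sample input: the shimx64.efi .sbat text quoted in the review comment above.
BINARY_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.navix,1,Navix,shim,15.8,[email protected]
"""
# Constructed: what the issue text claimed before the copy/paste error was fixed.
CLAIMED_IN_ISSUE = {"shim": 3, "shim.navix": 1}

if __name__ == "__main__":
    print(find_mismatches(CLAIMED_IN_ISSUE, parse_sbat(BINARY_SBAT)))  # {'shim': (3, 4)}
```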

@SherifNagy
Collaborator

One more thing, but this is a personal preference, I like to submit my mock build and root logs while I am building the SRPM RPM itself instead of the logs from building the docker container, but this is just me :) I know they are very similar, but again, that's just my personal preference

@SherifNagy
Collaborator

And there are a couple of questions merged into your issue, such as the usage of systemd-boot, stub and UKI

@steve-mcintyre steve-mcintyre added the bug Problem with the review that must be fixed before it will be accepted label Feb 20, 2024
@leejun9503
Author

SBAT entry for shim is wrong, seems like a copy / paste error mostly: in the issue it is shim,3 while in the binary it is shim,4, as it should be since you are building 15.8

You're right. We fixed shim's SBAT entry.

And there are a couple of questions merged into your issue, such as the usage of systemd-boot, stub and UKI

We migrated the review template to the current version and answered all questions.

@leejun9503
Author

We updated our review template to fix errors mentioned by SherifNagy.
https://github.com/NaverCloudPlatform/shim-review/tree/navix-shim-x86_64-20240226

@SherifNagy
Collaborator

All seems good, typo got fixed. We need to wait for a couple of trusted reviewers to look at this.

Best of luck with the review process

@steve-mcintyre steve-mcintyre added extra review wanted new vendor This is a new vendor and removed bug Problem with the review that must be fixed before it will be accepted labels Feb 27, 2024
@aronowski
Collaborator

The build reproduces, checksums match, NX support properly disabled until the whole chain gets NX support.

Accepting! Great job!


Notes:

*******************************************************************************
### If you are using systemd-boot on arm64 or riscv, is the fix for [unverified Devicetree Blob loading](https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c) included?
*******************************************************************************
We only support x86_64 architecture.

No systemd-boot entries as GRUB2 is used. The answer above got me worried for a moment.

No UKIs as far as I'm aware as of today (RHEL 8 fork).

@aronowski aronowski added accepted Submission is ready for sysdev and removed extra review wanted labels Mar 19, 2024
@leejun9503
Author

Awesome! Thank you all for reviewing our application!
What do we have to do next? Does Microsoft contact us about shim signing or do we have to contact Microsoft ourselves?

@eduardacatrinei

eduardacatrinei commented Mar 21, 2024

What do we have to do next? Does Microsoft contact us about shim signing or do we have to contact Microsoft ourselves?

You need to enroll your company in Microsoft's 'Hardware Development' program and make a request on the platform for shim signing.

UPDATED: UEFI Signing Requirements

Create a new UEFI or LSA submission

@leejun9503 leejun9503 mentioned this issue May 2, 2024
@leejun9503
Author

We finally got the signed shim binary from Microsoft.
Closing.
