Shim 15.7 for Pop OS (system76-shim-x86_64-20230131) #313

Closed
8 tasks done
jackpot51 opened this issue Jan 31, 2023 · 15 comments
Labels
bug Problem with the review that must be fixed before it will be accepted custom second-stage Second-stage image is not GRUB new vendor This is a new vendor question Reviewer(s) waiting on response

Comments

@jackpot51

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/system76/shim-review/tree/system76-shim-x86_64-20230131

What is the SHA256 hash of your final SHIM binary?

c2f68d9214792d6e76901a287f01a8befea760ca1ec82b13f2b3c9f19bda52a4

What is the link to your previous shim review request (if any, otherwise N/A)?

N/A

@jackpot51 jackpot51 changed the title system76-shim-x86_64-20230131 Shim 15.7 for Pop OS (system76-shim-x86_64-20230131) Jan 31, 2023
@jackpot51
Author

@julian-klode I realized that I do not have NX support enabled (#307). Is it preferred if I add a patch on top of 15.7 or preferred if I use the current master branch of shim in order to enable it? When will there be a new release of shim that enables it by default?

@jackpot51
Author

Can I please get a response on this?

@dennis-tseng99
Collaborator

> @julian-klode I realized that I do not have NX support enabled (#307). Is it preferred if I add a patch on top of 15.7 or preferred if I use the current master branch of shim in order to enable it? When will there be a new release of shim that enables it by default?

Maybe you could add a patch named NX.patch like this: https://github.com/opsi-org/shim-review/tree/opsi-shim-x86_64-20230109

@frozencemetery frozencemetery added the bug Problem with the review that must be fixed before it will be accepted label Feb 16, 2023
@frozencemetery
Member

A patch works.

@jackpot51
Author

Thanks, I will do that.

@steve-mcintyre steve-mcintyre added the contact verification needed Contact verification is needed for this review label Sep 12, 2023
@steve-mcintyre
Collaborator

Picking up on this now, apologies for the delay. :-(

I've just sent you mails for contact verification - please read and follow the instructions there.

@steve-mcintyre steve-mcintyre added the custom second-stage Second-stage image is not GRUB label Sep 12, 2023
@jackpot51
Author

Thank you @steve-mcintyre, I realize that I still need to pick the NX patch

@jackpot51
Author

Hi!

Please quote the following words in

  https://github.com/rhboot/shim-review/issues/313

to confirm your identity:

  aspic grotesque licit glowing Pole planet milkshake focussed apathetic tabooed

@crawfxrd

prior relived congests Nashua interruption disgusting pincushions scholar suffixed wooliest

@steve-mcintyre steve-mcintyre added the question Reviewer(s) waiting on response label Sep 12, 2023
@steve-mcintyre
Collaborator

Review of Shim 15.7 for Pop OS (system76-shim-x86_64-20230131)

OK

  • No previous shims signed, so revocation story is easy
  • Shim directly from 15.7 upstream, with no patches applied.
  • SBAT data looks mostly OK, but see below.
  • Using upstream kernel lockdown stuff in 6.0

Issues / queries / outstanding

  • Contact verification required - mails sent
  • Shim build does not reproduce for x64. You claim
    c2f68d9214792d6e76901a287f01a8befea760ca1ec82b13f2b3c9f19bda52a4 shimx64.efi
    but I get from my build locally:
    24282dff21ca7dcc1d9df8575513dc42914a9eb428f6e39cef8c1ff76ef464e8 /shim/shimx64.efi
    Hexdump and comparison suggests minor shuffling of code. Looks like
    the compiler has moved on in Ubuntu jammy. Could you please update?
  • Will need to add NX patch yet
  • Vendor SBAT version in shim is set to "3", which is unnecessary -
    "1" would do here as you've not had to revoke anything yet.
  • Using systemd-boot as the second-stage bootloader, not grub. I'll
    need an extra pair of eyes to review that.
  • Embedded cert is quite different to what we normally get. Using AWS
    KMS is reasonable for key management I think, but:
    • You're directly embedding a 10-year cert. I'm assuming you're
      planning on using the same cert to sign all binaries?
    • More normal is either:
      • A long-lived CA cert which you'd use as the root of trust for
        further signing of other binaries
      • A shorter-lived embedded code-signing cert to be used directly.
        Could you explain your setup here in a little more detail please?
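The review above leans on two mechanical checks: whether the SBAT data in the shim is well-formed and whether the vendor generation number is higher than the vendor's revocation history justifies. As an added example (not code from this thread, from the shim-review project, or from System76), here is a small SBAT parser and policy checker in the shape a reviewer would use. The SBAT CSV layout (component name, generation, vendor name, package, version, URL, with a leading `sbat` header entry) and the rule that a binary is rejected when a policy lists one of its components at a higher generation are upstream shim's documented semantics; the sample section, the sample policy, the vendor name `shim.example` and the helper names are all constructed for the example.

```python
"""Added example: parse and sanity-check a shim SBAT section the way a
reviewer does.  Not code from the shim-review thread or the shim project.

SBAT data is a CSV blob, one entry per line:
  component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
The first entry is the "sbat" header.  A revocation policy (the SbatLevel
variable) lists component names with a minimum generation; a binary is
rejected if one of its entries names a component whose generation is below
that minimum.  All sample data below is constructed.
"""
import csv
import io

# Constructed sample section: upstream shim entry plus a vendor entry, both
# at generation 3.  The review flagged a vendor generation of 3 as unnecessary
# for a first submission, since no vendor revocation has happened yet.
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,15.7,https://github.com/rhboot/shim\n"
    "shim.example,3,Example Vendor,shim,15.7,https://example.invalid/shim-review\n"
)

# Constructed sample policy in SbatLevel form: header line (with a policy
# datestamp) followed by "component,minimum_generation" lines.
SAMPLE_POLICY = (
    "sbat,1,2023010900\n"
    "shim,2\n"
)

FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(text):
    """Parse SBAT CSV into a list of dicts; raise ValueError on malformed rows."""
    entries = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # tolerate a stray blank line
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        entry = dict(zip(FIELDS, row))
        gen = entry["component_generation"]
        if not gen.isdigit() or int(gen) < 1:
            raise ValueError(f"line {lineno}: generation must be a positive integer")
        entry["component_generation"] = int(gen)
        entries.append(entry)
    if not entries or entries[0]["component_name"] != "sbat":
        raise ValueError("first entry must be the 'sbat' header")
    return entries


def parse_policy(text):
    """Parse an SbatLevel-style policy into {component_name: minimum_generation}."""
    policy = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        name, generation = row[0], int(row[1])
        if name == "sbat":
            continue  # header line carries the policy datestamp, not a minimum
        policy[name] = generation
    return policy


def is_revoked(entries, policy):
    """Return the component names the policy would reject (empty list = boots)."""
    return [e["component_name"] for e in entries
            if e["component_name"] in policy
            and e["component_generation"] < policy[e["component_name"]]]


def review_findings(entries, vendor_prefix="shim.", prior_revocations=0):
    """Reviewer-style lint: a vendor entry's generation should be one more
    than the number of revocations that vendor has had to issue (so 1 on a
    first submission).  Vendor entries are recognised by the constructed
    prefix convention 'shim.<vendor>'."""
    expected = prior_revocations + 1
    findings = []
    for e in entries[1:]:  # skip the sbat header entry
        if e["component_name"].startswith(vendor_prefix) and e["component_generation"] > expected:
            findings.append(f"{e['component_name']}: generation {e['component_generation']} "
                            f"but {expected} would do with {prior_revocations} prior revocations")
    return findings


if __name__ == "__main__":
    entries = parse_sbat(SAMPLE_SBAT)
    print("revoked by sample policy:", is_revoked(entries, parse_policy(SAMPLE_POLICY)))
    for finding in review_findings(entries):
        print("finding:", finding)
```

Running it against the constructed section reports no revocation under the sample policy (shim at generation 3 satisfies a minimum of 2) and one finding for `shim.example`, which mirrors the review's point that "1" would do until a vendor revocation actually happens; bumping the vendor generation prematurely only shrinks the room for future revocations.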

@steve-mcintyre steve-mcintyre removed the contact verification needed Contact verification is needed for this review label Sep 12, 2023
@steve-mcintyre
Collaborator

Contact verification complete!

@jackpot51
Author

Thank you for the review, I'll work through the items remaining. If systemd-boot will be an issue, I can try to utilize grub and specify that in the next version I build. The certificate that is embedded is used directly to sign binaries. I'd be happy to build a new one with a shorter revocation time.

@THS-on
Collaborator

THS-on commented Oct 10, 2023

I think the signing of systemd-boot we should discuss on the upcoming meeting. Ubuntu got a submission accepted with systemd-boot, but we currently have no fixed guidelines for that. To make it easier to review for us you can:

  • use GRUB2 taken either from upstream or one of the major distros. (Please keep their SBAT entry and just add your own)
  • build shim with NX enabled (rhboot/shim@7c76425) and possibly the buggy binutils patch (rhboot/shim@657b248)
  • Use ephemeral keys for signing the kernel modules and add the related question to your review (1f85d85)

Regarding the certificate. The most common thing to do is to embed a 20-30 year CA certificate and then generate other certs to sign the components with a shorter lifespan.

@THS-on
Collaborator

THS-on commented Feb 20, 2024

systemd-boot is now allowed. Can you either create a new submission for 15.8 or update this one to 15.8?

@jackpot51
Author

I will do a new submission with the latest shim when I have time. Closing this one in the meantime.
