Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Shim 15.8 for ZeeOS (x86_64) #441

Open
8 tasks done
zeetim opened this issue Sep 6, 2024 · 13 comments
Open
8 tasks done

Shim 15.8 for ZeeOS (x86_64) #441

zeetim opened this issue Sep 6, 2024 · 13 comments
Labels
Accredited review needed Needs a successful review by an accredited reviewer contacts verified OK Contact verification is complete here (or in an earlier submission) easy to review This submission might be a good place to start for an inexperienced reviewer new vendor This is a new vendor question Reviewer(s) waiting on response

Comments

@zeetim
Copy link

zeetim commented Sep 6, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/zeetim/shim-review/tree/zeetim-shim-x64-20240906


What is the SHA256 hash of your final SHIM binary?


26cb646f44e7592bfce836206f2dc81f9aa80b7cdcbd1b440e5b2e49e4962a6f shimx64.efi


What is the link to your previous shim review request (if any, otherwise N/A)?


N/A. This is our first application


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


N/A. This is our first application

@steve-mcintyre steve-mcintyre added new vendor This is a new vendor contact verification pending Contact verification emails have been sent, waiting on response labels Sep 8, 2024
@steve-mcintyre
Copy link
Collaborator

Contact verification emails sent

@Kal42
Copy link

Kal42 commented Sep 9, 2024

Hi,

Verification for [email protected] :

eunuchs drowned milkier awkwardness dilute coiffuring deserve similarities lingoes trotters

@zeetim
Copy link
Author

zeetim commented Sep 9, 2024

Hello,
Contact verification for [email protected]:
mulishness Ewing furnish calamity emblems remounts infinitesimals Swansea fusing protrusion

@steve-mcintyre steve-mcintyre added contacts verified OK Contact verification is complete here (or in an earlier submission) and removed contact verification pending Contact verification emails have been sent, waiting on response labels Sep 9, 2024
@evilteq
Copy link

evilteq commented Sep 23, 2024

Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ?

@zeetim
Copy link
Author

zeetim commented Sep 24, 2024

Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ?

We are using a different keypair to sign kernel modules. Vendor keypair included in shim image is only used to sign mokmanager (mmx64.efi), fallback (fbx64.efi), grub (grubx64.efi) and kernel image (bzImage).

@evilteq
Copy link

evilteq commented Sep 24, 2024

And that key is unique for each release (ephemeral) or is it fixed?

@zeetim
Copy link
Author

zeetim commented Sep 24, 2024

And that key is unique for each release (ephemeral) or is it fixed?

The key is unique for each release

@evilteq
Copy link

evilteq commented Sep 27, 2024

Shim is pretty much by the book, only one patch to make it NX and non-NX (only the the NX is used).
Reproduced it with the same sha256.

Certificate inside is valid for 30 years, 4K, key inside a yubike, these details:
Subject: C = FR, ST = Ile-de-France, L = Vitry-Sur-Seine, O = ZEETIM SAS, OU = ZEETIM SAS CERTIFICATE AUTHORITY, CN = ZEETIM SAS ROOT CA

Grub has many patches, but all known. (I found them exactly in the ubuntu sources).

I guess there is a mistake in the grub .sbat as it says 2.06 version, then states to be 2.12. I guess its just forgotten to add the new one for this review?

Looks good to me!

@steve-mcintyre steve-mcintyre added extra review wanted easy to review This submission might be a good place to start for an inexperienced reviewer labels Sep 30, 2024
@zeetim
Copy link
Author

zeetim commented Oct 1, 2024

I guess there is a mistake in the grub .sbat as it says 2.06 version, then states to be 2.12. I guess its just forgotten to add the new one for this review?

Thank you for your review! We have fixed the grub sbat mismatch in our repository.

@costinchen
Copy link

costinchen commented Oct 25, 2024

I'm not an official reviewer, but I want to help speed up reviewing.

  • Build is reproducible with the same sha256sum:
    26cb646f44e7592bfce836206f2dc81f9aa80b7cdcbd1b440e5b2e49e4962a6f shimx64.efi

  • Revoked certs in dbx - None, first submission

  • Embedded cert is CA cert:

    • Subject: C = FR, ST = Ile-de-France, L = Vitry-Sur-Seine, O = ZEETIM SAS, OU = ZEETIM SAS CERTIFICATE AUTHORITY, CN = ZEETIM SAS ROOT CA
    • Valid begin: Sep 6 10:00:12 2024 GMT, until: Aug 30 10:00:12 2054 GMT (30 years)
    • 4096 bit RSA key
    • Key in YubiKey
  • SBAT sections look reasonable:

shim:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.zeetim,1,Zeetim,shim,15.8,mail:[email protected]

grub:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.zeetim,1,Zeetim,grub,2.12,mail:[email protected]
  • Build shim with official tarball and only one patch from ubuntu to set the NX bit:
objdump -x shimx64.efi | grep -E 'SectionAlignment|DllCharacteristics'
SectionAlignment        00001000
DllCharacteristics      00000100
  • Grub has many patches, but all of those are from well-known distributions.

All looks good from my perspective!

A small suggestion:
Since you have updated the .sbat info of grub in your repo, you could add a new tag and update this issue with that new tag.

@christopherco
Copy link
Contributor

I am not an official reviewer but also looking to help reviewers out.

Shim

  • Using official shim 15.8 as starting source? Yes
  • Patches to shim? Yes, a NX shim patch is applied, sourced from Canonical
  • dockerfile reproduces the shimx64.efi? Yes
  • Note: The shim binary is the NX shim efi version.
  • First time submission? Yes

Certificate

$ openssl x509 -inform der -in zeetim-uefi-ca.der -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:8f:49:8a:fd:4d:ae:eb:9c:89:a1:d0:9e:d7:b9:80:b9:49:b7:f8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, ST = Ile-de-France, L = Vitry-Sur-Seine, O = ZEETIM SAS, OU = ZEETIM SAS CERTIFICATE AUTHORITY, CN = ZEETIM SAS ROOT CA
        Validity
            Not Before: Sep  6 10:00:12 2024 GMT
            Not After : Aug 30 10:00:12 2054 GMT
        Subject: C = FR, ST = Ile-de-France, L = Vitry-Sur-Seine, O = ZEETIM SAS, OU = ZEETIM SAS CERTIFICATE AUTHORITY, CN = ZEETIM SAS ROOT CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:db:cd:ab:7f:13:d9:45:b5:8a:45:1a:77:f5:1d:
                    47:f7:4b:a5:ee:24:4d:5c:72:d5:f4:b9:57:8d:22:
                    3b:94:96:d4:9c:4c:6f:c5:75:04:f5:d8:26:37:25:
                    ee:92:34:02:89:38:5e:ed:dd:e8:34:ba:9a:f2:1d:
                    f7:05:3b:fd:65:ff:32:9b:2c:1f:9f:86:8a:4b:13:
                    13:63:b7:86:e7:ea:a2:4f:f6:ad:f5:48:9f:25:90:
                    29:66:ff:7b:37:d7:2e:5e:f9:af:53:87:a4:30:63:
                    74:04:84:75:48:1c:b3:52:40:4f:e2:6d:93:8c:22:
                    80:bb:f7:d8:37:1c:d2:be:5b:ab:a9:60:2a:42:24:
                    cd:8f:38:6c:57:af:b8:5b:b8:87:85:60:f9:99:4e:
                    73:e0:67:ab:27:2d:4b:06:5e:24:2b:eb:84:9c:da:
                    ff:14:a5:44:cd:60:c0:8c:2c:fb:c6:d3:a5:e2:9a:
                    ea:15:07:b9:34:9c:e9:ea:ba:95:e5:93:ce:f9:e6:
                    11:9e:c1:f7:8a:d0:f6:2f:90:a8:a0:58:c1:8c:8f:
                    93:d6:0e:50:c7:bf:e5:61:9c:94:08:99:89:ec:4b:
                    78:7f:9c:af:0d:34:8b:a5:55:84:99:b3:e8:71:22:
                    12:6e:4c:39:7a:ba:ec:56:f3:7c:38:49:4c:91:57:
                    5a:27:80:ff:58:70:f3:10:33:77:51:a6:b1:34:5b:
                    9f:f5:eb:68:78:69:47:98:35:a3:e5:80:af:dd:84:
                    48:73:d1:ef:4e:2a:f9:3f:1e:9c:54:d5:c4:c1:19:
                    19:2e:94:30:49:7f:a0:31:3c:81:b8:61:7b:a1:67:
                    a0:c9:48:1b:1d:87:82:76:f4:92:7f:b4:c3:92:e5:
                    58:ce:1d:e3:11:e0:e3:db:c1:e1:d8:18:d3:90:96:
                    e3:a7:49:e2:1a:63:00:84:24:39:af:3f:8a:e0:59:
                    12:78:71:06:06:43:df:98:4d:4e:2a:84:a7:63:92:
                    b7:d1:22:8c:a2:0c:80:ba:80:aa:2f:5e:f4:e5:c0:
                    b1:a7:d2:3c:e5:da:37:5e:16:d5:1c:1b:90:a3:41:
                    9d:df:62:1f:1d:9b:c5:bf:a4:94:2d:97:10:b7:1c:
                    9d:b5:72:ec:f1:fb:44:c4:8c:4d:f3:d3:6d:43:ba:
                    ee:61:8b:a4:0a:6a:16:7c:dc:22:9c:d6:64:c2:f8:
                    ee:63:4e:5a:ec:6a:7d:cf:51:1e:55:ed:fd:32:16:
                    1f:41:a2:bf:53:5d:b0:6e:be:bb:53:1e:44:51:45:
                    75:10:e7:cd:73:42:88:f7:07:d2:b5:86:54:b3:86:
                    4a:44:d9:d2:8a:88:ec:9a:6a:8f:70:16:ec:79:c6:
                    71:20:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9A:74:C0:F8:DE:4A:3C:0C:3E:2D:2F:07:60:90:1E:9C:8C:85:CA:EB
            X509v3 Authority Key Identifier:
                9A:74:C0:F8:DE:4A:3C:0C:3E:2D:2F:07:60:90:1E:9C:8C:85:CA:EB
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        c0:7f:b6:34:66:19:74:c0:35:0f:e3:c3:18:48:6a:d4:a9:3b:
        98:33:e6:0a:d6:ff:05:8d:83:2e:64:df:23:8c:aa:97:41:69:
        ab:06:f5:e4:ed:1d:7e:81:b7:d9:55:07:a0:ca:a4:83:57:3c:
        18:53:76:e1:2a:8e:f0:ea:ed:f6:b5:e2:c9:cb:d0:8c:b4:6a:
        80:16:23:f0:8e:b4:56:91:b9:22:22:d3:a2:6d:09:15:19:74:
        37:c3:63:cc:99:a7:90:6b:6a:21:d6:23:02:ce:0b:2f:2c:df:
        4a:92:da:56:39:a7:2b:f9:83:ba:eb:cc:f2:18:c0:88:9a:8c:
        29:1d:74:42:cb:9b:f6:79:0c:51:20:1b:73:29:d3:fc:ee:ca:
        ce:5d:c4:2a:5a:a1:90:01:8d:76:d5:e3:22:f3:53:93:bd:23:
        93:29:e2:ea:96:ca:5e:57:5a:34:70:08:86:1a:18:0a:ab:22:
        00:8d:74:47:9a:9a:0d:78:9c:c6:36:81:6a:db:8c:28:86:85:
        bb:4e:1f:f5:16:ad:45:83:9c:89:ed:13:3a:38:4c:2d:ce:8a:
        e4:80:80:01:fe:bf:a2:22:1f:31:3e:f6:60:0c:87:a9:a4:79:
        71:35:a4:ab:4f:0d:40:c4:b9:62:7f:71:d2:06:71:a0:f6:26:
        13:2a:73:9a:f5:0f:30:94:71:41:c3:f7:20:3b:02:b1:07:2d:
        24:98:99:6a:74:e2:37:45:3f:12:96:26:81:2a:c6:b6:e2:47:
        08:c2:51:a2:f2:dc:90:e7:86:cf:c1:3b:4a:77:55:e8:0b:51:
        61:3b:98:23:ec:2f:84:af:d3:09:4a:7a:b3:d9:71:d7:65:6f:
        2e:07:16:d3:47:cf:fb:54:6d:bf:22:06:7c:72:d8:df:0b:d3:
        fc:ce:31:81:0f:b1:c5:a2:8a:13:27:ac:36:21:80:f6:9e:3a:
        2c:b4:0a:2e:e0:ad:dd:91:1c:22:3e:79:a7:d5:e1:4e:ea:d5:
        4e:b0:58:47:2c:58:cf:85:ff:bc:3c:8a:97:38:88:a0:65:4f:
        46:44:6b:3c:55:91:6a:38:4b:86:fb:ec:9b:5e:88:c7:af:4c:
        fb:fd:af:40:dd:fc:f5:15:a6:64:44:4f:16:2a:7e:03:4f:99:
        66:65:f7:8e:52:45:1c:f9:f5:5d:c0:4f:d8:16:fc:78:68:5c:
        08:57:38:49:33:5f:2c:16:15:4f:86:08:36:d3:9b:81:e0:b5:
        fe:0c:ee:4c:74:23:47:e8:9e:03:ac:fd:a1:99:32:34:8c:54:
        0f:4b:6f:e4:42:dc:cf:8b:e4:16:27:af:a0:7d:9e:54:e7:a8:
        5f:dc:ef:cb:cc:44:7d:ae
  • Does the submitter’s embedded certificate match the organization they are submitting under? Yes Subject: C = FR, ST = Ile-de-France, L = Vitry-Sur-Seine, O = ZEETIM SAS, OU = ZEETIM SAS CERTIFICATE AUTHORITY, CN = ZEETIM SAS ROOT CA
  • Does the submitter have reasonable access controls in place (e.g. HSM, etc.) for the private half of the public key embedded in their shim? Yubikey HW token.
  • Does the embedded certificate have a reasonable validity period? Yes, 30 years
  • Reasonable key length and algo? Yes, RSA4K & SHA256

SBAT

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.zeetim,1,Zeetim,shim,15.8,mail:[email protected]
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.zeetim,1,Zeetim,grub,2.12,mail:[email protected]
  • Is SBAT data present in the provided binaries, and does it match what was provided in the answers to issue template questions? Yes

GRUB

  • Does the submitter use grub as a bootloader? Yes
  • Does it have the patches stated by the issue template and README.md? Yes
  • Are there any custom patches applied? Yes. Patches look to be sourced from Canonical / Debian.
  • Which grub modules are built in? part_msdos part_gpt part_msdos fat memdisk squash4 iso9660 cpio loopback keylayouts at_keyboard all_video gfxterm terminal font gettext echo regexp cat gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa password_pbkdf2 pbkdf2 efinet tftp http linux boot halt reboot minicmd sleep test gzio normal configfile peimage

Kernel

  • What kernel is loaded, and does it have all the patches stated by the issue template and README.md? Yes, using stable version of Linux kernel 6.10.7 without additional patches
  • How is lockdown enforced? Kernel compiled with CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY, CONFIG_MODULE_SIG_FORCE, CONFIG_INTEGRITY_PLATFORM_KEYRING and CONFIG_INTEGRITY_MACHINE_KEYRING. Grub also uses a builtin GPG key to prevent tampering with grub configs and initrd.

Additional Comments / Questions

  • shim and grub seem to derive from Canonical. If this is indeed the case, it is recommend to include Ubuntu's SBAT information as well in case there is a need to revoke a whole family of builds due to a shared vendor patch.
  • In the ephemeral key question, you indicate that you use the ephemeral key to sign kernel modules. But in the launched components question, you indicate the kernel modules are signed using the same vendor keypair used inside the shim image. Can you clarify how your kernel modules are signed?

@aronowski
Copy link
Collaborator

Just wanted to mention that if the kernel modules are double-signed, this will need to be corrected before the submission is ready for acceptance: see #362 (comment)

@aronowski aronowski added the question Reviewer(s) waiting on response label Nov 10, 2024
@steve-mcintyre steve-mcintyre added Accredited review needed Needs a successful review by an accredited reviewer and removed extra review wanted labels Nov 13, 2024
@zeetim
Copy link
Author

zeetim commented Nov 25, 2024

  • I have fix the Readme, we use only ephemeral key for Kernel module.
  • And for sbat, we use only a small part of all the patch from Ubuntu, we are more close to "standard" grub than ubuntu grub.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Accredited review needed Needs a successful review by an accredited reviewer contacts verified OK Contact verification is complete here (or in an earlier submission) easy to review This submission might be a good place to start for an inexperienced reviewer new vendor This is a new vendor question Reviewer(s) waiting on response
Projects
None yet
Development

No branches or pull requests

7 participants