
Shim 15.4 + critical patches for CloudReady #193

Closed
9 tasks done
pnardini opened this issue Jul 13, 2021 · 2 comments
Labels
accepted Submission is ready for sysdev

Comments

@pnardini

pnardini commented Jul 13, 2021

Make sure you have provided the following information:

  • link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
    neverware/shim-review@google-shim-20210713
  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries
What organization or people are asking to have this signed:

Google

What product or service is this for:

CloudReady

Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin of your shim.

We can confirm that all of our shim binaries are built from the referenced tarball.

What's the justification that this really does need to be signed for the whole world to be able to boot it:

CloudReady is a Linux distribution, forked from Chromium OS. We want to enable (and encourage) our user base to boot our OS with secure boot enabled.

How do you manage and protect the keys used in your SHIM?

Our keys are stored on a SafeNet eToken 5110 HSM that is under physical access control.

Do you use EV certificates as embedded certificates in the SHIM?

Yes

If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?

We do not use this functionality

Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if your boot chain includes a Linux kernel?

Yes, this commit is applied in our kernel but appears as 824d0b6225f3fa2992704478a8df520537cfcb56 https://github.com/neverware/kernel/commit/824d0b6225f3fa2992704478a8df520537cfcb56

if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?

All of the referenced CVEs are fixed in our GRUB2 fork

"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim

shim SBAT (https://raw.githubusercontent.com/neverware/shim-build/v6/sbat.csv)

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.cloudready,1,CloudReady,shim,15.4,https://github.com/neverware/shim-build

grub2 SBAT (https://raw.githubusercontent.com/neverware/grub2-build/main/container/sbat.csv)

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06~rc1,https://www.gnu.org/software/grub/
grub.cloudready,1,CloudReady,grub2,2.06~rc1-1,https://github.com/neverware/grub2-build

We do not currently support fwupd / fwupdate.

Were your old SHIM hashes provided to Microsoft ?

Yes, our old vulnerable hashes have been sent to Microsoft for verification via email to ueficamanualreview@microsoft.com.

Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?

This shim embeds a new certificate that has not yet been used to sign any released versions of our bootloader, effectively revoking all bootloader releases to date.

What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?

Downstream RHEL/Fedora/Debian/Canonical like implementation

What is the origin and full version number of your bootloader (GRUB or other)?

The version of grub2 we build is based off of the RedHat fork:
https://github.com/rhboot/grub2/tree/fedora-34

We require a few additional changes on top of that, so we have our own
fork, currently based on the fedora-34 branch of RedHat's fork:
https://github.com/neverware/grub2

The tools that we use to build our fork of grub2 can be found here:
https://github.com/neverware/grub2-build

Here is a list of the changes we apply:

Two patches from the master branch of the upstream GNU repo
(http://git.savannah.gnu.org/gitweb/?p=grub.git) to fix warnings:

bdf170d1018a500a7fea8d43677c5b4fc8812c74 (mdraid1x_linux: Fix gcc10 error -Werror=array-bounds)
68006d173291c6e972c4882d4fa40dc91a9c1d45 (zfs: Fix gcc10 error -Werror=zero-length-bounds)

Two patches from ChromiumOS:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/3d20670d426f9e1864e8d87fe2344770ff09614a/sys-boot/grub/files/

0001-Forward-port-ChromeOS-specific-GRUB-environment-vari.patch
0002-Forward-port-gptpriority-command-to-GRUB-2.00.patch

A patch to fix compilation with rpm-sort disabled:

Fix disabling gnus-rpm-sort grub2#46

And a couple Neverware-authored patches to fix warnings:

fbbdb83a8874cf808faae7a62643cb936986dd08 (Fix a sign-compare warning)
e37e9ced05e7406b60ef8df401126f0c65de4399 (Fix compilation warnings on 32-bit)

If your SHIM launches any other components, please provide further details on what is launched

N/A

If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown

N/A

If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.

We are changing to a new certificate.

How do the launched components prevent execution of unauthenticated code?

Our shim launches grub2 built with secure-boot support.

Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?

No

What kernel are you using? Which patches does it include to enforce Secure Boot?

Our kernel is based on v5.4 and has secure boot enabled.

What changes were made since your SHIM was last signed?
  1. We've updated to shim 15.4 with the following critical patches:
  2. Our embedded EV code signing cert has been updated with a renewed version. The new cert now expires on 2022/09/22
What is the SHA256 hash of your final SHIM binary?

f8c896b379dde11974324cd6b4920b6bce7e12d5a6ecef1fd2f0ea7ab570e4a1 shimia32.efi
eb0b333b209c59ae96aad58d1b8417a71a9f0653ed1133479b9da772601a3f9f shimx64.efi
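The SBAT entries quoted in the submission above are what shim compares against its SbatLevel revocation policy: every component named in the policy that also appears in a binary's .sbat section must carry a generation at or above the policy's minimum, otherwise shim refuses to load the binary. The script below is an added example written for this page; it is not code from the CloudReady submission, from neverware/shim-build, or from shim itself. It parses the two CSVs exactly as posted, applies the structural checks a reviewer makes (six fields per row, integer generation, `sbat` header first, a vendor-specific entry present), and evaluates them against a policy dictionary whose values are constructed for illustration (a policy requiring `grub,2` is the kind of revocation that would reject the generation-1 grub entry shown).

```python
"""SBAT parse, lint and policy check for the sbat.csv entries posted above.

Added example for this page, not the submission's own tooling or shim's code.
The policy dictionaries passed to allowed_by_policy() are constructed inputs,
not real SbatLevel revocation data.
"""
import csv
from io import StringIO

# The two CSVs quoted in the submission, copied verbatim as sample input.
SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.cloudready,1,CloudReady,shim,15.4,https://github.com/neverware/shim-build
"""

GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06~rc1,https://www.gnu.org/software/grub/
grub.cloudready,1,CloudReady,grub2,2.06~rc1-1,https://github.com/neverware/grub2-build
"""

# Field layout of one SBAT row, per rhboot/shim SBAT.md.
FIELDS = ("component", "generation", "vendor", "package", "version", "url")


def parse_sbat(text):
    """Parse SBAT CSV text into a list of dicts; raise ValueError on malformed rows."""
    rows = []
    for lineno, row in enumerate(csv.reader(StringIO(text)), start=1):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        entry = dict(zip(FIELDS, row))
        if not entry["generation"].isdigit() or int(entry["generation"]) < 1:
            raise ValueError(f"line {lineno}: generation must be a positive integer")
        entry["generation"] = int(entry["generation"])
        rows.append(entry)
    if not rows or rows[0]["component"] != "sbat":
        raise ValueError("first entry must be the 'sbat' header line")
    return rows


def lint(rows, vendor_suffix):
    """Reviewer-style structural checks. Returns a list of problem strings (empty = clean)."""
    problems = []
    names = [r["component"] for r in rows]
    if len(names) != len(set(names)):
        problems.append("duplicate component names")
    # The review asks for a vendor-specific entry (e.g. shim.cloudready) after the generic one.
    if not any(n.endswith("." + vendor_suffix) for n in names[1:]):
        problems.append(f"no vendor-specific entry ending in .{vendor_suffix}")
    return problems


def allowed_by_policy(rows, policy):
    """Mimic shim's SBAT generation check.

    policy maps component name -> minimum acceptable generation. A binary is
    rejected if any of its components is named in the policy with a generation
    below the minimum; components absent from the policy are not constrained.
    Returns (allowed, reasons).
    """
    reasons = []
    for r in rows:
        minimum = policy.get(r["component"])
        if minimum is not None and r["generation"] < minimum:
            reasons.append(f"{r['component']} generation {r['generation']} < required {minimum}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, text in (("shim", SHIM_SBAT), ("grub2", GRUB_SBAT)):
        rows = parse_sbat(text)
        print(name, "lint:", lint(rows, "cloudready") or "ok")
        # Constructed policy: a hypothetical revocation bumping grub to generation 2.
        print(name, "policy grub>=2:", allowed_by_policy(rows, {"sbat": 1, "grub": 2}))
```

Running it shows both CSVs passing lint and the shim binary passing the constructed policy, while the grub2 binary is rejected because its `grub` component is generation 1; that is the effect a future SbatLevel bump has on every grub build that has not been rebuilt with a higher generation, and why the vendor-specific entry exists so a distribution's own fix can be distinguished from the upstream generation.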

@julian-klode
Collaborator

julian-klode commented Aug 9, 2021

Questions look OK, build reproduces, everything looks sensible.

I want to note that while the signing request is made as Google, the certificate is still issued to Neverware, but I guess that's fine.

Accepted. Please close the issue once you got a signed shim back from MS

@julian-klode julian-klode added the accepted Submission is ready for sysdev label Aug 9, 2021
@pnardini
Author

pnardini commented Aug 9, 2021

Thank you @julian-klode for the review!
