Shim-15.8 for LUX 2.0 x64_ia32 #396

Open
8 tasks done
Rodrigo-NR opened this issue Mar 4, 2024 · 21 comments
Labels
accepted Submission is ready for sysdev contacts verified OK Contact verification is complete here (or in an earlier submission)

Comments

@Rodrigo-NR

Rodrigo-NR commented Mar 4, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/Rodrigo-NR/shim-review/tree/lux2.0-shim-amd64_i386-20240304

New tag with GRUB 1+2.12+2:
https://github.com/Rodrigo-NR/shim-review/tree/lux2.0-shim-amd64_i386-20240612


What is the SHA256 hash of your final SHIM binary?


7e8e4368bb69563d5c479fe61270ceb4fe61e9dc06575e4645426713590aa9da shimia32.efi
c2afb5e3c305c894c299b54157a1a05891e4b7b0f6722a00696999820490e5db shimx64.efi


What is the link to your previous shim review request (if any, otherwise N/A)?


#308

@SherifNagy
Collaborator

Just a quick note: you might want to increase the grub.debian entry to 5 and release a new grub, or wait until Debian releases a new grub with the increased global generation number; the current shim 15.8 already revokes grub.debian,4.
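
To make the generation-number point concrete, here is an added illustration (not code from this thread or from shim) of how a shim-style SBAT revocation list is applied to a binary's .sbat section. The policy text and the two .sbat sections are constructed for the example and only assume what the comment states: a policy entry of grub.debian,5 revokes any GRUB still at grub.debian,4.

```python
"""Check a binary's .sbat CSV against a shim-style SBAT revocation policy.

Added illustration for this thread, not shim's own code. The policy and the
.sbat sections below are constructed; they are not copied from shim 15.8 or
from Debian's GRUB packages.
"""
import csv
from io import StringIO


def parse_sbat_section(text):
    """Map component -> generation from .sbat CSV rows
    (component,generation,vendor,package,version,url)."""
    gens = {}
    for row in csv.reader(StringIO(text)):
        if row and not row[0].startswith("#"):
            gens[row[0].strip()] = int(row[1])
    return gens


def parse_policy(text):
    """Map component -> minimum allowed generation from a revocation
    list whose lines are component,generation[,date]."""
    return {row[0]: int(row[1]) for row in csv.reader(StringIO(text)) if row}


def revoked_entries(binary_gens, policy):
    """(component, binary_generation, required_generation) for every
    component the binary carries whose generation is below the policy minimum.
    Components absent from the binary are not a match."""
    return [(c, binary_gens[c], need) for c, need in policy.items()
            if c in binary_gens and binary_gens[c] < need]


# Constructed policy excerpt: "grub.debian,5" revokes grub.debian generations < 5.
POLICY_SHIM_15_8 = "sbat,1,2024010900\ngrub,4\ngrub.debian,5\n"

# Constructed .sbat sections for a Debian GRUB at grub.debian generation 4 and 5.
SBAT_HEADER = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               "grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/\n")
GRUB_DEBIAN_GEN4 = SBAT_HEADER + "grub.debian,4,Debian,grub2,2.12-1,https://tracker.debian.org/pkg/grub2\n"
GRUB_DEBIAN_GEN5 = SBAT_HEADER + "grub.debian,5,Debian,grub2,2.12-2,https://tracker.debian.org/pkg/grub2\n"

if __name__ == "__main__":
    policy = parse_policy(POLICY_SHIM_15_8)
    for name, sbat in (("gen4", GRUB_DEBIAN_GEN4), ("gen5", GRUB_DEBIAN_GEN5)):
        print(name, revoked_entries(parse_sbat_section(sbat), policy))
```

The gen4 image is reported as revoked on grub.debian (has 4, needs 5); the gen5 image passes every policy entry.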

@THS-on THS-on added the contact verification needed Contact verification is needed for this review label Mar 8, 2024
@THS-on
Collaborator

THS-on commented Mar 8, 2024

@Rodrigo-NR I see that the second security contact changed to you and it is with an IPT email address. Because you are submitting on behalf of Lenovo, can @ManigaLenovo and you clarify what the relationship these two entities have?

@ManigaLenovo

Lenovo has an R&D contract with IPT, and we are developing the Lux Linux distribution. @Rodrigo-NR is the IPT developer responsible for secure boot, and @icteixeira works with us in the development of the Lux Linux distro.

Below is the link where you can check more about the Lenovo and IPT partnership (only in Portuguese).

https://ipt.br/2023/05/23/tecnologias-digitais-para-todos/

@es-fabricemarie

I am not an official reviewer, but I just want to help with the reviewers' workload.

  • build uses official 15.8 tarball and no patch

  • build is reproducible

  • shims shasums match:

    7e8e4368bb69563d5c479fe61270ceb4fe61e9dc06575e4645426713590aa9da  shimia32.efi
    c2afb5e3c305c894c299b54157a1a05891e4b7b0f6722a00696999820490e5db  shimx64.efi
    
  • certificate: valid for 20 years, 2048 bits RSA.

    • Issuer: C = US, ST = North Carolina, O = Lenovo, CN = Lenovo UEFI CA 2014
    • according to the cert fingerprint, that is the exact certificate available already on my Lenovo laptop, in the UEFI secureboot DB variable.
      • is that expected or even a good thing to re-use the same cert here?
  • sbat sections look appropriate

  • NX compat is disabled

    objdump -p shimx64.efi  | grep DllCharacteristics
    
    DllCharacteristics      00000000
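
The DllCharacteristics check above reads one 16-bit field of the PE optional header; as an added illustration (not code from this thread or from shim), the function below locates that field in a PE32 or PE32+ image and tests the NX_COMPAT bit (0x0100), which is the bit objdump would show as non-zero. The image it runs on is a constructed header stub, not a real shim binary.

```python
"""Report the NX_COMPAT bit from a PE/COFF image's DllCharacteristics field.

Added illustration for this thread; not shim or binutils code. The stub
image built by make_stub_image() is constructed and is not loadable.
"""
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # the "NX compat" bit in DllCharacteristics


def dll_characteristics(image):
    """Return the DllCharacteristics word of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew -> "PE\0\0"
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both formats
    return struct.unpack_from("<H", image, opt + 70)[0]


def nx_compat(image):
    """True when the image declares NX compatibility."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def make_stub_image(dll_chars):
    """Constructed minimal PE32+ header (x86-64) carrying the given DllCharacteristics."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for chars in (0x0000, 0x0100):
        img = make_stub_image(chars)
        print("DllCharacteristics %04x  NX compat: %s" % (dll_characteristics(img), nx_compat(img)))
```

On a real file, `dll_characteristics(open("shimx64.efi", "rb").read())` returns the same value objdump prints; 0 means NX compat is disabled, as in the output above.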
    

@dennis-tseng99
Collaborator

Just briefly reviewing :

  • code can be reproduced (good)
  • Using 2048 bits for the certificate raises some concern, because NIST deems RSA 2048 sufficient until 2030 but your expiry year is 2034.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:09:48:62:90:34:75:92:87:34:95:87:23:09:4d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = North Carolina, O = Lenovo, CN = Lenovo UEFI CA 2014
        Validity
            Not Before: Jan 24 16:14:24 2014 GMT
            Not After : Jan 19 16:14:24 2034 GMT
        Subject: C = US, ST = North Carolina, O = Lenovo, CN = Lenovo UEFI CA 2014
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:

@Rodrigo-NR
Author

Thank you for the reviews. We will await feedback from the official reviewers regarding the certificate currently in use. I have not received the contact verification email; should we take any further action?

@es-fabricemarie

@Rodrigo-NR If you plan on using your distro only on Lenovos, and if you sign the shim yourself using that certificate, it should just work (i.e. no need to review it and get it signed by the Microsoft CA). Give it a try :)

@SherifNagy
Collaborator

Just a quick note: you might want to increase the grub.debian entry to 5 and release a new grub, or wait until Debian releases a new grub with the increased global generation number; the current shim 15.8 already revokes grub.debian,4.

By the way, it seems like there was a bit of a mistake here: you can keep grub.debian,4, and there is no harm if you already released grub.debian,5. Just thought to mention it.

@THS-on
Collaborator

THS-on commented May 19, 2024

Review of lux2.0-shim-amd64_i386-20240304

  • Well-known HW manufacturer
  • Accepted 15.7 submission, but it never got signed by MS

Shim

  • Based on 15.8 without any patches
  • NX is disabled
  • SBAT looks fine
  • certificate has not changed since last submission
  • Build is reproducible

GRUB2 and fwupd

  • GRUB2 based on 2.12-1 from Debian
  • GRUB2 modules look fine
  • SBAT looks fine

Linux Kernel

  • Based on 6.6.18
  • Has lockdown patches applied

Notes and Questions

  • Looking at other CAs, the Debian's CA is 2048 bit and valid until 2046. @steve-mcintyre any opinion on this?
  • Please update to GRUB2 2.12-2 as it fixes a CVE in the peimage loader
  • Are your kernel sources somewhere public?

@THS-on THS-on added the question Reviewer(s) waiting on response label May 19, 2024
@steve-mcintyre
Collaborator

Contact verification emails sent - please respond here as instructed.

@icteixeira

icteixeira commented May 27, 2024

Contact verification emails sent - please respond here as instructed.

alighting spooking bedroll cascade hampered mismatches oxygenates funnest apprehensively suborns

@Rodrigo-NR
Author

Contact verification emails sent - please respond here as instructed.

stupefy Panamanian squalor cleverly oversimplified racoon hypo rinses curls drainpipes

@steve-mcintyre
Collaborator

Two contacts have responded; verification is good.

@steve-mcintyre steve-mcintyre added contacts verified OK Contact verification is complete here (or in an earlier submission) and removed contact verification needed Contact verification is needed for this review labels May 27, 2024
@steve-mcintyre
Collaborator

Notes and Questions

* Looking at other CAs, the Debian's CA is 2048 bit and valid until 2046. @steve-mcintyre any opinion on this?

We discussed this in our meeting last week too. There's a worry that lots of firmware implementations still won't do more than 2048-bit RSA safely. :-( 2048 will do for now, and we'll check on that periodically.

* Please update to GRUB2 2.12-2 as it fixes a CVE in the peimage loader

Definitely, this is needed.

* Are your kernel sources somewhere public?

Do you have an answer for this please?

@Rodrigo-NR
Author

Rodrigo-NR commented Jun 12, 2024

Hello, @THS-on and @steve-mcintyre

We have updated GRUB, based on version 2+2.12+2 from Debian, and also updated SBAT. The modifications are in the tag https://github.com/Rodrigo-NR/shim-review/tree/lux2.0-shim-amd64_i386-20240612/.

The kernel source is available at https://github.com/rcilto1/kernel. We used version 6.6.18 from Kernel.org and applied some patches that are in the respective folder.

@THS-on
Collaborator

THS-on commented Jun 13, 2024

@Rodrigo-NR thanks!

  • GRUB update looks good
  • Kernel config and patches look fine from a kernel-module and lockdown perspective
    • CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is set
    • Module signing is activated

Please also add the new tag to the top comment of this issue, otherwise LGTM from my side. @dennis-tseng99 @steve-mcintyre can one of you have a look again?

@THS-on THS-on added extra review wanted Initial review(s) look good, another review desired and removed question Reviewer(s) waiting on response labels Jun 13, 2024
@Rodrigo-NR
Author

Thank you @THS-on,

I added the new tag in the top comment.

@steve-mcintyre steve-mcintyre self-assigned this Jun 16, 2024
@steve-mcintyre
Collaborator

Review of Shim-15.8 for LUX 2.0 x64_ia32

OK

  • Contact verification done - OK
  • shim builds reproduce here for x64 and ia32 - OK
  7e8e4368bb69563d5c479fe61270ceb4fe61e9dc06575e4645426713590aa9da  shimia32.efi
  c2afb5e3c305c894c299b54157a1a05891e4b7b0f6722a00696999820490e5db  shimx64.efi
  • key management using an HSM - OK
  • Kernel modules signed with ephemeral key - OK
  • NX bit not set - OK
  • Builds from 15.8 upstream, with no patches - OK
  • Includes a CA cert, expiring in Jan 2034 - OK
  Serial Number:
      03:09:48:62:90:34:75:92:87:34:95:87:23:09:4d
  Signature Algorithm: sha256WithRSAEncryption
  Issuer: C = US, ST = North Carolina, O = Lenovo, CN = Lenovo UEFI CA 2014
  Validity
      Not Before: Jan 24 16:14:24 2014 GMT
      Not After : Jan 19 16:14:24 2034 GMT
  Subject: C = US, ST = North Carolina, O = Lenovo, CN = Lenovo UEFI CA 2014
  • Using GRUB 2.12-2 copied from Debian trixie, so looks fine for fixes and patches and module list
  • Using fwupd-efi from Debian too
  • Shim has not been signed before, so no need for any revocations here.
  • kernel 6.6.18 with lockdown patches - OK
  • SBAT data looks fine for shim, GRUB and fwupd - OK

Issues / queries

None!

All looks good, accepting!

@steve-mcintyre steve-mcintyre added the accepted Submission is ready for sysdev label Jun 16, 2024
@THS-on THS-on removed the extra review wanted Initial review(s) look good, another review desired label Jun 17, 2024
@THS-on
Collaborator

THS-on commented Jul 29, 2024

@Rodrigo-NR did you get a signed shim back?

@Rodrigo-NR
Author

@THS-on
We submitted the SHIM to Microsoft, but it was not accepted and we don't know why. We are in contact with them to understand the reason for the rejection from Microsoft's side.

@es-fabricemarie

@Rodrigo-NR could it be that it is because your certificate is already in all Lenovo machines' UEFI DB keyring (as mentioned in my previous comment)?
As mentioned, on my Lenovo laptop I already have the cert with serial number 03:09:48:62:90:34:75:92:87:34:95:87:23:09:4d in my machine's DB keyring.

Otherwise are you sure that you:

  1. packaged your efi binaries in a cab file
  2. without directories
  3. signed the resulting cab file with your EV Code Signing certificate
