SUSE Liberty Linux 9

[jsegitz]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/jsegitz/shim-review/tree/SUSE-liberty-15.8-20240514

---

What is the SHA256 hash of your final SHIM binary?

---

$ sha256sum shimx64.efi

013d595e73d76dc627f2cebf45206064db4249683361f781ddb7f6bb0d61805f shimx64.efi

$ pesign --hash --padding --in=shimx64.efi

hash: be992c206387509db24838c7c8af66eae563f3cdaaa088f5da03cf4891f8146f

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

This is the first request to review shim on SUSE Liberty Linux 9.

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

I don't think we (Marcus Meissner, Johannes Segitz) have had our contacts verified. But I've submitted multiple
submissions that were accepted with these security contacts. Right answer probably still is
N/A

[steve-mcintyre]

I don't think we (Marcus Meissner, Johannes Segitz) have had our contacts verified. But I've submitted multiple
submissions that were accepted with these security contacts. Right answer probably still is
N/A

OK, let's do the verification this time then. :-) Mails on the way.

[msmeissn]

"howitzer dactyls misnomers birthday sinuous purport sighting concern Melanesian Adhara" was the requested to be quoted phrase

[jsegitz]

For me it is:
châteaux councils gendarmes toolboxes mulch dictatorship odorless recessions simulcasting lockout

[steve-mcintyre]

Contact verification successful - thanks!

[jsegitz]

is there anything I can do to help the review process?

[aronowski]

shim:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.sll,3,SUSE Liberty Linux,shim,15.8-2.el9,mail:security@suse.com

grub2:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https//www.gnu.org/software/grub/
grub.rhel,2,Red Hat Enterprise Linux,grub2,2.06-70.el9_3.2,mail:secalert@redhat.com
grub.sll,2,SUSE,grub2,2.06-70.el9_3.2.2,mailto:security@suse.com

Why are the product-specific generation numbers set the way they are? Were there any earlier ones that had to be denylisted, that I'm not aware of?

The binary is reproducible and the characteristics seem OK, apart from the downstream generation number bothering me. Let's clarify it!

---

The kernel rpm has been split into two files because of GH file restrictions. Just concatenate them to receive the rpm

Please use a separate repository for the SRPM's contents next time.

---

is there anything I can do to help the review process?

Reducing the size of the repository would definitely come in handy especially for those on mobile networks:

$ time git clone https://github.com/jsegitz/shim-review.git
Cloning into 'shim-review'...
[...]

real	5m46.794s
user	0m40.157s
sys	0m19.945s

[jsegitz]

Why are the product-specific generation numbers set the way they are? Were there any earlier ones that had to be denylisted, that I'm not aware of?

Those SBAT numbers have been set to follow upstream RHEL9 as close as possible. We have no custom changes previously made, and no pre-15.8 shims submitted for a review on Liberty 9.

Please use a separate repository for the SRPM's contents next time.

will do so

Reducing the size of the repository would definitely come in handy especially for those on mobile networks:

yes, sorry. There's also some history in there that doesn't need to be there. I'll create a new repository from scratch next time and split out the SRPM's

[THS-on]

Review for SUSE-liberty-15.8-20240514

• SUSE is a well known Linux vendor
• keys are kept in a custom HSM environment (same as in other SUSE submissions)
• Contacts have been verified

Shim

• Based on upstream 15.8 with no additional patches
• Self signed CA, valid till 2037 using 2048bit RSA
• NX flag is disabled
• Is reproducible using Dockerfile:

#25 [21/21] RUN sha256sum /usr/share/shim/15.8-2.el9/x64/shimx64.efi /shimx64.efi
#25 0.248 013d595e73d76dc627f2cebf45206064db4249683361f781ddb7f6bb0d61805f  /usr/share/shim/15.8-2.el9/x64/shimx64.efi
#25 0.250 013d595e73d76dc627f2cebf45206064db4249683361f781ddb7f6bb0d61805f  /shimx64.efi
#25 DONE 0.3s

GRUB2

• Still on SBAT level 3 (as ntfs fixes are not included, fine as ntfs module was not signed)
• SBAT looks fine (see clarification in other comment)
• Based on RHEL sources

Kernel

• Based on 5.14
• Includes lockdown patches
• ephemeral key signing is used

Notes

• The UKI entry should be added to [meta] unifying and tracking UKI / systemd-boot SBAT entries #397

LGTM!

[jsegitz]

thank you very much. I'll sent the shim to MS tomorrow

[steve-mcintyre]

Only close this once it's signed please!

[jsegitz]

okay, sorry. Didn't know that

[jsegitz]

got signed by MS