
Alpaquita Linux shim-15.8 x64 and aarch64 #426

Closed
8 tasks done
akodanev opened this issue May 31, 2024 · 9 comments
Assignees
Labels
accepted Submission is ready for sysdev contacts verified OK Contact verification is complete here (or in an earlier submission)

Comments

akodanev commented May 31, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/akodanev/shim-review/tree/alpaquita-shim-x64-aarch64-20240624


What is the SHA256 hash of your final SHIM binary?


f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  shimaa64.efi
2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


#325


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


#325 (comment)

@steve-mcintyre
Collaborator

Contact verification has been done previously, marking as such

@steve-mcintyre steve-mcintyre added the contacts verified OK Contact verification is complete here (or in an earlier submission) label May 31, 2024
@THS-on THS-on self-assigned this Jun 17, 2024
@THS-on
Collaborator

THS-on commented Jun 23, 2024

Review for alpaquita-shim-x64-aarch64-20240528

  • Requires a shim because they provide custom kernel builds for their Linux distro, Alpaquita Linux
  • Last review was accepted, but not signed by MS
  • Contacts were verified in Alpaquita Linux shim-15.7 x64 #325

Shim

  • Based on 15.8
  • SBAT looks fine
  • No patches
  • NX disabled
  • CA hasn't changed (2048bit RSA, valid till 2033)
  • Builds reproducibly using Dockerfile
#20 0.249 2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  /shim-review/shimx64.efi
#20 0.252 2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  /pkg/x86_64/boot/efi/EFI/alpaquita/shimx64.efi
#20 0.460 f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  /shim-review/shimaa64.efi
#20 0.463 f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  /pkg/aarch64/boot/efi/EFI/alpaquita/shimaa64.efi

Kernel

  • Based on 6.1
  • Includes lockdown patches, and they are enabled in config
  • ephemeral key signing is used

GRUB

  • Based on 2.12-r3
  • Includes peimage patches (latest version from Debian) and adds the SBAT entry for that (good)
  • Other patches from Alpine look fine (mostly related to configs and not grub itself)
  • SBAT looks fine

Notes and questions

  • The latest submission template now includes a question on how you contributed to the shim review process (1a54c18). Please add that and continue to contribute to this community effort. Thank you for helping review the Debian submission!
  • Are you planning on signing UKIs, systemd-boot or fwupd in the future?

Besides those questions LGTM
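Both reviewers in this thread rebuild the submitted shim images from the Dockerfile and compare the resulting sha256 hashes (and, on a mismatch, a hexdump diff) against the binaries in the review tree. The following is an added example, not code from this thread or from the shim-review project, showing that check as a small Python routine: it parses a sha256sum-style manifest like the one in the submission, verifies both the submitted and the rebuilt image against it, and on a mismatch reports the offset where the two images first diverge. The manifest and the two byte strings are constructed stand-ins, not real shim images.

```python
"""Verify that a rebuilt shim binary reproduces the submitted one.

Added example (not the shim-review project's code). The sample images and
manifest below are constructed so the script runs offline; in practice the
dicts would hold the bytes of the submitted and rebuilt .efi files.
"""
import hashlib
import re

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex, the form sha256sum prints."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<digest>  <name>') into {name: digest}.

    A malformed digest raises instead of being skipped, so a truncated hash in
    a submission can never be counted as a match.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, sep, name = line.partition("  ")
        if not sep or not _HEX64.match(digest):
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None when the images are identical.

    This is the number a reviewer would otherwise read off a hexdump diff.
    """
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_rebuild(manifest_text: str, submitted: dict, rebuilt: dict) -> dict:
    """Check every binary named in the manifest.

    submitted and rebuilt map file name -> bytes. For each name the result
    records whether the submitted image matches the declared hash, whether
    the rebuilt image matches it too, and where they first diverge if not.
    """
    report = {}
    for name, digest in parse_manifest(manifest_text).items():
        sub = submitted.get(name)
        reb = rebuilt.get(name)
        if sub is None or reb is None:
            report[name] = {"status": "missing"}
            continue
        sub_ok = sha256_hex(sub) == digest
        reb_ok = sha256_hex(reb) == digest
        report[name] = {
            "status": "reproducible" if sub_ok and reb_ok else "mismatch",
            "submitted_matches_manifest": sub_ok,
            "rebuilt_matches_manifest": reb_ok,
            "first_difference": first_difference(sub, reb),
        }
    return report


# Constructed sample inputs (not real shim images): a fake PE-like blob and a
# copy with one byte changed, standing in for a rebuild that did not reproduce.
SAMPLE_SHIM = b"MZ" + bytes(range(256)) * 4
SAMPLE_SHIM_ALTERED = SAMPLE_SHIM[:300] + b"\xff" + SAMPLE_SHIM[301:]
SAMPLE_MANIFEST = f"{sha256_hex(SAMPLE_SHIM)}  shimx64.efi\n"

if __name__ == "__main__":
    good = verify_rebuild(SAMPLE_MANIFEST, {"shimx64.efi": SAMPLE_SHIM},
                          {"shimx64.efi": SAMPLE_SHIM})
    bad = verify_rebuild(SAMPLE_MANIFEST, {"shimx64.efi": SAMPLE_SHIM},
                         {"shimx64.efi": SAMPLE_SHIM_ALTERED})
    print(good)  # status 'reproducible', first_difference None
    print(bad)   # status 'mismatch', first_difference 300
```

The three-way result matters in review: a submitted image that matches the manifest while the rebuild does not points at the build environment, whereas a submitted image that fails its own manifest means the wrong file was uploaded.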

@THS-on THS-on added extra review wanted Initial review(s) look good, another review desired question Reviewer(s) waiting on response labels Jun 23, 2024
@akodanev
Author

@THS-on thanks for your review!

Last review was accepted, but not signed by MS

It was returned signed by Microsoft some time after the issue was closed. I should have mentioned this in a comment there.

The latest submission template includes now question on how you contributed to the shim review process

Added. The new tag is https://github.com/akodanev/shim-review/tree/alpaquita-shim-x64-aarch64-20240624.

Are you planning on signing UKIs, systemd-boot or fwupd in the future?

There are no plans to sign UKI or systemd-boot. However, we will most likely make the fwupd component available for review in the next shim update.

@THS-on
Collaborator

THS-on commented Jun 28, 2024

@akodanev thanks for the clarifications. LGTM from my side.

@THS-on THS-on removed the question Reviewer(s) waiting on response label Jun 28, 2024
@SherifNagy
Collaborator

Review of alpaquita-shim-x64-aarch64-20240624

  • Security contacts look good, didn't change since last successful submission
  • Keys are stored in FIPS HSM

Shim

  • Uses upstream 15.8 and source hashes match original hashes
  • SBAT entries from shim look fine
  • No patches added on top of upstream shim
  • Vendor SBAT entry is at 1
  • Binaries are reproducible using the container image
--> da351481bf72
STEP 18/18: RUN for i in x86_64 aarch64; do         case $i in             x86_64) shim_name=shimx64.efi;;             aarch64) shim_name=shimaa64.efi;;         esac;         sha256sum /shim-review/$shim_name /pkg/$i/boot/efi/EFI/alpaquita/$shim_name;         hexdump -Cv /pkg/$i/boot/efi/EFI/alpaquita/$shim_name > build.$i;         hexdump -Cv /shim-review/$shim_name > orig.$i;         diff -u orig.$i build.$i;     done
2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  /shim-review/shimx64.efi
2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  /pkg/x86_64/boot/efi/EFI/alpaquita/shimx64.efi
f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  /shim-review/shimaa64.efi
f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  /pkg/aarch64/boot/efi/EFI/alpaquita/shimaa64.efi
  • NX flag is not set, because the chain is not yet ready
  • Self-signed 2048-bit cert, valid for almost 9 years

GRUB2

  • SBAT looks "mostly" fine
  • NTFS module isn't shipped and sbat entry is at grub,4
  • Module list looks fine

Kernel

  • Ephemeral keys are used for signing kernel modules
  • Lockdown patches are included from Debian

Notes

Other than those few notes, LGTM
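Both reviews above check the SBAT metadata of shim and GRUB (vendor entry at generation 1, upstream grub entry at 4, the sbat version record first). As an added example that is not code from this thread or from the shim-review project, here is a small Python checker for that: it parses SBAT data in its CSV layout and evaluates it against an SbatLevel-style revocation policy, reporting which components would be revoked. The sample SBAT section, the policy, the generation numbers and the vendor URLs are constructed for illustration and are not taken from the Alpaquita binaries under review.

```python
"""Parse SBAT metadata and evaluate it against a revocation policy.

Added example (not the shim-review project's code). Sample data below is
constructed; generations and vendor URLs are illustrative.
"""
import csv
import io

# Constructed .sbat section contents. SBAT rows are CSV with the fields
# component_name, component_generation, vendor_name, vendor_package_name,
# vendor_version, vendor_url; the first row must be the 'sbat' version record.
SAMPLE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.peimage,2,Canonical,grub2,2.12-1,https://example.invalid/peimage-patches
grub.alpaquita,1,Alpaquita Linux,grub,2.12-r3,https://example.invalid/alpaquita
"""

# Constructed revocation policy in the SbatLevel layout: a component name and
# the minimum generation a binary must carry for that component to still boot.
SAMPLE_POLICY = """\
sbat,1,2024010900
shim,4
grub,4
"""


def parse_sbat(text: str) -> list:
    """Return [(component, generation, remaining_fields)] for each data row."""
    entries = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT row: {fields}")
        entries.append((fields[0], int(fields[1]), fields[2:]))
    return entries


def parse_policy(text: str) -> dict:
    """Return {component: minimum_generation} from SbatLevel-style rows."""
    policy = {}
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        policy[fields[0]] = int(fields[1])
    return policy


def check_sbat(sbat_text: str, policy_text: str) -> list:
    """List every reason the policy would reject this SBAT data.

    An empty list means the binary passes. Components the policy does not
    name are ignored, which is how SBAT scopes a revocation to one component.
    """
    entries = parse_sbat(sbat_text)
    if not entries:
        return ["no SBAT metadata present"]
    if entries[0][0] != "sbat":
        return ["first SBAT entry must be the 'sbat' version record"]
    generations = {name: gen for name, gen, _ in entries}
    problems = []
    for component, minimum in parse_policy(policy_text).items():
        have = generations.get(component)
        if have is not None and have < minimum:
            problems.append(
                f"{component}: generation {have} is below the policy minimum {minimum}")
    return problems


def vendor_entries(sbat_text: str, component: str) -> dict:
    """Downstream entries for a component, e.g. 'grub.alpaquita' under 'grub'.

    Reviewers expect a brand-new vendor entry to start at generation 1.
    """
    return {name: gen for name, gen, _ in parse_sbat(sbat_text)
            if name.startswith(component + ".")}


if __name__ == "__main__":
    print(check_sbat(SAMPLE_SBAT, SAMPLE_POLICY))        # []
    print(vendor_entries(SAMPLE_SBAT, "grub"))           # {'grub.peimage': 2, 'grub.alpaquita': 1}
    print(check_sbat(SAMPLE_SBAT.replace("grub,4,", "grub,3,"), SAMPLE_POLICY))
```

The revocation semantics are the part worth internalising: raising grub's minimum to 4 in the policy revokes every GRUB build still carrying grub,3, but leaves shim and any vendor-specific entries untouched, which is why a downstream entry such as grub.alpaquita,1 can coexist with an upstream grub,4.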

@akodanev
Author

For your next submission, make sure to include the patch from here

OK. I am hoping that this will be the next release of the shim so that the patch will already be there.

Regarding grub2 sbat entry, if you are fetching from Alpine, I guess you need to maintain the upstream SBAT entry in your SBAT

There is none upstream. Maybe it's only helpful if there's more than one such shim/grub based on this Alpine version.

Other than those few notes, LGTM

Thank you @SherifNagy!

@THS-on
Collaborator

THS-on commented Jul 22, 2024

Regarding grub2 sbat entry, if you are fetching from Alpine, I guess you need to maintain the upstream SBAT entry in your SBAT, @THS-on any thoughts on this?

@SherifNagy as mentioned Alpine does not have one. As the current package is mostly vanilla GRUB2 + peimage patches, I'm fine with not having an Alpine specific one.

@THS-on THS-on added accepted Submission is ready for sysdev and removed extra review wanted Initial review(s) look good, another review desired labels Jul 22, 2024
@THS-on
Collaborator

THS-on commented Jul 22, 2024

marking it as accepted

@akodanev
Author

akodanev commented Aug 5, 2024

The signed binaries have been received. Closing this as completed.

@akodanev akodanev closed this as completed Aug 5, 2024