Shim 15.4 for openSUSE

[jsegitz]

Make sure you have provided the following information:

• link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
  https://github.com/jsegitz/shim-review/tree/SUSE-openSUSE15.3-shim-20210624
• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added do vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs

What organization or people are asking to have this signed:

SUSE, https://suse.com/

What product or service is this for:

openSUSE 15.3

Please create your shim binaries starting with the 15.4 shim release tar file:

https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2

This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains

the appropriate gnu-efi source.

Please confirm this as the origin your shim.

We use 15.4 shim +

• shim-arch-independent-names.patch: use the Arch-independent names.
• shim-bsc1177315-verify-eku-codesign.patch: Check CodeSign in the signer's EKU
• shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch: fix NULL pointer dereference in AuthenticodeVerify
• shim-change-debug-file-path.patch: change path of debug file
• remove_build_id.patch: don't add the build id from the resulting binaries
• shim-bsc1184454-allocate-mok-config-table-BS.patch: Handle 'Failed to lookup EFI memory descriptor' errors
• shim-bsc1185232-fix-config-table-copying.patch: Avoid buffer overflow when copying data to the MOK config table
• shim-bsc1185232-relax-loadoptions-length-check.patch: Ignore the odd LoadOptions length
• shim-bsc1185261-relax-import_mok_state-check.patch: Relax the check for import_mok_state() when Secure Boot is off.
• shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch: To handle ignore_db and user_insecure_mode correctly
• shim-bsc1185621-relax-max-var-sz-check.patch: Relax the maximum variable size check for u-boot
• shim-bsc1187260-fix-efi-1.10-machines.patch: Avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines
• shim-disable-export-vendor-dbx.patch: Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines
• shim-fix-aa64-relsz.patch: Fix the size of rela sections for AArch64

What's the justification that this really does need to be signed for the whole world to be able to boot it:

Major linux distribution

How do you manage and protect the keys used in your SHIM?

The key is installed in a machine with restricted physical and system access.
Shim binaries do not include private portions of the key.

Do you use EV certificates as embedded certificates in the SHIM?

Yes

If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?

n/a

Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?

yes

if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,

CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,

CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,

CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,

( July 2020 grub2 CVE list + March 2021 grub2 CVE list )

and if you are shipping the shim_lock module CVE-2021-3418

fixed ?

yes

"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata

( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?

Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim

We use this pattern:
shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-team@suse.de

So for this shim:
shim.opensuse,1,The openSUSE project,shim,15.4,mail:security-team@suse.de

Were your old SHIM hashes provided to Microsoft ?

yes

Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,

CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,

CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )

grub2 bootloaders can not be verified ?

yes (rotated signing key, old shims are blacklisted)

What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?

* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?

Downstream RHEL/Fedora/Debian/Canonical like implementation

What is the origin and full version number of your bootloader (GRUB or other)?

upstream grub-2.04 with patches for all currently discussed security issues

If your SHIM launches any other components, please provide further details on what is launched

it doesn't

If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,

please provide further details on what is launched and how it enforces Secureboot lockdown

n/a

If you are re-using a previously used (CA) certificate, you

will need to add the hashes of the previous GRUB2 binaries

exposed to the CVEs to vendor_dbx in shim in order to prevent

GRUB2 from being able to chainload those older GRUB2 binaries. If

you are changing to a new (CA) certificate, this does not

apply. Please describe your strategy.

We switched to a new certificate after boothole2

How do the launched components prevent execution of unauthenticated code?

GRUB and kernel are patched to enforce Secure Boot.

Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?

no

What kernel are you using? Which patches does it includes to enforce Secure Boot?

5.3.18 +
Module signing / secure boot
patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch

Lock down functions for UEFI secure boot
patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch
patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch
patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch

Using the hash in MOKx to blacklist kernel module, FATE#316531
patches.suse/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
patches.suse/0001-efi-add-a-function-to-convert-the-status-code-to-a-s.patch
patches.suse/0002-efi-show-error-messages-only-when-loading-certificat.patch
patches.suse/0003-MODSIGN-load-blacklist-from-MOKx.patch
patches.suse/0004-MODSIGN-checking-the-blacklisted-hash-before-loading.patch

Hibernation Signature Verification FATE#316350
patches.suse/0001-security-create-hidden-area-to-keep-sensitive-data.patch
patches.suse/0002-hibernate-avoid-the-data-in-hidden-area-to-be-snapsh.patch
patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch
patches.suse/0005-efi-generate-secret-key-in-EFI-boot-environment.patch
patches.suse/0006-efi-allow-user-to-regenerate-secret-key.patch
patches.suse/0007-PM-hibernate-encrypt-hidden-area.patch
patches.suse/0008-PM-hibernate-Generate-and-verify-signature-for-snaps.patch
patches.suse/0009-PM-hibernate-prevent-EFI-secret-key-to-be-regenerate.patch
patches.suse/0010-PM-hibernate-a-option-to-request-that-snapshot-image.patch
patches.suse/0011-PM-hibernate-require-hibernate-snapshot-image-to-be-.patch

What changes were made since your SHIM was last signed?

Mainly fixes for shim that causes issues with some firmwares. It's a maintenance
release, not a security update

What is the SHA256 hash of your final SHIM binary?

pesign --hash --padding --in=usr/share/efi/x86_64/shim-opensuse.efi
hash: 09953fd0439a08244844c9210de513f1d5aafc44ef30103055bd46db31035a6d
sha256sum usr/share/efi/x86_64/shim-opensuse.efi
84fc9fb6bb2b30eaa21ed4cb8e2987e6e32f5199fe68ad846813ef74e1a7034f /shim/usr/share/efi/x86_64/shim-opensuse.efi

[steve-mcintyre]

• x86-64 build reproduces ok
• SBAT looks fine

same questions as on #187:

• is the CA actually new?
• I'd like somebody else to review shim-bsc1177315-verify-eku-codesign.patch as well

[jsegitz]

Thank you for the review.

The basic idea of this patch is to make sure that the certificate used is actually intended to be used for code signing. We noticed that while going for the NIAP CC certification. I was under the impression that our shim maintainer sent this to upstream. I'll talk to him about this

As for the CA: It's the same (also the SBAT). I tried to explain that under "What changes were made since your SHIM was last signed?", but the whole questionnaire is targeted towards boothole so that's a bit confusing

[jsegitz]

The patch is upstreamed in rhboot/shim#232, but for now we still carry a slightly different version

[jsegitz]

We have to update our submission to include rhboot/shim#387, will do this in the next hour. Please don't work on this ATM. Sorry for this, but this has real world impact for our customers

[jsegitz]

I updated the submission, new tag is:
https://github.com/jsegitz/shim-review/tree/SUSE-openSUSE15.3-shim-20210701

One patch was added (explained in rhboot/shim#387):
shim-bsc1187696-avoid-deleting-rt-variables.patch

Readme and issue template are updated in my branch. Expected hashes:
pesign --hash --padding --in=usr/share/efi/x86_64/shim-opensuse.efi
hash: 8f2dec2046713748a977819950390a46565e635fb1d959b166775037c69d2060
sha256sum usr/share/efi/x86_64/shim-opensuse.efi
c3a3fe3a9092dbbebbd36a34dff0fb3bcdaf3e3b4d080709dabaef1e8b282fb9 /shim/usr/share/efi/x86_64/shim-opensuse.efi

[jsegitz]

Any chance to look at this? It's very similar to #187 so once that's accepted only the diff needs to be checked

[julian-klode]

Building now, rest looks good (like #187)

[julian-klode]

shim built reproducibly too, accepted.

[jsegitz]

C