shim-15.7 (NX Patched) for ZeronsoftN

[joseph-zeronsoftn]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/zeronsoftn/shim-review/tree/zeronsoftn-shim-x86_64_ia32_aarch64-20230915
https://github.com/zeronsoftn/shim-review/tree/zeronsoftn-shim-x86_64_ia32_aarch64-20231017

---

What is the SHA256 hash of your final SHIM binary?

---

4f7684174ad593b76284ddde3f947064a3ef602dd6b5f47047ff10a51774fbec  shimaa64.efi
7797d060d0869d5976eb91a21ab3341bd7a30e1f2c945f5be74a2720470bcc0e  shimia32.efi
bd455c5c85a0b6063cbd84015f097f63a8a0c8d199e5b9166406b622947be420  shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

#147 (accepted)

Help to review

jc-lab/shim-review-bot#3 (comment)
jc-lab/shim-review-bot#3 (comment)

[THS-on]

Review zeronsoftn-shim-x86_64_ia32_aarch64-20230915

• ZeronsoftN Inc has an accepted 15.4 shim Shim 15.4 for ZeronsoftN #147

• Shim is required due to using Alpine (which currently has not its own shim), custom GRUB2 builds and using systemd-boot images

• Security have not changed since last review

  • Joseph Lee joseph@zeronsoftn.com (0744F33608FABCE1BD6996964961F2130CDE7CC8)
  • Hyunduk Choi hyunduk.choi@gmail.com (9eb34b7d9c9f81a3e8484ef0229e2b9f84ece2ac)

• Shim is reproducible using Dockerfile

Hashes

#18 0.622 8b1acf748a7390afcc8084fb5c6b2561eae8074cc4885db0c3c7f9666c5962a2  /work/output/aarch64/boot/efi/EFI/ZeronsoftN/shimaa64.efi
#18 0.639 a340c4acba8e5b0b0a6502790ade67289624dca8dd6b165401e08b3da8c47137  /work/output/ia32/boot/efi/EFI/ZeronsoftN/shimia32.efi
#18 0.656 c8300ef317ff4bdfe2ca223690062a43ccd350cad4ee65abb3d71349a5d32f63  /work/output/x86_64/boot/efi/EFI/ZeronsoftN/shimx64.ef

SBAT

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.zeronsoftn,2,ZeronsoftN,shim,15.7-0zeron2,https://github.com/zeronsoftn/shim-release

• Why is shim.zeronsoftn set to 2?

• Shim is upstream 15.7 with NX enabled

  • 0001-Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch matches Make sbat_var.S parse right with buggy gcc/binutils shim#535
  • 0002-Enable-the-NX-compatibility-flag-by-default.patch matches Enable the NX compatibility flag by default. shim#530
  • 0003-Don-t-loop-forever-in-load_certs-with-buggy-firmware.patch matches Don't loop forever in load_certs() with buggy firmware shim#547
  • 0004-Add-validation-function-for-Microsoft-signing.patch matches Add validation function for Microsoft signing shim#531
    • Patch is not upstream, but ok
    • Is superseded by https://github.com/rhboot/shim/pull/531.patch

• Certificate matches the organization (has changed since last submission)

  • Serial: 7230298064905535070
  • Subject: CN = ZeronsoftN Secure Boot Signing (2022), OU = Secure Boot, O = ZeronsoftN, C = KR
  • Valid till: Jun 25 04:35:17 2029 GMT (7 years, ok)
  • Certificate is not an CA certificate
    • Code Signing and Digital Signature are set
    • Certificate is issued by their CA

• Keys are stored in an HSM

• GRUB

  • GRUB is based on Debian's implementation
  • GRUB SBAT is set to 3
  • List of modules are ahci reboot halt minicmd help diskfilter acpi ata blocklist boot cat cmp configfile cpuid crypto cryptodisk datetime elf echo exfat ext2 fat gptsync halt hashsum iso9660 ldm linux loadenv ls lspci mdraid1x memdisk msdospart normal ntfs ntfscomp ohci part_gpt part_msdos raid5rec random scsi search search_fs_file search_fs_uuid search_label sleep squash4 tar test time true usb usb_keyboard xfs usbms file pgp verifiers gcry_rsa gcry_dsa gcry_sha256 gcry_sha512 regexp
  • The module list includes ntfs. Please update to version 2.06-13+deb12u1 to include the fixes for the CVEs in the ntfs implementation

• Kernel

  • Based on Apline 6.1.43
  • Do you enforce lockdown? Otherwise you might need to include some patches that do that when Secure Boot is enabled, e.g.: https://salsa.debian.org/kernel-team/linux/-/tree/bookworm-security/debian/patches/features/all/lockdown
  • systemd-uefi stub is used for unified images
  • Kernel is build with CONFIG_MODVERSIONS
    • How do you prevent modules from a kernel build to be loaded by another kernel? (This new question was added in 1f85d85)

Notes and questions

• Why is shim.zeronsoftn set to 2 in the shim?
• How do you prevent modules from a kernel build to be loaded by another kernel?
• Please update GRUB2 to version 2.06-13+deb12u1 to include the fixes for the CVEs in the ntfs implementation
• Thank you for using the bot and linking the patches! This made the review simpler

[joseph-zeronsoftn]

@THS-on Thank you! :)

https://github.com/zeronsoftn/shim-review/tree/zeronsoftn-shim-x86_64_ia32_aarch64-20231017
jc-lab/shim-review-bot#3 (comment) (Ignore linux-6.1.43.patch. This is the original linux-6.1.43.xz file, not the shim patch.)

• Modified the version of shim.zeronsoftn to 1. (It was a wrong setting)
• kernel is signed with a ephemeral key.
• Updated grub and applied additional patches to the kernel. Please check the revised README.

[THS-on]

I see that you pulled the Debian patches for enabling lockdown. To actually enable them you'll also need to set CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y otherwise this feature is not used.

[joseph-zeronsoftn]

@THS-on Thank you! I missed it.. This is the commit applied: zeronsoftn/alpine-pkg-kernel@3df6633

[THS-on]

The shim for zeronsoftn-shim-x86_64_ia32_aarch64-20231017 is reproducible and the questions are all answered.

For systemd stub, we are waiting for a review of the upstream code before accepting submissions including it. Besides that this needs also one more (also unofficial) review, to check that we haven't missed anything.

[joseph-zeronsoftn]

Hello.
Is there anyone who can review?

[aronowski]

Hello.

Apologies for the delay - reviewing as much as I can.

I won't be able to review systemd-boot by myself and can't base on the earlier accepted application. Apologies, but you'll have to wait for someone, who can.

In the meantime certain requirements have changed and some information will have to be updated. Below are the entries I spotted.

---

As far as I can see this is the current implementation in Debian's bookworm branch (https://salsa.debian.org/grub-team/grub/-/blob/bookworm/debian/sbat.debian.csv.in) - the upstream Free Software Foundation's GRUB2 SBAT entry has been bumped to 4](15c328e). Please, update it in the application's README.

---

Shim SBAT has not been updated in the zeronsoftn-shim-x86_64_ia32_aarch64-20231017 tag (although used zerox-shim-x86_64_ia32_aarch64-20231017 for reference - it's been fixed there).

---

Is the whole bootchain NX-compatible? Since I have no experience with systemd-boot, I can't tell anything on this one, but for the current GRUB2 and kernel versions I have some doubts.
If it's not, then please, update the shim binaries and the recipe for building them, so they are not NX-compatible, according to the latest Microsoft requirements. The builds do reproduce (just checked), so it should be easy.

---

The https://github.com/zeronsoftn/shim-release repository seems to be empty, despite being mentioned as part of Shim's SBAT. Is this intentional? Am I missing something?

[THS-on]

@joseph-zeronsoftn can you either update this submission to 15.8 or create a new one?