
shim-15.7 (NX Patched, Custom Patched) for ZeronsoftN (ZeroX) #347

Closed
8 tasks done
joseph-zeronsoftn opened this issue Sep 25, 2023 · 5 comments
Labels
custom second-stage Second-stage image is not GRUB question Reviewer(s) waiting on response

Comments


joseph-zeronsoftn commented Sep 25, 2023

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/zeronsoftn/shim-review/tree/zerox-shim-x86_64_ia32_aarch64-20230925
https://github.com/zeronsoftn/shim-review/tree/zerox-shim-x86_64_ia32_aarch64-20231017

What is the SHA256 hash of your final SHIM binary?

3a0ebd4dfb854e8c84e8f0d3205c3b3337ec1f75d9d52f4311ecc33a11f0491f  shimaa64.efi
e67d09053e37f63954b9fad64d2f05c95d7051edab934c534f0216312b9f95b9  shimia32.efi
c6d5b80a0f14445a7f489ba6bd6f88837abebf4d7ab4b5aa6a76d1f748721035  shimx64.efi

https://github.com/zeronsoftn/shim-review/blob/zerox-shim-x86_64_ia32_aarch64-20230925/review/hash.txt

What is the link to your previous shim review request (if any, otherwise N/A)?

#147 (accepted)

Help to review

THS-on (Collaborator) commented Oct 16, 2023

@joseph-zeronsoftn I have a few questions regarding the custom patchset:

  • What is the reason to put those features directly into the shim and not e.g. GRUB2?
  • Are there parts that can be made part of the upstream shim? If so, please submit those changes upstream first.
  • Can you break up the patch into smaller ones that can be more easily reviewed on their own?

@THS-on THS-on added question Reviewer(s) waiting on response custom second-stage Second-stage image is not GRUB labels Oct 16, 2023
joseph-zeronsoftn (Author) commented

@THS-on Thank you! :)

For reference, I modified sbat to differentiate it from the existing zeronsoftn.

https://github.com/zeronsoftn/shim-review/tree/zerox-shim-x86_64_ia32_aarch64-20231017
jc-lab/shim-review-bot#3 (comment)

  • The purpose of zerox-shim is to run efi on “another drive”. This is to run systemd-stub with the solution installed.
  • I would avoid using unnecessary grub2 by using systemd-stub. This provides integrity to the initrd that is difficult to obtain with grub2 by signing the entire EFI.
  • There are no patches available for upstream.
  • Among the patches, BdsConnect.c is a large file, but it can be found at https://github.com/pldmgg/refind/blob/master/EfiLib/BdsConnect.c.

THS-on (Collaborator) commented Oct 17, 2023

@joseph-zeronsoftn thanks! Reviewing this will likely take a long time if someone takes on that task, so if you can build those features using GRUB I would go down that route.

> I would avoid using unnecessary grub2 by using systemd-stub. This provides integrity to the initrd that is difficult to obtain with grub2 by signing the entire EFI.

You can still use GRUB2 to chainload other EFI binaries (e.g. systemd-stub) and limit it to only use a builtin config.
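A builtin-config GRUB image of the kind suggested above, as an added example that is not part of this thread or of the ZeroX submission: the grub.cfg is packed into the image's own memdisk with grub-mkstandalone, so no grub.cfg on the ESP or any other disk is consulted, and the systemd-stub unified kernel image on the other drive is located by filesystem UUID and chainloaded. The UUID, paths and file names are constructed placeholders.

```grub
# grub.cfg to be packed into a standalone GRUB image (constructed example):
#   grub-mkstandalone -O x86_64-efi -o grubx64.efi "boot/grub/grub.cfg=grub.cfg"
# The image's prefix points at its own memdisk, so this file is the only
# configuration GRUB reads; nothing on the ESP can alter the boot path.

# Boot the first entry after a short hidden countdown; holding Shift or
# pressing Esc during it shows the menu (the "user action" for recovery).
set timeout_style=hidden
set timeout=2
set default=0

# Find the "other drive" by filesystem UUID instead of trusting the
# firmware boot order or the ESP that shim was loaded from.
# 1234-ABCD is a placeholder for the real partition's filesystem UUID.
search --no-floppy --fs-uuid --set=target 1234-ABCD

# Unified kernel image (systemd-stub + kernel + initrd, signed as one PE file).
# With Secure Boot on, GRUB's shim_lock verifier hands the chainloaded image
# to shim for signature verification, so it must be signed with a key that
# chains to a certificate shim trusts (e.g. the embedded vendor certificate).
menuentry "ZeroX (unified kernel image)" {
    chainloader ($target)/EFI/Linux/zerox.efi
}

menuentry "ZeroX recovery environment" {
    chainloader ($target)/EFI/Linux/zerox-recovery.efi
}
```

Because the UKI is one signed PE file, the initrd integrity argued for above is preserved: GRUB never unpacks or measures the initrd separately, it only verifies and jumps to the signed image.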

jclab-joseph commented

We also have the ability to enter the recovery environment by user action.
For this purpose, we have created a separate efi and used it signed by MS. I'm trying to integrate this into a shim.

THS-on (Collaborator) commented Feb 20, 2024

@jclab-joseph please update the submission to 15.8 or create a new one.

systemd-boot is now also allowed for signing. Does this help to reduce your patchset?
