
shim 15.8 for Certus Software S.R.L. #403

Closed
8 tasks done
eduardacatrinei opened this issue Mar 21, 2024 · 3 comments
Labels
accepted Submission is ready for sysdev

Comments

@eduardacatrinei

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/cssrl/shim-review/tree/CertusSoftware-shim-x64-20240321

What is the SHA256 hash of your final SHIM binary?

3be5b56b64d4e37391899eacd34c3773c1fd87fa97ddb5080880d135001cc366

What is the link to your previous shim review request (if any, otherwise N/A)?

#285

@sonicwall-jma

  • I'm not an official reviewer. But I'm trying to help. This is the review for CertusSoftware-shim-x64-20240321.

  • Shim binary can be reproduced by Dockerfile.

# sha256sum /shim/shimx64.efi
3be5b56b64d4e37391899eacd34c3773c1fd87fa97ddb5080880d135001cc366  /shim/shimx64.efi
  • Shim SBAT looks OK and matches the one in the README.md.
$ objdump -s -j .sbat shimx64.efi

shimx64.efi:     file format pei-x86-64

Contents of section .sbat:
 d3000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d3010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d3020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d3030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d3040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d3050 2c342c55 45464920 7368696d 2c736869  ,4,UEFI shim,shi
 d3060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d3070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d3080 696d0a73 68696d2e 63657274 75732c31  im.shim.certus,1
 d3090 2c436572 74757320 536f6674 77617265  ,Certus Software
 d30a0 20532e52 2e4c2e2c 7368696d 2c31352e   S.R.L.,shim,15.
 d30b0 382c6d61 696c3a73 65637572 69747940  8,mail:security@
 d30c0 63657274 7573736f 66747761 72652e72  certussoftware.r
 d30d0 6f0a                                 o.

$ objcopy -O binary -j .sbat shimx64.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.certus,1,Certus Software S.R.L.,shim,15.8,mail:security@certussoftware.ro
  • Shim .sbatlevel section looks OK.
$ objdump -s -j .sbatlevel shimx64.efi

shimx64.efi:     file format pei-x86-64

Contents of section .sbatlevel:
86000 00000000 08000000 37000000 73626174  ........7...sbat
86010 2c312c32 30323330 31323930 300a7368  ,1,2023012900.sh
86020 696d2c32 0a677275 622c330a 67727562  im,2.grub,3.grub
86030 2e646562 69616e2c 340a0073 6261742c  .debian,4..sbat,
86040 312c3230 32343031 30393030 0a736869  1,2024010900.shi
86050 6d2c340a 67727562 2c330a67 7275622e  m,4.grub,3.grub.
86060 64656269 616e2c34 0a00               debian,4..
  • In the shim binary, disabled NX compatibility and section alignment look OK.
$ objdump -fhp shimx64.efi | egrep '(SectionAlignment|DllCharacteristics)'
SectionAlignment        00001000
DllCharacteristics      00000000
  • Certificate certus.cer with 3 years validity.
$ openssl x509 -inform der -in certus.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0e:fd:01:eb:79:80:a7:c5:63:78:21:6b:4b:b5:05:8f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
        Validity
            Not Before: Oct 12 00:00:00 2022 GMT
            Not After : Oct 11 23:59:59 2025 GMT
        Subject: jurisdictionC = RO, businessCategory = Private Organization, serialNumber = J22/1532/2016, C = RO, L = Iasi, O = Certus Software S.R.L., CN = Certus Software S.R.L.

@aronowski
Collaborator

The build reproduces, checksum matches, characteristics are OK.

Huge thanks to @sonicwall-jma for the help!

The application was easy to review, as very few things have changed between this one and the latest one, e.g. contacts that have been verified.

Accepting with some notes below.


*******************************************************************************
### If you are re-using a previously used (CA) certificate, you will need to add the hashes of the previous GRUB2 binaries exposed to the CVEs to vendor_dbx in shim in order to prevent GRUB2 from being able to chainload those older GRUB2 binaries. If you are changing to a new (CA) certificate, this does not apply.
### Please describe your strategy.
*******************************************************************************
Our GRUB2 binaries, which are signed by us, are not exposed to CVEs.

Since the most recent shim binary signing has been done about 3 months ago, I believe this is fine.


The GRUB2 module list got extended by the entries gfxterm gfxterm_background tftp http efinet font png jpeg chain - the decision has been described at the end of the document:

We have updated the GRUB2 to include additional modules for PXE boot

@aronowski aronowski added the accepted Submission is ready for sysdev label Apr 12, 2024
@eduardacatrinei
Author

We have received the signed shim from Microsoft.
