Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AmZetta Technologies, LLC shim-15.7 x64 #321

Closed
8 tasks done
amzdev0401 opened this issue Feb 28, 2023 · 42 comments
Closed
8 tasks done

AmZetta Technologies, LLC shim-15.7 x64 #321

amzdev0401 opened this issue Feb 28, 2023 · 42 comments
Assignees
Labels
new vendor This is a new vendor question Reviewer(s) waiting on response superseded Vendor has added a new review which makes this obsolete

Comments

@amzdev0401
Copy link

amzdev0401 commented Feb 28, 2023

Confirm the following are included in your repo, checking each box:


What is the link to your tag in a repo cloned from rhboot/shim-review?


'https://github.com/amzdev0401/shim-review/tree/AmZetta-shim-x86_64-20231225'
'https://github.com/amzdev0401/shim-review/releases/tag/AmZetta-shim-x86_64-20231225'


What is the SHA256 hash of your final SHIM binary?


[0a3a19af7762d418bb325a2b6a08f22f9b6488435f61e3f67f7bd85ed9d0ff3b shimx64.efi]


What is the link to your previous shim review request (if any, otherwise N/A)?


'#280'

@ClaudioGranatiero-10zig
  • I'm not an authorized reviewer, I'm just trying to help and learn.

  • Build is reproducible

  • hash value is ok:

0e35fd08db817724c44e641f7048e02addf440e5a5e299fff286e9b7e972e8d2  shimx64.efi
  • SBAT: if this is your first SHIM submission, why the SBAT level is set to 3? Shouldn't it be set to 1 (I'm just asking, it is completely possible I had misunderstood the way it works):
Contents of section .sbat:
 d1000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d1010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d1020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d1030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d1040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d1050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d1060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d1070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d1080 696d0a73 68696d2e 616d7a65 7474612c  im.shim.amzetta,
 d1090 332c416d 5a657474 61205465 63686e6f  3,AmZetta Techno
 d10a0 6c6f6769 65732c73 68696d2c 31352e37  logies,shim,15.7
 d10b0 2c687474 70733a2f 2f616d7a 65747461  ,https://amzetta
 d10c0 2e636f6d 2f0a                        .com/.          
  • Certificate seems good to me:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:38:d2:e2:65:55:8b:c5:f1:8d:52:03:93:67:fc:35:0e:25:3a:fc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Georgia, L = Norcross, O = AmZetta, CN = AmZetta UEFI Bootloader
        Validity
            Not Before: Feb 27 20:26:36 2023 GMT
            Not After : Feb 24 20:26:36 2033 GMT
        Subject: C = US, ST = Georgia, L = Norcross, O = AmZetta, CN = AmZetta UEFI Bootloader

@amzdev0401
Copy link
Author

Thank you for the review. I have corrected the SBAT file and recompiled the SHIM and updated it. Please let us know is there are any corrections needed.

@aronowski
Copy link
Collaborator

Just scratching the surface and there's one error I noticed right away.

$ objdump -s -j .sbatlevel shimx64.efi 

shimx64.efi:     file format pei-x86-64

Contents of section .sbatlevel:
 85000 00000000 08000000 26000000 73626174  ........&...sbat
 85010 2c00312c 00323032 32303532 34303000  ,.1,.2022052400.
 85020 0a006772 75622c32 0a007362 61742c00  ..grub,2..sbat,.
 85030 312c0032 30323231 31313530 30000a00  1,.2022111500...
 85040 7368696d 2c320a67 7275622c 330a00    shim,2.grub,3.. 

There are some NUL characters, which shouldn't be here. You'll need to port this patch and once that's done, update the shims' checksums.

Once that's done, I'll dig deeper into the review.

PS: Since the README has to be updated, please format listings properly with three graves; otherwise the render of it on GitHub is harder to read.

@amzdev0401
Copy link
Author

Thank you for the review. I have applied the "Make sbat_var.S parse right with buggy gcc/binutils #535" patch and uploaded the latest binaries. Could you please review the Shim submission and let us know if any changes are needed from our end?

@aronowski
Copy link
Collaborator

I'm into reviewing. I'll have to do it carefully, so it will take me some time.

In the meantime please update the datetime appropriately in the issue question What is the link to your tag in a repo cloned from rhboot/shim-review? and in the README. Also, please tag it and push the tag to GitHub - currently this is a branch.

@amzdev0401
Copy link
Author

@aronowski Thank you for the review, I have updated the README file and updated the source code tag also. Thank you.

@aronowski
Copy link
Collaborator

If you want to help me out with reviewing, please attach a log file of building your GRUB2. I'm interested in particular with what arguments ./grub-mkimage is ran with.

In the meantime, the formatting and datetimes are still not fixed.
I don't know if you use custom WYSIWYG software for writing in Markdown but the formatting and the render on GitHub are broken. Not that it prevents reviewing the review but makes it harder, even in a commandline editor.
If everything is right, please tag your current tree as AmZetta-shim-x86_64-20230508, push the tag and update all references. This assumes you can handle this today. ;)

@amzdev0401
Copy link
Author

@aronowski Thank you for the review.

  1. I have attached the grub compilation logs and script file on how I compiled the grub. Please find the files in the following location.
    https://github.com/amzdev0401/shim-review/blob/AmZetta-shim-x86_64-20230508/makegrub.log
    https://github.com/amzdev0401/shim-review/blob/AmZetta-shim-x86_64-20230508/makegrub.sh

  2. I have edited the README.md file in the GitHub editor and checked in again as per request.

  3. I have created the latest tree with the tag AmZetta-shim-x86_64-20230508

Please let me know if any corrections are needed. Thank you very much.

@aronowski
Copy link
Collaborator

Tag is OK.

Now that we have the script for building GRUB2 and the build log, everything should be clear. Looks good to me.

The README still seems broken. If you want, it can stay this way but I'm concerned if the official reviewers will like it this way. Or if you want, I can help reformat it for you (a new tag with a new datetime will then have to be provided).

@amzdev0401
Copy link
Author

@aronowski

I have verified the README.md file format with
https://dillinger.io/ and Visual Studio Code application also, it seems proper.
I don't understand why it is broken in github.

Can you please help me to reformat the READMD file.
As well as send the steps to reformat this README.md file.

I will create the new tag with the reformatted READMD.md file,

Thank you so much for the review.

@aronowski
Copy link
Collaborator

I've created a patch for you that you can apply this on top of your AmZetta-shim-x86_64-20230508 tag. Study it carefully to make sure everything's OK and once that's done, apply it. This is the patch:

From 39182156b8c1fc0511650ebb3ed6451c239005e1 Mon Sep 17 00:00:00 2001
From: Your Name <[email protected]>
Date: Wed, 10 May 2023 14:02:14 +0200
Subject: [PATCH] README formatting and cleanups

---
 README.md | 101 ++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 68 insertions(+), 33 deletions(-)

diff --git a/README.md b/README.md
index b36bc79..74f26ab 100755
--- a/README.md
+++ b/README.md
@@ -20,22 +20,22 @@ Here's the template:
 *******************************************************************************
 ### What organization or people are asking to have this signed?
 *******************************************************************************
-[AmZetta Technologies AmZetta Technologies is a software developer providing secure endpoint solutions for companies and organizations worldwide. https://amzetta.com/products/ztc/]
+AmZetta Technologies AmZetta Technologies is a software developer providing secure endpoint solutions for companies and organizations worldwide. https://amzetta.com/products/ztc/
 
 *******************************************************************************
 ### What product or service is this for?
 *******************************************************************************
-[AmZetta zTC: Thin Client Endpoint Devices for Digital Workspaces, Citrix, Microsoft Hyper-V & WVD, VMware and other VDI and DaaS environments. AmZetta zTC Thin Clients are available in Linux and Windows operating system options and are designed to support all user types from call centers, students, office and remote users, manufacturing and high-end graphics users requiring CAD, HD Video/Audio and more. AmZetta zTC Thin Clients are preinstalled with the SnapOS operating system. The Snap Client Manager (SCM) software manages, monitors, and secures AmZetta zTC Thin Clients and SnapOS deployments from a single intuitive interface. Equip your organization with the agility to adapt without compromising power, compatibility, or security with the AmZetta zTC Thin Client product line. For More info: https://amzetta.com/ztc/]
+AmZetta zTC: Thin Client Endpoint Devices for Digital Workspaces, Citrix, Microsoft Hyper-V & WVD, VMware and other VDI and DaaS environments. AmZetta zTC Thin Clients are available in Linux and Windows operating system options and are designed to support all user types from call centers, students, office and remote users, manufacturing and high-end graphics users requiring CAD, HD Video/Audio and more. AmZetta zTC Thin Clients are preinstalled with the SnapOS operating system. The Snap Client Manager (SCM) software manages, monitors, and secures AmZetta zTC Thin Clients and SnapOS deployments from a single intuitive interface. Equip your organization with the agility to adapt without compromising power, compatibility, or security with the AmZetta zTC Thin Client product line. For More info: https://amzetta.com/ztc/
 
 *******************************************************************************
 ### What's the justification that this really does need to be signed for the whole world to be able to boot it?
 *******************************************************************************
-[AmZetta Technologies customers would like to be able to run and deploy the SnapOS operating system without disabling Secure Boot. The customers are seeking a more secure Thin Client solution and want to utilize secure boot. The AmZetta zTC Thin Clients with SnapOS are deployed in financial, healthcare and government organizations that require secure boot as a main feature for added security.]
+AmZetta Technologies customers would like to be able to run and deploy the SnapOS operating system without disabling Secure Boot. The customers are seeking a more secure Thin Client solution and want to utilize secure boot. The AmZetta zTC Thin Clients with SnapOS are deployed in financial, healthcare and government organizations that require secure boot as a main feature for added security.
 
 *******************************************************************************
 ### Why are you unable to reuse shim from another distro that is already signed?
 *******************************************************************************
-[SnapOS is the customized operating system build from the scratch from Ubuntu source code based on the product feature requirements.]
+SnapOS is the customized operating system build from the scratch from Ubuntu source code based on the product feature requirements.
 
 *******************************************************************************
 ### Who is the primary contact for security updates, etc.?
@@ -73,22 +73,28 @@ Please create your shim binaries starting with the 15.7 shim release tar file: h
 This matches https://github.com/rhboot/shim/releases/tag/15.7 and contains the appropriate gnu-efi source.
 
 *******************************************************************************
-[SHIM Created from https://github.com/rhboot/shim/releases/download/15.7/shim-15.7.tar.bz2. Following patch is applied. Patch : 1. Enable the NX compatibility flag by default. #530 (530.patch) 2. Make sbat_var.S parse right with buggy gcc/binutils #535 (535.patch)]
+SHIM Created from [https://github.com/rhboot/shim/releases/download/15.7/shim-15.7.tar.bz2](https://github.com/rhboot/shim/releases/download/15.7/shim-15.7.tar.bz2).
+
+Following patches are applied.
+
+1. Enable the NX compatibility flag by default. #530 (530.patch)
+2. Make sbat_var.S parse right with buggy gcc/binutils #535 (535.patch)
 
 *******************************************************************************
 ### URL for a repo that contains the exact code which was built to get this binary:
 *******************************************************************************
-[https://github.com/rhboot/shim/releases/download/15.7/shim-15.7.tar.bz2 source code with only Amzetta Technologies certificate is embedded]
+[https://github.com/rhboot/shim/releases/download/15.7/shim-15.7.tar.bz2](https://github.com/rhboot/shim/releases/download/15.7/shim-15.7.tar.bz2) source code with only Amzetta Technologies certificate is embedded
 
 *******************************************************************************
 ### What patches are being applied and why:
 *******************************************************************************
-[1. Enable the NX compatibility flag by default. #530 (530.patch) 2. Make sbat_var.S parse right with buggy gcc/binutils #535 (535.patch)]
+1. Enable the NX compatibility flag by default. #530 (530.patch)
+2. Make sbat_var.S parse right with buggy gcc/binutils #535 (535.patch)
 
 *******************************************************************************
 ### If shim is loading GRUB2 bootloader what exact implementation of Secureboot in GRUB2 do you have? (Either Upstream GRUB2 shim_lock verifier or Downstream RHEL/Fedora/Debian/Canonical-like implementation)
 *******************************************************************************
-[Downstream RHEL/Fedora/Debian/Canonical-like implementation]
+Downstream RHEL/Fedora/Debian/Canonical-like implementation
 
 *******************************************************************************
 ### If shim is loading GRUB2 bootloader and your previously released shim booted a version of grub affected by any of the CVEs in the July 2020 grub2 CVE list, the March 2021 grub2 CVE list, the June 7th 2022 grub2 CVE list, or the November 15th 2022 list, have fixes for all these CVEs been applied?
@@ -120,19 +126,24 @@ This matches https://github.com/rhboot/shim/releases/tag/15.7 and contains the a
 * CVE-2022-2601
 * CVE-2022-3775
 *******************************************************************************
-[This is the first time SHIM submission, We are going to use GRUB 2.11 with cherry picked from commit 65bc45963014773e2062ccc63ff34a089d2e352e for upcoming product line.]
+This is the first time SHIM submission, We are going to use GRUB 2.11 with cherry picked from commit 65bc45963014773e2062ccc63ff34a089d2e352e for upcoming product line.
 
 *******************************************************************************
 ### If these fixes have been applied, have you set the global SBAT generation on your GRUB binary to 3?
 *******************************************************************************
-[SHIM: sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim shim.amzetta,1,AmZetta Technologies,shim,15.7,https://amzetta.com/
- GRUB: sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,3,Free Software Foundation,grub,2.11,https://www.gnu.org/software/grub/ grub.amzetta,1,AmZetta Technologies,grub2,2.11-65bc45963,https://amzetta.com/]
+Yes, as you can see
+
+```
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,3,Free Software Foundation,grub,2.11,https://www.gnu.org/software/grub/
+grub.amzetta,1,AmZetta Technologies,grub2,2.11-65bc45963,https://amzetta.com/
+```
 
 *******************************************************************************
 ### Were old shims hashes provided to Microsoft for verification and to be added to future DBX updates?
 ### Does your new chain of trust disallow booting old GRUB2 builds affected by the CVEs?
 *******************************************************************************
-[This is the first time SHIM submission, We are going to use GRUB 2.11 for upcoming product line.]
+This is the first time SHIM submission, We are going to use GRUB 2.11 for upcoming product line.
 
 *******************************************************************************
 ### If your boot chain of trust includes a Linux kernel:
@@ -140,103 +151,127 @@ This matches https://github.com/rhboot/shim/releases/tag/15.7 and contains the a
 ### Is upstream commit [75b0cea7bf307f362057cc778efe89af4c615354 "ACPI: configfs: Disallow loading ACPI tables when locked down"](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=75b0cea7bf307f362057cc778efe89af4c615354) applied?
 ### Is upstream commit [eadb2f47a3ced5c64b23b90fd2a3463f63726066 "lockdown: also lock down previous kgdb use"](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eadb2f47a3ced5c64b23b90fd2a3463f63726066) applied?
 *******************************************************************************
-[1957a85b0032a81e6482ca4aab883643b8dae06e: Yes 75b0cea7bf307f362057cc778efe89af4c615354: Yes eadb2f47a3ced5c64b23b90fd2a3463f63726066: No ( CONFIG_DEBUG_KERNEL flag is not enabled in our linux kernel)]
+- 1957a85b0032a81e6482ca4aab883643b8dae06e: Yes
+- 75b0cea7bf307f362057cc778efe89af4c615354: Yes
+- eadb2f47a3ced5c64b23b90fd2a3463f63726066: No ( `CONFIG_DEBUG_KERNEL` flag is not enabled in our linux kernel)
 
 *******************************************************************************
 ### Do you build your signed kernel with additional local patches? What do they do?
 *******************************************************************************
-[No additional local patches applied in signed kernel]
+No additional local patches applied in signed kernel
 
 *******************************************************************************
 ### If you use vendor_db functionality of providing multiple certificates and/or hashes please briefly describe your certificate setup.
 ### If there are allow-listed hashes please provide exact binaries for which hashes are created via file sharing service, available in public with anonymous access for verification.
 *******************************************************************************
-[No, We don't use vendor_db functionality]
+No, We don't use `vendor_db` functionality
 
 *******************************************************************************
 ### If you are re-using a previously used (CA) certificate, you will need to add the hashes of the previous GRUB2 binaries exposed to the CVEs to vendor_dbx in shim in order to prevent GRUB2 from being able to chainload those older GRUB2 binaries. If you are changing to a new (CA) certificate, this does not apply.
 ### Please describe your strategy.
 *******************************************************************************
-[This is the first time SHIM submission, We are going to use GRUB2 2.11 for upcoming product line.]
+This is the first time SHIM submission, We are going to use GRUB2 2.11 for upcoming product line.
 
 *******************************************************************************
 ### What OS and toolchain must we use to reproduce this build?  Include where to find it, etc.  We're going to try to reproduce your build as closely as possible to verify that it's really a build of the source tree you tell us it is, so these need to be fairly thorough. At the very least include the specific versions of gcc, binutils, and gnu-efi which were used, and where to find those binaries.
 ### If the shim binaries can't be reproduced using the provided Dockerfile, please explain why that's the case and what the differences would be.
 *******************************************************************************
-[Ubuntu 18.04 or above with Docker, run make-shim.sh]
+Ubuntu 18.04 or above with Docker, run make-shim.sh
 
 *******************************************************************************
 ### Which files in this repo are the logs for your build?
 This should include logs for creating the buildroots, applying patches, doing the build, creating the archives, etc.
 *******************************************************************************
-[build.log]
+[build.log](./build.log)
 
 *******************************************************************************
 ### What changes were made since your SHIM was last signed?
 *******************************************************************************
-[This is first time submission.]
+This is first time submission.
 
 *******************************************************************************
 ### What is the SHA256 hash of your final SHIM binary?
 *******************************************************************************
-[ce63ec2309bd02048a3563a0c8acb5bdc9c302de4f9b7a74c9ffd01737c018bc shimx64.efi]
+ce63ec2309bd02048a3563a0c8acb5bdc9c302de4f9b7a74c9ffd01737c018bc shimx64.efi
 
 *******************************************************************************
 ### How do you manage and protect the keys used in your SHIM?
 *******************************************************************************
-[Amzetta Technologies's private key stored in Hardware Security Module(YubiHSM). Only authorized engineering professional having the access to build the binaries and sigining (SHIM, GRUB2, Linux kernel and SnapOS software)]
+Amzetta Technologies's private key stored in Hardware Security Module(YubiHSM). Only authorized engineering professional having the access to build the binaries and sigining (SHIM, GRUB2, Linux kernel and SnapOS software)
 
 *******************************************************************************
 ### Do you use EV certificates as embedded certificates in the SHIM?
 *******************************************************************************
-[Yes]
+Yes
 
 *******************************************************************************
 ### Do you add a vendor-specific SBAT entry to the SBAT section in each binary that supports SBAT metadata ( grub2, fwupd, fwupdate, shim + all child shim binaries )?
 ### Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim.
 ### Where your code is only slightly modified from an upstream vendor's, please also preserve their SBAT entries to simplify revocation.
 *******************************************************************************
-[SHIM: sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim shim.amzetta,1,AmZetta Technologies,shim,15.7,https://amzetta.com/
- GRUB: sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,3,Free Software Foundation,grub,2.11,https://www.gnu.org/software/grub/ grub.amzetta,1,AmZetta Technologies,grub2,2.11-65bc45963,https://amzetta.com/ ]
+SHIM:
+
+```
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
+shim.amzetta,1,AmZetta Technologies,shim,15.7,https://amzetta.com/
+```
+
+GRUB:
+
+```
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,3,Free Software Foundation,grub,2.11,https://www.gnu.org/software/grub/
+grub.amzetta,1,AmZetta Technologies,grub2,2.11-65bc45963,https://amzetta.com/
+```
 
 *******************************************************************************
 ### Which modules are built into your signed grub image?
 *******************************************************************************
-[Original source code has been used without any modification, compiled with only vendor-specific SBAT entry. https://github.com/rhboot/grub2.git with commit id 65bc45963014773e2062ccc63ff34a089d2e352e, dated Jan 29 19:49:33 2023.
+Original source code has been used without any modification, compiled with only vendor-specific SBAT entry. https://github.com/rhboot/grub2.git with commit id 65bc45963014773e2062ccc63ff34a089d2e352e, dated Jan 29 19:49:33 2023.
+
+Modules in signed grub:
 
-Modules in signed grub: all_video boot btrfs cat chain configfile echo efifwsetup efinet ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv linux lsefi lsefimmap lssal lvm mdraid09 memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 reboot search search_fs_uuid search_fs_file search_label sleep test tftp video xzio lzopio gcry_dsa gcry_sha512 cmp eval true serial hashsum gcry_md5 gcry_rsa ]
+```
+all_video boot btrfs cat chain configfile echo efifwsetup efinet ext2 fat font
+gettext gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg
+keystatus loadenv linux lsefi lsefimmap lssal lvm mdraid09 memdisk minicmd
+normal part_apple part_msdos part_gpt password_pbkdf2 reboot search
+search_fs_uuid search_fs_file search_label sleep test tftp video xzio lzopio
+gcry_dsa gcry_sha512 cmp eval true serial hashsum gcry_md5 gcry_rsa
+```
 
 *******************************************************************************
 ### What is the origin and full version number of your bootloader (GRUB or other)?
 *******************************************************************************
-[GRUB2 git clone https://github.com/rhboot/grub2.git, commit 65bc45963014773e2062ccc63ff34a089d2e352e used, Jan 29 19:49:33 2023]
+GRUB2 git clone https://github.com/rhboot/grub2.git, commit 65bc45963014773e2062ccc63ff34a089d2e352e used, Jan 29 19:49:33 2023
 
 *******************************************************************************
 ### If your SHIM launches any other components, please provide further details on what is launched.
 *******************************************************************************
-[SHIM only launches signed GRUB2, then launches kernel]
+SHIM only launches signed GRUB2, then launches kernel
 
 *******************************************************************************
 ### If your GRUB2 launches any other binaries that are not the Linux kernel in SecureBoot mode, please provide further details on what is launched and how it enforces Secureboot lockdown.
 *******************************************************************************
-[Linux kernel version 5.10 is used, SHIM will only launches signed GRUB AND Kernel, grub verifies signatures on booted kernel.]
+Linux kernel version 5.10 is used, SHIM will only launches signed GRUB AND Kernel, grub verifies signatures on booted kernel.
 
 *******************************************************************************
 ### How do the launched components prevent execution of unauthenticated code?
 *******************************************************************************
-[Kernel, Grub are updated with latest patch and all are signed with private key to prevent unsigned modules.]
+Kernel, Grub are updated with latest patch and all are signed with private key to prevent unsigned modules.
 
 *******************************************************************************
 ### Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
 *******************************************************************************
-[No]
+No
 
 *******************************************************************************
 ### What kernel are you using? Which patches does it includes to enforce Secure Boot?
 *******************************************************************************
-[Kernel Version is 5.10, it included enforce secure boot.]
+Kernel Version is 5.10, it included enforce secure boot.
 
 *******************************************************************************
 ### Add any additional information you think we may need to validate this shim.
 *******************************************************************************
-[N/A]
+N/A
-- 
2.38.1

Then commit the changes (you can add Co-authored-by: Kamil Aronowski <[email protected]> to the commit message as a token of appreciation), tag them with a proper datetime and push the changes along with the new tag.

Then edit this issue so the links point to the latest tag.

@amzdev0401
Copy link
Author

@aronowski Thank you very much.

README.md file has been uploaded after applying the patch.

New Branch : AmZetta-shim-x86_64-20230510
Release Tag : v1.0.2

I hope README.md file format issue has been fixed now. Could you please verify this from your end?
I appreciate your help in the SHIM review process.

@aronowski
Copy link
Collaborator

The formatting looks OK now. Good job!

Although I meant commiting with a message like this:

README formatting fixes

Co-authored-by: Kamil Aronowski <[email protected]>

with splitting the message into two lines so it shows up properly but it's a minor thing. The review seems OK now, so let's wait for the official committee review it. Wish you all the best!

PS: I pinged you in my own review so the peer review concept would be present. As a token of appreciation, you can review my review. Thanks!

@amzdev0401
Copy link
Author

@aronowski Thank you for the quick and prompt reply, I have corrected the comments in the release.

README formatting fixes

Co-authored-by: Kamil Aronowski [email protected]

Thank you

@amzdev0401
Copy link
Author

@frozencemetery we have been waiting for this SHIM approval for a very long time, Can you please review our shim we were waiting for the shim approval?

@rehakp
Copy link

rehakp commented Jul 31, 2023

Well, we all have been waiting (@aronowski as well). It would be beneficial if @frozencemetery, @julian-klode or someone else could give us a hint on what's really going on or what to expect, whether we will be reviewed, closed due to a security incident etc. Communication is really needed as probably many commercial projects depend on this process.

@THS-on THS-on added new vendor This is a new vendor contact verification needed Contact verification is needed for this review labels Sep 26, 2023
@THS-on
Copy link
Collaborator

THS-on commented Sep 29, 2023

I have just a few questions before doing the full review:

  • You stated that EV certificates are embedded in the shim, but the given amzetta.der (https://github.com/amzdev0401/shim-review/blob/AmZetta-shim-x86_64-20230510/amzetta.der) is self signed. Do you want to submit with this certificate or do you have an EV certificate that you want to use instead?
  • You stated that no local patches are applied to the Ubuntu kernel that you use. How does your kernel differ from the one that Ubuntu provides (e.g. other build options, different embedded certificates etc.)?

@THS-on THS-on added the question Reviewer(s) waiting on response label Sep 29, 2023
@amzdev0401
Copy link
Author

You stated that EV certificates are embedded in the shim, but the given amzetta.der (https://github.com/amzdev0401/shim-review/blob/AmZetta-shim-x86_64-20230510/amzetta.der) is self signed. Do you want to submit with this certificate or do you have an EV certificate that you want to use instead?

  • We would like to go with self self-signed certificate.

You stated that no local patches are applied to the Ubuntu kernel that you use. How does your kernel differ from the one that Ubuntu provides (e.g. other build options, different embedded certificates etc.)?

  • We have additional modules that need to be signed based on the hardware for our product so we would like to go with separate shim certification.

@THS-on
Copy link
Collaborator

THS-on commented Oct 5, 2023

@amzdev0401 can you update your submission to reflect that and issue an new tag?

@amzdev0401
Copy link
Author

Could you please elaborate on which section needs to be updated in the submission?

@THS-on
Copy link
Collaborator

THS-on commented Oct 5, 2023

The following sections:

  • Do you use EV certificates as embedded certificates in the SHIM?
  • Why are you unable to reuse shim from another distro that is already signed?

Please then also include the question about kernel module signing introduced in 1f85d85

@amzdev0401
Copy link
Author

@THS-on
Below question was not there in the README.md file when we submitted the SHIM.
Can we add the following question section in the submitted README.md and answer?
Please let me know how I should proceed.


Do you use an ephemeral key for signing kernel modules?

If not, please describe how you ensure that one kernel build does not load modules built for another kernel.


[your text here]


@THS-on
Copy link
Collaborator

THS-on commented Oct 6, 2023

Yes please add this question and update the other ones, than create a new tag and update it in the top comment of this issue.

@amzdev0401
Copy link
Author

I have updated the README.md file with the answer and created a new tag with the comment.

https://github.com/amzdev0401/shim-review/releases/tag/AmZetta-shim-x86_64-20231011

Thank you

@amzdev0401
Copy link
Author

@ dennis-tseng99 Can you please review our shim too?

@amzdev0401
Copy link
Author

Hi, I have not received my contact verification E-mail.

@aronowski
Copy link
Collaborator

@amzdev0401, I'll send the verification emails soon. Looks like the earlier comment did not result in a successful pinging due to an additional space between the '@' character and the username.

Furthermore, there's been some changes since I helped you out in the first half of 2023. I'll need to re-review this application, especially considering the latest news regarding NX support, among others. I'll hopefully be able to make it with peace and quiet during the holidays, when I won't be being disturbed.

@aronowski
Copy link
Collaborator

Verification emails sent.

@amzdev0401
Copy link
Author

amzdev0401 commented Dec 18, 2023

@aronowski Can you please verify the contents

From : Loganathan Ranganathan
symbol Purim belong Fleischer swindles prognosis consumptive Ramiro
philanthropy exposures

From : Justin Bagby
predicated scrolls macintosh conveyors follies Thames harder Lapps
pratfall fortunes

@aronowski aronowski removed the contact verification needed Contact verification is needed for this review label Dec 18, 2023
@aronowski aronowski self-assigned this Dec 18, 2023
@aronowski
Copy link
Collaborator

As far as I can see, only the answer on ephemeral key has been added. The rest has been clarified in this GitHub issue. OK.

Recently the NX requirements have changed and most likely you'll need to remove the NX-compatibility patch for Microsoft to sign your binaries - we've had a discussion to make this venue more user-friendly here - I suggested some hints there as well, to prevent confusion.

Please, remove the NX support patch, recompile the shim binary, update the checksums in the README and in this thread's opening post, push the changes and ping me here.

@amzdev0401
Copy link
Author

@aronowski

As you suggested, I have made the following changes and created the new release label.

  1. The NX support patch was removed and the Docker file was updated.
  2. SHIM binary was recompiled.
  3. The latest checksum was updated in the README file.
  4. The latest build.log file was uploaded.

Thank you so much.

@aronowski
Copy link
Collaborator

Alright, thank you!

However, I spotted an error - the README says that EV certificates are/will be used as being embedded in the shim binary, but the file amzetta.der seems to be a self-signed certificate, the latter matching what you said earlier:

We would like to go with self self-signed certificate

Please, change the answer in the Do you use EV certificates as embedded certificates in the SHIM? question from Yes to No and update the tags - again. I wish I spotted it earlier, so I could spare you the current work time.

@amzdev0401
Copy link
Author

@aronowski

I have corrected the README.file and recreated the release build (v1.0.4) with the updated file.
We would like to appreciate your quick and prompt response in this SHIM review process. Thank you so much.

@aronowski
Copy link
Collaborator

@amzdev0401, thank you.

Now, there's also the thing that the AmZetta-shim-x86_64-20231224 tag refers to the earlier commit (c2fd3f08ac19f33327e6ac7343899fd618754352).

If you want, you can locally delete the earlier one, then tag the 2ef23b704bdb4a7f5a0c12e0d6225b3f7188a410 commit as AmZetta-shim-x86_64-20231224 and then push the changes.

Once this is done, please ping me.

@amzdev0401
Copy link
Author

@aronowski

I have created the new tag AmZetta-shim-x86_64-20231225 from AmZetta-shim-x86_64-20231224 tag to avoid a commit version mismatch.

The new release version is v1.0.5.
Thank you so much.

@aronowski
Copy link
Collaborator

@amzdev0401, the tag is now OK. Thank you.

The application now seems alright to me. Please, ping other reviewers from the committee and ask that the application be reviewed by them too.

Though I can't guarantee, when another review will be written. I can't speak for other reviewers and their situations - I wrote a proposal on writing a document, which may clarify that this is all volunteer work here, but historically I myself was being less active due to life situations, which resulted in lack of sleep and free time.

I wish you that the next review happens sooner than later.

@aronowski aronowski added extra review wanted and removed question Reviewer(s) waiting on response labels Dec 25, 2023
@aronowski aronowski removed their assignment Dec 25, 2023
@amzdev0401
Copy link
Author

@aronowski can you please assign someone for extra review, we have been waiting for so long time for this SHIM approval.

@aronowski
Copy link
Collaborator

we have been waiting for so long time for this SHIM approval

I know that feeling.

can you please assign someone for extra review

Yes, since there was no pinging as I suggested, I'll just do the assignment. However, in the meantime shim 15.8 got released and the application shall be updated, since I got a tip that shims 15.7 won't be accepted by Microsoft anymore - you can reuse this GitHub issue, only updating the binaries, the application document and pushing the new tag - mention me, once this happens, so I'll prioritize this GitHub issue.

@aronowski aronowski added the question Reviewer(s) waiting on response label Feb 15, 2024
@dennis-tseng99
Copy link
Collaborator

@ dennis-tseng99 Can you please review our shim too?

Sorry for losing your message due to being busy for company project. I'll do it asap. But will you still need shim-15.7 rather than shim-15.8 ? Anyway, I'll assume 15.7 is what you need.

@amzdev0401
Copy link
Author

@dennis-tseng99 @aronowski @THS-on

Since, 15.7 is not accepted by Microsoft, I will re-submit the 15.8 SHIM in the same GitHub issue as soon as possible.
Please help me with this SHIM review process, I will update the SHIM 15.8 in a day or two.

Thank you

@amzdev0401
Copy link
Author

@dennis-tseng99 @aronowski @THS-on

I have resubmitted the latest SHIM 15.8. I kindly request you to review this new SHIM submission.
'#383'

@aronowski aronowski added the superseded Vendor has added a new review which makes this obsolete label Feb 20, 2024
@aronowski
Copy link
Collaborator

Superseded by #383, will review that one ASAP.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
new vendor This is a new vendor question Reviewer(s) waiting on response superseded Vendor has added a new review which makes this obsolete
Projects
None yet
Development

No branches or pull requests

6 participants