Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Shim 15.7 for 10ZiG Linux #326

Closed
8 tasks done
ClaudioGranatiero-10zig opened this issue Mar 17, 2023 · 42 comments
Closed
8 tasks done

Shim 15.7 for 10ZiG Linux #326

ClaudioGranatiero-10zig opened this issue Mar 17, 2023 · 42 comments
Labels
accepted Submission is ready for sysdev new vendor This is a new vendor

Comments

@ClaudioGranatiero-10zig
Copy link

ClaudioGranatiero-10zig commented Mar 17, 2023

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/ClaudioGranatiero-10zig/shim-review/tree/10zig-shim-x64-20231120


What is the SHA256 hash of your final SHIM binary?


102a7ba88a13c3bc88cd6d4c30e39d78946c62776779bc228a5d309edb4a84d8


What is the link to your previous shim review request (if any, otherwise N/A)?


N/A

@frozencemetery frozencemetery added new vendor This is a new vendor contact verification needed Contact verification is needed for this review labels Mar 17, 2023
@dennis-tseng99
Copy link
Collaborator

  • I'm not an authorized reviewer. I just wan to help.
  • reproducible is okay:
gcc -std=gnu11 -Og -g3 -Wall -Wextra -Wno-missing-field-initializers -Werror -o post-process-pe /build/shim-15.7/post-process-pe.c
objcopy -D -j .text -j .sdata -j .data -j .data.ident \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame \
        -j .vendor_cert -j .sbat -j .sbatlevel \
        --target efi-app-x86_64 shimx64.so shimx64.efi
./post-process-pe -vv  shimx64.efi
set_dll_characteristics():360: Updating DLL Characteristics from 0x0000 to 0x0100
ms_validation():375: NX-Compat-Flag: PASS
ms_validation():380:   4K-Alignment: PASS
ms_validation():394: Section-Wr-Exe: PASS
fix_checksum():446: Updating checksum from 0x000eb52d to 0x000eb62d
objcopy -D -j .text -j .sdata -j .data \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
        -j .sbatlevel \
        -j .debug_info -j .debug_abbrev -j .debug_aranges \
        -j .debug_line -j .debug_str -j .debug_ranges \
        -j .note.gnu.build-id \
        shimx64.so shimx64.efi.debug
        .......
STEP 17: RUN mkdir /build/output
STEP 18: RUN cp build-x64/shimx64.efi /build/output
STEP 19: RUN cp ${CERT_FILE} /build/output
STEP 20: RUN objdump -s -j .sbatlevel /build/output/shimx64.efi
  • hash value is matched:
cbd7b5b8a73483268102955c28fd467f830cbd0f0b1de92904c90371392daa97
  • sbat for shimx64 seems okay:
Contents of section .sbat:
 d2000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d2010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d2020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d2030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d2040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d2050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d2060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d2070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d2080 696d0a73 68696d2e 31307a69 672c312c  im.shim.10zig,1,
 d2090 31305a69 47205465 63686e6f 6c6f6779  10ZiG Technology
 d20a0 2c736869 6d2c3135 2e372c6d 61696c3a  ,shim,15.7,mail:
 d20b0 73656375 7265626f 6f744031 307a6967  secureboot@10zig
 d20c0 2e636f6d 0a                          .com.
  • Your CA key validity period is 100 years ? Normally, it should be shorter than 10 years. Please correct me if I'm wrong.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:3e:ff:59:28:b2:94:3d:c0:81:9d:05:03:41:83:95:8e:c6:e2:b5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = AZ, L = Phoenix, O = 10ZiG Technology, CN = 10ZiG Technology Secure Boot Signing 2022, emailAddress = [email protected]
        Validity
            Not Before: Dec  1 11:23:20 2022 GMT
            Not After : Nov  7 11:23:20 2122 GMT

@ClaudioGranatiero-10zig
Copy link
Author

Hi Dennis, thanks for your time.
Yes, you're right, usually the validity period is shorter, but since Secure Boot does not consider it, I have taken a conservative position. But if that is beyond the specifications, no problem in changing to a more acceptable value.

@ClaudioGranatiero-10zig
Copy link
Author

Hi all,

I just changed the certificate (as reported by https://github.com/dennis-tseng99), changing the validity from 100 years to 10 years. The new tag is https://github.com/ClaudioGranatiero-10zig/shim-review/tree/10zig-shim-x64-20230328.

If I understood correctly, we need to provide proof of our PGP identity, so we're waiting for a verification message.
Please, let me know if something else is needed to proceed with the review.

Thank you.
Claudio

@ClaudioGranatiero-10zig
Copy link
Author

Hi all,

please, can someone (@dennis-tseng99, maybe) check our contact references, so we can advance on the review queue?
Let me know if something is missing.
Thank you.

@aronowski
Copy link
Collaborator

If I understand correctly, you're using Debian's GRUB2 implementation as well as the mainline 5.15 kernel with only these tweaks:

- support for a specific type of EMMC present in our hardware
- 10ZiG Boot Logo
- lockdown: also lock down previous kgdb use (eadb2f47a3ced5c64b23b90fd2a3463f63726066)

If this is correct, then I'd like to remind that they need to have NX support as issue #307 says.

Debian shall have this in their GRUB2 builds soon so keep an eye out for it, but the mainline kernel 5.15 will need to have an additional patch.

Use the IMAGE_DLL_CHARACTERISTICS_NX_COMPAT definition (or hardcode 0x100) in arch/x86/boot/header.S instead of the 0 in the line with the # DllCharacteristics comment and that should do it.
Reference is here.


Also, I know that there is indeed a demand for the Debian's GRUB2 implementation to support NX and just FYI, I've been asking around, what can be done to speed up the process.

@ClaudioGranatiero-10zig
Copy link
Author

Thank you @aronowski!
Yes, you are correct, these are our patch at the moment. Surely I'll take a look at kernel for implement NX_COMPAT (I was thinking it was already in the mainline). As soon as Debian would support NX in GRUB2, I'll give a try.

@ClaudioGranatiero-10zig
Copy link
Author

Forced NX_COMPAT in kernel 5.15.39:

objdump -x kernel/linux-5.15.39/arch/x86/boot/bzImage |grep DllCharacteristics
DllCharacteristics	00000100

Updated README.md and referenced tag.
Thanks again @aronowski !

@ClaudioGranatiero-10zig
Copy link
Author

@aronowski , do you think a binary-modified GRUB is a viable solution in the meantime? I've found a way to change the DllCharacteristics of GRUB2 from the extern (with this program: https://blog.didierstevens.com/2010/10/17/setdllcharacteristics/).
So I took the GRUB2 binary extracted from Debian Bookworm and executed setdllcharacteristics +n on that.

./setdllcharacteristics +n grubx64.efi
Original DLLCHARACTERISTICS = 0x0000
 DYNAMIC_BASE    = 0
 NX_COMPAT       = 0
 FORCE_INTEGRITY = 0
Updated  DLLCHARACTERISTICS = 0x0100
 DYNAMIC_BASE    = 0
 NX_COMPAT       = 1
 FORCE_INTEGRITY = 0

root@RPOS165:/opt/Linux-16/src/SecureBoot/shim# objdump -x grubx64.efi |grep DllChar
DllCharacteristics	00000100

Do you (or any other reviewer) think that this is acceptable as a temporary solution until Debian implements it natively?

@julian-klode
Copy link
Collaborator

Both the kernel and grub need very substantial patch sets to enable NX support.

@ClaudioGranatiero-10zig
Copy link
Author

@julian-klode , thanks to comment.
So, if I understand, it's not so simple as changing the DllCharacteristics?
Can you please give me some hints on where can I found some informations about all this and go further on?

@aronowski
Copy link
Collaborator

@ClaudioGranatiero-10zig
I think it's best to just wait for Debian's implementation as they know the best, how it should look like from their side, as well as wait for the review's approval.

Debian got their shims signed 2 months ago so the conclusion is that the support needs to be promised to be added in the future.

Or, if that's not acceptable, a permission needs to be obtained from Microsoft like Oracle got in their reviews (1, 2).

@THS-on
Copy link
Collaborator

THS-on commented Sep 29, 2023

You might run into issues with your embedded certificate because:

  • It is not an CA certificate
  • KeyUsage/DigitalSignature and ExtKeyUsage/CodeSigning are not set

Also as already mentioned the validity is rather long. While no component to my knowledge enforces the time validation, can you limit it 20-30 years, which seems to be common.

@THS-on THS-on added the question Reviewer(s) waiting on response label Sep 29, 2023
@ClaudioGranatiero-10zig
Copy link
Author

ClaudioGranatiero-10zig commented Oct 2, 2023

Hi @THS-on, thanks for taking the time to look at our request.
As for you concern about validity, maybe you were looking at the original commit. After an analog observation from @dennis-tseng99 in March we've changed the duration to 10 years, as for https://github.com/ClaudioGranatiero-10zig/shim-review/tree/10zig-shim-x64-20230328. The latest tag https://github.com/ClaudioGranatiero-10zig/shim-review/tree/10zig-shim-x64-20230427 should contain the new certificate.
Concerning the other two observations:

  • CA Certificate vs self signed: do you think it could be useful/required to obtain a full CA certificate? In that case I need to investigate where to buy one and what to ask for.
  • ExtKeyUsage CodeSigning: in my tests I found that when the field "codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2" is used, the SHIM was not valid for my SecureBoot test environments, so I removed it. Is there some guidelines on all this?

Thanks.

@THS-on
Copy link
Collaborator

THS-on commented Oct 2, 2023

@ClaudioGranatiero-10zig indeed the new certificate has a lifetime of 10 years.

Regarding CA certificates) What you refer to are EV certificates. Those are used to prove that your legal entity exists, e.g. for singing software. You'll need one for submitting the shim to MS.
A CA certificate can be used to issue different certificates that then in return can be used for signing the components (e.g. shim, GRUB, kernel). The advantage of that approach is that you can revoke or retire certificates without needing to change the CA certificate embedded in the shim.

How did you generate the certificates? Here is an example OpenSSL configuration that sets the attributes:

[ req ]
default_bits           = 2048
digest                 = sha256
distinguished_name     = req_distinguished_name
days                   = 3650
prompt                 = no
copy_extensions        = copyall

[ req_distinguished_name ]
CN                     = TEST code singing cert

[ cert_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = Digital Signature
extendedKeyUsage       = codeSigning

Now to generate an test key and certificate which is self-signed from that you can use:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -outform DER  -out simple.crt  -extensions cert_ext -config /path/to/conf.cnf 

I've tested a shim + GRUB2 using such a certificate using QEMU and EDK2 and it seems to work fine.

@ClaudioGranatiero-10zig
Copy link
Author

@THS-on thank you for your exposition on certificates, I'm quite new to all this, but I'm trying to learn.
I'll try to recap everything: some months are passed since I worked on all this, so I'll need some time to realloc my current tasks and get back with my mind on this. I'll do some tests as you suggest, and as soon as I have something new, I'll post it here. Thanks again.

By the way, I'm trying to arrange to be in Brusselles for Fosdem in February, hope to see some of you guys there.

@aronowski aronowski mentioned this issue Oct 3, 2023
8 tasks
ClaudioGranatiero-10zig added a commit to ClaudioGranatiero-10zig/shim-review that referenced this issue Oct 6, 2023
rhboot#326 (comment)
as reviewed from https://github.com/THS-on:
- New certificate (CA, keyUsage and extendedKeyUsage)
- smoe updates to Dockerfile

	deleted:    10ZiG_SecureBoot2023.der
	new file:   10ZiG_SecureBootCA_RootCA.der
	modified:   Dockerfile
	modified:   build.log
	modified:   shimx64.efi
@ClaudioGranatiero-10zig
Copy link
Author

Please @THS-on (or everyone else reviewing), take a look at https://github.com/ClaudioGranatiero-10zig/shim-review/tree/10zig-shim-x64-20231006, where I updated the certificate as suggested.
Thanks for your help.

@THS-on
Copy link
Collaborator

THS-on commented Oct 6, 2023

@ClaudioGranatiero-10zig thanks for updating the certificate.

Doing an initial look at the submission, can you explain in more detail why you cannot use the shim + GRUB2 + kernel from another distribution?

  • The custom kernel patches are for the appliances. In this case you can also roll your own Secure Boot chain without the need for a shim.
  • If you don't do anything specific with the kernels (e.g. custom verification keys for EVM, dm-verity etc. and uncommon kernel options) you can use for 3rd party devices a stack from one of the big Linux distributions.

@ClaudioGranatiero-10zig
Copy link
Author

Sure: the reasons for a custom kernel are mainly three:

  1. we need to include some patch for some specific hardware on legacy products;
  2. we are currently using a simple "rootfs in RAM" mechanism, and so we cannot just add every possible module in the rootfs (it will fill the RAM). Hopefully we would change to a more usual and modern "root on physical device" sooner or later, but for now we are stuck on this.
  3. we have two main line of products: the appliance-type (thin client on proprietary hardware) and the generic "install-everywhere" software product (derived from the other one), so we need the best (or the worst, you can say) of the two worlds. For the later (the software solution) we need a generic Secure Boot solution able to install on every customer's hardware, for the first we need custom patches. Sure, we can split the development in two different solutions, but we choose to maintain a single production line for both.

@THS-on
Copy link
Collaborator

THS-on commented Oct 10, 2023

Yeah I think point 3 is the main thing here. There is a trade-off between splitting the products in two and maintaining your own builds of shim, grub and kernel.

@ClaudioGranatiero-10zig
Copy link
Author

Please @THS-on, there's something else I need to answer? I see the tag "question" is still there...

@THS-on THS-on removed the question Reviewer(s) waiting on response label Oct 14, 2023
@THS-on
Copy link
Collaborator

THS-on commented Oct 14, 2023

For now that's all. I'll try to do a full review in the next couple of days.

@THS-on
Copy link
Collaborator

THS-on commented Oct 16, 2023

Review for 10zig-shim-x64-20231006

OK

Questions and issues

  • The certificate only seems to be valid for 1 month now:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6f:1f:bb:03:d6:e6:45:5b:4c:70:d7:b3:34:ac:0d:3f:6f:3b:8c:af
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = AZ, L = Phoenix, O = 10ZiG Technology, CN = 10ZiG Technology Secure Boot CA 2023, emailAddress = [email protected]
        Validity
            Not Before: Oct  5 08:55:17 2023 GMT
            Not After : Nov  4 08:55:17 2023 GMT
        Subject: C = US, ST = AZ, L = Phoenix, O = 10ZiG Technology, CN = 10ZiG Technology Secure Boot CA 2023, emailAddress = [email protected]

Small note that forcing the NX flag on the kernel is likely not sufficient alone. Newer kernels (>=6.2) should have all the required patches.

@ClaudioGranatiero-10zig
Copy link
Author

Hi @THS-on, sorry for the inconvenience regarding the cert's validity, I missed the "-days" parameter on generating the new cert... Amended on the new commit.

Regarding GRUB: as you suggested, I downloaded the package 2.06-13+deb12u1 from debian repositories (http://security.debian.org/debian-security/pool/updates/main/g/grub2/grub-efi-amd64-bin_2.06-13+deb12u1_amd64.deb ): I extracted and signed directly the monolithic binary as is, no need to change modules or recompile, just the binary. I add this to git.
The SBAT is the original one, but here it is:

grubx64.efi: file format pei-x86-64

Contents of section .sbat:
 3ff000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 3ff010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 3ff020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 3ff030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 3ff040 61696e2f 53424154 2e6d640a 67727562  ain/SBAT.md.grub
 3ff050 2c342c46 72656520 536f6674 77617265  ,4,Free Software
 3ff060 20466f75 6e646174 696f6e2c 67727562   Foundation,grub
 3ff070 2c322e30 362c6874 7470733a 2f2f7777  ,2.06,https://ww
 3ff080 772e676e 752e6f72 672f736f 66747761  w.gnu.org/softwa
 3ff090 72652f67 7275622f 0a677275 622e6465  re/grub/.grub.de
 3ff0a0 6269616e 2c342c44 65626961 6e2c6772  bian,4,Debian,gr
 3ff0b0 7562322c 322e3036 2d31332b 64656231  ub2,2.06-13+deb1
 3ff0c0 3275312c 68747470 733a2f2f 74726163  2u1,https://trac
 3ff0d0 6b65722e 64656269 616e2e6f 72672f70  ker.debian.org/p
 3ff0e0 6b672f67 72756232 0a000000 00000000  kg/grub2........

And this is the shimx64 one:

shimx64.efi:     file format pei-x86-64

Contents of section .sbat:
 d2000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d2010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d2020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d2030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d2040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d2050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d2060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d2070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d2080 696d0a73 68696d2e 31307a69 672c312c  im.shim.10zig,1,
 d2090 31305a69 47205465 63686e6f 6c6f6779  10ZiG Technology
 d20a0 2c736869 6d2c3135 2e372c6d 61696c3a  ,shim,15.7,mail:
 d20b0 73656375 7265626f 6f744031 307a6967  secureboot@10zig
 d20c0 2e636f6d 0a                          .com.           

As for the kernel source: at the moment we don't have a public repository for sources, but I think that if it's needed we can arrange something.
The kernel now is the vanilla 6.3.7 with only the already indicated patches applied.

Please, update your review to the latest 10zig-shim-x64-20231017 tag.

Thank you Thore for your time and patience.

@THS-on
Copy link
Collaborator

THS-on commented Oct 29, 2023

  • The expiry date of the certificate is now right, but the certificate is no longer a CA. It seems that you have issued an certificate from that CA and included that:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            7d:10:9d:28:40:31:c8:10:f2:84:00:60:c5:3c:60:51:64:3f:ac:61
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = AZ, L = Phoenix, O = 10ZiG Technology, CN = 10ZiG Technology Secure Boot CA 2023, emailAddress = [email protected]
        Validity
            Not Before: Oct 17 06:18:17 2023 GMT
            Not After : Oct 14 06:18:17 2033 GMT
        Subject: C = US, ST = AZ, L = Phoenix, O = 10ZiG Technology, OU = 10ZiG Technolog RnD, CN = 10ZiG Technology Secure Boot Signing 2023
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a2:e8:d5:aa:f7:ae:1a:8d:cc:a0:3c:4e:01:ed:
                    09:31:7a:11:ba:b9:d4:13:34:c3:20:c3:3a:98:ac:
                    2b:04:10:ae:d7:c7:28:0d:59:de:aa:aa:81:17:a9:
                    68:b6:7c:6e:e9:5a:bb:b7:95:96:94:48:06:e6:9d:
                    89:7d:f5:5d:d8:74:97:f0:5b:f4:94:9b:ed:82:24:
                    5a:8a:69:97:0b:62:2d:1c:4d:bd:5e:37:df:54:33:
                    26:c0:df:76:8e:11:6b:b9:74:9b:ce:cd:ca:3e:db:
                    f5:70:48:41:6b:68:42:1f:a0:7e:fe:af:da:04:3b:
                    50:a3:71:a7:0b:97:ba:c7:73:77:e3:14:df:08:bf:
                    a1:ae:ef:6c:9b:4b:b9:a9:d4:c3:ee:54:13:87:2c:
                    a8:d3:16:05:aa:80:1d:ae:d2:42:65:dc:f2:d2:b6:
                    e6:03:f6:9f:50:b1:04:79:7d:6a:47:53:0c:62:bb:
                    5e:68:3b:86:42:58:68:26:8d:d0:52:27:ad:06:be:
                    90:09:ca:c0:ab:b9:e3:39:99:4f:90:6b:df:14:79:
                    bc:05:66:4d:2d:01:ec:f6:cf:04:0e:40:a6:12:d3:
                    90:bc:7e:f9:d3:78:08:6e:53:8c:92:87:63:0e:f7:
                    2c:95:84:09:3f:42:98:27:fa:79:da:51:51:67:2f:
                    a4:1f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4f:33:b3:1d:20:a0:18:54:41:86:4b:dc:08:1a:5d:d5:b7:38:
        6b:3c:85:64:b9:f3:e9:d9:73:ec:67:e3:96:b4:9d:82:66:98:
        68:19:84:54:3d:57:f8:c9:32:c9:84:a8:6f:25:47:05:61:ec:
        79:7b:a7:1d:ff:72:b3:d9:5a:bf:4f:db:22:2d:c2:85:af:43:
        c4:ad:4e:b4:28:c6:86:ea:02:16:02:3c:3c:c4:8f:68:7e:ca:
        e2:ee:76:b6:88:03:91:48:1b:5c:1e:4b:ea:7a:c0:4b:e6:ef:
        bf:b6:5c:82:04:67:43:1a:28:59:fe:15:c9:ab:a8:16:35:bf:
        77:6b:ed:10:e1:b3:83:88:82:0d:55:64:3a:4e:2a:e9:04:bc:
        13:8a:6e:c2:6d:43:17:02:2d:69:b4:82:47:51:13:7c:f2:83:
        9a:d1:24:88:55:d9:9d:8a:f2:82:e6:3e:22:08:05:bb:27:1d:
        f0:5f:eb:9c:26:ca:18:c9:7f:1d:bc:77:11:88:e8:a2:92:35:
        28:58:52:bc:da:3b:25:b3:2e:54:b1:d8:3f:b5:34:32:4c:57:
        e3:45:64:01:c5:d8:df:ab:89:e2:87:f5:61:cd:19:75:4c:58:
        c2:dd:60:a3:0d:df:5c:d6:8e:fe:0f:f7:dc:46:ca:01:f5:44:
        e4:6f:77:e2
  • Taking GRUB2 binary from another distribution is unusual, but is fine.
  • I don't see the question about how kernel modules are signed answered. Can you add that to the README?
  • If the kernel sources are public, it makes it easier to review and spot issues with the configuration. If you can make them easily public available, it would be nice.
  • New shim is reproducible:
#25 [21/21] RUN sha256sum /build/output/*
#25 0.530 a4b8c08c88bf1efa315907055d083bc4aeda7f40c1e3acdcce50119415ee3ab0  /build/output/10ZiG_SecureBootCA_RootCA.der
#25 0.535 5bf2387d795c896d6b2400b6885e31e978b84897c0330a8082bd2b4d120747fb  /build/output/shimx64.efi
#25 DONE 0.6s

@ClaudioGranatiero-10zig
Copy link
Author

ClaudioGranatiero-10zig commented Oct 30, 2023

Hi @THS-on, thanks for the review.
I added an answer to the question about ephemeral keys in README, I hope it is acceptable.
Corrected the certificate, now it's a CA and the validity is 10 years.
About publishing the kernel sources: we are working on that, we need some days to have all online (our team is splitted between time zones, so I need to wait the Phoenix collegues). Please, refer to tag 10zig-shim-x64-20231030.

@ClaudioGranatiero-10zig
Copy link
Author

I just amended the README.md with the link to our Linux kernel repo (https://github.com/10ZiG-Technology/linux).
Please refer to tag 10zig-shim-x64-20231031.

@ClaudioGranatiero-10zig
Copy link
Author

@THS-on, there is something else I can do to go further on? Thanks.

@THS-on
Copy link
Collaborator

THS-on commented Nov 14, 2023

@ClaudioGranatiero-10zig I'll try to take a closer look hopefully this week again. What you can do is to look at the issues with "extra review wanted" and check their submissions (is the shim reproducible, does the SBAT entries look good, where does the GRUB come from, does the certificate match and how are keys managed etc.).

@ClaudioGranatiero-10zig
Copy link
Author

@THS-on: message received, I'll try to squeeze some review between my "official" tasks.

@THS-on
Copy link
Collaborator

THS-on commented Nov 19, 2023

Review of 10zig-shim-x64-20231031

  • This is the first submission by 10ZiG Technology

  • A shim is wanted to keep to not split the product line and being able to add modifications

  • Security contacts (verification emails are sent):

  • Shim is reproducible using Dockerfile:

HASH

#25 0.396 102a7ba88a13c3bc88cd6d4c30e39d78946c62776779bc228a5d309edb4a84d8  /build/output/shimx64.efi

SBAT

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.10zig,1,10ZiG Technology,shim,15.7,mail:[email protected]
  • SBAT suffix .10zig is fine

  • Shim is based on 15.7 with NX enabled

  • Certificate matches the organisation

    • Subject: C = US, ST = AZ, L = Phoenix, O = 10ZiG Technology, CN = 10ZiG Technology Secure Boot CA 2023, emailAddress = [email protected]
    • Valid till: Oct 27 09:08:49 2033 GMT (10 years, OK)
    • Is CA certificate with code singing attributes set
  • Keys are stored in a HSM

  • GRUB

    • Is the binary from Debian 2.06-13+deb12u1
    • Has all the latest patches and SBAT level 4
  • Linux

    • based on 6.3.7
    • Submissions mentions that the kernel is build with LOCK_DOWN_KERNEL_FORCE_INTEGRITY but entry cannot be found in provided .config file
    • ephemeral key signing for kernel modules is used

Question/Notes

  • Please add the full SBAT entry of the shim to the submission.
  • Note that the idea embedded CA certificate is to then being able to create leaf certificates for singing GRUB2 and Linux. You can for example look at Debian's submissions how they are doing it.
  • How do you make sure to actually build with LOCK_DOWN_KERNEL_FORCE_INTEGRITY always enabled?

@ClaudioGranatiero-10zig
Copy link
Author

Thore, thanks for the updated review.

  1. updated README.md with info about SBAT
  2. thank you, I've already tested in my test environment with a leaf certificate generated from our CA, and it's working good.
  3. the .config we released in the public repo is the actual one for our current production line, not yet ready for Secure Boot (as we lack a signed shim). I just tested it on an internal release in our test environment. As soon as the Secure Boot stack is completed, we will add the option in .config

@ClaudioGranatiero-10zig
Copy link
Author

For my contact verification:

computerization
committing
overstatements
clouded
menus
condemning
semiprofessional
tablespoon
ranked
burger's

@THS-on
Copy link
Collaborator

THS-on commented Nov 20, 2023

Resend contact verification for Kevin Greenway [email protected] with new PGP key (1D7E 0F09 AF6C 117F 9914 BFF3 4AFD D3B9 069C D9C2)

@ClaudioGranatiero-10zig
Copy link
Author

Kevin's verification:

savers
presented
trap's
authorize
spotlessness
characteristic
heuristics
intersession's
mystification
invoice

@THS-on THS-on added extra review wanted and removed contact verification needed Contact verification is needed for this review labels Nov 20, 2023
@ClaudioGranatiero-10zig
Copy link
Author

Please, can some of the peer reviewers take a final look at this issue? We're waiting only for an extra review before we're ready to go... thanks to all for the work already done.

@aronowski
Copy link
Collaborator

@ClaudioGranatiero-10zig, I'll try to write a review this week.

Have been struggling with several personal things, but most of them have been resolved and I should have more time for that.

Thank you for the updates and for helping out with peer-reviewing other applications. I appreciate that.

@aronowski aronowski self-assigned this Dec 5, 2023
@aronowski
Copy link
Collaborator

Review done, checksum matches, seems alright! Accepting.

Thank you for the patience.

@aronowski aronowski added accepted Submission is ready for sysdev and removed extra review wanted labels Dec 5, 2023
@aronowski aronowski removed their assignment Dec 5, 2023
@ClaudioGranatiero-10zig
Copy link
Author

Thank you all for your effort!
I hope to see some of you at FOSDEM in February.

@THS-on
Copy link
Collaborator

THS-on commented Feb 5, 2024

What is the status of this? Did you get a signed shim back or are you creating a new submission for 15.8?

@ClaudioGranatiero-10zig
Copy link
Author

Hi Thore,

not yet uploaded to Microsoft (we're trying to obtain an EV certificate and have a bunch of other priorities). So, I think we'll create a new submission as soon as the EV cert arrives.

@ClaudioGranatiero-10zig
Copy link
Author

New submission created here: #376
Should I close this one?

@THS-on
Copy link
Collaborator

THS-on commented Feb 20, 2024

Yes I'll close this one.

@THS-on THS-on closed this as completed Feb 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
accepted Submission is ready for sysdev new vendor This is a new vendor
Projects
None yet
Development

No branches or pull requests

6 participants