Closed jsegitz closed 3 years ago
steve-mcintyre
commented
3 years ago same questions as on #187:
jsegitz
commented
3 years ago Thank you for the review.
The basic idea of this patch is to make sure that the certificate used is actually intended to be used for code signing. We noticed that while going for the NIAP CC certification. I was under the impression that our shim maintainer sent this to upstream. I'll talk to him about this
As for the CA: It's the same (also the SBAT). I tried to explain that under "What changes were made since your SHIM was last signed?", but the whole questionnaire is targeted towards boothole so that's a bit confusing
jsegitz
commented
3 years ago The patch is upstreamed in https://github.com/rhboot/shim/pull/232, but for now we still carry a slightly different version
jsegitz
commented
3 years ago We have to update our submission to include https://github.com/rhboot/shim/pull/387, will do this in the next hour. Please don't work on this ATM. Sorry for this, but this has real world impact for our customers
jsegitz
commented
3 years ago I updated the submission, new tag is: https://github.com/jsegitz/shim-review/tree/SUSE-openSUSE15.3-shim-20210701
One patch was added (explained in https://github.com/rhboot/shim/pull/387): shim-bsc1187696-avoid-deleting-rt-variables.patch
Readme and issue template are updated in my branch. Expected hashes: pesign --hash --padding --in=usr/share/efi/x86_64/shim-opensuse.efi hash: 8f2dec2046713748a977819950390a46565e635fb1d959b166775037c69d2060 sha256sum usr/share/efi/x86_64/shim-opensuse.efi c3a3fe3a9092dbbebbd36a34dff0fb3bcdaf3e3b4d080709dabaef1e8b282fb9 /shim/usr/share/efi/x86_64/shim-opensuse.efi
jsegitz
commented
3 years ago Any chance to look at this? It's very similar to #187 so once that's accepted only the diff needs to be checked
julian-klode
commented
3 years ago Building now, rest looks good (like #187)
julian-klode
commented
3 years ago shim built reproducibly too, accepted.
jsegitz
commented
3 years ago C
Make sure you have provided the following information:
What organization or people are asking to have this signed:
SUSE, https://suse.com/
What product or service is this for:
openSUSE 15.3
Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.
We use 15.4 shim +
What's the justification that this really does need to be signed for the whole world to be able to boot it:
Major linux distribution
How do you manage and protect the keys used in your SHIM?
The key is installed in a machine with restricted physical and system access. Shim binaries do not include private portions of the key.
Do you use EV certificates as embedded certificates in the SHIM?
Yes
If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
n/a
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?
yes
if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?
yes
"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
We use this pattern: shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-team@suse.de
So for this shim: shim.opensuse,1,The openSUSE project,shim,15.4,mail:security-team@suse.de
Were your old SHIM hashes provided to Microsoft ?
yes
Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?
yes (rotated signing key, old shims are blacklisted)
What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
Upstream grub2 shim_lock verifier or Downstream RHEL/Fedora/Debian/Canonical like implementation ?
Downstream RHEL/Fedora/Debian/Canonical like implementation
What is the origin and full version number of your bootloader (GRUB or other)?
upstream grub-2.04 with patches for all currently discussed security issues
If your SHIM launches any other components, please provide further details on what is launched
it doesn't
If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown
n/a
If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.
We switched to a new certificate after boothole2
How do the launched components prevent execution of unauthenticated code?
GRUB and kernel are patched to enforce Secure Boot.
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
no
What kernel are you using? Which patches does it includes to enforce Secure Boot?
5.3.18 + Module signing / secure boot patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch
Lock down functions for UEFI secure boot patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch
Using the hash in MOKx to blacklist kernel module, FATE#316531 patches.suse/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch patches.suse/0001-efi-add-a-function-to-convert-the-status-code-to-a-s.patch patches.suse/0002-efi-show-error-messages-only-when-loading-certificat.patch patches.suse/0003-MODSIGN-load-blacklist-from-MOKx.patch patches.suse/0004-MODSIGN-checking-the-blacklisted-hash-before-loading.patch
Hibernation Signature Verification FATE#316350 patches.suse/0001-security-create-hidden-area-to-keep-sensitive-data.patch patches.suse/0002-hibernate-avoid-the-data-in-hidden-area-to-be-snapsh.patch patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch patches.suse/0005-efi-generate-secret-key-in-EFI-boot-environment.patch patches.suse/0006-efi-allow-user-to-regenerate-secret-key.patch patches.suse/0007-PM-hibernate-encrypt-hidden-area.patch patches.suse/0008-PM-hibernate-Generate-and-verify-signature-for-snaps.patch patches.suse/0009-PM-hibernate-prevent-EFI-secret-key-to-be-regenerate.patch patches.suse/0010-PM-hibernate-a-option-to-request-that-snapshot-image.patch patches.suse/0011-PM-hibernate-require-hibernate-snapshot-image-to-be-.patch
What changes were made since your SHIM was last signed?
Mainly fixes for shim that causes issues with some firmwares. It's a maintenance release, not a security update
What is the SHA256 hash of your final SHIM binary?
pesign --hash --padding --in=usr/share/efi/x86_64/shim-opensuse.efi hash: 09953fd0439a08244844c9210de513f1d5aafc44ef30103055bd46db31035a6d sha256sum usr/share/efi/x86_64/shim-opensuse.efi 84fc9fb6bb2b30eaa21ed4cb8e2987e6e32f5199fe68ad846813ef74e1a7034f /shim/usr/share/efi/x86_64/shim-opensuse.efi