rhboot / shim-review

Reviews of shim

NComputing LEAFOS shim-15.8 x64 #401

Open ncboot opened 4 months ago

ncboot commented 4 months ago

Confirm the following are included in your repo, checking each box:


What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/ncboot/shim-review/tree/ncomputing-shim-x64-20240313


What is the SHA256 hash of your final SHIM binary?


[1075d8cee7fac50c87e3b9b10accaed6eaff7514d09122fd7803ece1e3fcbaa0 shimx64.efi]


What is the link to your previous shim review request (if any, otherwise N/A)?


[https://github.com/rhboot/shim-review/issues/279]

eduardacatrinei commented 3 months ago

Disclaimer: I am not an official reviewer.

```
shimx64.efi: file format pei-x86-64

Contents of section .sbat:
 d3000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d3010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d3020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d3030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d3040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d3050 2c342c55 45464920 7368696d 2c736869  ,4,UEFI shim,shi
 d3060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d3070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d3080 696d0a73 68696d2e 6e636f6d 70757469  im.shim.ncomputi
 d3090 6e672c31 2c4e436f 6d707574 696e6720  ng,1,NComputing 
 d30a0 476c6f62 616c2049 6e632c73 68696d2c  Global Inc,shim,
 d30b0 31352e38 2c6d6169 6c3a7365 63757269  15.8,mail:securi
 d30c0 7479406e 636f6d70 7574696e 672e636f  ty@ncomputing.co
 d30d0 6d0a
```

- Shim .sbatlevel seems OK and there is no binutils bug.

```
$ objdump -s -j .sbatlevel shimx64.efi

shimx64.efi: file format pei-x86-64

Contents of section .sbatlevel:
 86000 00000000 08000000 37000000 73626174  ........7...sbat
 86010 2c312c32 30323330 31323930 300a7368  ,1,2023012900.sh
 86020 696d2c32 0a677275 622c330a 67727562  im,2.grub,3.grub
 86030 2e646562 69616e2c 340a0073 6261742c  .debian,4..sbat,
 86040 312c3230 32343031 30393030 0a736869  1,2024010900.shi
 86050 6d2c340a 67727562 2c330a67 7275622e  m,4.grub,3.grub.
 86060 64656269 616e2c34 0a00               debian,4..
```

- NX compatibility is disabled.

```
$ objdump -p shimx64.efi | grep DllCharacteristics
DllCharacteristics 00000000
```

- Ephemeral key signing is used.
- GRUB doesn't use the NTFS module; however, starting from version 2.12, GRUB has addressed NTFS vulnerabilities identified in October 2023.
`grub modules: all_video boot linux ext2 fat font squash4 part_msdos part_gpt normal`
- GRUB SBAT looks good.

```
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,http://www.gnu.org/software/grub/
grub.ncomputing,1,NComputing Global Inc,grub2,2.12,mail:security@ncomputing.com
```
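
The SBAT checks in the review above can be reproduced by comparing each component generation in a binary's `.sbat` section with the minimum generations in the `.sbatlevel` payloads. This is an added example, not code from the thread or from the shim project; the SBAT strings are transcribed from the output quoted above, `OLD_SHIM_SBAT` is a constructed counter-example, and the function names are hypothetical.

```python
import csv
import io

# SBAT text transcribed from the objdump output quoted in the review above.
SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.ncomputing,1,NComputing Global Inc,shim,15.8,mail:security@ncomputing.com\n"
)
GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,4,Free Software Foundation,grub,2.12,http://www.gnu.org/software/grub/\n"
    "grub.ncomputing,1,NComputing Global Inc,grub2,2.12,mail:security@ncomputing.com\n"
)
# The two payloads visible in the .sbatlevel dump, named here by their datestamp.
LEVEL_2023012900 = "sbat,1,2023012900\nshim,2\ngrub,3\ngrub.debian,4\n"
LEVEL_2024010900 = "sbat,1,2024010900\nshim,4\ngrub,3\ngrub.debian,4\n"
# Constructed counter-example (not from the thread): a shim still at generation 3.
OLD_SHIM_SBAT = SHIM_SBAT.replace("shim,4,UEFI shim", "shim,3,UEFI shim")


def parse_sbat(text):
    """Map component name -> generation for .sbat rows and for level rows."""
    generations = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2:  # skip blank lines
            generations[row[0]] = int(row[1])
    return generations


def revoked_components(binary_sbat, level):
    """Return (component, have, minimum) for each entry below the level's minimum."""
    have = parse_sbat(binary_sbat)
    minimum = parse_sbat(level)
    # Components absent from the level (e.g. grub.ncomputing) are not constrained by it.
    return [(name, have[name], minimum[name])
            for name in sorted(have)
            if name in minimum and have[name] < minimum[name]]


if __name__ == "__main__":
    for label, sbat in [("shim", SHIM_SBAT), ("grub", GRUB_SBAT), ("old shim", OLD_SHIM_SBAT)]:
        for level in (LEVEL_2023012900, LEVEL_2024010900):
            stamp = level.split(",")[2].splitlines()[0]
            print(label, stamp, revoked_components(sbat, level) or "ok")
```
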

ncboot commented 3 months ago

Hi @aronowski Can I ask You to review this submission?

aronowski commented 3 months ago

I'll give it a try, although it's important to note that I'm already preoccupied with other applications, as well as personal things going on in my life.

It's a good thing that there already was an accepted application, making things easier. However, feel free to ping another reviewer if there's no review from me for some time.

ncboot commented 3 months ago

Hello @steve-mcintyre @jsetje @vathpela ! May I kindly ask you to look at this submission?

aronowski commented 3 months ago

Huge thanks to @eduardacatrinei for the review!

The build reproduces, checksum matches, characteristics are OK.

Contacts have been verified as part of application #279 and haven't changed.

The application is very well-written apart from some rendering issues, possibly regarding a different Markdown dialect being used.

Accepting!

ncboot commented 3 months ago

Thank You very much!

ncboot commented 3 months ago

Sorry. Probably I need to reopen and then close after signing by MS?

aronowski commented 3 months ago

On 2024.04.15 01:39:28, ncboot wrote:

> Sorry. Probably I need to reopen and then close after signing by MS?

While I'm not a Microsoft employee and can't speak on behalf of the company, leaving the GitHub issue open should help with organizing things here. After all, we can therefore track these, where people are waiting to receive signed binaries.
