Shim 15.8 for Proxmox Bookworm-based

[Fabian-Gruenbichler]

Confirm the following are included in your repo, checking each box:

• [x] completed README.md file with the necessary information
• [x] shim.efi to be signed
• [x] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• [x] binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• [x] any extra patches to shim via your own git tree or as files
• [x] any extra patches to grub via your own git tree or as files
• [x] build logs
• [x] a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/Fabian-Gruenbichler/shim-review/tree/proxmox-shim-15.8-amd64-20240507

---

What is the SHA256 hash of your final SHIM binary?

---

9eda051612cf976cb8a41dbdee3487668e9c1007682603beef8f4239b8e7be54 shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

https://github.com/rhboot/shim-review/issues/330

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

https://github.com/rhboot/shim-review/issues/330

[dennis-tseng99]

=== Review for Shim 15.8 for Proxmox Bookworm-based #414 ===

• Binaries are producible by running "docker build ." (Ok)

• hash value is matched: /# sha256sum /efi-boot-shim/shim.efi /shim-review/$(basename /shim/shim.efi) 9eda051612cf976cb8a41dbdee3487668e9c1007682603beef8f4239b8e7be54 /efi-boot-shim/shimx64.efi 9eda051612cf976cb8a41dbdee3487668e9c1007682603beef8f4239b8e7be54 /shim-review/shimx64.efi

• NX is disabled (Ok) /efi-boot-shim# objdump -x shimx64.efi | grep -E 'SectionAlignment|DllCharacteristics' SectionAlignment 00001000 DllCharacteristics 00000000

• sbat of shim (Ok) objcopy --only-section .sbat -O binary shimx64.efi /dev/stdout sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim shim.proxmox,1,Proxmox,shim,15.8,https://git.proxmox.com/?p=efi-boot-shim.git

• sbat of grub2 (Ok) patch for NTFS is included, so bump to 4

• ephemeral key is used. (Good)

• Certificate Validity (Ok) 10 years is good enough + codesign EKU + 4096 bits key size

openssl x509 -in proxmox-uefi-ca.der -inform der -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:5a:3c:bd:e3:65:b7:4a:b3:b7:5e:09:f8:7d:a6:84:40:76:48:d5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AT, ST = Vienna, L = Vienna, O = Proxmox Server Solutions GmbH, CN = Secure Boot CA, emailAddress = office@proxmox.com
        Validity
            Not Before: Mar  6 13:51:34 2023 GMT
            Not After : Mar  3 13:51:34 2033 GMT
        Subject: C = AT, ST = Vienna, L = Vienna, O = Proxmox Server Solutions GmbH, CN = Secure Boot CA, emailAddress = office@proxmox.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:9e:7d:98:ff:20:44:ba:ac:03:a3:f9:dd:e8:f2:
                    d3:03:24:d2:a2:e5:20:2b:43:90:f5:ec:26:88:b8:
                    41:11:e3:94:f1:2b:c5:7b:f9:ce:c6:78:5a:a4:86:
                    d9:b4:3c:11:6f:79:14:07:fc:10:e1:7a:81:ef:86:
                    .............
                    bb:c0:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                Code Signing
        ...........

• comment: To easily find your Dockerfile, please modify the review questionnaire: What is the link to your tag in a repo cloned from rhboot/shim-review? to: https://github.com/Fabian-Gruenbichler/shim-review/tree/proxmox-shim-15.8-amd64-20240507

[Fabian-Gruenbichler]

done the last part, thanks for the fast review!

[THS-on]

Review proxmox-shim-15.8-amd64-20240507

• Submission by Proxmox Server Solutions GmbH
• Builds custom kernel versions
• Has a previous accepted submission
• Security contacts haven't changed

Shim

• Shim is based on 15.8
• Includes Debian patches to revoke peimage < 2 and GRUB2 < 4
• Build is reproducible 9eda051612cf976cb8a41dbdee3487668e9c1007682603beef8f4239b8e7be54
• CA hasn't changed
• SBAT looks fine

GRUB2 and fwupd

• Looks fine GRUB2 based on the Debian bookworm GRUB2
• GRUB2 modules list looks fine
• SBATs looks fine

Kernel

• Based on Ubuntu
• Includes lockdown patches from Ubuntu
• Ephemeral key signing is used
• ZFS kernel module is supported out-of-the-box

Notes and Questions

• I see the warning on Github This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository. Not sure why this is the case, as the branch exists.

Once we figure out why the commit is seemingly not part of the repo, this LGTM.

[Fabian-Gruenbichler]

Once we figure out why the commit is seemingly not part of the repo, this LGTM.

I pushed the tag, but forgot to forward the branch as well. did that now, so the warning is gone :) tag contains are still the same of course.

[THS-on]

It got two positive reviews, marking as accepted. Please help us out by reviewing some of the open submissions. Even when you are not an official reviewer it helps us to get more eyes on the reviews and catch issues earlier.

[Fabian-Gruenbichler]

submitted to Microsoft! thanks a lot :)

[THS-on]

@Fabian-Gruenbichler because your packages are based on Ubuntu or Debian upstreams, can you have a look at the Debian submissions for example as an unofficial reviewer? This would really help us out to keep the review wait time lower.

[Fabian-Gruenbichler]

yes, I have that on my todo list already :+1:

[Fabian-Gruenbichler]

signed shim received!