Debian GNU/Linux 12 (bookworm) shim-15.8-1 x64, ia32 and aarch64

[steve-mcintyre]

Confirm the following are included in your repo, checking each box:

• [x] completed README.md file with the necessary information
• [x] shim.efi to be signed
• [x] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• [x] binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• [x] any extra patches to shim via your own git tree or as files
• [x] any extra patches to grub via your own git tree or as files
• [x] build logs
• [x] a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

• https://github.com/steve-mcintyre/shim-review/tree/debian-12-shim-amd64-arm64-20240512 for x64 and aa64
• https://github.com/steve-mcintyre/shim-review/tree/debian-12-shim-i386-20240512 for ia32

The latter simply includes a change to the Dockerfile to request an i386 Docker image for building.

---

What is the SHA256 hash of your final SHIM binary?

---

aacb06df9a9e76cf5c921dcd0833f580d960f6b558d12810b5e97931904866a9  shimaa64.efi
ae5fc6ff75bd454082666c0e0e75ba1a48190c9184c48ac7b7fadf951bc0e466  shimia32.efi
00c236495d21ed36e12da292e58e3163b8b058d8050559d57ecfd93ce8dafe2a  shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

https://github.com/rhboot/shim-review/issues/315 is the last successful shim review. This review is almost identical to the review for Debian 13 at https://github.com/rhboot/shim-review/issues/415 .

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

Pass - we've been submitting shims for years!

[THS-on]

Review of debian-12-shim-amd64-arm64-20240512 and debian-12-shim-i386-20240512

Note because this is similar to #415 I'm just reviewing the differences.

Shim

• Based on 15.8 with added revocations. Same as #415
• NX disabled
• Builds are reproducible

  #24 0.409 00c236495d21ed36e12da292e58e3163b8b058d8050559d57ecfd93ce8dafe2a  /shim/shimx64.efi
  #24 0.424 00c236495d21ed36e12da292e58e3163b8b058d8050559d57ecfd93ce8dafe2a  /shim-review/shimx64.efi
  #24 0.408 ae5fc6ff75bd454082666c0e0e75ba1a48190c9184c48ac7b7fadf951bc0e466  /shim/shimia32.efi
  #24 0.422 ae5fc6ff75bd454082666c0e0e75ba1a48190c9184c48ac7b7fadf951bc0e466  /shim-review/shimia32.efi
  #24 0.621 aacb06df9a9e76cf5c921dcd0833f580d960f6b558d12810b5e97931904866a9  /shim/shimaa64.efi
  #24 0.640 aacb06df9a9e76cf5c921dcd0833f580d960f6b558d12810b5e97931904866a9  /shim-review/shimaa64.efi

GRUB2 and fwupd

• Based on 2.06 + Debian patches
• Includes NTFS module
  • CVE patches are included: https://salsa.debian.org/grub-team/grub/-/commit/279cc2d193c6b9d69a0e486247eb465785fb5718
  • SBAT is set to 4: https://salsa.debian.org/grub-team/grub/-/commit/3fd986ee51242e34b3a8c4011bb7c8d64708438c
  • New module since last submission is luks2 (ok)
  • grub.debian is 4 in Debian 12, but 5 in Debian 13. This is fine, as the bump was because of the peimage CVE. Just something to keep in mind that revoking grub.debian 4 will also revoke the unaffected older GRUB builds that way.
  • fwupd-efi SBAT looks fine

Linux

• Based 6.1.90
• ephemeral key signing not yet used for all kernels (still ok)
• usual lockdown patches

LGTM! Just note the GRUB2 SBAT thing.

[SherifNagy]

Review of debian-12-shim-amd64-arm64-20240512 and debian-12-shim-i386-20240512

• Debian is very well known big time distro
• Security contacts looks good, didn't change
• Keys are stored in HSM and kernel using in-built ephemeral keys

Shim

• Uses upstream 15.8 and source hashes matches original hashes
• SBAT entries from shim looks fine shim,4
• Vendor SBAT entry is at 1
• patches looks fine and cherry picked from upstream
• Binaries are reproducible using the container file provided

  STEP 23/23: RUN sha256sum /shim/shim*.efi /shim-review/$(basename /shim/shim*.efi)
  aacb06df9a9e76cf5c921dcd0833f580d960f6b558d12810b5e97931904866a9  /shim/shimaa64.efi
  aacb06df9a9e76cf5c921dcd0833f580d960f6b558d12810b5e97931904866a9  /shim-review/shimaa64.efi

  STEP 23/23: RUN sha256sum /shim/shim*.efi /shim-review/$(basename /shim/shim*.efi)
  00c236495d21ed36e12da292e58e3163b8b058d8050559d57ecfd93ce8dafe2a  /shim/shimx64.efi
  00c236495d21ed36e12da292e58e3163b8b058d8050559d57ecfd93ce8dafe2a  /shim-review/shimx64.efi

  STEP 23/23: RUN sha256sum /shim/shim*.efi /shim-review/$(basename /shim/shim*.efi)
  ae5fc6ff75bd454082666c0e0e75ba1a48190c9184c48ac7b7fadf951bc0e466  /shim/shimia32.efi
  ae5fc6ff75bd454082666c0e0e75ba1a48190c9184c48ac7b7fadf951bc0e466  /shim-review/shimia32.efi

• NX flag is not set, because the chain is not yet ready
• Self signed 2048 bit cert and valid for 22 years

GRUB2

• SBAT looks fine, vendor is at grub.debian,4
• NTFS patches are in place
• Module list sound fine

Kernel

• Ephemeral keys are used for signing kernel modules
• Lockdown patches are included
• UKI's isn't provided

LGTM ! @THS-on I think we can mark this one as accepted

[steve-mcintyre]

We have signed shims now, closing.