Debian GNU/Linux 11 (bullseye) shim-15.8-1 x64 and ia32

[steve-mcintyre]

Confirm the following are included in your repo, checking each box:

• [x] completed README.md file with the necessary information
• [x] shim.efi to be signed
• [x] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• [x] binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• [x] any extra patches to shim via your own git tree or as files
• [x] any extra patches to grub via your own git tree or as files
• [x] build logs
• [x] a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

• https://github.com/steve-mcintyre/shim-review/tree/debian-11-shim-amd64-20240512 for amd64
• https://github.com/steve-mcintyre/shim-review/tree/debian-11-shim-i386-20240512 for i386

The latter simply includes a change to the Dockerfile to request an i386 Docker image for building.

---

What is the SHA256 hash of your final SHIM binary?

---

1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  shimia32.efi
bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

https://github.com/rhboot/shim-review/issues/315 is the last successful shim review. This review is almost identical to the review for Debian 13 at https://github.com/rhboot/shim-review/issues/415 .

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

Pass - we've been submitting shims for years!

[THS-on]

Review for debian-11-shim-amd64-2024051 and debian-11-shim-i386-20240512

Note because this is similar to https://github.com/rhboot/shim-review/issues/415 I'm just reviewing the differences.

Shim

• Based on 15.8 and includes same revocation patches as in #415
• NX bit is disabled

• Builds are reproducible

  #24 0.410 bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  /shim/shimx64.efi
  #24 0.418 bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  /shim-review/shimx64.efi
  #24 0.400 1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  /shim/shimia32.efi
  #24 0.406 1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  /shim-review/shimia32.efi

  GRUB2 and fwupd

• Based on 2.06
• Module list ok
• Includes NTFS module
  • CVE patches are included
  • SBAT is set to 4
• Note comment from #416

Linux

• Based on 5.10.216
• Has the usual lockdown patches
• No ephemeral key signing used (still ok)

LGTM!

[SherifNagy]

Review of debian-11-shim-amd64-20240512 and debian-11-shim-i386-20240512

• Debian is very well known big time distro
• Security contacts looks good, didn't change
• Keys are stored in HSM and kernel using in-built ephemeral keys

Shim

• Uses upstream 15.8

• SBAT entries from shim looks fine shim,4

• Vendor SBAT entry is at 1

• patches looks fine and cherry picked from upstream

• Binaries are reproducible using the container file provided

  STEP 23/23: RUN sha256sum /shim/shim*.efi /shim-review/$(basename /shim/shim*.efi)
  1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  /shim/shimia32.efi
  1a0ccc0027b7a837b4d5832798e11d3f5ea28c2879d0fe3e5d4b2f8957e2cc16  /shim-review/shimia32.efi

  STEP 23/23: RUN sha256sum /shim/shim*.efi /shim-review/$(basename /shim/shim*.efi)
  bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  /shim/shimx64.efi
  bb87128d3a07a08993ac491d4fa256a83fed4ab9899ead7255912435ad455190  /shim-review/shimx64.efi

• NX flag is not set, because the chain is not yet ready

• Self signed 2048 bit cert and valid for 22 years

GRUB2

• SBAT looks fine, vendor is at grub.debian,4
• NTFS patches are in place
• Module list sound fine

Kernel

• No ephemeral keys are used for signing kernel modules yet for this release
• Lockdown patches are included
• UKI's isn't provided

LGTM ! @THS-on Lets accept this one as well?

[steve-mcintyre]

We have signed shims now, closing.