richterger commented 1 month ago

Confirm the following are included in your repo, checking each box:

[x] completed README.md file with the necessary information
[x] shim.efi to be signed
[x] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
[x] binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
[x] any extra patches to shim via your own git tree or as files
[x] any extra patches to grub via your own git tree or as files
[x] build logs
[x] a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/ecos-platypus/shim-review/tree/ECOS_Technology_GmbH-shim-x64-20240528

What is the SHA256 hash of your final SHIM binary?

cfb155df60992a5cee2dff99d75089ee03a578d2d01e7d30b7cf5fc1c67da3b0

What is the link to your previous shim review request (if any, otherwise N/A)?

https://github.com/ecos-platypus/shim-review/tree/ECOS_Technology_GmbH-shim-x64-20220628

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

christoph.stolz@ecos.de is a new contact gerald.richter@ecos.de was already verified in #243 https://github.com/ecos-platypus/shim-review/blob/ECOS_Technology_GmbH-shim-x64-20220628/pgp/gerald.richter.asc

tSU-RooT commented 1 month ago

Disclaimer: I'm not authorized reviewer. I am quite reffering to previous accepted review. https://github.com/rhboot/shim-review/issues/243

Shim

Based on 15.8. https://github.com/ecos-platypus/shim-review/blob/8f5b6286322d46b0c8362d7854e129ee1d795dcf/Dockerfile#L19
shim additional patches are already reviewed in 2022.
Build is reproducible.

NX bit is disabled.

$ objdump -x shimx64.efi   | grep -E 'SectionAlignment|DllCharacteristics'
SectionAlignment    00001000
DllCharacteristics  00000000

Grub2

Gentoo's grub-2.12-r4.ebuild
grub-2.12 is latest version by upstream.
iorw module is removed from previous review.
grub2 additional patches are already reviewed in 2022 too. https://www.gnu.org/software/grub/manual/grub/html_node/UEFI-secure-boot-and-shim.html

New Certificate

Storing in FIPS-140-2 Token is OK.

3-years certificate is OK as I know.

$ openssl x509 -inform der -in ECOS_Technology_GmbH_Code_Sign_24.cer -text -noout
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        06:2f:83:49:c4:5c:13:d4:f2:a7:f6:e1
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R45 EV CodeSigning CA 2020
    Validity
        Not Before: May  1 08:28:50 2024 GMT
        Not After : May  2 08:28:50 2027 GMT
[...]

steve-mcintyre commented 1 month ago

christoph.stolz@ecos.de is a new contact gerald.richter@ecos.de was already verified in https://github.com/rhboot/shim-review/issues/243

Sending verification mail to Christoph now...

stolzchr commented 1 month ago

Contact verification: moisture moors shunt customs camellias sustains pane oyster Hanna maintainer

rhboot / shim-review

Shim 15.8 for ECOS Technology GmbH #423