Alpaquita Linux shim-15.8 x64 and aarch64

[akodanev]

Confirm the following are included in your repo, checking each box:

• [x] completed README.md file with the necessary information
• [x] shim.efi to be signed
• [x] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• [x] binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• [x] any extra patches to shim via your own git tree or as files
• [x] any extra patches to grub via your own git tree or as files
• [x] build logs
• [x] a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/akodanev/shim-review/tree/alpaquita-shim-x64-aarch64-20240624

---

What is the SHA256 hash of your final SHIM binary?

---

f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  shimaa64.efi
2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

https://github.com/rhboot/shim-review/issues/325

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

https://github.com/rhboot/shim-review/issues/325#issuecomment-1755613348

[steve-mcintyre]

Contact verification has been done previously, marking as such

[THS-on]

Review for alpaquita-shim-x64-aarch64-20240528

• Require a Shim because they provide custom kernel builds for their Linux distro Alpaquita Linux
• Last review was accepted, but not signed by MS
• Contacts were verified in #325

Shim

• Based 15.8
• SBAT look fine
• No patches
• NX disabled
• CA hasn't changed (2048bit RSA, valid till 2033)
• Build reproducibly using Dockerfile

  #20 0.249 2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  /shim-review/shimx64.efi
  #20 0.252 2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  /pkg/x86_64/boot/efi/EFI/alpaquita/shimx64.efi
  #20 0.460 f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  /shim-review/shimaa64.efi
  #20 0.463 f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  /pkg/aarch64/boot/efi/EFI/alpaquita/shimaa64.efi

Kernel

• Based on 6.1
• Includes lockdown patches and are enabled in config
• ephemeral key signing is used

GRUB

• Based on 2.12-r3
• Includes peimage patches (latest version from Debian) and adds the SBAT entry for that (good)
• Other patches from Alpine look fine (mostly related to configs and not grub itself)
• SBAT looks fine

Notes and questions

• The latest submission template includes now question on how you contributed to the shim review process (https://github.com/rhboot/shim-review/commit/1a54c184c1cb2de610b2598b983031d1b483e6a8). Please add that and continue to contribute to this community effort. Thank you for helping reviewing the Debian submission!
• Are you planning on signing UKIs, systemd-boot or fwupd in the future?

Besides those questions LGTM

[akodanev]

@THS-on thanks for your review!

Last review was accepted, but not signed by MS

It was returned signed by Microsoft some time after the issue was closed. I should have mentioned this in a comment there.

The latest submission template includes now question on how you contributed to the shim review process

Added. The new tag is https://github.com/akodanev/shim-review/tree/alpaquita-shim-x64-aarch64-20240624.

Are you planning on signing UKIs, systemd-boot or fwupd in the future?

There are no plans to sign UKI or systemd-boot. However, we will most likely make the fwupd component available for review in the next shim update.

[THS-on]

@akodanev thanks for the clarifications. LGTM from my side.

[SherifNagy]

Review of alpaquita-shim-x64-aarch64-20240624

• Security contacts looks good, didn't change since last successful submission
• Keys are stored in FIPS HSM

Shim

• Uses upstream 15.8 and source hashes matches original hashes

• SBAT entries from shim looks fine

• No patches added on top of upstream shim

• Vendor SBAT entry is at 1

• Binaries are reproducible using the container image

  --> da351481bf72
  STEP 18/18: RUN for i in x86_64 aarch64; do         case $i in             x86_64) shim_name=shimx64.efi;;             aarch64) shim_name=shimaa64.efi;;         esac;         sha256sum /shim-review/$shim_name /pkg/$i/boot/efi/EFI/alpaquita/$shim_name;         hexdump -Cv /pkg/$i/boot/efi/EFI/alpaquita/$shim_name > build.$i;         hexdump -Cv /shim-review/$shim_name > orig.$i;         diff -u orig.$i build.$i;     done
  2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  /shim-review/shimx64.efi
  2b2f2dada7a8e0060dfbd8d6d4ef926b0d57a49edb8560623091eedcc9f205fd  /pkg/x86_64/boot/efi/EFI/alpaquita/shimx64.efi
  f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  /shim-review/shimaa64.efi
  f83b753616fab1bffa57a1ea446577c1c20e36d0726885ae6f9da035cf12ef9b  /pkg/aarch64/boot/efi/EFI/alpaquita/shimaa64.efi

• NX flag is not set, because the chain is not yet ready

• Self signed 2048 bit cert and valid for almost 9 years

GRUB2

• SBAT looks "mostly" fine
• NTFS module isn't shipped and sbat entry is at grub,4
• Module list looks fine

Kernel

• Ephemeral keys are used for signing kernel modules
• Lockdown patches are included from Debian

Notes

• For your next submission, make sure to include the patch from here https://salsa.debian.org/efi-team/shim/-/blob/master/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch?ref_type=heads since you are shipping peimage, it just good practice
• Regarding grub2 sbat entry, if you are fetching from Alpine, I guess you need to maintain the upstream SBAT entry int your SBAT, @THS-on any thoughts on this?

Other than those few notes, LGTM

[akodanev]

For your next submission, make sure to include the patch from here

OK. I am hoping that this will be the next release of the shim so that the patch will already be there.

Regarding grub2 sbat entry, if you are fetching from Alpine, I guess you need to maintain the upstream SBAT entry int your SBAT

There is none upstream. Maybe it's only helpful if there's more than one such shim/grub based on this Alpine version.

Other than those few notes, LGTM

Thank you @SherifNagy!

[THS-on]

Regarding grub2 sbat entry, if you are fetching from Alpine, I guess you need to maintain the upstream SBAT entry int your SBAT, @THS-on any thoughts on this?

@SherifNagy as mentioned Alpine does not have one. As the current package is mostly vanilla GRUB2 + peimage patches, I'm fine with not having an Alpine specific one.

[THS-on]

marking it as accepted

[akodanev]

The signed binaries received. Closing this as completed.