Closed eabdullin1 closed 4 months ago
Contacts verified previously
As good as the application for x86_64: https://github.com/rhboot/shim-review/issues/407
The binary seems alright and the checksum matches the rebuilt one (Took me 32m29.073s to rebuild due to architectural differences ;-)). One more positive review (may be from a non-accredited reviewer) and it can be accepted.
Binaries are finally producible in an aarch64 environment.
Step 17/17 : RUN sha256sum /usr/share/shim/15.8-2.el8.alma.1/aa64/shimaa64.efi /shimaa64.efi
 ---> Running in b751a2017d14
1b3142f0c76df4942088fda2b2e4693d3d727893db2a7aaf5eb6fcefaec51b7a  /usr/share/shim/15.8-2.el8.alma.1/aa64/shimaa64.efi
1b3142f0c76df4942088fda2b2e4693d3d727893db2a7aaf5eb6fcefaec51b7a  /shimaa64.efi
Removing intermediate container b751a2017d14
 ---> 98404190d868
Successfully built 98404190d868
Hash value matches (ok)
$ sha256sum shimaa64.efi
1b3142f0c76df4942088fda2b2e4693d3d727893db2a7aaf5eb6fcefaec51b7a  shimaa64.efi
NX flag is disabled: (ok)
[method-1]
objdump -x shimaa64.efi | grep -E 'Sec
objdump: shimaa64.efi: file format not recognized
[method-2]
hexdump -n 0x0120 -C shimaa64.efi
00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 |................|
00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
00000080 50 45 00 00 64 aa 0a 00 00 00 00 00 00 c8 0c 00 |PE..d...........|
00000090 a2 11 00 00 f0 00 06 02 0b 02 02 26 00 80 06 00 |...........&....|
000000a0 00 44 06 00 00 00 00 00 00 e0 01 00 00 e0 01 00 |.D..............|
000000b0 00 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 80 0d 00 00 04 00 00 af 85 0f 00 0a 00 00 00 |................| <-- DllCharacteristics=0x0000 (last 2 bytes)
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
sbat seems fine
shim:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.almalinux,3,AlmaLinux,shim,15.8,security@almalinux.org
grub2: NTFS module is not included.
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-156.el8,mailto:secalert@redhat.com
grub.almalinux,2,AlmaLinux,grub2,2.02-156.el8.alma.1,mail:security@almalinux.org
NTFS module is not included, but you answered "Yes" in your questionnaire:
Do you have fixes for all the following GRUB2 CVEs applied?
.........
October 2023 - NTFS vulnerabilities
Details: https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html, SBAT increase to 4
CVE-2023-4693
CVE-2023-4692
- Certificate Validity: 10 years is ok, but NIST deems RSA 2048 sufficient until 2030. hmm...
openssl x509 -in almalinux-sb-cert-3.der -inform der -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c3:8b:43:54:da:0e:40:94:87:23:0d:e7:64:25:6a:db
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: emailAddress = security@almalinux.org, O = AlmaLinux OS Foundation, CN = AlmaLinux Secure Boot CA
        Validity
            Not Before: Mar 14 01:51:13 2024 GMT
            Not After : Mar 14 01:51:13 2034 GMT
        Subject: emailAddress = security@almalinux.org, O = AlmaLinux OS Foundation, CN = AlmaLinux Secure Boot CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b0:c0:a1:22:01:fa:bd:f1:33:f7:83:f4:76:d9:
                    eb:20:94:77:e0:a6:3d:87:b1:7a:1f:b4:53:a1:8a:
...
- Conclusion:
Everything seems all right except some minor concerns. But that is ok at this stage. Let's accept it.
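The reviewer's "method-2" above reads DllCharacteristics straight out of the hexdump because the host's objdump did not recognise the aarch64 PE image. The following script, added here as an example and not part of the review or of the shim project, automates that same walk (MZ header, e_lfanew at 0x3c, "PE\0\0", 20-byte COFF header, optional header) and reports whether IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) is set. On the dump quoted above, e_lfanew is 0x80, the optional-header magic at 0x98 is 0x20b (PE32+), so DllCharacteristics lands at 0x98 + 70 = 0xde, the "last 2 bytes" the reviewer annotated. The `build_header` helper fabricates a minimal, constructed header for offline testing; `check_file` and the sample values it is fed are assumptions of this example.

```python
"""Read DllCharacteristics from a PE32/PE32+ image without a cross toolchain."""
import struct
import sys

# Values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_SIZE = 20
# DllCharacteristics sits at the same offset inside the optional header for
# PE32 and PE32+: PE32+ drops BaseOfData (4 bytes) and widens ImageBase
# (4 -> 8 bytes), so the fields after ImageBase do not shift.
DLL_CHARACTERISTICS_OFFSET = 70


def read_dll_characteristics(image: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE -> COFF -> optional header and return the
    machine type, optional-header magic and the DllCharacteristics flags."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, _stamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, coff
    )
    if opt_size < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError(f"optional header too small ({opt_size} bytes)")
    opt = coff + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dllchar = struct.unpack_from("<H", image, opt + DLL_CHARACTERISTICS_OFFSET)[0]
    return {
        "machine": machine,
        "magic": magic,
        "dll_characteristics": dllchar,
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_header(machine: int, magic: int, dll_characteristics: int) -> bytes:
    """Constructed, headers-only PE image for offline testing (not a real binary).
    Layout mirrors the reviewer's dump: e_lfanew = 0x80, COFF Characteristics 0x0206."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0206)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Assumed helper: parse a PE file from disk."""
    with open(path, "rb") as f:
        return read_dll_characteristics(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        info = check_file(sys.argv[1])
    else:  # no path given: demonstrate on the constructed ARM64 header
        info = read_dll_characteristics(
            build_header(IMAGE_FILE_MACHINE_ARM64, PE32PLUS_MAGIC, 0x0000)
        )
    print(
        f"machine=0x{info['machine']:04x} magic=0x{info['magic']:x} "
        f"DllCharacteristics=0x{info['dll_characteristics']:04x} "
        f"NX_COMPAT={'set' if info['nx_compat'] else 'clear'}"
    )
```

Run it as `python3 pe_nx.py shimaa64.efi`; for the binary in this review the parser should report magic 0x20b and DllCharacteristics 0x0000, i.e. NX_COMPAT clear, matching the reviewer's annotation.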
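The SBAT concern above (grub at generation 3 while the October 2023 NTFS fix the questionnaire claims to carry calls for generation 4) is a mechanical check. The script below, added here as an example and not part of the review or of either project, parses an SBAT CSV section into its six fields and compares each component's generation against a required minimum. The sample text is a constructed copy of the grub2 SBAT data quoted in the review; the `required` mapping is an assumption of this example, standing in for whatever policy the reviewer applies.

```python
"""Parse an SBAT CSV section and flag components below a required generation."""
import csv
import io

# Constructed sample, copied from the grub2 SBAT section quoted in the review.
GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/\n"
    "grub.rh,2,Red Hat,grub2,2.02-156.el8,mailto:secalert@redhat.com\n"
    "grub.almalinux,2,AlmaLinux,grub2,2.02-156.el8.alma.1,mail:security@almalinux.org\n"
)

# Field layout of one SBAT record.
FIELDS = ("component", "generation", "vendor", "package", "version", "url")

# Assumed policy for this example: the NTFS advisory cited in the review
# raised the grub generation to 4.
REQUIRED_AFTER_NTFS_FIX = {"sbat": 1, "grub": 4}


def parse_sbat(text: str) -> dict:
    """Return {component: record} in file order, validating shape as we go."""
    entries = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue  # tolerate blank lines / trailing newline
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        entry = dict(zip(FIELDS, row))
        try:
            entry["generation"] = int(entry["generation"])
        except ValueError:
            raise ValueError(
                f"line {lineno}: generation {entry['generation']!r} is not an integer"
            ) from None
        if entry["component"] in entries:
            raise ValueError(f"line {lineno}: duplicate component {entry['component']}")
        entries[entry["component"]] = entry
    # The section must open with the sbat,1 self-describing header record.
    if not entries or next(iter(entries)) != "sbat":
        raise ValueError("first SBAT record must be the 'sbat' header")
    return entries


def check_generations(text: str, required: dict) -> list:
    """Compare parsed generations to the required minimums; return problems."""
    entries = parse_sbat(text)
    problems = []
    for component, min_gen in required.items():
        if component not in entries:
            problems.append(f"{component}: no SBAT entry")
            continue
        gen = entries[component]["generation"]
        if gen < min_gen:
            problems.append(f"{component}: generation {gen} below required {min_gen}")
    return problems


if __name__ == "__main__":
    for problem in check_generations(GRUB_SBAT, REQUIRED_AFTER_NTFS_FIX) or ["sbat generations ok"]:
        print(problem)
```

Fed the review's grub2 SBAT, the check reports "grub: generation 3 below required 4", which is exactly the mismatch between the questionnaire answer and the shipped SBAT that the reviewer points out. To run it against a real binary, dump the .sbat section first (for example with `objcopy -O binary --only-section=.sbat`) and pass its contents to `check_generations`.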
@dennis-tseng99 @aronowski thank you so much for the quick review.
Signed by Microsoft.
Submission ID: 13945420415662615
Closing. Thanks everyone.
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/AlmaLinux/shim-review/tree/almalinux-8-shim-aarch64-20240718
What is the SHA256 hash of your final SHIM binary?
What is the link to your previous shim review request (if any, otherwise N/A)?
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?