Shim 15.8 for IGEL OS (x86_64)

[af-kulow]

Confirm the following are included in your repo, checking each box:

• [x] completed README.md file with the necessary information
• [x] shim.efi to be signed
• [x] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• [x] binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• [x] any extra patches to shim via your own git tree
• [x] any extra patches to grub via your own git tree or as files
• [x] build logs
• [x] a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/IGEL-Technology/shim-review/tree/IGEL-shim-x64-20240730-1

EDIT: In the meantime, linux kernel diffs, as well as additional sbat sections were requested in the review (see comments below). We included the information in the following tag of the review: https://github.com/IGEL-Technology/shim-review/releases/tag/IGEL-shim-x64-20240807

---

What is the SHA256 hash of your final SHIM binary?

---

90ce33685c5ac241b582bdf27d0ae872b72263a5ae8271ef7f738bd1d13e8e63 shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

N/A

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

N/A

[steve-mcintyre]

Contact verification mails sent to:

• kulow@igel.com
• christina.mueller@igel.com

[tina-igel]

Contact verification for christina.mueller@igel.com:

seethes demarcating softwood tuning imbecilities perfunctory bobbling voyager Wyoming bulwark

[af-kulow]

contact verification for kulow@igel.com:

tines buttons noiseless atrocity Kempis Versailles forgot gambolled comprises colorfast

[steve-mcintyre]

Contact responses good!

[jclab-joseph]

Review for IGEL-shim-x64-20240730-1

review helper : https://github.com/jclab-joseph/other-shim-reviews/tree/master/20240802-IGEL-shim-x64-20240730-1

shim

• [X] Version : 15.8 (Ref: https://github.com/IGEL-Technology/shim-review/blob/ab2ad0207ddbb93fe915915eb3847ba75af6e0a6/Dockerfile#L10)
• [X] Reproducible (90ce33685c5ac241b582bdf27d0ae872b72263a5ae8271ef7f738bd1d13e8e63 ./build/output/shimx64.efi)
• [X] SBAT of the built file matches the review request
• [X] SBAT entries from shim looks fine : shim.igel,1,Igel,shim,15.8,https://www.igel.com
• NX flag not set

Patches

• 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
• 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
• https://github.com/IGEL-Technology/shim/blob/2eed136ae574185f1ed1fab0babb566bb19de3cb/debian/patches/IGEL-change-default-loader-to-igel.diff : Just changed "grubXXXX.efi" => "igelXXXX.efi"

$ git clone https://github.com/IGEL-Technology/shim.git igel-shim
=> commit id: 2eed136ae574185f1ed1fab0babb566bb19de3cb
$ diff -urN shim-15.8 igel-shim/ | grep -A3 -E "^diff " | grep -v '\.git'

diff -urN shim-15.8/debian/block_signed_deb igel-shim/debian/block_signed_deb
--- shim-15.8/debian/block_signed_deb   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/block_signed_deb   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,73 @@
--
diff -urN shim-15.8/debian/changelog igel-shim/debian/changelog
--- shim-15.8/debian/changelog  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/changelog  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,534 @@
--
diff -urN shim-15.8/debian/check_nx igel-shim/debian/check_nx
--- shim-15.8/debian/check_nx   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/check_nx   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,32 @@
--
diff -urN shim-15.8/debian/control igel-shim/debian/control
--- shim-15.8/debian/control    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/control    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,46 @@
--
diff -urN shim-15.8/debian/copyright igel-shim/debian/copyright
--- shim-15.8/debian/copyright  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/copyright  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,415 @@
--
diff -urN shim-15.8/debian/generate_dbx_list igel-shim/debian/generate_dbx_list
--- shim-15.8/debian/generate_dbx_list  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/generate_dbx_list  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,54 @@
--
diff -urN shim-15.8/debian/igel-dbx.hashes igel-shim/debian/igel-dbx.hashes
--- shim-15.8/debian/igel-dbx.hashes    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/igel-dbx.hashes    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,21 @@
--
diff -urN shim-15.8/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch igel-shim/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
--- shim-15.8/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,42 @@
--
diff -urN shim-15.8/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch igel-shim/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
--- shim-15.8/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,47 @@
--
diff -urN shim-15.8/debian/patches/IGEL-change-default-loader-to-igel.diff igel-shim/debian/patches/IGEL-change-default-loader-to-igel.diff
--- shim-15.8/debian/patches/IGEL-change-default-loader-to-igel.diff    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/patches/IGEL-change-default-loader-to-igel.diff    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,39 @@
--
diff -urN shim-15.8/debian/patches/series igel-shim/debian/patches/series
--- shim-15.8/debian/patches/series 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/patches/series 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,5 @@
--
diff -urN shim-15.8/debian/rules igel-shim/debian/rules
--- shim-15.8/debian/rules  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/rules  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,106 @@
--
diff -urN shim-15.8/debian/salsa-ci.yml igel-shim/debian/salsa-ci.yml
--- shim-15.8/debian/salsa-ci.yml   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/salsa-ci.yml   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,3 @@
--
diff -urN shim-15.8/debian/sbat.debian.csv.in igel-shim/debian/sbat.debian.csv.in
--- shim-15.8/debian/sbat.debian.csv.in 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/sbat.debian.csv.in 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/sbat.igel.csv.in igel-shim/debian/sbat.igel.csv.in
--- shim-15.8/debian/sbat.igel.csv.in   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/sbat.igel.csv.in   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-helpers-amd64-signed-template.lintian-overrides igel-shim/debian/shim-helpers-amd64-signed-template.lintian-overrides
--- shim-15.8/debian/shim-helpers-amd64-signed-template.lintian-overrides   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-helpers-amd64-signed-template.lintian-overrides   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-helpers-arm64-signed-template.lintian-overrides igel-shim/debian/shim-helpers-arm64-signed-template.lintian-overrides
--- shim-15.8/debian/shim-helpers-arm64-signed-template.lintian-overrides   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-helpers-arm64-signed-template.lintian-overrides   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-helpers-i386-signed-template.lintian-overrides igel-shim/debian/shim-helpers-i386-signed-template.lintian-overrides
--- shim-15.8/debian/shim-helpers-i386-signed-template.lintian-overrides    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-helpers-i386-signed-template.lintian-overrides    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-unsigned.dirs igel-shim/debian/shim-unsigned.dirs
--- shim-15.8/debian/shim-unsigned.dirs 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-unsigned.dirs 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-unsigned.install igel-shim/debian/shim-unsigned.install
--- shim-15.8/debian/shim-unsigned.install  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-unsigned.install  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,4 @@
--
diff -urN shim-15.8/debian/signing-template/@final_pkg_name@.postinst.in igel-shim/debian/signing-template/@final_pkg_name@.postinst.in
--- shim-15.8/debian/signing-template/@final_pkg_name@.postinst.in  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/@final_pkg_name@.postinst.in  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,93 @@
--
diff -urN shim-15.8/debian/signing-template/@final_pkg_name@.postrm.in igel-shim/debian/signing-template/@final_pkg_name@.postrm.in
--- shim-15.8/debian/signing-template/@final_pkg_name@.postrm.in    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/@final_pkg_name@.postrm.in    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,57 @@
--
diff -urN shim-15.8/debian/signing-template/README.source igel-shim/debian/signing-template/README.source
--- shim-15.8/debian/signing-template/README.source 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/README.source 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,4 @@
--
diff -urN shim-15.8/debian/signing-template/changelog.in igel-shim/debian/signing-template/changelog.in
--- shim-15.8/debian/signing-template/changelog.in  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/changelog.in  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,11 @@
--
diff -urN shim-15.8/debian/signing-template/compat igel-shim/debian/signing-template/compat
--- shim-15.8/debian/signing-template/compat    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/compat    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/signing-template/control.in igel-shim/debian/signing-template/control.in
--- shim-15.8/debian/signing-template/control.in    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/control.in    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,25 @@
--
diff -urN shim-15.8/debian/signing-template/copyright igel-shim/debian/signing-template/copyright
--- shim-15.8/debian/signing-template/copyright 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/copyright 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,51 @@
--
diff -urN shim-15.8/debian/signing-template/rules igel-shim/debian/signing-template/rules
--- shim-15.8/debian/signing-template/rules 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/rules 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,18 @@
--
diff -urN shim-15.8/debian/signing-template/source/format igel-shim/debian/signing-template/source/format
--- shim-15.8/debian/signing-template/source/format 1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/source/format 2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/signing-template.generate igel-shim/debian/signing-template.generate
--- shim-15.8/debian/signing-template.generate  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template.generate  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,43 @@
--
diff -urN shim-15.8/debian/signing-template.json.in igel-shim/debian/signing-template.json.in
--- shim-15.8/debian/signing-template.json.in   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template.json.in   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,11 @@
--
diff -urN shim-15.8/debian/source/format igel-shim/debian/source/format
--- shim-15.8/debian/source/format  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/source/format  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/source/include-binaries igel-shim/debian/source/include-binaries
--- shim-15.8/debian/source/include-binaries    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/source/include-binaries    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,2 @@
--
diff -urN shim-15.8/debian/tests/01_sanity_tests.py igel-shim/debian/tests/01_sanity_tests.py
--- shim-15.8/debian/tests/01_sanity_tests.py   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/01_sanity_tests.py   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,54 @@
--
diff -urN shim-15.8/debian/tests/05_signature_tests.py igel-shim/debian/tests/05_signature_tests.py
--- shim-15.8/debian/tests/05_signature_tests.py    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/05_signature_tests.py    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,91 @@
--
diff -urN shim-15.8/debian/tests/10_uefi_boot_tests.py igel-shim/debian/tests/10_uefi_boot_tests.py
--- shim-15.8/debian/tests/10_uefi_boot_tests.py    1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/10_uefi_boot_tests.py    2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,51 @@
--
diff -urN shim-15.8/debian/tests/control igel-shim/debian/tests/control
--- shim-15.8/debian/tests/control  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/control  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,47 @@
--
diff -urN shim-15.8/debian/tests/uefi_tests_base.py igel-shim/debian/tests/uefi_tests_base.py
--- shim-15.8/debian/tests/uefi_tests_base.py   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/uefi_tests_base.py   2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,261 @@
--
diff -urN shim-15.8/debian/upstream/metadata igel-shim/debian/upstream/metadata
--- shim-15.8/debian/upstream/metadata  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/upstream/metadata  2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,2 @@
--
diff -urN shim-15.8/debian/upstream/signing-key.asc igel-shim/debian/upstream/signing-key.asc
--- shim-15.8/debian/upstream/signing-key.asc   1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/upstream/signing-key.asc   2024-08-02 15:48:22.095442243 +0900
@@ -0,0 +1,465 @@
--
diff -urN shim-15.8/debian/watch igel-shim/debian/watch
--- shim-15.8/debian/watch  1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/watch  2024-08-02 15:48:22.095442243 +0900
@@ -0,0 +1,5 @@

certificate

---

• Not After: Mar 19 08:55:59 2054 GMT
• self-signed 4096 bit cert and valid for almost 10 years
• [X] The keys are generated on a NitroKey HSM, which is stored in a safe in the company's facility.

NEED MORE CHECKS

• [ ] No exact kernel source. There are additional patches, but I don't know the exact source : https://github.com/IGEL-Technology/shim-review/tree/IGEL-shim-x64-20240730-1#do-you-build-your-signed-kernel-with-additional-local-patches-what-do-they-do

We generally backport fixes and features from development kernels to our LTS kernels. For example, we're currently on 6.6.x but have quite a few backports from 6.8+ We apply various patches to support also the most recent hardware, e.g.

• MeteorLake processor generation
• HP mt645
• Surface tablets We have IGEL OS-specific features in the kernel
• IGEL Flash Driver, a kind of logical volume manager optimized for small flash memory devices providing checksum validation, encryption, etc.

• [ ] No SBAT for all binaries. They use fwupd and grub, but there is no sbat for this. : https://github.com/IGEL-Technology/shim-review/tree/IGEL-shim-x64-20240730-1#do-you-add-a-vendor-specific-sbat-entry-to-the-sbat-section-in-each-binary-that-supports-sbat-metadata--grub2-fwupd-fwupdate-systemd-boot-systemd-stub-shim--all-child-shim-binaries-

[af-kulow]

I will add the SBAT entries of the binaries we boot also in the questionnaire, for quick reference, here they are:

igelx64.efi

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md 
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/ 
grub.debian,4,Debian,grub2,2.06-13+deb12u1,https://tracker.debian.org/pkg/grub2 
grub.igel,4,Igel,grub2,2.06-13+deb12u1igel1721912063,https://www.igel.com 

fwupdx64.efi

sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
fwupd-efi,1,Firmware update daemon,fwupd-efi,1.6,https://github.com/fwupd/fwupd-efi
fwupd-efi.debian,1,Debian,fwupd,1:1.6-1,https://tracker.debian.org/pkg/fwupd

Further, we are preparing the Kernel patches for review.

[af-kulow]

We now have included the patches to the linux kernel as well as the kernel build config in the shim-review repo (linux-patches/). I created a new tag for the updated files as well as the updated, previously stated, sbat sections: https://github.com/IGEL-Technology/shim-review/releases/tag/IGEL-shim-x64-20240807

The source code of the kernel, initramfs et al. is available here for reviewers: https://github.com/IGEL-Technology

[zeetim]

Review of IGEL-shim-x64-20240807

I am not an authorized reviewer but I want to help

• shim sources sha256 sum matches in docker image:

  # sha256sum shim-15.8.tar.bz2 
  a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9  shim-15.8.tar.bz2

• shim patches:

  # diff shim shim-15.8
  Only in shim: .git
  Common subdirectories: shim/.github and shim-15.8/.github
  Common subdirectories: shim/Cryptlib and shim-15.8/Cryptlib
  diff shim/Make.defaults shim-15.8/Make.defaults
  31c31
  < DEFAULT_LOADER        ?= \\\\igel$(ARCH_SUFFIX).efi
  ---
  > DEFAULT_LOADER        ?= \\\\grub$(ARCH_SUFFIX).efi
  Common subdirectories: shim/data and shim-15.8/data
  Only in shim: dbx.esl
  Only in shim: debian
  Common subdirectories: shim/gnu-efi and shim-15.8/gnu-efi
  Common subdirectories: shim/include and shim-15.8/include
  Common subdirectories: shim/lib and shim-15.8/lib
  Only in shim: sbat.igel.csv
  diff shim/shim.h shim-15.8/shim.h
  73c73
  < #define DEFAULT_LOADER L"\\igelx64.efi"
  ---
  > #define DEFAULT_LOADER L"\\grubx64.efi"
  76c76
  < #define DEFAULT_LOADER_CHAR "\\igelx64.efi"
  ---
  > #define DEFAULT_LOADER_CHAR "\\grubx64.efi"
  88c88
  < #define DEFAULT_LOADER L"\\igelia32.efi"
  ---
  > #define DEFAULT_LOADER L"\\grubia32.efi"
  91c91
  < #define DEFAULT_LOADER_CHAR "\\igelia32.efi"
  ---
  > #define DEFAULT_LOADER_CHAR "\\grubia32.efi"
  Common subdirectories: shim/test-data and shim-15.8/test-data

• build is reproducible:

  # sha256sum build/output/shimx64.efi 
  90ce33685c5ac241b582bdf27d0ae872b72263a5ae8271ef7f738bd1d13e8e63  build/output/shimx64.efi

• NX is not set:

  # objdump -x /build/output/shimx64.efi | grep DllCharacteristics
  DllCharacteristics      00000000

• shim sbat looks fine

  # objcopy --only-section .sbat -O binary /build/output/shimx64.efi /dev/stdout
  sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
  shim.igel,1,Igel,shim,15.8,https://www.igel.com

• Certificate:
  • valid for 30 years
  • RSA 4096 bits key
  • Is a CA certificate

    # openssl x509 -noout -inform DER -in igel-uefi-ca.der -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
        0e:88:b9:8d:0b:7e:00:6a:92:9c:9a:be:39:4e:af:54:57:f8:bc:85
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = DE, ST = Bremen, L = Bremen, O = IGEL Technology GmbH, OU = IGEL Technology GmbH Certificate Authority, CN = IGEL Technology GmbH Root CA
    Validity
        Not Before: Mar 26 08:55:59 2024 GMT
        Not After : Mar 19 08:55:59 2054 GMT
    Subject: C = DE, ST = Bremen, L = Bremen, O = IGEL Technology GmbH, OU = IGEL Technology GmbH Certificate Authority, CN = IGEL Technology GmbH Root CA
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)

    ---

    Note:

I think you should split your kernel patch to make things easier to review.