Open zeetim opened 3 weeks ago
Contact verification emails sent
Hi,
Verification for damien.lanson@zeetim.com :
eunuchs drowned milkier awkwardness dilute coiffuring deserve similarities lingoes trotters
Hello,
Contact verification for sabir.tapory@zeetim.com:
mulishness Ewing furnish calamity emblems remounts infinitesimals Swansea fusing protrusion
Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ?
Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ?
We are using a different keypair to sign kernel modules. Vendor keypair included in shim image is only used to sign mokmanager (mmx64.efi), fallback (fbx64.efi), grub (grubx64.efi) and kernel image (bzImage).
And that key is unique for each release (ephemeral) or is it fixed?
And that key is unique for each release (ephemeral) or is it fixed?
The key is unique for each release
Shim is pretty much by the book, only one patch to make it NX and non-NX (only the the NX is used). Reproduced it with the same sha256.
Certificate inside is valid for 30 years, 4K, key inside a yubike, these details:
Subject: C = FR, ST = Ile-de-France, L = Vitry-Sur-Seine, O = ZEETIM SAS, OU = ZEETIM SAS CERTIFICATE AUTHORITY, CN = ZEETIM SAS ROOT CA
Grub has many patches, but all known. (I found them exactly in the ubuntu sources).
I guess there is a mistake in the grub .sbat as it says 2.06 version, then states to be 2.12. I guess its just forgotten to add the new one for this review?
Looks good to me!
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/zeetim/shim-review/tree/zeetim-shim-x64-20240906
What is the SHA256 hash of your final SHIM binary?
26cb646f44e7592bfce836206f2dc81f9aa80b7cdcbd1b440e5b2e49e4962a6f shimx64.efi
What is the link to your previous shim review request (if any, otherwise N/A)?
N/A. This is our first application
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?
N/A. This is our first application