rhboot / shim-review

Reviews of shim

Shim 15.8 for ZeeOS (x86_64) #441

Open zeetim opened 3 weeks ago

zeetim commented 3 weeks ago

Confirm the following are included in your repo, checking each box:


What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/zeetim/shim-review/tree/zeetim-shim-x64-20240906


What is the SHA256 hash of your final SHIM binary?


26cb646f44e7592bfce836206f2dc81f9aa80b7cdcbd1b440e5b2e49e4962a6f shimx64.efi


What is the link to your previous shim review request (if any, otherwise N/A)?


N/A. This is our first application.


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


N/A. This is our first application.

steve-mcintyre commented 2 weeks ago

Contact verification emails sent

Kal42 commented 2 weeks ago

Hi,

Verification for damien.lanson@zeetim.com:

eunuchs drowned milkier awkwardness dilute coiffuring deserve similarities lingoes trotters

zeetim commented 2 weeks ago

Hello, Contact verification for sabir.tapory@zeetim.com: mulishness Ewing furnish calamity emblems remounts infinitesimals Swansea fusing protrusion

evilteq commented 5 days ago

Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ?

zeetim commented 4 days ago

> Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ?

We are using a different keypair to sign kernel modules. Vendor keypair included in shim image is only used to sign mokmanager (mmx64.efi), fallback (fbx64.efi), grub (grubx64.efi) and kernel image (bzImage).

evilteq commented 4 days ago

And that key is unique for each release (ephemeral) or is it fixed?

zeetim commented 4 days ago

> And that key is unique for each release (ephemeral) or is it fixed?

The key is unique for each release.

evilteq commented 1 day ago

Shim is pretty much by the book, only one patch to make it NX and non-NX (only the NX is used). Reproduced it with the same sha256.

Certificate inside is valid for 30 years, 4K, key inside a YubiKey, these details: Subject: C = FR, ST = Ile-de-France, L = Vitry-Sur-Seine, O = ZEETIM SAS, OU = ZEETIM SAS CERTIFICATE AUTHORITY, CN = ZEETIM SAS ROOT CA

Grub has many patches, but all known. (I found them exactly in the Ubuntu sources).

I guess there is a mistake in the grub .sbat as it says 2.06 version, then states to be 2.12. I guess it's just forgotten to add the new one for this review?

Looks good to me!
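The .sbat version inconsistency raised in the review above, as an added example that is not part of this thread or of the shim-review repository: a small checker that parses an SBAT section (the six-field CSV layout documented in rhboot/shim's SBAT.md) and flags a vendor entry whose version does not line up with the upstream entry for the same component. The sample section, the vendor component name `grub.zeeos` and the placeholder URL are constructed for the example.

```python
"""Consistency check for the version fields of a grub .sbat section.

Constructed example, not the submitter's or shim-review's code. The sample
section below is made up to mirror the mismatch noted in the review: the
upstream 'grub' entry says one version, the vendor entry another.
"""
import csv
import io

# Constructed sample .sbat content, in the form you would get from e.g.
#   objcopy -O binary --only-section=.sbat grubx64.efi /dev/stdout
SAMPLE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.zeeos,1,ZeeOS,grub2,2.06,https://example.invalid/placeholder-url
"""

# Field order of one SBAT entry (assumption: as described in SBAT.md).
FIELDS = ("component", "generation", "vendor", "package", "version", "url")


def parse_sbat(text):
    """Return one dict per SBAT entry; reject rows with the wrong arity."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"malformed SBAT row: {row!r}")
        entries.append(dict(zip(FIELDS, row)))
    return entries


def find_version_mismatches(entries):
    """Pair each vendor entry ('X.vendor') with its upstream entry ('X')
    and report (vendor component, vendor version, upstream version) when
    the vendor version does not start with the upstream version.

    Prefix comparison is used because vendor versions commonly carry a
    packaging suffix such as '2.12-1vendor1'."""
    by_component = {e["component"]: e for e in entries}
    problems = []
    for e in entries:
        base, dot, _ = e["component"].partition(".")
        if not dot or base not in by_component:
            continue
        upstream = by_component[base]["version"]
        if not e["version"].startswith(upstream):
            problems.append((e["component"], e["version"], upstream))
    return problems
```

Running `find_version_mismatches(parse_sbat(SAMPLE_SBAT))` on the constructed section reports the `grub.zeeos` entry as 2.06 against upstream 2.12; a reviewer would want that list empty before signing.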