Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Shim 15.8 for ZeronsoftN (patch added) #433

Open
8 tasks done
joseph-zeronsoftn opened this issue Jul 30, 2024 · 10 comments
Open
8 tasks done

Shim 15.8 for ZeronsoftN (patch added) #433

joseph-zeronsoftn opened this issue Jul 30, 2024 · 10 comments
Assignees
Labels
1 review needed Needs 1 (additional) successful review before being accepted contacts verified OK Contact verification is complete here (or in an earlier submission) question Reviewer(s) waiting on response

Comments

@joseph-zeronsoftn
Copy link

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/zeronsoftn/shim-review/tree/zeronsoftn-shim-x86_64_ia32_aarch64-20240730


What is the SHA256 hash of your final SHIM binary?


43989d3a59ff074ec9013cc000797f2139cf9fa24b30f38fee415d4daa0a41c0  shimaa64.efi
6c0c1b656c382823c9fe37110f0bf484783aa55db380664437654020fa33150b  shimia32.efi
6d47d6e3949084b7a93c4c9332ced82ad58e985ff6431e172af12072ab3d5490  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


#408


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


no changed: #408

REVIEW HELPER

https://github.com/jclab-joseph/other-shim-reviews.git can help you for review.

$ git clone https://github.com/jclab-joseph/other-shim-reviews.git
$ cd other-shim-reviews
$ ./clone.sh https://github.com/zeronsoftn/shim-review/tree/zeronsoftn-shim-x86_64_ia32_aarch64-20240730
@THS-on THS-on added the blocked Blocked on upstream / other project label Jul 30, 2024
@THS-on
Copy link
Collaborator

THS-on commented Jul 30, 2024

This is currently blocked on the patches getting reviewed upstream. I'll try to ping people to have a look at it.

@THS-on THS-on added the contacts verified OK Contact verification is complete here (or in an earlier submission) label Jul 30, 2024
@steve-mcintyre
Copy link
Collaborator

@vathpela could you take a look at the patches here please?

@steve-mcintyre
Copy link
Collaborator

@vathpela ping?

@vathpela
Copy link
Contributor

I don't have a problem with any of these patches.

@steve-mcintyre steve-mcintyre added 2 reviews needed Needs 2 (additional) successful reviews before being accepted Accredited review needed Needs a successful review by an accredited reviewer and removed blocked Blocked on upstream / other project labels Nov 13, 2024
@af-kulow
Copy link

Helper Review for ZeronsoftN shim-x86_64_ia32_aarch64-20240730

Build is reproducible:

Step 18/19 : RUN for name in $(find /work/output/ -type f -name "shim*.efi"); do echo "PESIGN($name): "; pesign --hash --padding --in=$name; echo "SHA256SUM:"; sha256sum $name; echo; done
 ---> Running in 413fa22c1901
PESIGN(/work/output/aarch64/boot/efi/EFI/ZeronsoftN/shimaa64.efi):
hash: 31e4dda42082535ef244918bb3386627f7f6d5fdd6c1eb71e10d6a7b667ff997
SHA256SUM:
43989d3a59ff074ec9013cc000797f2139cf9fa24b30f38fee415d4daa0a41c0  /work/output/aarch64/boot/efi/EFI/ZeronsoftN/shimaa64.efi

PESIGN(/work/output/ia32/boot/efi/EFI/ZeronsoftN/shimia32.efi):
hash: c23c3178cbe4ded0946382826b3314285d26274e781e413deafe528acb57b67d
SHA256SUM:
6c0c1b656c382823c9fe37110f0bf484783aa55db380664437654020fa33150b  /work/output/ia32/boot/efi/EFI/ZeronsoftN/shimia32.efi

PESIGN(/work/output/x86_64/boot/efi/EFI/ZeronsoftN/shimx64.efi):
hash: 497e26d477aa5b8895a47a17357461bab629ae19477baf55ae6847c77bca931a
SHA256SUM:
6d47d6e3949084b7a93c4c9332ced82ad58e985ff6431e172af12072ab3d5490  /work/output/x86_64/boot/efi/EFI/ZeronsoftN/shimx64.efi

Removing intermediate container 413fa22c1901
 ---> b7b090b396a0
Step 19/19 : RUN echo "::review hash-start" &&     for name in $(find /work/output/ -type f -name "shim*.efi"); do sha256sum $name; done &&     echo "::review hash-end"
 ---> Running in cbfa685f1f6a
::review hash-start
43989d3a59ff074ec9013cc000797f2139cf9fa24b30f38fee415d4daa0a41c0  /work/output/aarch64/boot/efi/EFI/ZeronsoftN/shimaa64.efi
6c0c1b656c382823c9fe37110f0bf484783aa55db380664437654020fa33150b  /work/output/ia32/boot/efi/EFI/ZeronsoftN/shimia32.efi
6d47d6e3949084b7a93c4c9332ced82ad58e985ff6431e172af12072ab3d5490  /work/output/x86_64/boot/efi/EFI/ZeronsoftN/shimx64.efi
::review hash-end
Removing intermediate container cbfa685f1f6a
 ---> e44ecafbab20
Successfully built e44ecafbab20

NX is not set:

objdump -x shimx64.efi | grep DllCharacteristics
DllCharacteristics	00000000
objdump -x shimia32.efi | grep DllCharacteristics
DllCharacteristics	00000000
aarch64-linux-gnu-objdump -x shimaa64.efi | grep DllCharacteristics
DllCharacteristics	00000000

SBAT sections:


$ objcopy --only-section .sbat -O binary shimx64.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.zeronsoftn,1,ZeronsoftN,shim,15.8-0zeron2,https://github.com/zeronsoftn/shim-release

$ objcopy --only-section .sbat -O binary shimia32.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.zeronsoftn,1,ZeronsoftN,shim,15.8-0zeron2,https://github.com/zeronsoftn/shim-release

$ aarch64-linux-gnu-objcopy --only-section .sbat -O binary shimaa64.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.zeronsoftn,1,ZeronsoftN,shim,15.8-0zeron2,https://github.com/zeronsoftn/shim-release

matches the section mentioned in the request.

Patch 0004

approved here: #621

UEFI SecureBoot Kernel Lockdown patches - 1 Finding

Found the activated LOCKDOWN config options:

CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y

here: x86_64 config aarch64 config

but this worries me: patch 0008

specifically:

@@ -1388,6 +1389,11 @@ static inline int security_locked_down(e
 {
 	return 0;
 }
+static inline int
+lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+	return -EOPNOTSUPP;
+}

this lock down function looks like a no-op to me.

Kernel upstream looks different, and also includes the function for lockdown in security/lockdown.c. Can you please double check that?

Certficate

$ openssl x509 -noout -inform DER -in vendor_cert.der -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7230298064905535070 (0x64572dc842e37e5e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ZeronsoftN CA, O = ZeronsoftN, C = KR
        Validity
            Not Before: Jun 27 04:35:17 2022 GMT
            Not After : Jun 25 04:35:17 2029 GMT
        Subject: CN = ZeronsoftN Secure Boot Signing (2022), OU = Secure Boot, O = ZeronsoftN, C = KR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
       ...
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            08:16:0B:68:89:6D:A7:F9:3E:81:18:5B:36:F8:7E:6F:47:4B:DE:52
        X509v3 Basic Constraints: critical
            CA:FALSE
  • valid 7 years
  • RSA 2048
  • CA is false.

@jclab-joseph
Copy link

jclab-joseph commented Nov 27, 2024

@af-kulow Thank you for your review.

patch 0008 is same as https://sources.debian.org/src/linux/6.6.13-1~bpo12%2B1/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch/

The dummy function is only for when CONFIG_SECURITY is false.

@af-kulow
Copy link

I see. That was not visible from the patch itself, so I wanted to make sure. No further questions on that then. Thank you for the quick response.

@lorddoskias
Copy link

  • Build is reproducible:
#18 [14/14] RUN echo "::review hash-start" &&     for name in $(find /work/output/ -type f -name "shim*.efi"); do sha256sum $name; done &&     echo "::review hash-end"
#18 0.183 ::review hash-start
#18 0.199 43989d3a59ff074ec9013cc000797f2139cf9fa24b30f38fee415d4daa0a41c0  /work/output/aarch64/boot/efi/EFI/ZeronsoftN/shimaa64.efi
#18 0.201 6c0c1b656c382823c9fe37110f0bf484783aa55db380664437654020fa33150b  /work/output/ia32/boot/efi/EFI/ZeronsoftN/shimia32.efi
#18 0.207 6d47d6e3949084b7a93c4c9332ced82ad58e985ff6431e172af12072ab3d5490  /work/output/x86_64/boot/efi/EFI/ZeronsoftN/shimx64.efi
#18 0.207 ::review hash-end
  • The sources used for building are the upstream 15.8 and the hash inside the docker file is checked against the well-known sha256 sum

  • Certificate seem sane, however the CA flag is indeed not set:

 Issuer: CN = ZeronsoftN CA, O = ZeronsoftN, C = KR
        Validity
            Not Before: Jun 27 04:35:17 2022 GMT
            Not After : Jun 25 04:35:17 2029 GMT
        Subject: CN = ZeronsoftN Secure Boot Signing (2022), OU = Secure Boot, O = ZeronsoftN, C = KR
...
X509v3 Basic Constraints: critical
                CA:FALSE
  • The signing keys are being protected via an HSM
  • sbat for shim/grub/systemd look sane.
  • grub2 modules look sane as well
  • nxcompat is not set:
objdump -x review/shimx64.efi | grep -E 'DllCharacteristics'
DllCharacteristics	00000000

@aronowski
Copy link
Collaborator

Review as per zeronsoftn-shim-x86_64_ia32_aarch64-20240730.


Great job, just as with the earlier application. The patches have been confirmed to be fine as per #433 (comment).

One curiosity I noticed is related to the GRUB2 module list: you don't ship some of the modules from the CD_MODULES list, in particular the peimage one? Why's that? What am I missing here?

@aronowski aronowski self-assigned this Dec 22, 2024
@aronowski aronowski added question Reviewer(s) waiting on response 1 review needed Needs 1 (additional) successful review before being accepted and removed 2 reviews needed Needs 2 (additional) successful reviews before being accepted Accredited review needed Needs a successful review by an accredited reviewer labels Dec 22, 2024
@jclab-joseph
Copy link

@aronowski

https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch

I looked into the patch, but I still don't fully understand the clear differences between peimage and chainload.
peimage seems to simply load by reading the PE structure. How is it related to Secure Boot?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
1 review needed Needs 1 (additional) successful review before being accepted contacts verified OK Contact verification is complete here (or in an earlier submission) question Reviewer(s) waiting on response
Projects
None yet
Development

No branches or pull requests

8 participants