Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TencentOS Linux 3 shim-15.8 x64, ia32 and aarch64 #440

Open
8 tasks done
costinchen opened this issue Sep 6, 2024 · 31 comments
Open
8 tasks done

TencentOS Linux 3 shim-15.8 x64, ia32 and aarch64 #440

costinchen opened this issue Sep 6, 2024 · 31 comments
Labels
accepted Submission is ready for sysdev contacts verified OK Contact verification is complete here (or in an earlier submission) new vendor This is a new vendor

Comments

@costinchen
Copy link

costinchen commented Sep 6, 2024
edited
Loading

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20250208

What is the SHA256 hash of your final SHIM binary?

ca145c15cd26430dda03c37fc2f079afb7c78b0cd3a15afa55b8e73266d4500b  shimaa64.efi
fab52ed62f16cef5a0b02b3ae985bc5b09f261482417cefed3e84a837c8e9831  shimia32.efi
a5e93e8908195fb79a4c781408193cb7e9128d44e165ae061f07cb66806835d1  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?

N/A, this is our first application.

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

N/A, this is our first application.
@steve-mcintyre steve-mcintyre added the contact verification pending Contact verification emails have been sent, waiting on response label Sep 8, 2024
@steve-mcintyre
Copy link
Collaborator

Contact verification mails sent

@steve-mcintyre steve-mcintyre added the new vendor This is a new vendor label Sep 8, 2024
@costinchen
Copy link
Author

Contact verification mails sent

I got: secures spunkier vasectomies indecipherable uprisings shipboard Nescafe foxtrotting flawed defrays

@PrinterFranklin
Copy link

I got: unhurt recant proxies impeaching uniformed credence kickier Yemenis crates generate

@dbnicholson
Copy link

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20240906

This is intended to be a tag rather than a branch.

@dbnicholson
Copy link

For your CA certificate:

$ openssl x509 -keyform DER -in tencentsecurebootca.der -text -noout 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            57:45:90:d5:87:dd:bb:fe:86:a2:78:e4:f5:d5:22:3a:e5:bf:f2:40
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Validity
            Not Before: Aug 29 09:08:07 2024 GMT
            Not After : Aug 27 09:08:07 2034 GMT
        Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d0:86:82:72:67:2d:43:07:b3:e1:c7:38:07:8f:
                    dd:30:3c:ef:62:1f:cf:c8:e0:f6:78:02:83:40:1c:
                    51:ee:1f:2b:93:29:97:f4:ee:ba:68:18:40:db:55:
                    ff:e7:76:ff:8e:df:77:96:e0:73:67:8e:a9:7a:85:
                    a7:31:7d:8b:c0:86:6a:c8:e8:7d:0c:01:e3:cb:94:
                    dd:ff:42:c8:5b:49:66:3e:87:e4:4b:39:90:48:1a:
                    aa:b7:0b:1e:b2:5a:dd:2c:98:e6:de:7d:f5:16:1e:
                    68:9e:f1:1e:fa:e5:5a:ab:2b:ab:d3:01:19:ef:a1:
                    7b:06:4c:46:82:b8:1f:28:39:7d:6c:16:3f:0d:e7:
                    53:a6:a9:17:13:9a:cb:41:74:6a:20:0a:dd:0c:aa:
                    c9:18:4c:b0:dc:41:42:d2:87:75:5f:a4:b1:26:f5:
                    df:57:ba:fd:54:4f:cd:79:05:f1:3c:03:51:8b:fa:
                    e6:16:08:34:c9:f2:d8:90:86:db:9b:0e:29:81:ae:
                    18:1d:fb:1a:d9:bf:f5:a2:04:b1:ea:15:f0:dd:1b:
                    ab:44:65:d7:bd:27:63:07:e2:b6:e1:ff:eb:38:04:
                    7d:54:4b:ea:10:dc:3f:17:42:59:26:81:b2:06:c0:
                    9f:1f:d0:5d:8c:8a:cc:29:f4:e8:be:20:f5:5c:45:
                    81:a8:65:ac:32:53:23:0b:1f:24:fd:c7:b4:39:7e:
                    56:9b:06:6f:06:01:5d:9d:5a:6c:a6:e2:0b:c6:bc:
                    6e:24:ec:1f:96:cc:bc:69:36:ae:a7:52:11:ac:05:
                    d5:8d:93:0a:d1:d5:ad:0f:92:e5:69:c3:48:56:1a:
                    ca:82:f9:f6:a9:8b:b7:39:9c:46:e2:02:82:19:c7:
                    70:5d:52:22:30:e9:c8:68:74:25:b0:4c:73:9c:da:
                    e9:86:a9:63:fb:82:33:47:16:2d:7d:3c:33:28:7d:
                    0c:33:bd:c4:a3:19:fb:2a:88:7b:e5:32:d5:50:a4:
                    44:58:c6:81:8d:1b:21:3a:fc:22:92:ad:32:db:57:
                    ae:a2:a9:a3:1b:a0:62:ce:e7:cb:1b:35:35:b0:53:
                    01:fa:bd:a9:fc:61:a3:31:7f:4f:b1:d4:61:c6:c0:
                    70:e4:cd:14:cb:57:ca:08:2e:be:f7:42:6c:02:0a:
                    98:77:58:c8:85:bd:e6:5b:86:92:6d:91:8e:a6:07:
                    93:cd:77:a0:5a:d6:4c:ed:19:46:b0:87:38:11:05:
                    b8:60:d9:68:7c:35:85:1e:c5:7e:40:b1:a3:20:7e:
                    c8:0e:c1:eb:01:12:10:2f:c0:f3:4a:f4:b7:b6:7e:
                    69:ce:95:03:92:17:fc:80:e9:fd:f0:7b:25:cc:41:
                    62:c0:e5
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3d:e2:a5:32:26:97:5d:4e:7f:37:2a:e2:77:65:e1:2b:e3:de:
        e3:79:07:28:3b:8b:68:54:9c:07:d6:4f:17:cd:69:7a:ca:8f:
        e4:49:0d:55:55:71:cb:3a:a5:8f:aa:59:05:f0:aa:00:51:06:
        89:11:f2:64:8b:2f:4e:b8:93:55:e2:1d:c4:aa:fe:e2:25:84:
        91:8f:7c:6a:9c:89:2d:f9:ad:76:fb:9b:d0:08:74:54:d0:26:
        0f:08:02:1a:34:c9:f3:a8:8e:cb:f6:89:74:ba:7c:1d:4e:3d:
        cd:56:2b:bc:20:4b:35:3d:85:87:f7:f8:62:89:c0:0f:ef:5e:
        1e:e3:9a:b4:8c:97:3e:04:26:13:b5:76:c8:4f:b4:f4:6d:fe:
        0e:dc:3c:11:04:70:0e:d9:0f:a3:72:53:a1:be:74:d2:27:e7:
        ea:f4:04:be:0c:82:7a:db:d2:88:96:bf:27:ad:c7:d4:b3:e3:
        0c:33:79:93:06:8f:1e:36:2d:2e:74:73:d7:b4:0d:bc:2c:b0:
        0a:cc:bb:8d:e4:9b:55:6e:8b:25:35:e9:b9:48:50:39:1d:f4:
        a3:be:f1:fb:e9:39:f4:aa:d6:b6:9d:c7:2f:1f:5c:76:5a:b5:
        91:80:b6:6c:26:da:b8:7b:db:c0:c9:0d:85:e7:f5:fd:aa:5f:
        91:1d:ee:da:ea:a7:e2:0e:93:fb:4e:1d:4b:15:d3:e0:6e:f9:
        b3:0c:ed:25:38:52:d3:17:76:35:18:49:04:ad:01:fc:12:95:
        b2:73:88:f8:ed:60:c6:a4:70:ba:ae:1d:d4:c5:75:91:9a:49:
        7d:d8:67:0e:21:7f:da:75:f2:0c:9a:67:c8:6e:03:6f:f6:b4:
        63:9a:7e:05:c2:44:d9:dc:a8:ef:92:a0:07:52:cd:c3:91:ab:
        8f:3b:3f:47:93:a6:d0:52:6d:b5:34:7f:2f:e9:64:d9:79:20:
        ef:f3:b4:c6:48:f7:ba:ac:59:5e:4b:5e:bc:ed:70:8b:80:9c:
        63:fe:3d:43:b0:26:36:a0:a0:b3:06:2d:08:66:f0:1d:6b:3a:
        52:0b:79:7d:3c:10:d3:ae:b7:4b:ed:1d:e4:14:db:6d:da:1b:
        0b:df:a3:31:db:2c:17:7c:ca:d3:71:f1:54:4f:08:d0:39:1d:
        99:ab:c6:14:32:4e:aa:b1:a6:15:f4:53:11:37:8a:89:56:8c:
        2e:ab:20:fd:31:ee:0b:58:e5:c9:ce:74:28:2e:3f:14:db:46:
        f1:de:bb:4b:16:66:57:ec:35:9e:1e:34:ce:ef:96:de:0d:3d:
        1a:a7:22:e6:65:5a:09:c1:60:a4:24:85:ff:84:6c:84:17:65:
        8d:15:00:db:af:59:e1:31

This certificate has no X.509v3 extensions. I don't know if I've ever seen that before. At a minimum I'd expect to see the CA:TRUE in basic constraints to indicate this self-signed certificate is a CA certificate. Also, a missing Subject Key Identifier means the chain to the CA can only be formed by looking at the Subject CN, which isn't robust. How did you generate this certificate?

@dbnicholson
Copy link

  • Build is reproducible (sha256sum):
    • shimaa64.efi - 16e1cf3e03d7007b306e730fdc994c1931bba1bfaf3d270ae6b76597bfd6836e
    • shimia32.efi - 6d2af602bbfd8bba63d98aec5449ec87f45d9be9654ec8b835a0a8cddda0916c
    • shimx64.efi - 846799f52f2f310e1969d2a3d421c5d71ca44288530cd5c29f1dee4bfd27a347
  • Revoked certs in dbx - None, first submission
  • Embedded cert is CAish:
    • Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
    • Valid until: Aug 27 09:08:07 2034 GMT (10 years)
    • 4096 bit RSA key
    • Key in HSM
  • NX bit disabled - DllCharacteristics 00000000
  • SBAT sections look reasonable (although the grub vendor label is inconsistent): 
    shim (x86_64/aarch64)
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.tencentos,1,TencentOS Linux 3,shim,15.8,[email protected]

grub2 (x86_64/aarch64)
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-156.tl3.1,mailto:[email protected]
grub.tencentos3,1,TencentOS Linux 3,grub2,2.02,mail:[email protected]

fwupd (x86_64/aarch64)
sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
fwupd-efi,1,Firmware update daemon,fwupd-efi,1.3,https://github.com/fwupd/fwupd-efi
fwupd-efi.rhel,1,Red Hat Enterprise Linux,fwupd,1.7.8,mail:[email protected]
fwupd-efi.tencentos,1,TencentOS Linux 3,fwupd,1.7.8,mail:[email protected]
  • Build uses official shim tarball with no patches.

Issues/questions:

  • See above CA certificate questions about lack of X.509v3 extensions.

@costinchen
Copy link
Author

costinchen commented Sep 12, 2024
edited
Loading

hi, @dbnicholson thanks for your review! and we have made some adjustments for your suggestions.

  • switched the latest commit from a branch to a tag.
  • rebuilt GRUB2 so that the vendor name in its sbat matches shim and fwupd.
  • updated our CA certificate and rebuilt all shim binaries, fixing the missing X.509v3 field in the certificate.

Since we updated our efi files, could you please help us refresh you review? Thanks a lot!

@steve-mcintyre steve-mcintyre added contacts verified OK Contact verification is complete here (or in an earlier submission) and removed contact verification pending Contact verification emails have been sent, waiting on response labels Sep 14, 2024
@steve-mcintyre
Copy link
Collaborator

All contacts verified successfully

@dbnicholson
Copy link

CA certificate looks more like what I'd expect now:

$ openssl x509 -noout -text -inform der -in tencentsecurebootca.der 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:91:b3:b7:fa:a2:ac:2b:c7:e7:2e:fb:a2:70:b4:14:24:5c:83:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Validity
            Not Before: Sep 12 09:01:59 2024 GMT
            Not After : Sep 10 09:01:59 2034 GMT
        Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:dc:a2:3b:f9:cf:85:bd:99:de:cc:36:5c:d3:
                    52:d2:a9:1c:9a:3b:83:8b:eb:11:f5:67:cb:67:ea:
                    13:49:7e:90:ab:36:f1:f7:17:5c:77:f6:d8:42:f1:
                    ed:d8:63:b8:a9:15:ba:a4:0e:cd:94:c9:02:15:61:
                    4b:95:c5:60:b5:fc:4c:0b:d1:8d:f0:1d:8f:0b:9f:
                    b9:13:76:dd:80:ea:68:d2:d1:69:d6:70:f3:ad:6e:
                    9f:e4:65:70:04:01:0e:ce:24:83:c3:18:e5:d3:0e:
                    d4:0a:40:cd:7f:5d:19:c0:bc:1d:d3:d1:4e:3c:06:
                    4a:ba:a0:a9:55:ed:c4:39:99:33:85:b6:9e:72:b0:
                    41:10:bb:4a:70:5c:64:c2:08:9f:7a:13:cc:24:02:
                    11:76:13:21:8c:e1:a9:02:f5:c7:b1:56:c9:da:2b:
                    a1:9d:94:de:53:17:09:64:3d:9a:b9:c7:f5:da:5c:
                    4f:24:b6:e4:86:81:7b:1f:c8:70:d8:44:10:be:80:
                    1e:8b:48:5c:4d:07:aa:39:28:84:21:d4:c5:c2:83:
                    cc:58:fb:af:e1:8c:66:c6:61:ed:d8:97:31:9d:5f:
                    9c:7a:1e:7e:2a:26:51:eb:0e:66:7e:d8:f3:6b:46:
                    b3:f9:c7:9e:d2:83:35:e6:49:8c:da:97:5b:36:b6:
                    f3:5e:73:03:75:ac:92:b4:7e:97:d2:e1:94:6d:bc:
                    e1:cf:9a:bc:77:95:c8:7a:76:3f:61:1a:a3:65:bd:
                    2e:3a:8e:87:b3:94:81:83:79:4b:51:c4:7b:ea:c5:
                    71:30:5e:3e:5c:77:c1:e2:74:48:d0:d0:8e:26:0f:
                    b6:31:0f:93:f4:74:b0:d1:de:7e:64:2c:06:79:ed:
                    81:67:dd:ab:82:c6:1f:91:ae:80:7c:71:43:f6:b6:
                    7f:eb:91:05:a8:10:75:1d:c3:0c:d0:e0:f5:bd:60:
                    60:db:ad:4c:56:5e:cb:8d:02:7d:19:ad:75:0a:34:
                    15:39:b4:00:e4:35:64:fe:73:a2:4b:de:96:a7:14:
                    08:4c:03:d6:0b:89:ee:c7:96:42:b5:44:d7:02:c0:
                    18:69:cf:34:7b:75:e2:9a:13:22:8e:65:29:b2:36:
                    6c:a6:7d:81:51:96:2e:d4:b8:30:78:76:ae:2d:7e:
                    c6:90:f3:8e:8c:33:b9:b8:ec:e8:a9:c3:01:44:52:
                    75:1e:b7:f9:41:d9:68:67:8e:e6:06:8d:9d:74:0d:
                    1e:b9:ae:c2:60:8c:08:fd:12:38:2a:f5:ad:1a:76:
                    6a:bf:88:53:90:0b:ff:f3:5a:ac:9d:78:d1:fc:da:
                    2f:3b:30:56:17:8c:cb:b9:2e:6f:d7:b2:7b:38:9f:
                    65:43:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Authority Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        12:7e:6f:f3:a1:71:92:05:87:04:dd:79:f9:d7:ec:11:3f:c6:
        e6:dc:91:f6:5f:49:70:c7:2f:9b:2f:44:fc:4e:56:5d:09:21:
        2d:2d:19:90:cd:1b:6c:b7:ba:2a:ad:b9:ce:e0:f1:85:67:94:
        c2:08:2b:48:57:4b:4d:62:85:59:9a:93:ce:59:0d:59:57:60:
        66:66:df:75:e9:63:d9:61:90:72:ad:21:e8:98:b5:5e:c6:18:
        b2:6c:bf:56:b6:e7:7b:d2:96:46:33:30:93:50:4f:a0:d7:bf:
        58:24:1c:8e:e6:bd:78:5a:85:d1:a6:0e:40:9a:3a:22:a0:e9:
        2c:b4:b6:53:a0:62:29:ac:8d:b1:c0:4b:13:c2:c2:61:ce:b9:
        53:75:c8:8b:83:49:d8:79:f0:f9:77:f7:7a:43:a0:9e:98:64:
        7b:50:36:8e:fb:ca:59:a1:87:51:f3:41:f7:d4:a8:bd:18:50:
        15:9d:82:b7:07:00:9d:dc:27:c2:aa:5f:d8:4a:f3:29:4d:2a:
        d8:0b:10:be:d6:28:6a:a1:de:e5:fc:f8:91:e1:5a:56:41:11:
        a9:67:5b:c6:c5:63:6c:cb:46:84:05:5a:56:72:32:30:6a:52:
        4c:d3:41:61:d2:2b:29:47:8b:4d:eb:49:fb:35:8e:28:41:38:
        24:72:9b:0f:a0:64:03:32:a7:aa:52:7f:ba:58:74:c0:fa:b5:
        6c:9f:78:f5:6b:b8:b4:24:ce:38:9d:31:b9:68:86:25:ad:a9:
        2d:c3:d2:c2:61:62:46:05:4b:07:e0:e0:e5:28:0b:80:30:1a:
        7e:c9:91:27:c1:9e:c9:d7:8b:5d:6d:72:5f:1a:4d:f9:34:07:
        db:c6:52:6d:1f:9f:19:f7:cb:75:90:2c:d0:21:99:bb:74:04:
        6c:08:28:f5:5c:29:48:22:17:5d:71:d9:c4:c4:72:8c:ad:b9:
        3c:cb:75:7d:37:7c:32:fa:bd:d4:e4:c9:5d:48:d2:9e:1c:ad:
        1d:f0:60:7b:90:cd:a1:53:c2:81:2f:b1:dd:72:7b:da:09:34:
        0e:96:21:e4:93:03:bd:66:e8:93:e0:8d:e5:1e:4a:5f:2a:b5:
        2d:d6:f0:eb:8a:0a:3c:0f:1b:55:e1:f8:a5:d5:ec:00:ab:7a:
        07:c0:4f:cc:05:50:7b:04:97:5b:ea:17:14:0c:63:52:64:30:
        47:79:16:f1:b6:f4:c8:5a:b2:54:58:03:35:57:32:6e:f9:b6:
        43:32:f6:d4:03:04:48:bc:62:61:23:dc:49:41:c7:9f:46:63:
        6b:71:2b:2a:b2:0d:9f:45:85:33:7b:4b:7c:95:94:08:80:c0:
        98:21:e3:9f:0b:38:f9:1e

That matches the certificate embedded in the shim .vendor_cert section.

@dbnicholson
Copy link

dbnicholson commented Sep 16, 2024
edited
Loading

  • Build is reproducible (sha256sum):
    • shimaa64.efi - ca145c15cd26430dda03c37fc2f079afb7c78b0cd3a15afa55b8e73266d4500b
    • shimia32.efi - fab52ed62f16cef5a0b02b3ae985bc5b09f261482417cefed3e84a837c8e9831
    • shimx64.efi - a5e93e8908195fb79a4c781408193cb7e9128d44e165ae061f07cb66806835d1
  • Revoked certs in dbx - None, first submission
  • Embedded cert is CA cert:
    • Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
    • Valid until: Aug 27 09:08:07 2034 GMT (10 years)
    • 4096 bit RSA key
    • Key in HSM
  • NX bit disabled - DllCharacteristics 00000000
  • SBAT sections look reasonable: 
    shim (x86_64/aarch64)
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.tencentos,1,TencentOS Linux 3,shim,15.8,[email protected]

grub2 (x86_64/aarch64)
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-156.tl3.1,mailto:[email protected]
grub.tencentos,1,TencentOS Linux 3,grub2,2.02,mail:[email protected]

fwupd (x86_64/aarch64)
sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
fwupd-efi,1,Firmware update daemon,fwupd-efi,1.3,https://github.com/fwupd/fwupd-efi
fwupd-efi.rhel,1,Red Hat Enterprise Linux,fwupd,1.7.8,mail:[email protected]
fwupd-efi.tencentos,1,TencentOS Linux 3,fwupd,1.7.8,mail:[email protected]
  • Build uses official shim tarball with no patches.

This all looks good from my perspective 👍

@evilteq
Copy link

evilteq commented Sep 20, 2024

Had to change the docker to amd64 from x64, I don't understand why. Ironically enough, qemu handled the arm one without asking.

I was able to reproduce all three efis.
SBAT and certs inside matches.
Pretty clean, no patches, pure upstream, tarball matches in both srpms.

All good for me!

@costinchen costinchen mentioned this issue Sep 30, 2024
Closed
8 tasks
@costinchen
Copy link
Author

@steve-mcintyre Hi, could you help review this? Thanks!

@realnickel
Copy link

While I am not an official reviewer, looking at latest tag:
https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20241028 and paying attention to discussion in #445 (same vendor, different distro branch) I can confirm that:

  • Security contacts verification for the new vendor was done succesfully.

  • Security contacts keys are RSA4096 and RSA3072;

  • Tencentos is a GNU/Linux distribution and shim signing procedure is reasonable for this submission.

  • In src.rpm shim-15.8 tarball sha256sum matches upstream's one:

a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9 ./shim-15.8.tar.bz2


ca145c15cd26430dda03c37fc2f079afb7c78b0cd3a15afa55b8e73266d4500b  shimaa64.efi
fab52ed62f16cef5a0b02b3ae985bc5b09f261482417cefed3e84a837c8e9831  shimia32.efi
a5e93e8908195fb79a4c781408193cb7e9128d44e165ae061f07cb66806835d1  shimx64.efi

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:91:b3:b7:fa:a2:ac:2b:c7:e7:2e:fb:a2:70:b4:14:24:5c:83:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Validity
            Not Before: Sep 12 09:01:59 2024 GMT
            Not After : Sep 10 09:01:59 2034 GMT
        Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:dc:a2:3b:f9:cf:85:bd:99:de:cc:36:5c:d3:
                    52:d2:a9:1c:9a:3b:83:8b:eb:11:f5:67:cb:67:ea:
                    13:49:7e:90:ab:36:f1:f7:17:5c:77:f6:d8:42:f1:
                    ed:d8:63:b8:a9:15:ba:a4:0e:cd:94:c9:02:15:61:
                    4b:95:c5:60:b5:fc:4c:0b:d1:8d:f0:1d:8f:0b:9f:
                    b9:13:76:dd:80:ea:68:d2:d1:69:d6:70:f3:ad:6e:
                    9f:e4:65:70:04:01:0e:ce:24:83:c3:18:e5:d3:0e:
                    d4:0a:40:cd:7f:5d:19:c0:bc:1d:d3:d1:4e:3c:06:
                    4a:ba:a0:a9:55:ed:c4:39:99:33:85:b6:9e:72:b0:
                    41:10:bb:4a:70:5c:64:c2:08:9f:7a:13:cc:24:02:
                    11:76:13:21:8c:e1:a9:02:f5:c7:b1:56:c9:da:2b:
                    a1:9d:94:de:53:17:09:64:3d:9a:b9:c7:f5:da:5c:
                    4f:24:b6:e4:86:81:7b:1f:c8:70:d8:44:10:be:80:
                    1e:8b:48:5c:4d:07:aa:39:28:84:21:d4:c5:c2:83:
                    cc:58:fb:af:e1:8c:66:c6:61:ed:d8:97:31:9d:5f:
                    9c:7a:1e:7e:2a:26:51:eb:0e:66:7e:d8:f3:6b:46:
                    b3:f9:c7:9e:d2:83:35:e6:49:8c:da:97:5b:36:b6:
                    f3:5e:73:03:75:ac:92:b4:7e:97:d2:e1:94:6d:bc:
                    e1:cf:9a:bc:77:95:c8:7a:76:3f:61:1a:a3:65:bd:
                    2e:3a:8e:87:b3:94:81:83:79:4b:51:c4:7b:ea:c5:
                    71:30:5e:3e:5c:77:c1:e2:74:48:d0:d0:8e:26:0f:
                    b6:31:0f:93:f4:74:b0:d1:de:7e:64:2c:06:79:ed:
                    81:67:dd:ab:82:c6:1f:91:ae:80:7c:71:43:f6:b6:
                    7f:eb:91:05:a8:10:75:1d:c3:0c:d0:e0:f5:bd:60:
                    60:db:ad:4c:56:5e:cb:8d:02:7d:19:ad:75:0a:34:
                    15:39:b4:00:e4:35:64:fe:73:a2:4b:de:96:a7:14:
                    08:4c:03:d6:0b:89:ee:c7:96:42:b5:44:d7:02:c0:
                    18:69:cf:34:7b:75:e2:9a:13:22:8e:65:29:b2:36:
                    6c:a6:7d:81:51:96:2e:d4:b8:30:78:76:ae:2d:7e:
                    c6:90:f3:8e:8c:33:b9:b8:ec:e8:a9:c3:01:44:52:
                    75:1e:b7:f9:41:d9:68:67:8e:e6:06:8d:9d:74:0d:
                    1e:b9:ae:c2:60:8c:08:fd:12:38:2a:f5:ad:1a:76:
                    6a:bf:88:53:90:0b:ff:f3:5a:ac:9d:78:d1:fc:da:
                    2f:3b:30:56:17:8c:cb:b9:2e:6f:d7:b2:7b:38:9f:
                    65:43:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Authority Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        12:7e:6f:f3:a1:71:92:05:87:04:dd:79:f9:d7:ec:11:3f:c6:
        e6:dc:91:f6:5f:49:70:c7:2f:9b:2f:44:fc:4e:56:5d:09:21:
        2d:2d:19:90:cd:1b:6c:b7:ba:2a:ad:b9:ce:e0:f1:85:67:94:
        c2:08:2b:48:57:4b:4d:62:85:59:9a:93:ce:59:0d:59:57:60:
        66:66:df:75:e9:63:d9:61:90:72:ad:21:e8:98:b5:5e:c6:18:
        b2:6c:bf:56:b6:e7:7b:d2:96:46:33:30:93:50:4f:a0:d7:bf:
        58:24:1c:8e:e6:bd:78:5a:85:d1:a6:0e:40:9a:3a:22:a0:e9:
        2c:b4:b6:53:a0:62:29:ac:8d:b1:c0:4b:13:c2:c2:61:ce:b9:
        53:75:c8:8b:83:49:d8:79:f0:f9:77:f7:7a:43:a0:9e:98:64:
        7b:50:36:8e:fb:ca:59:a1:87:51:f3:41:f7:d4:a8:bd:18:50:
        15:9d:82:b7:07:00:9d:dc:27:c2:aa:5f:d8:4a:f3:29:4d:2a:
        d8:0b:10:be:d6:28:6a:a1:de:e5:fc:f8:91:e1:5a:56:41:11:
        a9:67:5b:c6:c5:63:6c:cb:46:84:05:5a:56:72:32:30:6a:52:
        4c:d3:41:61:d2:2b:29:47:8b:4d:eb:49:fb:35:8e:28:41:38:
        24:72:9b:0f:a0:64:03:32:a7:aa:52:7f:ba:58:74:c0:fa:b5:
        6c:9f:78:f5:6b:b8:b4:24:ce:38:9d:31:b9:68:86:25:ad:a9:
        2d:c3:d2:c2:61:62:46:05:4b:07:e0:e0:e5:28:0b:80:30:1a:
        7e:c9:91:27:c1:9e:c9:d7:8b:5d:6d:72:5f:1a:4d:f9:34:07:
        db:c6:52:6d:1f:9f:19:f7:cb:75:90:2c:d0:21:99:bb:74:04:
        6c:08:28:f5:5c:29:48:22:17:5d:71:d9:c4:c4:72:8c:ad:b9:
        3c:cb:75:7d:37:7c:32:fa:bd:d4:e4:c9:5d:48:d2:9e:1c:ad:
        1d:f0:60:7b:90:cd:a1:53:c2:81:2f:b1:dd:72:7b:da:09:34:
        0e:96:21:e4:93:03:bd:66:e8:93:e0:8d:e5:1e:4a:5f:2a:b5:
        2d:d6:f0:eb:8a:0a:3c:0f:1b:55:e1:f8:a5:d5:ec:00:ab:7a:
        07:c0:4f:cc:05:50:7b:04:97:5b:ea:17:14:0c:63:52:64:30:
        47:79:16:f1:b6:f4:c8:5a:b2:54:58:03:35:57:32:6e:f9:b6:
        43:32:f6:d4:03:04:48:bc:62:61:23:dc:49:41:c7:9f:46:63:
        6b:71:2b:2a:b2:0d:9f:45:85:33:7b:4b:7c:95:94:08:80:c0:
        98:21:e3:9f:0b:38:f9:1e
  • NX bit is not set (for x64 and ia32):

DllCharacteristics 00000000

The review is still going on. To be continued

@steve-mcintyre steve-mcintyre added 1 review needed Needs 1 (additional) successful review before being accepted Accredited review needed Needs a successful review by an accredited reviewer labels Nov 13, 2024
@realnickel
Copy link

While an attempt to review TencentOS grub and kernel packages I discovered a repository containing multiple grub2 release packages (and others as well) at the same time.
Am I correct and repository contains packages for TencentOS Linux 3?

https://mirrors.tencent.com/tlinux/3.3/BaseOS/x86_64/os/Packages/

grub2-common-2.02-129.tl3.3.noarch.rpm             25-Oct-2022 18:49              913528
grub2-common-2.02-142.tl3.1.noarch.rpm             16-Dec-2022 17:19              914604
grub2-common-2.02-142.tl3.3.noarch.rpm             22-Feb-2023 20:28              914996
grub2-common-2.02-148.tl3.4.noarch.rpm             14-Aug-2023 11:15              915496
grub2-common-2.02-150.tl3.1.noarch.rpm             25-Dec-2023 20:24              915356
grub2-common-2.02-150.tl3.2.noarch.rpm             11-Jan-2024 11:56              915588
grub2-common-2.02-156.tl3.1.noarch.rpm             23-May-2024 12:28              916316

@costinchen, @PrinterFranklin, would you please comment on how certain version of grub2 is chosen and delivered to an OS image (and therefore other potentially vulnerable versions are prevented to get into an image)?

Also a link to packages' SRPMS would be highly appreciated.

@realnickel
Copy link

  • SBAT for shim and fwupd looks reasonable:
shim (x86_64/aarch64)
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.tencentos,1,TencentOS Linux 3,shim,15.8,[email protected]

fwupd (x86_64/aarch64)
sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
fwupd-efi,1,Firmware update daemon,fwupd-efi,1.3,https://github.com/fwupd/fwupd-efi
fwupd-efi.rhel,1,Red Hat Enterprise Linux,fwupd,1.7.8,mail:[email protected]
fwupd-efi.tencentos,1,TencentOS Linux 3,fwupd,1.7.8,mail:[email protected]
  • SBAT for grub2 has a minor issue:
grub2 (x86_64/aarch64)
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-156.tl3.1,mailto:[email protected]
grub.tencentos,1,TencentOS Linux 3,grub2,2.02,mail:[email protected]

grub.rh entry contains version and release of Tencent OS 3 (2.02-156.tl3.1), but not an original RH release.
And last entry grub.tencentos doesn't contain release information at all.

While this doesn't affect SBAT revocation function it could be misleading for a maintainer in future.
In my opinion this should be fixed.

@costinchen
Copy link
Author

Hi, @realnickel Thanks for your review and suggestion, and we have fixed the SBAT for grub2. We retained the original Red Hat release information in grub.rh and completed the release information for TencentOS 3. Now it looks like:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-158.el8,mailto:[email protected]
grub.tencentos,1,TencentOS Linux 3,grub2,2.02-158.tl3.ap.1,mail:[email protected]

@PrinterFranklin
Copy link

While an attempt to review TencentOS grub and kernel packages I discovered a repository containing multiple grub2 release packages (and others as well) at the same time. Am I correct and repository contains packages for TencentOS Linux 3?

https://mirrors.tencent.com/tlinux/3.3/BaseOS/x86_64/os/Packages/

grub2-common-2.02-129.tl3.3.noarch.rpm             25-Oct-2022 18:49              913528
grub2-common-2.02-142.tl3.1.noarch.rpm             16-Dec-2022 17:19              914604
grub2-common-2.02-142.tl3.3.noarch.rpm             22-Feb-2023 20:28              914996
grub2-common-2.02-148.tl3.4.noarch.rpm             14-Aug-2023 11:15              915496
grub2-common-2.02-150.tl3.1.noarch.rpm             25-Dec-2023 20:24              915356
grub2-common-2.02-150.tl3.2.noarch.rpm             11-Jan-2024 11:56              915588
grub2-common-2.02-156.tl3.1.noarch.rpm             23-May-2024 12:28              916316

@costinchen, @PrinterFranklin, would you please comment on how certain version of grub2 is chosen and delivered to an OS image (and therefore other potentially vulnerable versions are prevented to get into an image)?

Also a link to packages' SRPMS would be highly appreciated.

Hi, @realnickel Thank you for your review. This repository contains all the grub2 packages TencentOS has ever released in the history. The new OS image will always choose the newest grub2 package so that no potentially vulnerable versions will be integrated. The users who use the older versions of image will receive a security advisory to update to newer versions of grub2.

Here is the SRPMS link: grub2-2.02-158.tl3.ap.1.src.rpm

@realnickel
Copy link

Unfortunately, SRPMS link gives me

404 Not Found

The requested URL was not found on this server.
Powered by Tengine

@costinchen
Copy link
Author

costinchen commented Dec 10, 2024
edited
Loading

@realnickel Sorry, our SRPM repository is set to be invisible externally, so it cannot be retrieved from the mirror source directly. However, our SRPMs for TencentOS 3 are basically origined from RHEL. For grub2, we based it on RHEL's grub2-2.02-158.el8 with original patches, only modifying the SBAT, release information, and the efi signing process. You can refer directly to RHEL, or I’ve added it to our repo, which you can see here: grub2-2.02-158.tl3.ap.1.src.rpm

@FabioLolix FabioLolix mentioned this issue Dec 10, 2024
Open
@costinchen
Copy link
Author

@aronowski Hi, sorry to bother you. Could you please help review this? It has been a long time since we submitted, but we haven't had an accredited reviewer to review it. Thanks a lot!

@aronowski
Copy link
Collaborator

Review as per tencentos-3-shim-15.8-ia32-x86_64-aarch64-20241220.

As far as I understand, this is a RHEL8 fork, with a custom kernel (version 5.4 with custom patches).

The application looks alright, and the binaries are reproducible. I'd just like to make sure that you indeed do have the required security patches, as 2 of the 3 upstream commits, about which the application template asks, have been introduced in newer upstream kernel versions. Do you have them backported or mitigated with a different method (this happened historically for RHEL9-based systems)?

Is there a chance for the kernel SRPM to also become available, just like the GRUB2 one?

@aronowski aronowski self-assigned this Dec 22, 2024
@aronowski aronowski added the question Reviewer(s) waiting on response label Dec 22, 2024
@costinchen
Copy link
Author

@aronowski Hi, thanks for your review! Sorry, we are unable to provide the kernel SRPM as it contains source codes of kernel features developed for TencentOS, such as memory savings and performance optimizations. These features are proprietary and not publicly disclosed. Thank you for your understanding.
Here are the screenshots proving that we have the required three security patches applied to our kernel:

  • git log
    image
  • source code
    image

@aronowski
Copy link
Collaborator

Looks alright! Accepting.

Just a nitpick: next time instead of posting screenshots with text, just post the text itself, surrounded by three backticks (```).

@aronowski aronowski added accepted Submission is ready for sysdev and removed question Reviewer(s) waiting on response 1 review needed Needs 1 (additional) successful review before being accepted Accredited review needed Needs a successful review by an accredited reviewer labels Jan 6, 2025
@aronowski aronowski removed their assignment Jan 6, 2025
@costinchen
Copy link
Author

costinchen commented Feb 6, 2025
edited
Loading

@aronowski Hi, sorry to bother you. We have a question when requesting Microsoft's UEFI signing service. They ask for a .cab file contains all files to be signed, so I used Makecab to compress the three .efi files into a .cab file and signed it with our EV cert. But when I submitted it, there was an error:

There are files at the root of the cabinet: shimaa64.efi, shimia32.efi, shimx64.efi.

Did I make a mistake? What should the correct steps be?

@costinchen
Copy link
Author

costinchen commented Feb 7, 2025
edited
Loading

@steve-mcintyre @dbnicholson @es-fabricemarie
Hi, could you please help us with this? We got stuck at the step of requesting the Microsoft signature. Here are our previous attempts:

  1. We directly packaged shimx64.efi, shimia32.efi, and shimaa64.efi into a .cab file, signed it with our EV certificate, and submitted it to Microsoft's UEFI signing service. However, the Validation step failed with the error: “There are files at the root of the cabinet: shimaa64.efi, shimia32.efi, shimx64.efi.”

  2. Realizing the .cab file structure was incorrect, we adjusted it by placing the EFI files into a folder named shim, then packaged the folder into a .cab file. But the Validation failed again with the error: “No inf files found in driver directory/directories: shim.”

Could you please help us out and tell us how to properly create the .cab file for submission?

Thanks to everyone who is willing to provide advice and assistance。

@es-fabricemarie
Copy link

Are you sure you submitted to the right place? Sounds like you submitted for Driver Signing instead you need to make sure you submit for UEFI.

I placed my .efi shim in the root of the cab without any other files.

@costinchen
Copy link
Author

costinchen commented Feb 7, 2025
edited
Loading

@es-fabricemarie Thanks for you reply. We submitted to the file signing service in Microsoft partner hardware dashboard. Is is incorrect?

@es-fabricemarie
Copy link

Yes that looks correct.
What tool did you use to make your cab file? I used the standard windows utility.

@costinchen
Copy link
Author

costinchen commented Feb 7, 2025
edited
Loading

We used MakeCab on windows and lcab on linux, but they all get errors.
Is it possible we made a mistake when signing the cab file with our EV cert?

@dbnicholson
Copy link

It's hard to say. Per the requirements, you're definitely supposed to have the EFI programs at the root of the CAB file. When I last did this I used gcab and generated my initial CAB file with gcab -cz shimx64.cab shimx64.efi.

I don't know what that screenshot is showing. For signing the CAB file, we actually use a service called SignPath, which seemed to be able to make a valid Authenticode signature. Our completed CAB file is here.

You could try a single EFI program in a CAB file first. Maybe you should send an email to [email protected] for help.

@costinchen
Copy link
Author

@dbnicholson Thank you very much for your detailed response. We’ve confirmed that the issue was with the EV certificate signing process. The colleague responsible complicated the signing steps by applying for driver information after the EV signature, which mistakenly led Microsoft to identify it as a Windows driver.
After simplifing the process of signing the CAB file, we’ve successfully passed the Validation. We are now at the Review stage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
accepted Submission is ready for sysdev contacts verified OK Contact verification is complete here (or in an earlier submission) new vendor This is a new vendor
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@dbnicholson @evilteq @PrinterFranklin @realnickel @steve-mcintyre @es-fabricemarie @aronowski @costinchen