Shim 15.4+ for Leidos

[Doncuppjr]

Make sure you have provided the following information:

• link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
  https://github.com/Doncuppjr/shim-review/tree/Leidos-shim-x64-20210422
• completed README.md file with the necessary information
  https://raw.githubusercontent.com/Doncuppjr/shim-review/master/README.md
• shim.efi to be signed
  https://raw.githubusercontent.com/Doncuppjr/shim-review/master/shimx64.efi
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  https://raw.githubusercontent.com/Doncuppjr/shim-review/master/Leidos-UEFI-CA.cer
• binaries, for which hashes are added do vendor_db ( if you use vendor_db and have hashes allow-listed )
  N/A
• any extra patches to shim via your own git tree or as files
  https://github.com/Thinstation/thinstation/tree/6.2-Stable/ts/ports/components/shim
• any extra patches to grub via your own git tree or as files
  https://github.com/Thinstation/thinstation/tree/6.2-Stable/ts/ports/opt/grub2-efi
• build logs
  https://raw.githubusercontent.com/Doncuppjr/shim-review/master/shim-build.log
• a Dockerfile to reproduce the build of the provided shim EFI binaries
  https://raw.githubusercontent.com/Doncuppjr/shim-review/master/Dockerfile

What organization or people are asking to have this signed:

Leidos, Inc.

What product or service is this for:

TENS Public

Please create your shim binaries starting with the 15.4 shim release tar file:

https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2

This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains

the appropriate gnu-efi source.

Please confirm this as the origin your shim.

https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2 15.4

What's the justification that this really does need to be signed for the whole world to be able to boot it:

We produce a 'LiveCD' to be used as a remote access and emergency access terminal, while also being certified by DISA. Wherever applicable, FIPS standards are applied, and all STIG's are implemented. The focus of the distribution is to provide a verifiable known state on BYOE devices that is secure when running and leaves no residue. We necessarily must compile our own kernel to achieve all of these objectives, and would like a signed shim, so we don't need to enroll keys or change the contents of firmware in any way. We provide the image to the public as well as the source code, should anybody want to use our build or make their own, but we don't distribute keys.

How do you manage and protect the keys used in your SHIM?

The CA is stored on a DATASHUR PRO2 hardware encryption key. The signing key is stored an a Taglio C980 SmartCard. Both are FIPS 140-2 Level 3. Both are located in a secure storage area.

Do you use EV certificates as embedded certificates in the SHIM?

No

If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?

No

Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?

Yes

if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,

CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,

CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,

CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,

( July 2020 grub2 CVE list + March 2021 grub2 CVE list )

and if you are shipping the shim_lock module CVE-2021-3418

fixed ?

Yes

"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata

( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?

Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim

Shim looks like
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.leidos,1,Leidos,shim,15.4,donald.cupp@leidos.com

Grub looks like
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06-rc1,https//www.gnu.org/software/grub/
grub.leidos,1,Leidos,grub,2.06-rc1-1,donald.cupp@leidos.com

Were your old SHIM hashes provided to Microsoft ?

N/A New Vendor

Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,

CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,

CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )

grub2 bootloaders can not be verified ?

N/A New Vendor, never signed those.

What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?

* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?

I am using the Fedora recipe.

What is the origin and full version number of your bootloader (GRUB or other)?

https://git.savannah.gnu.org/cgit/grub.git/snapshot/grub-$version.tar.gz 2.06-rc1 Fedora patches 0001 - 0196

If your SHIM launches any other components, please provide further details on what is launched

Just GRUB2 fbx64.efi and mmx64.efi

If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,

please provide further details on what is launched and how it enforces Secureboot lockdown

N/A we only do Linux

If you are re-using a previously used (CA) certificate, you

will need to add the hashes of the previous GRUB2 binaries

exposed to the CVEs to vendor_dbx in shim in order to prevent

GRUB2 from being able to chainload those older GRUB2 binaries. If

you are changing to a new (CA) certificate, this does not

apply. Please describe your strategy.

N/A

How do the launched components prevent execution of unauthenticated code?

Shim verifies GRUB, GRUB verifies kernel, kernel verifies modules.

Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?

No

What kernel are you using? Which patches does it includes to enforce Secure Boot?

5.10.28, all secureboot patches should be applied

What changes were made since your SHIM was last signed?

N/A

What is the SHA256 hash of your final SHIM binary?

ab2fd40d3238ac1e0c29d74ca0a423a586cb43e214f0f4059d6236e2c3c69787
Submission ID 14223084907713587

[Doncuppjr]

Added a Dockerfile

[realnickel]

As a response to a call for assistance (#120 (comment)) I'd like to help in reviewing this submission.
I'll post my results ASAP.

[realnickel]

First of all the link in the header leads to nowhere.
It should better be like this one I guess.

[realnickel]

Shim looks like
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shimx64.efi,1,Leidos,shim,15.4,donald.cupp@leidos.com

Grub looks like
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06-rc1,https//www.gnu.org/software/grub/
grub.leidos,1,Leidos,grub,2.06-rc1-1,donald.cupp@leidos.com

Although I'm not sure 100% it seems "shimx64.efi" is not an appropriate vendor specific name for SBAT section. It should have been named "shim.leidos" instead.
If this is a real blocker, then shim should be rebuilt and resubmitted.
@vathpela, @julian-klode, what do you think about that?

[vathpela]

Yeah, that should probably be shim.leidos

[realnickel]

I encountered one more issue worth being fixed before resubmission: rebuilt shim binary contains information about build host CPU, which breaks reproduction of sha256sum.

I used following commands to reproduce the build with supplied Docker file.

$ sudo docker image build -t leidos:reproducer . --file ./Dockerfile

$ sudo docker container run -it --name test_rebuild leidos:reproducer /bin/bash

bash-5.1# sha256sum /usr/share/shim/15.4/x64/shimx64.efi
34115e2d8a0cc538a76a2eeeca65b63d0e4fa1604bb5c238c972e029e1fc5d84  /usr/share/shim/15.4/x64/shimx64.efi

test@comp-gen-intel ~ $ sudo docker container cp test_rebuild:/usr/share/shim/15.4/x64/shimx64.efi ./shimx64.efi.rebuilt

test@comp-gen-intel shim-review $ sha256sum ./shimx64.efi ./shimx64.efi.rebuilt
ba0fe814dc482a4cca9f2c3f70e73efef674456d68d416d371130b30dcb067f8  ./shimx64.efi
34115e2d8a0cc538a76a2eeeca65b63d0e4fa1604bb5c238c972e029e1fc5d84  ./shimx64.efi.rebuilt

test@comp-gen-intel shim-review $ diff -y --width=180 --suppress-common-lines orig.hexdump rebuilt.hexdump
000000d0    |.........E......|        | 000000d0    |........;.......|
00000200    |/14.............|        | 00000200    |/14.............|
00079a30    |x86_64 Intel(R) |        | 00079a30    |x86_64 11th Gen |
00079a40    |Core(TM) i7-7820|        | 00079a40    |Intel(R) Core(TM|
00079a50    |X CPU @ 3.60GHz |        | 00079a50    |) i7-1165G7 @ 2.|
00079a60    |GenuineIntel GNU|        | 00079a60    |80GHz GenuineInt|
00079a70    |/Linux $.$Commit|        | 00079a70    |el GNU/Linux $.$|
00079a80    |: 20e4d9486fcae5|        | 00079a80    |Commit: 20e4d948|
00079a90    |4ee44d2323ae342f|        | 00079a90    |6fcae54ee44d2323|
00079aa0    |fe68c920e6 $....|        | 00079aa0    |ae342ffe68c920e6|
00079ab0    |................|        | 00079ab0    | $..............|

shim_rebuild_results_for_Leidos.txt

[Doncuppjr]

Interesting, I would have guessed that such a thing would have been scrubbed during make.

[Doncuppjr]

@realnickel Thanks for the review. I've updated my Dockerfile to address the mentioned issues. I also updated the issue with the new tag, hash and link. If you could confirm, that would be great.

[realnickel]

@realnickel [...] If you could confirm, that would be great.

I confirm that shim in updated submission is rebuildable with provided Docker file, obtained artifact has the same sha256sum:
fc3febdd460d158710b47165e658f746811b3cce54dbd197d2d13de44f2079d6
Also I checked that public portion of UEFI CA certificate incorporated into shim binary matches to one provided in git repository. As well as SBAT section content which now seems appropriate to me.

[jsetje]

Is there some way to create or unpack a public thinstation image without running the setup-root script as root?

[Doncuppjr]

Not really. Back before Docker, chroot was the way to container. We developed our OS around that technology. I converted our resulting filesystem into a docker image for the shim-review. You should be able to get any package info you need from the docker. The internal package manager is from Crux, pkgutils and prt-get. Running a command like docker run thinstation prt-get info glibc, should tell you about glibc.

[Doncuppjr]

It's a source based distro. All the packages and the scripts to compile them are placed in ts/ports/*/. You could inspect them without running setup-chroot.

[Doncuppjr]

@jsetje If you tell me what kind of information you need, I can tell you the quickest way to get it.

[jsetje]

Thanks, pkgutils is a useful hint. I may not be able to get back to this until Monday, but can probably work through it then. What I would like to be able to show is that the content of the docker file matches the historical repo on github.

Otherwise I can reproduce the build with your dockerfile, so this is close, it's just a slightly complex final step. :)

[Doncuppjr]

I was trying to figure out the best way to make my build work in docker. Container in container seemed silly, but I was working on a docker fs that just had git and chroot that would host the checkout. I just can't figure out what I really want to do with docker......other than get this review signed-off.

[Doncuppjr]

Ty.
docker run -it thinstation cat /ts/ports/components/shim/Pkgfile
should do the trick.

[jsetje]

As much as a source based repo should promote transparency, it makes it hard, or rather, with the current state of the gnu toolchain, impossible, to reproduce the exact binaries.

I've done a thinstation build from the public repo with the shim sources from the docker repo (which do indeed match the shim 15.4 release tar file), and the binary doesn't quite match what I get out of the docker build which does in fact match the submitted one.

There are a number of files, libraries in particular in my thinstation build that don't match the docker file either, none of which is inherently unexpected.

I'm checking with some folks to see where the line should be for something like this.

Meanwhile I wonder if doing a full thinstation build inside something like the fedora docker image would result in a reproducible shim binary.

[Doncuppjr]

@jsetje Yes. I feel the same way. I finally decided to just do container in container, a chroot in docker. The docker takes a little while to build, and I know it's not the way docker was meant to be used, but it will meet your needs. I'll have it done in a little bit. Thanks for the feedback.

[Doncuppjr]

@jsetje I have updated the docker to more closely work through our normal usage pattern. Sorry for the terrible build times, docker doesn't like to do git inside a container. I also added the MOK patch, so my sum changed.
b72831848b9eaf562f1847ca37a6d0082069a1d912968bf3fb3ac16ea5e27d7b
Issue and README updated.

[jsetje]

Of course I docker ran out of disk space on my first try. :) I think I have it moved to a larger disk properly now and am letting it run.

[jsetje]

After recovering from a power failure, that did in fact reproduce your binary. Neat!

@realnickel can you please confirm that you are happy to sign off on this? If so, I'll bump the label.

@Doncuppjr thank you for working with me on this!

[Doncuppjr]

@jsetje Thank you for your patience. Any word on 15.5? I assume I can submit for it as well, when it drops.

[jsetje]

The biggest issue with 15.4 is rhboot/shim#364 which impacts older Macbooks, that may or may not matter to you, I guess you're doing end-point, so it may.

[Doncuppjr]

rhboot/shim#362 looks to be the more menacing issue for me, as it would affect new Macbooks and anything that is EFI but has no SB or SB is disabled. I don't really need to support very old Macbooks.

[Doncuppjr]

Added patches for PR#362 and #364. New sha is ab2fd40d3238ac1e0c29d74ca0a423a586cb43e214f0f4059d6236e2c3c69787

[Doncuppjr]

@jsetje Should I restart this?

[realnickel]

After recovering from a power failure, that did in fact reproduce your binary. Neat!

@realnickel can you please confirm that you are happy to sign off on this? If so, I'll bump the label.

Reinvented dockerfile produces a huge overlay (>12Gb) so I'm unable to reproduce at the moment, suddenly I ran out of space. I'll try to reproduce with another machine later.

[Doncuppjr]

@realnickel Yeah, it's like 14.8gb. Thank your for trying.

[steve-mcintyre]

Wow, that's a big and long build. But I do get the same binary at the end, so reproducible here

[Doncuppjr]

@steve-mcintyre , yes, not even trying to do the same thing as everyone else. Docker is engineered to compliment legacy package distribution mechanisms. We use git, and docker does not like it at all. Thanks for the review.

[steve-mcintyre]

10 year life on the embedded CA key, ok.
SBAT looks ok
Let's approve this.