
Shim 15.7 for ChromeOS Flex #300

Closed
8 tasks done
nicholasbishop opened this issue Nov 21, 2022 · 8 comments
Labels
accepted Submission is ready for sysdev

Comments

@nicholasbishop
Contributor

nicholasbishop commented Nov 21, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://chromium.googlesource.com/chromiumos/shim-review/+/refs/tags/google-shim-20221201


What is the SHA256 hash of your final SHIM binary?


5130b19ee82dd6ddd2fd41eeb7114c4fd517e5320bd5fdf19ac8f6fd185a99c8  shimia32.efi
81852d2dc5fd212d41cf807da9ee75bef75f1d50abf15b40698804921b5f0dd2  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


#256

@THS-on
Collaborator

THS-on commented Nov 22, 2022

Disclaimer: I am not an authorized reviewer

  • Google is a well known vendor
  • A signed Shim is needed because ChromeOS Flex uses a custom kernel and is used on off the shelf hardware with Secure Boot enabled
  • Last signed Shim for ChromeOS Flex was 15.6
  • Security contacts have not changed since the last review
  • Shim build is reproducible using the Dockerfile

Hashes

06966b345d587e574aac743e17a36c31cbaf31b11995d67cca13a9b86256c514  /build/install/shimia32.efi
cc71a146efab48e3da8c5a342be0e36338f8abf3fb33b99bb23961becaa9271f  /build/install/shimx64.efi

SBAT

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.chromeos,2,ChromeOS,shim,15.7,https://chromium.googlesource.com/chromiumos/shim-review
  • Upstream 15.7 Shim is used with no patches applied
  • SBAT entries match the provided ones
  • Embedded certificate matches the organization (has not changed since last review)
    • Serial: 5c:88:ba:db:66:21:7a:7a:e6:32:7f:47:90:6c:40:b6:99:fe:45:ac
    • Subject: C = US, ST = CA, L = Mountain View, O = Google Inc., CN = Google Chrome OS Business Unit
    • Valid till: Jul 22 15:58:26 2026 GMT (5 years)
    • Is a CA certificate and Code Signing attribute is set
  • Keys are stored in an HSM
  • Shim launches only GRUB
  • The SBAT levels for shim.chromeos and grub.chromeos are set to 2. Is there a specific reason for that?
  • Kernel has the stated patches applied

@julian-klode julian-klode added the question Reviewer(s) waiting on response label Nov 23, 2022
@nicholasbishop
Contributor Author

Thanks for your thorough review, I appreciate it.

Responding to your questions:

  1. The image-dimensions patch wasn't included in ours because it wasn't mentioned in the grub security announcement for the 2022-11-15 vulnerabilities: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html. However, I think we might as well include it as a good precaution, I'm working on adding that patch to our grub now.
  2. Re shim.chromeos and grub.chromeos SBAT levels being set to 2, this was a mistake on our part when we updated the SBATs for our shim 15.6 submission. Basically the same as shim 15.6 for MIRACLE LINUX 9 #264 (comment). However, we didn't notice this until now. Since the mistake is already out there in a previous signed submission, I think we can't just decrement the level, so it should stay at 2.

I'll update our submission once I've finished adding that patch to our grub.
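Added example, not code from this thread or from rhboot/shim: a POSIX shell check for the SBAT-generation point raised in the review and in the reply above, comparing a new submission's SBAT rows against the previously signed ones and flagging any component whose generation number went down. The previous-submission rows are an assumed sample; `extract_sbat` shows the objcopy call a reviewer would run on a real binary.

```shell
#!/bin/sh
# Added example, not code from the shim-review thread or from rhboot/shim.
# Rule being checked: once a signed shim carries a given SBAT generation
# for a component, a later submission may keep or raise it but must never
# lower it (why shim.chromeos stays at 2 above). SBAT rows are CSV:
# component,generation,vendor name,vendor package,vendor version,url.

# Real objcopy call a reviewer uses to dump the .sbat section of a shim PE
# binary (needs binutils); not exercised by the offline samples below.
extract_sbat() {  # extract_sbat shimx64.efi sbat.csv
    objcopy -O binary --only-section=.sbat "$1" "$2"
}

# Print "component generation" per data row, dropping the padding NULs
# and CRs a raw section dump can contain.
sbat_generations() {  # sbat_generations sbat.csv
    tr -d '\000\r' < "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1, $2 + 0 }'
}

# Print "component old new" for every component whose generation went
# down from PREV to NEW; exit 1 if any did, 0 otherwise.
sbat_generation_regressions() {  # sbat_generation_regressions prev.csv new.csv
    {
        sbat_generations "$1" | sed 's/^/P /'
        sbat_generations "$2" | sed 's/^/N /'
    } | awk '
        $1 == "P" { prev[$2] = $3; next }
        ($2 in prev) && (($3 + 0) < (prev[$2] + 0)) {
            printf "%s %d %d\n", $2, prev[$2], $3; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed samples written into DIR: new.csv is the SBAT quoted in the
# review, prev.csv an assumed 15.6 submission (shim at 2, shim.chromeos
# already at 2), bad.csv the rejected idea of lowering shim.chromeos to 1.
write_sbat_samples() {  # write_sbat_samples DIR
    hdr='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md'
    url='https://chromium.googlesource.com/chromiumos/shim-review'
    printf '%s\n%s\n%s\n' "$hdr" 'shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim' \
        "shim.chromeos,2,ChromeOS,shim,15.6,$url" > "$1/prev.csv"
    printf '%s\n%s\n%s\n' "$hdr" 'shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim' \
        "shim.chromeos,2,ChromeOS,shim,15.7,$url" > "$1/new.csv"
    printf '%s\n%s\n%s\n' "$hdr" 'shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim' \
        "shim.chromeos,1,ChromeOS,shim,15.7,$url" > "$1/bad.csv"
}

# Stand-alone demo: the accepted tag passes, the lowered variant is flagged.
d=$(mktemp -d) && write_sbat_samples "$d"
sbat_generation_regressions "$d/prev.csv" "$d/new.csv" && echo "new.csv: OK"
sbat_generation_regressions "$d/prev.csv" "$d/bad.csv" || echo "bad.csv: rejected"
rm -rf "$d"
```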

@nicholasbishop
Contributor Author

Submission updated. New tag is https://chromium.googlesource.com/chromiumos/shim-review/+/refs/tags/google-shim-20221201

Changes since previous tag:

  • Switched the Docker image base to Ubuntu 22.04 LTS. The shim SHAs changed, updated those in the readme and issue description. The current hashes are:
    5130b19ee82dd6ddd2fd41eeb7114c4fd517e5320bd5fdf19ac8f6fd185a99c8  shimia32.efi
    81852d2dc5fd212d41cf807da9ee75bef75f1d50abf15b40698804921b5f0dd2  shimx64.efi
  • Added the image-dimensions patch to grub, updated the readme accordingly.
  • Updated the readme with an upstream change: d0ba08c94f

@THS-on
Collaborator

THS-on commented Dec 2, 2022

@nicholasbishop everything LGTM.

  • GRUB now also includes the image-dimensions patch.
  • I agree that it makes sense to keep shim.chromeos and grub.chromeos now at SBAT level 2.
  • New shim hashes are reproducible using the Dockerfile:
5130b19ee82dd6ddd2fd41eeb7114c4fd517e5320bd5fdf19ac8f6fd185a99c8  /build/install/shimia32.efi
81852d2dc5fd212d41cf807da9ee75bef75f1d50abf15b40698804921b5f0dd2  /build/install/shimx64.efi

@nicholasbishop
Contributor Author

We've received a one-time exception from Microsoft for a submission without NX compat enabled, so I think this submission is ready for review again.

@julian-klode julian-klode added accepted Submission is ready for sysdev and removed question Reviewer(s) waiting on response labels Feb 20, 2023
@julian-klode
Collaborator

julian-klode commented Feb 20, 2023

Not a whole lot different from the last submission, this all still looks equally good. Accepted.

(and no, this is not an invitation for other submitters to spam me with requests)

@nicholasbishop
Contributor Author

Thanks for your review, I appreciate it.

@nicholasbishop
Contributor Author

Closing, signed shims received.
