Ctrl IQ, Inc Shim 15.8 for x64 & ia32

[jason-rodri]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://bitbucket.org/ciqinc/ciq-shim-build/src/ctrliq-shim-x64-ia32-20240131/
Orginal repo migrated to
https://github.com/ctrliq/ciq-shim-build/tree/ctrliq-shim-x64-ia32-20240131

---

What is the SHA256 hash of your final SHIM binary?

---

SHA256 (shimx64.efi) = 654d8efe248cd113f7ecb5a1f4fc9c309cc0d65a66b4bb8d9b2991f57f2dbcf6
SHA256 (shimia32.efi) = b739423471c03d32f2918906286076ea73c1385ced3f175a60ceeb8fadf009de

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

Ctrl IQ, Inc Shim 15.7 for x64 & ia32 #339

[SherifNagy]

While I am not an official reviewer, here are my comments "looking at latest tag: https://bitbucket.org/ciqinc/ciq-shim-build/src/ctrliq-shim-x64-ia32-20240131/":

• SHIM sources within the SRPM matches the release hash
• SHIM's CA valid for almost 24 years and it's 4096 bits
• SHIM binary reproducible correctly and hashes matches
• Contacts GPG keys looks good and has been verified before Ctrl IQ, Inc Shim 15.7 for x64 & ia32 #339
• CA and certs protection story looks good
• Kernel patches and lockdown configurations story looks good "Kernel is RHEL"
• Grub modules looks good, matches RHEL "source is borrowed from Rocky which is borrowed from RHEL"
• SBAT entry for grub should grub,3 not grub,4, upstream vendors didn't back port the patches for the NTFS CVEs as far as I can tell and NTFS module isn't being shipped

Regarding certwrapper(mule), it's great tool, however based on my understanding, it's still in early stages, while you can sign the .EFI with your certs and package it to your users, you must know it is still not fully tested and might causes some issues

I think we need two more official reviewer to look at this submission, best of luck with the submission :)

[aronowski]

The build does reproduce, checksums match. No NX compatibility bit, as the whole chain is not NX-compatible. No binutils bug. OK.

---

*******************************************************************************
### If your boot chain of trust includes a Linux kernel:
[...]
### Is upstream commit [eadb2f47a3ced5c64b23b90fd2a3463f63726066 "lockdown: also lock down previous kgdb use"](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eadb2f47a3ced5c64b23b90fd2a3463f63726066) applied?
*******************************************************************************
Yes, all of these patches are already in the Rocky/RHEL 8 + 9 kernels we plan to base on.

👍

Yes, this is a thing I got aware of recently - the Enterprise Linux 8.9 kernel does have the CVE-2022-21499 fix implemented by the commit eadb2f47a3ced5c64b23b90fd2a3463f63726066 ported by disabling writing to kernel memory in lockdown mode.

Furthermore, debugging appears to be enabled only in aarch64 debug config:

$ grep -r CONFIG_KDB_DEFAULT_ENABLE kernel-*.config
kernel-aarch64-debug.config:CONFIG_KDB_DEFAULT_ENABLE=0x1
kernel-aarch64.config:CONFIG_KDB_DEFAULT_ENABLE=0x0
kernel-ppc64le-debug.config:CONFIG_KDB_DEFAULT_ENABLE=0x0
kernel-ppc64le.config:CONFIG_KDB_DEFAULT_ENABLE=0x0
kernel-s390x-debug.config:CONFIG_KDB_DEFAULT_ENABLE=0x0
kernel-s390x-zfcpdump.config:CONFIG_KDB_DEFAULT_ENABLE=0x0
kernel-s390x.config:CONFIG_KDB_DEFAULT_ENABLE=0x0
kernel-x86_64-debug.config:CONFIG_KDB_DEFAULT_ENABLE=0x0
kernel-x86_64.config:CONFIG_KDB_DEFAULT_ENABLE=0x0

---

LGTM! Let's wait for another official review.

[kukrimate]

(Not an official reviewer, but here we go)

Basics

• Reasonable looking downstream (RHEL -> Rocky -> CIQ)
• Contact already verified (Ctrl IQ, Inc Shim 15.7 for x64 & ia32 #339)
• Custom kernels to be used on commodity hardware
• Support prospect looking okay

CA

• Looks good: 4096-bit self-signed CA with signing flag
• No pre-SBAT EFIs to revoke on the CA

Shim

• Correct 15.8 source, no patches applied
• Both ia32 and amd64 EFIs reproduce via provided Dockerfile
• shim SBAT looks good
• Using default built-in revocations
• No previous shims signed

GRUB

• Looks good, seems to be using RHEL GRUB as is

sd-boot

• Not used.

Kernel

• Security story okay, using lockdown backports from RHEL
• Custom patches seem unrelated to lockdown enforcement

[kukrimate]

Shim point I missed:

• NX compat flag correctly off, whole chain definitely not NX compat yet.

[jason-rodri]

Signed binaries returned, closing