Shim 15.8 for Blancco

[evilteq]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/evilteq/shim-review/tree/blancco-shim-15.8-ia32_x64_aa64-20240927

---

What is the SHA256 hash of your final SHIM binary?

---

67e69ba6aa0e789cd14048e9859aa16149d4741a1cff4be8960d4081c2583606  shimia32.efi
7d542b736364c3f614c0f7edb44d6f80f6535032ebee3eb2bcb03001b1953b3e  shimia32.nx.efi
8605e469427de5e75e36adc9a706ce9de1c51f8d0a6bc6259b3a6bcea5517075  shimx64.efi
90290dec09ba33b6bd61c93840dbb0d1355f6fb88c277d041f0c6515ff7f1c1c  shimx64.nx.efi
38a7caf9b5067bc552331ed54d9fb727f6305c26099978add7d663d2eccb51b8  shimaa64.efi
874b81c48dc218c62a5c49e1c23d371b394bc02b090ff38540b384c84a18c961  shimaa64.nx.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

#290 #9

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

#290

[lorddoskias]

• Build reproduces for x86:

#14 0.277 67e69ba6aa0e789cd14048e9859aa16149d4741a1cff4be8960d4081c2583606  /build/output/shimia32.efi
#14 0.278 7d542b736364c3f614c0f7edb44d6f80f6535032ebee3eb2bcb03001b1953b3e  /build/output/shimia32.nx.efi
#14 0.279 8605e469427de5e75e36adc9a706ce9de1c51f8d0a6bc6259b3a6bcea5517075  /build/output/shimx64.efi
#14 0.280 90290dec09ba33b6bd61c93840dbb0d1355f6fb88c277d041f0c6515ff7f1c1c  /build/output/shimx64.nx.efi

• Includes valid certificate:

  - Subject: CN = Blancco Secure Boot CA 2022, OU = Secure Boot, O = Blancco Technology Group IP Oy, C = FI 
  - Validity
        Not Before: Nov 11 12:06:43 2022 GMT
        Not After : Nov  8 12:06:43 2032 GMT
  
  - Certificate is kept from previous review #290
  

• Keys are protected in an HSM with restricted physical access

• SBAT data looks valid

• The only change is to the build system to preprocess shim.nx.efi, mm.efi, fb.efi with the -n flag

• Upstream 15.8 shim is used, checksum of downloaded file is verified in the container

• Security contacts are the same as previous Blancco Shim 15.7 for x64 & ia32 #290 submissions

• grub2 used has changed since last submission, it's now based off Ubuntu. The modules used as are the same as in Blancco Shim 15.7 for x64 & ia32 #290.

[steve-mcintyre]

Shim 15.8 for Blancco

Tag blancco-shim-15.8-ia32_x64_aa64-20240927

Good

General

• Victor is Already busy reviewing other submissions - good!
• Contact verification previously completed - OK
• Key management using a hardware token - OK
• Old builds provided to Microsoft for revocation, now on SBAT - OK

Shim

• Builds from 15.8 upstream, with 1 patch:

  • Build-an-additional-NX-shim-mark-MokManager-and-Fallback-.patch
    • Patch from Ubuntu to tweak NX building
    • Already reviewed and accepted before - OK

• shim builds reproduce here for both builds on all of x64, ia32 and
  aa64 with the Dockerfiles provided - OK

38a7caf9b5067bc552331ed54d9fb727f6305c26099978add7d663d2eccb51b8  /build/output/shimaa64.efi
874b81c48dc218c62a5c49e1c23d371b394bc02b090ff38540b384c84a18c961  /build/output/shimaa64.nx.efi
38a7caf9b5067bc552331ed54d9fb727f6305c26099978add7d663d2eccb51b8  shim-review/shimaa64.efi
874b81c48dc218c62a5c49e1c23d371b394bc02b090ff38540b384c84a18c961  shim-review/shimaa64.nx.efi
67e69ba6aa0e789cd14048e9859aa16149d4741a1cff4be8960d4081c2583606  /build/output/shimia32.efi
7d542b736364c3f614c0f7edb44d6f80f6535032ebee3eb2bcb03001b1953b3e  /build/output/shimia32.nx.efi
67e69ba6aa0e789cd14048e9859aa16149d4741a1cff4be8960d4081c2583606  shim-review/shimia32.efi
7d542b736364c3f614c0f7edb44d6f80f6535032ebee3eb2bcb03001b1953b3e  shim-review/shimia32.nx.efi
8605e469427de5e75e36adc9a706ce9de1c51f8d0a6bc6259b3a6bcea5517075  /build/output/shimx64.efi
90290dec09ba33b6bd61c93840dbb0d1355f6fb88c277d041f0c6515ff7f1c1c  /build/output/shimx64.nx.efi
8605e469427de5e75e36adc9a706ce9de1c51f8d0a6bc6259b3a6bcea5517075  shim-review/shimx64.efi
90290dec09ba33b6bd61c93840dbb0d1355f6fb88c277d041f0c6515ff7f1c1c  shim-review/shimx64.nx.efi

• NX bits set appropriately on each of the shim binaries - OK
• Reusing existing embedded CA cert with ~8 years of life
  left. RSA-2048 - OK

  Serial Number:
      10:fe:1c:d1:4b:2b:4c:4e:83:eb:d0:ec:9d:46:7f:0b
  Signature Algorithm: sha256WithRSAEncryption
  Issuer: CN = Blancco Secure Boot CA 2022, OU = Secure Boot, O = Blancco Technology Group IP Oy, C = FI
  Validity
      Not Before: Nov 11 12:06:43 2022 GMT
      Not After : Nov  8 12:06:43 2032 GMT
  Subject: CN = Blancco Secure Boot CA 2022, OU = Secure Boot, O = Blancco Technology Group IP Oy, C = FI
  Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
          Public-Key: (2048 bit)

• SBAT data looks fine for shim - OK

GRUB

• Using GRUB2 2.12, based on Ubuntu's build - OK
• Lists of modules looks OK
• SBAT data looks mostly OK, just one minor nit - see below
• GRUB patches look OK

Linux

• Lockdown patches applied and enforced - good
• Using build-time ephemeral keys - good

Issues / queries

• Minor nit in the GRUB SBAT data: you appear to be claiming version
  1.0.2 for the version. Is that really the case when you're basing
  on Ubuntu's version 2.12~rc1? (Not a blocker, just seems odd!)

Overall

Looks good! Accepting!