Shim 15.8 for Mariner 2.0

[ddstreetmicrosoft]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/microsoft/shim-review/tree/cbl-mariner-shim-x64-20240221

Add missing shim sbat in README: https://github.com/microsoft/shim-review/tree/cbl-mariner-shim-x64-20240222

---

What is the SHA256 hash of your final SHIM binary?

---

82ede1584e7de1347446a241f09c05cf3efc134206c446be3d548a748e4752e3

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

#223

[aronowski]

Note for reviewers: please see rhboot/shim#634 in regard to the SBAT generation numbers provided in the application.

[eduardacatrinei]

Hey @ddstreetmicrosoft, it looks like you forgot to mention shim sbat in section of the readme.

[ddstreetmicrosoft]

Hey @ddstreetmicrosoft, it looks like you forgot to mention shim sbat in section of the readme.

Ah ok sorry, I had interpreted "...booting or planning to boot directly through shim" as meaning "...booting directly through shim, or planning to boot directly through shim" but I assume it actually was intended to mean "...booting (or planning to boot) directly from UEFI firmare or directly from shim". Might be clearer to just say "Please provide exact SBAT entries for all shim binaries as well as all SBAT binaries that shim will directly boot."

I added the shim sbat and pushed a new tag (with today's date). thanks!

[ddstreetmicrosoft]

Hey @ddstreetmicrosoft, it looks like you forgot to mention shim sbat in section of the readme.

Ah ok sorry, I had interpreted "...booting or planning to boot directly through shim" as meaning "...booting directly through shim, or planning to boot directly through shim" but I assume it actually was intended to mean "...booting (or planning to boot) directly from UEFI firmare or directly from shim". Might be clearer to just say "Please provide exact SBAT entries for all shim binaries as well as all SBAT binaries that shim will directly boot."

I added the shim sbat and pushed a new tag (with today's date). thanks!

opened #388 to clarify the question wording (assuming I understand it correctly now)

[ddstreet]

Hello, just checking if anything is needed for this review. Thanks!

[es-fabricemarie]

I'm not an official reviewer, just trying to help with the official reviewers load.

• build reproduces fine
• SHA256 of shim matches (82ede1584e7de1347446a241f09c05cf3efc134206c446be3d548a748e4752e3)
• Issues with the certificates (they are not part of the shim or shim-review repos):
  • Found mentioned expired certificate cbl-mariner-ca-20211013.pem
  • Could not find new cbl-mariner-ca-20230216.der/pem certificate to inspect it.

Expired cbl-mariner-ca-20211013.pem certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:00:04:ee:7f:94:de:8d:43:27:a5:1f:00:01:00:00:04:ee
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Testing PCA 2010
        Validity
            Not Before: Oct 14 17:28:05 2021 GMT
            Not After : Oct 13 17:28:05 2022 GMT
        Subject: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Mariner Secure Boot(Production Signing)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:e3:98:53:1c:f4:00:03:bc:9c:ea:0d:e2:56:
                    ea:9c:40:a1:79:d7:29:42:ca:78:d4:c9:26:2a:a9:
                    08:5a:da:c4:33:13:bb:5b:27:67:a0:56:45:b8:71:
                    f6:35:51:b2:6c:9b:ae:62:db:f5:46:23:53:8b:66:
                    26:b8:b1:1c:17:44:de:ed:a1:12:b9:68:49:58:7e:
                    9b:20:84:c8:06:11:a0:92:3e:ce:bd:d7:90:55:a8:
                    ee:16:5f:48:f1:5e:cc:2a:45:9d:82:3c:7f:9e:bc:
                    d0:82:85:09:ce:aa:d8:ef:14:2a:a9:ed:a7:90:e3:
                    86:ff:0e:96:66:68:c8:9c:2f:f0:f0:6c:8e:3d:db:
                    91:d6:19:26:1a:fb:f3:29:d4:5b:37:c8:68:4f:e5:
                    7e:f9:f9:cf:6f:c3:88:09:e4:aa:31:70:e1:51:99:
                    01:2d:d1:ce:e5:39:c9:4e:8b:93:69:e6:3c:ac:ee:
                    5a:eb:76:63:cf:6e:3a:00:2c:44:41:6a:d8:97:8f:
                    cc:3b:d8:b5:19:bb:8f:88:f7:bd:3f:ea:3a:8d:12:
                    41:de:1b:1a:95:48:f4:51:34:81:19:b9:b8:ef:44:
                    87:e0:f2:e5:0b:af:c9:3f:2a:3f:13:6f:39:c2:5a:
                    81:ae:69:3f:fd:ca:85:5b:1e:1a:94:29:03:09:c7:
                    11:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Subject Key Identifier: 
                B4:2D:6B:9E:28:09:B7:B9:09:7C:FF:9E:9B:01:94:B8:6E:80:BF:95
            X509v3 Subject Alternative Name: 
                DirName:/OU=Microsoft Corporation/serialNumber=460897\+468597
            X509v3 Authority Key Identifier: 
                BF:65:A2:AB:6F:75:A3:4E:45:96:57:05:CF:39:87:F4:C0:15:1C:1C
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Testing%20PCA%202010(1).crl
            Authority Information Access: 
                CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Testing%20PCA%202010(1).crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        b2:6e:eb:fa:92:68:53:db:2f:7b:14:e2:d1:96:32:c2:2e:f4:
        25:04:bf:c4:77:12:8f:0d:83:45:84:70:8a:21:47:79:e7:4c:
        94:a1:45:bc:5c:8c:52:61:af:83:9b:1f:f5:f8:d6:12:e0:dc:
        6a:97:b7:9c:b9:1e:20:f7:ee:22:d0:33:a6:36:36:0e:35:8f:
        1e:a4:fb:29:22:98:d4:77:d3:80:88:a3:4a:25:2b:36:df:4d:
        e2:d9:34:28:8d:74:1c:65:57:93:3b:cf:5b:2b:7a:57:fa:ca:
        68:00:21:ae:11:51:2e:59:27:4b:ab:ea:0f:0d:86:70:35:32:
        b2:a1:b8:fd:c0:76:0e:e9:65:c9:7d:c7:4b:3e:56:19:82:10:
        e3:47:f5:8d:3b:96:f3:bf:3a:62:da:79:ff:73:83:98:bc:c8:
        a1:2c:da:b4:e6:e3:4e:d0:80:7f:ce:ab:b2:01:a0:8a:6e:2d:
        79:bf:f3:ea:62:8b:35:06:c4:fe:61:fb:78:cd:ff:2b:cb:5e:
        f2:15:50:48:a8:93:1a:d8:09:fa:19:ec:7b:48:d5:a3:8e:3d:
        52:ee:e0:60:6b:7a:19:71:31:ef:47:cc:6f:dd:f9:9b:c1:f4:
        0c:22:b6:51:99:9a:ea:f3:19:32:4b:14:15:ef:17:9a:d2:c1:
        3b:5f:fa:49

• did not review/comment on grub2 sbat levels/patches.
• shim sbat version looks correct:

objcopy --only-section .sbat -O binary shimx64.efi /dev/stdout

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.mariner,1,Microsoft,shim,15.8-1.cm2,https://github.com/microsoft/CBL-Mariner

• NX compat is disabled:

  objdump -p shimx64.efi  | grep DllCharacteristics
  

  DllCharacteristics      00000000
  

[aronowski]

Reviewing as much as I can right now. The build does reproduce, checksum matches, characteristics seem alright! <hr> ``` ******************************************************************************* ### If you use vendor_db functionality of providing multiple certificates and/or hashes please briefly describe your certificate setup. ### If there are allow-listed hashes please provide exact binaries for which hashes are created via file sharing service, available in public with anonymous access for verification. ******************************************************************************* The ESL contains both our current signing certificate, which is expired, as well as our new signing certificate. Including both certificates allows existing signed kernels to continue to be loadable under secure boot. There are no hashes in the ESL. We have generated a GUID for Azure Linux to use as the cert owner in the ESL, f4de3b90-399b-4eb0-aa3f-041c434a2de3. The ESL was generated using the efivar release 39 source tarball, compiled and installed locally, with the command: $ efisecdb -o db.x64.esl -g 'f4de3b90-399b-4eb0-aa3f-041c434a2de3' -a -c cbl-mariner-ca-20211013.der -c cbl-mariner-ca-20230216.der ``` Alright! I've checked the ESL and the certificates are right there as mentioned. Here's how I did it: ``` $ rpmdev-extract -C /tmp/ shim-unsigned-x64-15.8-1.el8.src.rpm $ binwalk -Mre --dd='.*' /tmp/shim-unsigned-x64-15.8-1.cm2.src/db.x64.esl $ openssl x509 -noout -text -in _db.x64.esl.extracted/2C | less $ openssl x509 -noout -text -in _db.x64.esl.extracted/562 | less ``` `562` is the current one. It's valid for 15 years, uses SHA-512 as the hash function and has a modulus size of 4096 (Wow!). I'll paste the details here for convenience. ``` Certificate: Data: Version: 3 (0x2) Serial Number: 33:00:00:00:02:63:94:70:7a:16:d9:f1:da:00:00:00:00:00:02 Signature Algorithm: sha512WithRSAEncryption Issuer: C = US, O = Microsoft Corporation, CN = Microsoft Mariner RSA Root CA 2023 Validity Not Before: Feb 16 19:39:02 2023 GMT Not After : Feb 9 21:25:53 2038 GMT Subject: C = US, O = Microsoft Corporation, CN = Mariner Trusted Base RSA Code Signing CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:bf:bc:4c:59:f0:49:7e:a9:13:52:7a:11:be:1f: 75:52:72:d2:92:e6:16:b6:35:1b:ca:2a:c5:f3:ea: 63:49:74:ad:ec:e8:7a:2d:69:f2:16:6b:3c:0b:24: d6:5f:e5:a7:e0:48:0e:b6:25:ff:44:e2:64:e4:a4: 54:13:28:77:9e:bd:fc:90:e7:b6:88:6f:8f:27:19: b4:22:8a:fb:d3:d8:32:8a:61:b3:20:f9:5e:fb:0a: ef:13:5a:46:2c:71:4d:33:8b:27:9e:b5:88:a4:2a: 9f:2d:bd:6c:93:60:3b:f3:7d:d3:db:3d:a5:71:5a: d5:c8:50:29:69:b7:21:bf:08:4a:26:70:8f:40:a2: c5:64:f0:7c:69:93:a9:af:69:47:59:b0:43:27:54: 2b:c1:d2:e2:e3:b9:8b:65:aa:07:4e:b9:6f:54:78: f2:b1:06:98:2d:26:e1:66:17:df:b3:9d:10:55:3b: 67:3a:2b:32:b7:46:f2:d6:05:2f:ea:c2:7d:91:31: 90:1a:2a:71:40:fa:4a:8d:d9:b3:3f:ca:41:e9:f1: 4c:d2:b2:bf:75:08:57:7b:33:4c:fe:d6:f2:02:c6: fb:72:93:af:86:12:e9:4f:ba:cf:3b:53:a7:e6:ad: dc:39:47:d0:61:41:22:81:8c:36:7c:67:b3:fe:ed: 66:85:0b:d8:47:bd:08:bf:75:81:7e:45:11:0d:62: c9:ce:77:b3:36:21:43:cd:8b:8f:04:3e:31:15:51: a6:96:ec:0d:37:6e:4c:2a:e5:e3:dc:69:f8:e7:dd: ee:f4:2e:b0:dc:3c:b7:69:83:03:86:dd:a1:78:0f: 3a:b1:c7:bf:ed:00:91:1e:32:5c:3c:31:76:15:8c: 31:0e:e9:ad:42:8e:f6:56:06:0c:92:fd:ed:be:38: 07:4a:e5:c8:13:e9:a8:c6:19:b2:18:19:08:61:98: 87:3c:3e:51:77:0e:43:58:73:33:e8:00:29:c4:97: fe:23:25:d7:64:46:19:ea:9d:e3:54:9e:7b:2b:17: 5d:e7:d0:2d:f2:65:c9:5b:23:af:84:f1:ed:18:de: 99:67:e2:c0:98:8b:e5:1a:cc:dc:c5:df:52:64:61: 64:93:cf:0d:dd:10:4c:cf:bb:2c:2a:21:b8:f8:77: 0b:5e:36:15:cb:41:dc:34:ac:cc:73:79:39:6c:5c: 1c:62:d5:16:cc:3b:dd:4b:43:fa:32:e1:67:65:83: e3:76:2a:6f:e8:87:29:a7:e3:63:78:53:05:42:d0: 76:8c:e4:d7:88:d5:2d:37:b6:c5:f4:e5:af:c4:d3: 52:29:48:a0:07:68:13:4d:8b:89:5b:4b:e5:55:2a: 66:af:71 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign 1.3.6.1.4.1.311.21.1: ... X509v3 Subject Key Identifier: 75:54:B1:5F:7D:70:FC:F0:8D:B9:0F:AA:6A:75:C1:BE:B4:8A:7E:5C 1.3.6.1.4.1.311.20.2: . .S.u.b.C.A X509v3 Basic Constraints: critical CA:TRUE X509v3 Authority Key Identifier: ED:B3:FF:0C:D5:FC:0C:BB:C5:1D:45:F5:72:5F:70:15:F9:C8:C6:A6 X509v3 CRL Distribution Points: Full Name: URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Mariner%20RSA%20Root%20CA%202023.crl Authority Information Access: CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Mariner%20RSA%20Root%20CA%202023.crt Signature Algorithm: sha512WithRSAEncryption Signature Value: 60:a2:2e:8f:a4:2e:61:c4:4c:13:48:8f:03:41:0a:94:72:6a: 6b:b3:7d:78:c6:e7:86:cc:62:b4:b4:90:f8:c0:58:3f:2f:6b: 10:38:1b:36:97:c8:cf:f2:93:6a:b9:d3:19:84:6d:17:43:96: 17:dd:93:f3:e4:99:83:85:4e:f2:3e:e0:37:77:de:49:6d:30: 2c:b6:fe:5c:1f:d4:28:bc:5c:89:58:00:7f:de:22:23:b8:94: aa:88:93:60:db:7e:7d:9e:30:23:1e:14:5c:74:05:0d:33:bf: 11:c9:61:43:16:cf:f9:2a:75:3c:51:e7:b2:d9:72:50:54:18: f9:fe:43:fd:a9:0d:96:1f:b9:71:ac:4b:5a:d0:a8:50:55:eb: 2c:52:80:32:c0:00:ef:40:b8:1b:f3:df:6a:f0:94:6c:a2:72: 1a:ee:7c:71:0c:d7:e6:1f:8c:ff:30:eb:0a:62:d2:ef:c9:1d: 37:aa:03:ac:c5:b2:19:17:c5:74:18:2f:b4:7c:22:39:42:51: 55:88:1b:db:c1:03:46:20:75:c6:98:5d:8e:4c:4f:55:9c:b4: c7:16:08:2b:b5:da:05:ad:53:77:ce:0b:ce:97:ad:ff:80:fb: e5:2d:09:85:c0:2f:58:78:83:46:0e:a5:92:0b:e8:b4:61:ec: 28:91:e4:a8:7b:73:0f:72:95:8b:fd:df:e6:04:49:01:d8:d9: 50:30:0a:cf:a3:ff:14:5e:c6:4b:f9:a1:64:46:93:30:2a:11: 24:af:d2:22:5f:66:0e:c3:ce:fc:84:fb:d5:db:21:82:86:a1: 2d:8d:ac:fc:86:09:2b:59:b1:79:7b:07:74:29:03:87:40:be: 3d:28:c9:ee:58:65:76:c5:b4:88:07:4b:8b:86:c9:46:2f:11: 86:1e:74:d0:b8:fe:e8:d9:ee:d7:01:bf:12:81:dc:1c:ca:26: bc:bb:32:42:ed:50:98:5f:a9:09:d5:0c:59:18:f3:0a:72:db: 8c:9e:9b:d2:03:47:49:f6:51:ad:5a:f7:f9:1b:9b:10:d3:fa: 52:78:ab:b7:cc:c4:f2:5f:d9:09:d3:91:d4:17:4a:e3:5e:8f: 3e:8d:e3:25:2a:89:7d:b6:d8:72:e6:90:31:5d:85:ea:b6:84: c6:34:a2:2e:4f:92:2b:ec:9d:89:fb:6f:8b:03:72:5c:ae:7a: 7d:38:04:50:48:c1:fc:b4:47:04:52:58:47:f3:c1:37:dd:ac: 64:fa:57:f5:d3:ff:79:fd:b7:00:c8:15:9c:8a:f2:84:63:52: 5c:28:d0:60:22:ab:ca:f4:bb:03:ce:2a:72:d0:3e:92:89:a5: 60:b8:20:2b:35:2e:39:01 ``` Note: I've never worked with an `.esl` file being embedded inside a shim binary, hence why I don't know, how it will behave under UEFI with Secure Boot enabled. Historically I've witnessed a lot of low-level curiosities to be unsure. <hr> I'll send verification emails soon, since the contact pair has changed. I'll need to do this for both contacts, as that's the process. Please check your spam folder if no messages arrive soon.

[ddstreetmicrosoft]

I'll send verification emails soon

The verification email to me decrypted to the words:

serotonin aflame surgery calorie cosmos subdivide attempt implicate calculate
nursing

[dennis-tseng99]

@ddstreet Just remind you that the pem format of certificate file cbl-mariner-ca-20211013.pem found in the review of @es-fabricemarie is not allowed according to https://github.com/rhboot/shim-review/pull/402/files

Besides, I found shim-15.7 is also included in db.x64.esl file. Is it useful ?

sig-list-to-certs db.x64.esl db.x64
-rw-r--r-- 1 dennis users 1290 Apr  9 16:04 db.x64-0.der
-rw-r--r-- 1 dennis users 1722 Apr  9 16:04 db.x64-1.der
-rw-r--r-- 1 root   root  3100 Apr  9 16:03 db.x64.esl
drwxr-xr-x 1 dennis users  224 Apr 11  2023 shim-15.7

[ddstreetmicrosoft]

@ddstreet Just remind you that the pem format of certificate file cbl-mariner-ca-20211013.pem found in the review of @es-fabricemarie is not allowed according to https://github.com/rhboot/shim-review/pull/402/files

That isn't in the shim, so unless I'm missing something, it's not at all relevant to this shim review.

Besides, I found shim-15.7 is also included in db.x64.esl file. Is it useful ?

sig-list-to-certs db.x64.esl db.x64
-rw-r--r-- 1 dennis users 1290 Apr  9 16:04 db.x64-0.der
-rw-r--r-- 1 dennis users 1722 Apr  9 16:04 db.x64-1.der
-rw-r--r-- 1 root   root  3100 Apr  9 16:03 db.x64.esl
drwxr-xr-x 1 dennis users  224 Apr 11  2023 shim-15.7

Again, unless I'm missing something, it's not in the esl; probably you just had it in your filesystem already?

$ ls -la
total 12
drwxrwxr-x 2 ddstreet ddstreet 4096 Apr  9 08:44 .
drwxrwxr-x 3 ddstreet ddstreet 4096 Apr  9 08:44 ..
-rw-r----- 1 ddstreet ddstreet 3100 Apr  9 08:44 db.x64.esl

$ sig-list-to-certs db.x64.esl cert
X509 Header sls=1334, header=0, sig=1290
file cert-0.der: Guid f4de3b90-399b-4eb0-aa3f-041c434a2de3
Written 1290 bytes
X509 Header sls=1766, header=0, sig=1722
file cert-1.der: Guid f4de3b90-399b-4eb0-aa3f-041c434a2de3
Written 1722 bytes

$ ls -la
total 20
drwxrwxr-x 2 ddstreet ddstreet 4096 Apr  9 08:44 .
drwxrwxr-x 3 ddstreet ddstreet 4096 Apr  9 08:44 ..
-rw-rw-r-- 1 ddstreet ddstreet 1290 Apr  9 08:44 cert-0.der
-rw-rw-r-- 1 ddstreet ddstreet 1722 Apr  9 08:44 cert-1.der
-rw-r----- 1 ddstreet ddstreet 3100 Apr  9 08:44 db.x64.esl

[ddstreetmicrosoft]

I'll send verification emails soon, since the contact pair has changed. I'll
need to do this for both contacts, as that's the process.

Just FYI, @christopherco has just left for extended vacation so unfortunately it's unlikely he will be able to handle the verification email until he is back; if the review does require verification from him also (as well as the verification I already provided) can we at least get through all the rest of the review so this can be approved right away once he gets back?

[aronowski]

Looks like some errors happened that shall be clarified.

The comment I sent earlier through an e-mail did not get formatted by GitHub as Markdown properly. Despite that, the text itself mentions that the ESL certificates match the ones provided as part of the application, i.e. they are DER-formatted. Simply running binwalk, like I mentioned, shall print a hint about them:

[...]
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
44            0x2C            Certificate in DER format (x509 v3), header length: 4, sequence length: 1286
1378          0x562           Certificate in DER format (x509 v3), header length: 4, sequence length: 1718

---

Just FYI, @christopherco has just left for extended vacation so unfortunately it's unlikely he will be able to handle the verification email until he is back; if the review does require verification from him also (as well as the verification I already provided) can we at least get through all the rest of the review so this can be approved right away once he gets back?

Yes, I'll kindly do further review and learn how the ESL embedding into a shim binary behaves, but that will take me a while to recreate a laboratory I made some time ago.

I understand that the PGP key hasn't changed, but I'm sticking to the current process, where both contacts need to be verified like here - I was supposed to type the decrypted random words, although my key has been and still is the same.

[aronowski]

@ddstreetmicrosoft, as promised, I'm preparing a laboratory to check the ESL things out in the context of the whole bootloader chain working.

However, I couldn't get Secure Boot to work - when attempting to boot, I immediately get a security violation error.

As part of recreating this setup, I generated two separate CAs with their corresponding certificates and private keys (used a date hooking library to more-or-less recreate their application-equivalent actual validity periods). I merged them into an .esl file and built an unsigned shim, which has this file embedded into the binary.

I then manually signed the shim binary with my own db-related assets akin to:

$ sudo sbsign --cert db.crt --key db.key shimx64.efi

and then attempted to rebuild the RPM with a self-signed shim, which should work with my own EFI signature lists enrolled into the firmware.

However, in order to rebuild the RPM, a command similar to the following shall be ran:

$ rpmbuild -D 'pe_signing_token NSS Certificate DB' -D 'pe_signing_cert XXX' -ba *.spec

Question: what should be present in place of the placeholder entry XXX? A nickname that represents the certificate bound to the newer CA, or something else? Is this kind of signing assets sufficient, or do the further components contain multiple signatures for this to work? Maybe you have a completely different build process, which handles this scenario well, that I'm not aware of?

[ddstreetmicrosoft]

I then manually signed the shim binary with my own db-related assets akin to:

$ sudo sbsign --cert db.crt --key db.key shimx64.efi

The esl is what gets embedded inside the shim, none of the keys in the esl are used to sign the shim. For production use, after a successful review here, the shim itself will be signed by the Microsoft UEFI signing cert (i.e. the one that's included by default inside most UEFI firmware DB across the world), and that Microsoft UEFI signing cert should not be embedded inside the shim.

Conversely, to accurately test the normal secure boot configuration, none of the certs that are embedded inside the shim should be added to the UEFI DB.

However, in order to rebuild the RPM, a command similar to the following shall be ran:

$ rpmbuild -D 'pe_signing_token NSS Certificate DB' -D 'pe_signing_cert XXX' -ba *.spec

If you're trying to build the Mariner 2.0 unsigned shim rpm, then the pe_signing* defines are almost certainly not going to work, as we don't use pesign during any RPM build process.

I would suggest first starting with the srpm that's included in the review repo: https://github.com/microsoft/shim-review/raw/cbl-mariner-shim-x64-20240222/shim-unsigned-x64-15.8-1.cm2.src.rpm

You can install that on any rpm-based distro (e.g. Fedora) and then you simply need to replace the db.x64.esl file with whatever esl file you've locally created (with your own locally-created certs), e.g.:

$ rpm -i shim-unsigned-x64-15.8-1.cm2.src.rpm 
$ cp db.esl rpmbuild/SOURCES/db.x64.esl

You'll need to install the proper deps (which are slightly different on Fedora than Mariner) and then build it normally (but with --nodeps since you won't have vim-extra installed):

$ sudo dnf install dos2unix xxd efivar-devel
...
$ rpmbuild --nodeps -bb rpmbuild/SPECS/shim-unsigned-x64.spec
...

That will produce an rpm with the unsigned shim efi, that has your esl embedded inside it. You can extract this unsigned shim efi from the rpm:

$ sudo dnf install rpmdevtools
...
$ mkdir shim-files
$ rpmdev-extract -C shim-files rpmbuild/RPMS/x86_64/shim-unsigned-x64-15.8-1.fc39.x86_64.rpm
shim-unsigned-x64-15.8-1.fc39.x86_64/usr/share/licenses/shim-unsigned-x64
shim-unsigned-x64-15.8-1.fc39.x86_64/usr/share/licenses/shim-unsigned-x64/COPYRIGHT
shim-unsigned-x64-15.8-1.fc39.x86_64/usr/share/shim-unsigned-x64/shimx64.efi
$ cp shim-files/shim-unsigned-x64-15.8-1.fc39.x86_64/usr/share/shim-unsigned-x64/shimx64.efi

Now sign the shimx64.efi manually with your local self-signed cert (not a cert that you put into the esl that you embedded; instead use the cert that you added to your local system UEFI DB).

Note that you will also need to resign (or add a signature to) your boot loader (e.g. grubx64.efi) and your kernel - using one of the certs you put in your local esl file - and your grub must be at the SBAT level that the shim requires, of course.

[ddstreetmicrosoft]

Oh also I forgot to point out that our shim builds with no EFIDIR= so you will also need to place your grubx64.efi into the same dir as the shim, i.e. you should have:

/boot/efi/EFI/BOOT/bootx64.efi
/boot/efi/EFI/BOOT/grubx64.efi

Once the shim loads grub, it's up to your particular grub build to determine where grub will look for its config file(s).

[aronowski]

The esl is what gets embedded inside the shim, none of the keys in the esl are used to sign the shim. For production use, after a successful review here, the shim itself will be signed by the Microsoft UEFI signing cert (i.e. the one that's included by default inside most UEFI firmware DB across the world), and that Microsoft UEFI signing cert should not be embedded inside the shim.

Conversely, to accurately test the normal secure boot configuration, none of the certs that are embedded inside the shim should be added to the UEFI DB.

Exactly that! What I did were these two separate actions:

The first is that I built an unsigned shim with the .esl file I got from merging the two self-generated CAs (the ones I generated with the time-hooking library to simulate the validity period of your cert-0.der and cert-1.der CAs)

The second is that I created my own lists that I enrolled into my firmware (since I myself am not Microsoft and don't own the private part used for signing binaries), equivalent to the following:

• Microsoft Corporation KEK CA 2011
• Microsoft Corporation UEFI CA 2011

Later on I manually signed the unsigned shim binary (having the ESL embedded into it) with my equivalent of Microsoft Corporation UEFI CA 2011 (which in my case are just the db.crt and db.key files).

Then I wanted to build an RPM with a signed shim (signed by my equivalent of Microsoft Corporation UEFI CA 2011), what I normally do by running rpmbuild and defining the macros pe_signing_token and pe_signing_cert, using my equivalent of the certificate issued by the "newer CA" (my equivalent of the one by Microsoft Mariner RSA Root CA 2023).

Since that's just a laboratory, I was not using a real HSM or a smartcard, only the internal NSS certificate database.

---

your grub must be at the SBAT level that the shim requires, of course
[...]
Oh also I forgot to point out that our shim builds with no EFIDIR= so you will also need to place your grubx64.efi into the same dir as the shim

I might have missed something - thank you! I'll take a closer look soon.

[ddstreetmicrosoft]

Then I wanted to build an RPM with a signed shim (signed by my equivalent of Microsoft Corporation UEFI CA 2011), what I normally do by running rpmbuild and defining the macros pe_signing_token and pe_signing_cert, using my equivalent of the certificate issued by the "newer CA" (my equivalent of the one by Microsoft Mariner RSA Root CA 2023).

For reference, the current spec file (not updated yet for 15.8) for Mariner 2.0 that takes the signed shim and builds an rpm is here, however you really don't need to do that, you can just copy the signed shim into place on your test system, to /boot/efi/EFI/BOOT/bootx64.efi (i.e. replacing the previous shim since that's the standard location). The rpm package, at least for Mariner 2.0, doesn't do anything at all other than carry the externally-signed shim at that location. There is no additional signing of anything.

[aronowski]

I've finished the laboratory - it does work! However, I did it in a slightly different way than suggested, e.g. putting the self-signed shim binary in /boot/efi/EFI/fedora/ and having the further Fedora bootloader-related components rebuilt with appropriate SBAT entries and certificates.

If anyone wants, I can write a guide on how to recreate the setup.

As mentioned in #387 (comment), waiting for a reply with the decrypted random words. Then we can celebrate!

[christopherco]

As mentioned in #387 (comment), waiting for a reply with the decrypted random words. Then we can celebrate!

@aronowski just returned from vacation and here are the decrypted words for my verification. Thanks for doing this review! Please let us know if there is any more information we can help provide.

change swimwear bondless alkalize custard irritant clicker chop cotton idealism

[aronowski]

Thank you for the update. Accepting!

[christopherco]

Update - We have received the signed shim. This issue can now be closed. Thanks!