Shim 15.8 for AlmaLinux OS 8 (aarch64) #432

Closed
8 tasks done
eabdullin1 opened this issue Jul 18, 2024 · 5 comments
Labels
accepted Submission is ready for sysdev contacts verified OK Contact verification is complete here (or in an earlier submission) easy to review This submission might be a good place to start for an inexperienced reviewer

Comments

@eabdullin1

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/AlmaLinux/shim-review/tree/almalinux-8-shim-aarch64-20240718


What is the SHA256 hash of your final SHIM binary?


1b3142f0c76df4942088fda2b2e4693d3d727893db2a7aaf5eb6fcefaec51b7a  shimaa64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?



If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


@eabdullin1 eabdullin1 changed the title Shim 15.8 for AlmaLinux (aarch64) Shim 15.8 for AlmaLinux OS 8 (aarch64) Jul 18, 2024
@steve-mcintyre steve-mcintyre added the contacts verified OK Contact verification is complete here (or in an earlier submission) label Jul 22, 2024
@steve-mcintyre
Collaborator

Contacts verified previously

@aronowski
Collaborator

As good as the application for x86_64: #407

The binary seems alright and the checksum matches the rebuilt one (Took me 32m29.073s to rebuild due to architectural differences ;-)). One more positive review (maybe from a non-accredited reviewer) and it can be accepted.

@aronowski aronowski added extra review wanted easy to review This submission might be a good place to start for an inexperienced reviewer labels Jul 23, 2024
@dennis-tseng99
Collaborator

=== Review for Shim 15.8 for AlmaLinux OS 8 (aarch64) #432 ===

  • Binaries are finally reproducible in an aarch64 environment.
    Step 17/17 : RUN sha256sum /usr/share/shim/15.8-2.el8.alma.1/aa64/shimaa64.efi /shimaa64.efi
    ---> Running in b751a2017d14
    1b3142f0c76df4942088fda2b2e4693d3d727893db2a7aaf5eb6fcefaec51b7a /usr/share/shim/15.8-2.el8.alma.1/aa64/shimaa64.efi
    1b3142f0c76df4942088fda2b2e4693d3d727893db2a7aaf5eb6fcefaec51b7a /shimaa64.efi
    Removing intermediate container b751a2017d14
    ---> 98404190d868
    Successfully built 98404190d868

  • Hash value matches (ok)
    $ sha256sum shimaa64.efi
    1b3142f0c76df4942088fda2b2e4693d3d727893db2a7aaf5eb6fcefaec51b7a shimaa64.efi

  • NX flag is disabled: (ok)
    [method-1]
    objdump -x shimaa64.efi | grep -E 'Sec
    objdump: shimaa64.efi: file format not recognized
    [method-2]
    hexdump -n 0x0120 -C shimaa64.efi

    00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
    00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
    00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    00000030  00 00 00 00 00 00 00 00  00 00 00 00 80 00 00 00  |................|
    00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
    00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
    00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
    00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
    00000080  50 45 00 00 64 aa 0a 00  00 00 00 00 00 c8 0c 00  |PE..d...........|
    00000090  a2 11 00 00 f0 00 06 02  0b 02 02 26 00 80 06 00  |...........&....|
    000000a0  00 44 06 00 00 00 00 00  00 e0 01 00 00 e0 01 00  |.D..............|
    000000b0  00 00 00 00 00 00 00 00  00 10 00 00 00 02 00 00  |................|
    000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    000000d0  00 80 0d 00 00 04 00 00  af 85 0f 00 0a 00 00 00  |................| <-- DllCharacteristics=0x0000 (last 2 bytes)
    000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  • sbat seems fine
    shim:
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
    shim.almalinux,3,AlmaLinux,shim,15.8,[email protected]

    grub2: NTFS module is not included.
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
    grub.rh,2,Red Hat,grub2,2.02-156.el8,mailto:[email protected]
    grub.almalinux,2,AlmaLinux,grub2,2.02-156.el8.alma.1,mail:[email protected]

    The NTFS module is not included, but you answered "Yes" in your questionnaire:

    Do you have fixes for all the following GRUB2 CVEs applied?
    .........
    October 2023 - NTFS vulnerabilities
    Details: https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html, SBAT increase to 4
    CVE-2023-4693
    CVE-2023-4692

  • Certificate Validity: 10 years is ok, but NIST deems RSA 2048 sufficient until 2030. hmm...
    openssl x509 -in almalinux-sb-cert-3.der -inform der -noout -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    c3:8b:43:54:da:0e:40:94:87:23:0d:e7:64:25:6a:db
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: emailAddress = [email protected], O = AlmaLinux OS Foundation, CN = AlmaLinux Secure Boot CA
    Validity
    Not Before: Mar 14 01:51:13 2024 GMT
    Not After : Mar 14 01:51:13 2034 GMT
    Subject: emailAddress = [email protected], O = AlmaLinux OS Foundation, CN = AlmaLinux Secure Boot CA
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public-Key: (2048 bit)
    Modulus:
    00:b0:c0:a1:22:01:fa:bd:f1:33:f7:83:f4:76:d9:
    eb:20:94:77:e0:a6:3d:87:b1:7a:1f:b4:53:a1:8a:
    ...

  • Conclusion:
    Everything seems all right except some minor concerns. But that is ok at this stage. Let's accept it.
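An added example, not part of the review above or of the shim project, that performs method-2 programmatically: instead of counting bytes in the hexdump, it walks the DOS header to the PE signature, reads the COFF header, and reports the machine type, subsystem and whether IMAGE_DLLCHARACTERISTICS_NX_COMPAT is set. The sample bytes are copied from the dump in the review; only the ranges the parser reads are filled in, and the field offsets follow the PE/COFF specification.

```python
import struct

# Constructed sample: header bytes of shimaa64.efi copied from the hexdump in the
# review above. Only the ranges this parser reads are filled in; the rest stay zero.
SAMPLE_HEADER = bytearray(0xE0)
SAMPLE_HEADER[0x00:0x02] = b"MZ"
SAMPLE_HEADER[0x3C:0x40] = bytes.fromhex("80000000")  # e_lfanew: PE header at 0x80
SAMPLE_HEADER[0x80:0xA0] = bytes.fromhex(
    "50450000 64aa0a00 00000000 00c80c00 a2110000 f0000602 0b020226 00800600")
SAMPLE_HEADER[0xD0:0xE0] = bytes.fromhex("00800d00 00040000 af850f00 0a000000")

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32PLUS_MAGIC = 0x20B
MACHINE_NAMES = {0xAA64: "ARM64", 0x8664: "x86-64", 0x14C: "i386"}


def parse_pe_header(data):
    """Return the header fields a shim reviewer checks: machine, PE32+ flag,
    subsystem and DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    if opt_size < 72 or len(data) < opt_off + 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Subsystem (+68) and DllCharacteristics (+70) sit at the same offsets in
    # PE32 and PE32+, so no branch on the magic is needed here.
    subsystem, dllchars = struct.unpack_from("<HH", data, opt_off + 68)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "subsystem": subsystem,          # 10 = EFI application
        "dll_characteristics": dllchars,
    }


def nx_compat_enabled(data):
    """True when the image advertises NX compatibility (bit 0x0100)."""
    return bool(parse_pe_header(data)["dll_characteristics"]
                & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


if __name__ == "__main__":
    print(parse_pe_header(SAMPLE_HEADER), "NX_COMPAT:", nx_compat_enabled(SAMPLE_HEADER))
```

Run against a real binary with `parse_pe_header(open("shimaa64.efi", "rb").read())`; the same function works for x86-64 shims since the offsets do not depend on the machine type.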

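A second added example, also not from the review or the shim project: the grub2 .sbat section quoted above lists grub at generation 3, while the NTFS advisory the reviewer cites raised the required generation to 4. This parses the .sbat CSV and reports every component whose generation is below an assumed minimum (the REQUIRED_GENERATION table is a placeholder policy for the example, not the official SbatLevel data); a component missing from the section is reported too.

```python
import csv
import io

# Constructed sample: the grub2 .sbat rows reproduced in the review above.
GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-156.el8,mailto:[email protected]
"""

# Assumed policy for this example (placeholder, not the official SbatLevel payload):
# the October 2023 NTFS advisory cited in the review raised grub to generation 4.
REQUIRED_GENERATION = {"sbat": 1, "grub": 4}


def parse_sbat(text):
    """Parse a .sbat section into {component: fields}. Each row is
    component,generation,vendor,package,version,url."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) < 6:
            raise ValueError(f"malformed SBAT row: {row}")
        name, gen, vendor, package, version, url = row[:6]
        entries[name] = {"generation": int(gen), "vendor": vendor,
                         "package": package, "version": version, "url": url}
    return entries


def sbat_below_policy(text, required=REQUIRED_GENERATION):
    """Return (component, have, need) for every required component whose
    generation is below the policy; have is None when the component is absent."""
    entries = parse_sbat(text)
    findings = []
    for name, need in required.items():
        have = entries.get(name, {}).get("generation")
        if have is None or have < need:
            findings.append((name, have, need))
    return findings


if __name__ == "__main__":
    for name, have, need in sbat_below_policy(GRUB_SBAT):
        print(f"{name}: generation {have} below required {need}")
```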
@dennis-tseng99 dennis-tseng99 added accepted Submission is ready for sysdev and removed extra review wanted labels Jul 25, 2024
@andrewlukoshko

@dennis-tseng99 @aronowski thank you so much for the quick review.

@eabdullin1
Author

Signed by Microsoft.

Submission ID:
13945420415662615

Closing. Thanks everyone.
