Reviews of shim
Date: Fri, 24 Nov 2017 14:50:01 +0100
From: Marcin Wcislo
Subject: [Shim-review] Shim review request (FileWave, submission ID: 1972187)
Hi,
We decided to switch embedded certificate in our shim and because of that we need another review from you. All required information and
files (as described in the review procedure) can be found here:
https://github.com/fw-dev/shim-review. This submission is almost exactly the same as the previous one with one exception, this time we
didn’t embed public key certificate of our self-signed CA but we used public key certificate of our Extended Validation certificate
acquired from Symantec. Everything else (code, build platform, packages, grub, kernel, test procedures) is exactly the same. I hope that
it can help with having this submission reviewed swiftly. If you have any more questions, please let me know.
Our first submission was handled in subject: Shim review request (FileWave, submission ID: 1956769).
Best regards, Marcin
Make sure you have provided the following information:
Broadband Computer Company Ltd (http://www.broadbandcomputer.com)
15
We were directed to the shim review board by Microsoft after submitting our shim to them for signing. Subsequently our original sysdev submission has been closed pending approval from the shim review board.
Secure COAST
Secure COAST is a security focused linux distro based on Ubuntu 18.04.
We encourage our customers to boot our OS with secure boot enabled, hence the need for a
signed shim.
Make sure you have provided the following information:
link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
https://github.com/jongkyung/shim-review/releases/tag/Gooroom-shim-x64-20190328
completed README.md file with the necessary information
https://github.com/jongkyung/shim-review/blob/master/README.md
shim.efi to be signed
https://github.com/jongkyung/shim-review/blob/master/shimx64.efi
public portion of your certificate embedded in shim (the file passed to VENDOR_CERT_FILE)
https://github.com/jongkyung/shim-review/blob/master/gooroom-uefi-ca.der
any extra patches to shim via your own git tree or as files
No patches applied
any extra patches to grub via your own git tree or as files
https://github.com/jongkyung/shim-review/blob/master/gooroom-validate-linux-image-by-shim.patch
build logs
https://github.com/jongkyung/shim-review/blob/master/build.log
[Gooroom]
[Gooroom OS]
[shim 15+1533136590.3beb971-0ubuntu1+grm1u1]
[To make secure boot on Gooroom OS]
[no]
[no]
[grub2 2.02+beta3-5+grm1u6]
[none]
[We will show messages that execution of unauthenticated code isn't working]
[no]
[linux 4.9.110-3+deb9u6+grm1u2, no patches for secure boot]
[no, It's first time]
[sha256sum fb501b838fe9b91b6adfd9eaa5ff0c5824c7f802fcdc1f960d13a11f3a3db76c ./shimx64.efi]
Make sure you have provided the following information:
Red Hat, Inc.
CentOS Linux 7.6.1810
shim 15
CentOS Linux is deployed on a high number of nodes already using it in SecureBoot mode enabled
Can't discuss this publicly, but hardware HSM is used
no
grub2 rebuilt from upstream RHEL 7.6 tree, so https://git.centos.org/commit/rpms!grub2.git/28f7f8f0658e20412cba7a6af37539b1e1f567b2
nothing else than grub2 and then kernel
Our CI test shows that trying to boot an unsigned kernel isn't working, while a correct pesigned one works
NO
official RHEL 7.6 rebuild kernel.src.rpm
new release, so bumped from shim v12 to shim v15
Close Issue.
Make sure you have provided the following information:
UEFI File Submission ID: 14403955457868706
Cisco Systems
IANA Enterprise Number 9
Cisco Appliances and Virtual products that are using Linux based Operating Systems
https://github.com/rhboot/shim/releases/tag/14
Customers using Cisco Virtual products that run on 3rd party servers (DELL, HP...) do not have permissions to change the UEFI db and add our keys. The Microsoft signed SHIM allows these products to securely run on those platforms
Stored offline via a dedicated group within Cisco
yes
GRUB2 shipping with CentOS 7, and Ubuntu
n/a
no
Standard kernels from CentOS 7 and Ubuntu. Secure boot support flags enabled during builds
resubmit of the initial attempt. Only internal DevOps have changed to make the build more reproducible.
8cb61fc8da9f37aa1a05f153208f781ee791bac2a7a7c4a24b14d1e54f449d61 shimx64.efi
Make sure you have provided the following information:
Red Hat, Inc.
shim 12
CentOS Linux 7.5.1804
CentOS Linux is deployed on a high number of nodes already using it in SecureBoot mode enabled
Make sure you have provided the following information:
Oracle Corporation
Oracle Linux
https://www.oracle.com/linux/index.html
We have used upstream shim version 15
https://github.com/rhboot/shim/releases/tag/15
Oracle Linux is a popular enterprise Linux distribution with Secure Boot support.
The key is installed in the server with restricted physical and system access
Yes
grub2 - upstream plus number of patches from RedHat and Oracle
[your text here]
grub verifies signatures on booted kernels
no
UEK5 is based on 4.14 upstream version plus lock down patches for Secure Boot
Shim version upgrade
67579c3c8cb3ec0e70293f22acdb926656033e0a71022047c7c9e7c5393620c2 shimia32.efi
df2a2c8c30aaa80ecf81fdd7b9d088169a509515402dfde4ff6f242d8413219f shimx64.efi
Link to shim tag: https://github.com/AlexeyPetrenkoOracle/shim-review/releases/tag/oracle-shim-15-1.0.1.el7-x86_64-20180906
Public certificate:
This repo is for review of requests for signing shim. To create a request for review:
Note that we really only have experience with using grub2 on Linux, so asking
us to endorse anything else for signing is going to require some convincing on
your part.
Here's the template:
Service Planet Rotterdam B.V.
The product for which we are applying for shim signing is an appliance codenamed
"Cyric" which is designed to help support personnel in stores. Cyric consists of
a server and a client. The Cyric client is a Linux distribution which users can
boot via PXE or USB on any PC. Once the Linux distribution is booted the user is
launched into a special application and presented with a menu of diagnostic and
options interesting for store customer support personnel.
Cyric deals with a very large amount of different models, brands and types of
consumer PC's that are not under our direct control or ownership. Unfortunately
because we deal with a vast number of different types of consumer notebooks and
desktops we encounter all kinds of problems with UEFI's. Some of them don't have
the ability to turn off secure boot even though that ability was mandated for
getting the Windows sticker on the PC at that time. Some UEFI's are so
complicated or poorly designed that even support personnel (which operate Cyric)
have trouble finding the off switch. Some machines interpret disabling secure
boot as "enable BIOS compatibility" and can no longer boot via UEFI. Also
Microsoft has dropped the requirement for UEFI implementations that they have to
provide the ability to disable secure boot. So besides that we would like to
offer our users a more seamless experience (not having to manually disable
secure boot and then not forgetting to re-enable it) we encounter a lot of
situations in which we need a signed bootloader. We also anticipate that the
need for being "supported by default" (ie. a signed shim) will only grow now
that Microsoft has dropped the requirement to disable secure boot.
https://github.com/rhboot/shim/releases/tag/12
https://github.com/serviceplanet/shim-builder
There are no patches being applied.
We are using CentOS 7.5 and the bundled gcc. Everything can be reproduced by
following the guide provided by the url **https://github.com/serviceplanet/shim-builder**
build_log
We are using grub2 bootloader provided by CentOS 7.5.1804. Grub2 provided by
CentOS 7.5.1804 contains secure-boot patches.
The srpm of CentOS 7.5.1804 grub2 is located at http://vault.centos.org/7.5.1804/os/Source/SPackages/grub2-2.02-0.65.el7.centos.2.src.rpm
The kernel we are using is fedora 28 kernel tagged **kernel-4.16.14-300.fc28**
with commit hash of **217860d07996562757ba22a1108c218c5a40b38e**.
https://github.com/serviceplanet/shim-builder/blob/master/keys/sp_code_signing_cert.der
b52df1bd99a29cd4e6f53c799fc6c2c89650925c8f073c8fdd1b21fcf985bd02 shimx64.efi
14105650530628646
Make sure you have provided the following information:
Peter Jones for Fedora Linux
shim 15
2216411 and 2216412
This is for Fedora Linux
We're a major linux distro
Date: Fri, 3 Nov 2017 12:24:37 +0100
From: Johannes Segitz
Subject: Re: [Shim-review] Shim review for SUSE
On Fri, Oct 27, 2017 at 09:44:28AM -0400, Mathieu Trudel-Lapierre wrote:
> It's the right procedure; these include pretty much all the
> information necessary to review shim. If anything is missing, we'll
> ask about it :)
Then let's see how good my first try at this is :)
http://users.suse.com/~jsegitz/files/README.txt
http://users.suse.com/~jsegitz/files/SLES%20ES%20platform-7.4-x86_64-CHECKSUM
http://users.suse.com/~jsegitz/files/SLES%20ES%20platform-7.4-x86_64-DVD.iso
http://users.suse.com/~jsegitz/files/SLES%20ES%20platform-netinst-7.4-x86_64.iso
http://users.suse.com/~jsegitz/files/build-x86_64.log.gz
http://users.suse.com/~jsegitz/files/shim_cert.tar.gz
http://users.suse.com/~jsegitz/files/shim_cert.tar.gz.sha256
http://users.suse.com/~jsegitz/files/shimia32.efi
http://users.suse.com/~jsegitz/files/shimia32.efi.sha256
http://users.suse.com/~jsegitz/files/shimx64.efi
http://users.suse.com/~jsegitz/files/shimx64.efi.sha256
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Make sure you have provided the following information:
HP Inc.
HP ThinPro
HP would like ThinPro to be bootable on any device without disabling SecureBoot.
Name: Eniac Zhang
Position: Engineer
Email address: [email protected]
PGP key, signed by the other security contacts, and preferably also with signatures that are reasonably well known in the linux community: n/a
Name: Clemenceau, Matthieu <[email protected]>
Position: Manager
Email address: [email protected]
PGP key, signed by the other security contacts, and preferably also with signatures that are reasonably well known in the linux community: n/a
https://github.com/rhboot/shim/tree/13
https://github.com/eniaczhp/ThinProShim/tree/20181001
abort_abort_abort.patch: define abort to avoid an unnecessary reloc.
See method.txt for configuration details
See build.log
It's grub2 with the well known set of secure boot patches (among other patches.)
It's currently targeted to ship with 4.18.7 kernel, which has the well known set of secure boot patches.
Make sure you have provided the following information:
SUSE, https://www.suse.com/
SLES Expanded Support platform 7, provided within the
"SUSE Linux Enterprise Server with Expanded Support" program,
https://www.suse.com/products/expandedsupport/
The origin is shim-15-1.el7 available through https://git.centos.org/summary/?r=rpms/shim.git
which tarball in turn completely matches shim 15 at https://github.com/rhboot/shim/releases/tag/15
Full version number of our shim: shim 15
Source RPM version: shim-15-1.el7.1 (included inside build-shim.tar)
Tarball sha256sum:
473720200e6dae7cfd3ce7fb27c66367a8d6b08233fe63f01aa1d6b3888deeb6 shim-15.tar.bz2
It is a part of a commercial support offering advertised publicly
The key is installed in a machine with restricted physical and system access.
Shim binaries do not include private portions of the key.
Yes
The origin of GRUB is CentOS 7 git https://git.centos.org/summary/?r=rpms/grub2.git
Source RPM is included for reference inside extra-srpms.tar: grub2-2.02-0.76.el7.src.rpm
Full version: grub2-2.02-0.76.el7
N/A
GRUB and kernel are patched to enforce Secure Boot.
Secure Boot enforcing is identical to available with grub2 within
Red Hat Enterprise Linux 7 and CentOS 7, for example:
https://git.centos.org/summary/?r=rpms/grub2.git
0093-Don-t-allow-insmod-when-secure-boot-is-enabled.patch
0220-Add-secureboot-support-on-efi-chainloader.patch
0221-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch
0225-Rework-even-more-of-efi-chainload-so-non-sb-cases-wo.patch
Source RPM is included for reference inside extra-srpms.tar: grub2-2.02-0.76.el7.src.rpm
No
kernel-3.10.0-957.el7 is used. This kernel is identical to the one of Red Hat Enterprise
Linux 7 and CentOS 7, available through CentOS git: https://git.centos.org/summary/?r=rpms/kernel.git
Source RPM is included for reference inside extra-srpms.tar: kernel-3.10.0-957.el7.src.rpm
Kernel has EFI_SECURE_BOOT_SECURELEVEL kernel config option set disabling loading of untrusted code into kernel mode
and functionality around this option.
Update to upstream version 15.
shimia32.efi
sha256sum: 881c3d8981ccbe0d1efe3efcd78f842dacd7519923ee60619f20464be4b739f8
hash: c127f0eefc2e451989d88e4d1da8a3b08ca9d5884987a6157e04e9a71c01adfc
shimx64.efi
sha256sum: c167818fd5c06d75766da2a86bf0e5c000c495b981a3a2aaaea375ce56969258
hash: 7f49ccb309323b1c7ab11c93c955b8c744f0a2b75c311f495e18906070500027
Date: Tue, 24 Oct 2017 13:19:49 +0200
From: Volker Denkhaus
Subject: [Shim-review] Toolhouse Shim review request - Sysdev Submission #1967634
Hello to all,
Please review our signing request for Microsoft Sysdev Submission #1967634 based on the shim git repo (V.13).
The Shim, README.TXT and additional information can be found at https://www.toolhouse.de/partnerdownload/shim/shim-th.zip.
Please let me know any questions you might have. Thank you in advance.
Volker Denkhaus
Make sure you have provided the following information:
Red Hat, Inc.
shim 15
13878941703416604
14046466687601848
Red Hat Enterprise Linux 7.6
We're a major bigtime OS vendor
Make sure you have provided the following information:
Jetico Inc. Oy https://www.jetico.com/
BCWipe Total WipeOut
https://www.jetico.com/data-wiping/wipe-hard-drives-bcwipe-total-wipeout
shim-15
Jetico products are trusted by government and military agencies, all of the top 10 U.S. defense contractors, many national laboratories, as well as various other enterprises and a wide global base of home and small business users in over 100 countries.
It is stored on e-Token
Physically isolated
Only one person has access to it
Yes
GRUB 2.02
Custom Linux build with our bcwipe application
Components are protected by digital signatures, signed with our private key and verified by this shim build with our public key, which is embedded into application code.
No
kernel 4.19.2
This is first submission.
sha256
368a698a60df3fe2a95d782d35e651f079816813365ae2acde2537a9d206c917
Make sure you have provided the following information:
Cisco Systems IANA Enterprise Number 9
https://github.com/rhboot/shim/releases/tag/14
UEFI File Submission ID: 13985242977356081
Cisco Appliances and Virtual products that are using Linux based Operating Systems
Customers using Cisco Virtual products that run on 3rd party servers (DELL, HP...) do not have permissions to change the UEFI db and add our keys. The Microsoft signed SHIM allows these products to securely run on those platforms
NB: This request is not a duplicate of #33
This shim incorporates the new Oracle UEFI signing key. We need both shims for a transition period.
Make sure you have provided the following information:
Oracle Corporation
Oracle Linux
https://www.oracle.com/linux/index.html
We have used upstream shim version 15
https://github.com/rhboot/shim/releases/tag/15
Oracle Linux is a popular enterprise Linux distribution with Secure Boot support.
The key is installed in the server with restricted physical and system access
Yes
grub2 - upstream plus number of patches from RedHat and Oracle
[your text here]
grub verifies signatures on booted kernels
no
UEK5 is based on 4.14 upstream version plus lock down patches for Secure Boot
Shim version upgrade
6298ebfe23af8fd91027fb75f9c841b067a1baebc512a9ce0a11806bd1e9cb12 shimia32.efi
3f3ec782ea8423b9854dc86ccf6726db6bd91684c8a764693b3d28d369d6f574 shimx64.efi
Link to shim tag: https://github.com/AlexeyPetrenkoOracle/shim-review/releases/tag/oracle-shim-15-1.0.3.el7-x86_64-20181010
Public certificate:
Hi,
I have a short question on shim-review project and what it is for. So basically it's for signing a shim bootloader, which loads a GRUB2 bootloader afterwards. That's clear so far. For loading next stage (Linux kernel, etc...) the GRUB2 is responsible and therefore you are out of it and only check if the shim loads the GRUB2 correctly?
What if it comes to the following scenario:
shim -> GRUB2 -> chainload bootmgfw
The chainloaded bootmgfw has been signed by our KEK, which is built-in shim so that the verification succeeds within GRUB2. If I understood it correctly GRUB2 uses the verification methods provided by shim when executing LoadImage() and StartImage() first tries to validate using the MOKs (Machine Owner Keys) and if this fails with EFI_SECURITY_VIOLATION it will check if the built-in certificate will work for validation. In case the chainloaded bootmgfw would load itself other EFI components via LoadImage() and StartImage() it will have to use the same strategy for validation so that shim can validate as well - otherwise only the MOKs will be used and will again fail due to EFI_SECURITY_VIOLATION.
Is such a scenario also covered by the shim-review process and is it required to use a certain version of GRUB2 to get the shim with built-in certificate signed (e.g. latest version in rhboot project)? Signing a shim, which loads the bootmgfw directly is not supported, but with inserting the GRUB2 in between there should be no blocker any longer.
Thanks a lot for clarification!
Cheers
Make sure you have provided the following information:
Oracle Solaris
Version 0.9
2291429
Oracle Solaris OS
To secure boot solaris OS.
Hello,
As part of the Shim signing process as requested by Microsoft, I am kindly
asking you to approve our shim to get it signed by Microsoft.
You can download the shim package at:
http://git.altlinux.org/gears/s/shim.git
All the stuff requested by shim review board is at:
https://github.com/realnickel/shim-review.git
Basealt Ltd. (Bazalt Svobodnoe Programmnoe Obespechenie, OOO)
https://www.basealt.ru
OS ALT https://www.basealt.ru/go/download/
https://github.com/rhboot/shim/releases/tag/15
OS ALT is a linux distribution supporting Secure Boot
Access to server used to sign binaries is restricted physically
no EV certs, but selfsigned altlinux-ca.cer is embedded
GRUB2.02, elilo3.16, rEFInd0.11.4
http://git.altlinux.org/gears/g/grub.git
http://git.altlinux.org/gears/e/elilo.git
http://git.altlinux.org/gears/r/refind.git
rEFInd0.11.4 in case of LiveCD or OS installer boot
grub2.02 in case of installed system
How do the launched components prevent execution of unauthenticated code?
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
Linux Kernel: 4.14 (std-def: standard longterm kernel), http://git.altlinux.org/gears/k/kernel-image-std-def.git;
4.19 (un-def: more modern than std-def and with forced preemption enabled), http://git.altlinux.org/gears/k/kernel-image-un-def.git?p=kernel-image-un-def.git;a=summary
Upstream version update (0.4 -> 15)
479b62c0a762692c45ff9f25c56789c1ede85982e2415f37b6d756de6b685b12 shimia32.efi
2bceb0c2a625ee289218dcc30a7eef8caa9551af82a2af1aba75d2a668c01094 shimx64.efi
Make sure you have provided the following information:
Advanced Design Corp. (https://www.a-d.co.jp/)
DataSweeper (This refers to methods of totally erasing data from storage media that can then be reused.)
15
The loader is used to load and start our native UEFI based pre-boot authentication.
It's essential to be able to provide software that works with every machine that has Secure Boot enabled.
Only public keys are in SHIM as it verifies signatures of loaded components.
No
grub2 2.02+dfsg1-12
No
N/A
grub2 2.02+dfsg1-12
Currently targeted to ship with 4.14.xx kernel.
No additional modifications or patches applied.
N/A
(sha256) ad49b4afbec5cf763b9ea97347c7a397802f0ba79412d2e4caa2e0b7776ca9b5 shimx64.efi
Date: Thu, 2 Nov 2017 13:26:05 +0000
From: Victor Gonzalo
Subject: [Shim-review] Blancco Technology Group shim review request (Submission ID: 1965978)
Hi
We are adding secure boot support. In order (naively ;)) to speed up the review processes
we took the shim and grub2 sources from Red Hat github repositories and submitted the
shim binary with our certificate to MS for signing.
A couple of days ago I was accepted into this mailing list. We have prepared the review
material in a tarball that can be found here:
http://download.blancco.com/downloads/blancco_shim_review/blancco_shim_review.tar.xz
Some of it is missing, as we didn't know about this by then, but I'd be happy to answer any
question that may arise.
Thanks a lot
-Víctor Gonzalo
Senior Software Engineer - Blancco Technology Group
Date: Thu, 12 Oct 2017 15:32:48 +0000
From: Alexey Kalgin
Subject: [Shim-review] Full Disk Encryption from EgoSecure - signing required
Dear Colleagues,
EgoSecure is a European-based security vendor specializing in Endpoint Data Security solutions.
We want to support Secure Boot in our Full Disk Encryption product. Please find our submission using this link:
https://egosecure.com/wp-content/uploads/2017/10/submission.tar
Feel free to contact us in case of any questions.
Best regards,
Alexey Kalgin
Head of Product Management
Hi, I told MS that I would provide some feedback that would hopefully smooth out the process for us non GIT experts. The instructions for ISSUE_TEMPLATE.md (below) and the ones in README.md (which I also put below) are a little confusing. Example, I figured out how to clone the repo (using tortoise git in windows), So then I updated the .md files, I copied in the shimx64.efi file, I saw something about commit on the right click menu so I did that, then I saw some tag option, did that, then I tried to push it and nothing but access denied. Another thing was how to create a git repo of the files used to compile. Okay, I fumbled through that and got it to work, but still not clear on the whole thing.
I would suggest creating a tutorial webpage (even if here in the git) on how to do things from linux and windows. I'd suggest having a new folder under shim-review called something like shim-for-review/source and shim-for-review/patches, have people branch shim-review, then they clone or pull down the branched copy, then they update the .md files, add the shim binary and build-instructions.txt under shim-for-review, the source files under shim-for-review/source and any patches to shim-for-review/patches (explain in instructions how to add the files and new subdirs and commit), then have them push that, (they could then put an issue either on the main shim-review or the newly branched version that it's ready for review) you could then just manage the branched version with everything in one place and everything consistent. People would be able to follow the process via the tutorial webpage.
Make sure you have provided the following information:
Here's the ones from README.md:
Date: Sat, 16 Dec 2017 14:05:44 +0800
Subject: [Shim-review] Shim review request for Deepin - MS Sysdev Submission #1935785
Hello Everyone.
I would like to request a shim review for Deepin to get it signed by UEFI CA. Submission id is #1935785.
Deepin (https://deepin.org/en) is yet another linux distribution based on Debian GNU/Linux. It has been actively maintained since 2011.
It is used in middle schools and governments in China.
Current submission is based on shim package found in Debian upstream repo. Only uefi-ca file is replaced by our own.
All of its content can be found at : https://github.com/xushaohua/shim-review. "shimx64-unsigned.efi" is the EFI file to be signed.
Wuhan Deepin Technology Co., Ltd.
Make sure you have provided the following information:
https://github.com/chscf/shim-review/tree/CPSD-shim-x86_64-20181114
The company is called cpsd (https://www.cpsd.at/), located in Austria. We're working in the field of IT security, with our main focus on full disk encryption.
The pre-boot authentication environment for our company's Full Disk Encryption CryptoPro Secure Disk (see https://www.cpsd.at/)
shim-15
Because we want the whole world to use our product ;)
The private key is on a FIPS 140-2 token.
Yes
see below
shim loads a self-developed boot component which does all further authorization/os loading stuff.
Our boot component does not load any unsigned binaries.
No
N/A
Upgraded from shim-0.8 to shim-15
44ed00a46d11e631f334f8cfc3747b02b53e0e48b89e9641a0e4a1775f3121e1 shim-15-SCF-unsigned.efi
Make sure you have provided the following information:
SUSE, https://suse.com/
SUSE Linux Enterprise Server 15 SP1
It is shim-15, up to rhboot/shim@b3e4d1f
Major linux distribution
The key is installed in a machine with restricted physical and system access.
Shim binaries do not include private portions of the key.
Yes
N/A
GRUB and kernel are patched to enforce Secure Boot.
No
kernel-4.12.14-29.1 is used with CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
Update to upstream version 15.
shim-sles.efi
sha256sum: f3727c065c11fcff293eb8ea3004b3d5becc5ed499ff9b6c13da64db4ee53d4a
Thank you!
Make sure you have provided the following information:
Red Hat, Inc.
CentOS Linux 7.6.1810
shim 15
CentOS Linux is deployed on a high number of nodes already using it in SecureBoot mode enabled
Can't discuss this publicly, but hardware HSM is used
no
grub2 rebuilt from upstream RHEL 7.6 tree, so https://git.centos.org/commit/rpms!grub2.git/28f7f8f0658e20412cba7a6af37539b1e1f567b2
nothing else than grub2 and then kernel
Our CI test shows that trying to boot an unsigned kernel isn't working, while a correct pesigned one works
NO
official RHEL 7.6 rebuild kernel.src.rpm
new release, so bumped from shim v12 to shim v15
a69a1a415838825f0b7d78f852905366ac21465a935e2211da8ac0c603d68ec1 usr/share/shim/x64-15-1.el7.centos/shimx64.efi
Make sure you have provided the following information:
DriveLock SE (https://www.drivelock.com)
DriveLock Disk Protection (a full disk encryption with pre-boot authentication)
https://github.com/rhboot/shim/tree/0.8
DriveLock Disk Protection is a full disk encryption product with pre-boot authentication used on thousands of computers.
The loader is used to load and start our native UEFI based pre-boot authentication.
It's essential to be able to provide software that works with every machine that has Secure Boot enabled.
Only public keys are in the SHIM as it verifies signatures of loaded components.
Yes
Windows is booted (so no Linux bootloader is used)
SHIM launches Pre-boot authentication components (native EFI application and EFI drivers for smart card and keyboard)
SHIM verifies digital signatures of launched components and can only launch components signed with the embedded certificate.
No
Windows 7, 8, 10
Previous version was signed by Microsoft. We changed the certificate used due to change of the company name. Microsoft asked us to let the SHIM review board do a review of the SHIM.
dfa7a11aedca5bc092241aa6d9f5d83dda2097da86f2ed7140e4c8a910f7d7e8 (SHA256)
May I know where to get patches for Linux 4.19 kernel secure boot?
Date: Mon, 11 Sep 2017 13:18:55 -0600
From: Daniel Pedigo
Subject: [Shim-review] RESEND: WhiteCanyon Shim Review
This is being resubmitted due to a lack of response to our original
submission on 8/3.
Hi all,
We were unaware of this review process and as such were directed here by
Microsoft after submitting our shim.
The linked tarball has a readme with answers to the questions we found
listed here: https://pjones.fedorapeople.org/shim-signing-procedure.html.
Shims: https://orem.whitecanyon.com/downloads/dev/shims.tar.gz
Let me know if we've missed anything.
Make sure you have provided the following information:
秦皇岛易之数软件开发有限公司
Isoo (Qinhuangdao) software development Co., Ltd.
Qinhuangdao, Hebei, China
Isoo is a software developer for data recovery, disk utilities and system backup.
Managing Director: Hao Binnan
https://github.com/rhboot/shim/tree/14
Version: 14
ID: 2006375 (Name: shimia32_isoouefiboot_20180224)
ID: 2006374 (Name: shimx64_isoouefiboot_20180224)
This is Isoo’s Linux-based operating system. We are going to develop some function based on the OS, such as resize partition, back up & restore operating system, etc.
Isoo wants to employ Secure Boot for building a trusted operating system from Shim to GRUB to the kernel to signed filesystem partitions. Secure Boot is the first step for this.
Isoo would like customers to be able to run Isoo’s Linux-based system on any amd64(64Bit) and x86(32Bit) device without disabling Secure Boot.
https://github.com/haobinnan/shim-review/tree/isoo-shim-20180312
Make sure you have provided the following information:
Neverware Inc. (https://www.neverware.com)
15
Microsoft told us to get approval from the shim review board before submitting it to them.
CloudReady
CloudReady is a Linux distro; we'd like to encourage people to boot our OS with secure boot enabled.
Note: our submission was previously reviewed here: #21. Unfortunately I had not realized our certificate was close to expiration. Our new shim build should be identical to the previous release, except with a renewed certificate valid until September 2020.
Make sure you have provided the following information:
Kaspersky Lab.
Kaspersky Lab's products.
https://github.com/rhboot/shim/tree/15
Kaspersky Shim is a common component for some of Kaspersky Lab's products.
It loads a universal plugin manager for various features: Full disk encryption, Rescue Disk and Early boot protection component.
Private key is stored in hardware module with controlled access.
Yes.
GRUB or Linux kernel is not used.
This build of shim will be used to load and verify our custom preboot components.
Windows loader will be launched after that.
Full disk encryption, Rescue Disk, Early boot protection component.
All our components are signed with authenticode signatures and always verified during loading.
Windows loader is signed by Microsoft, it is launched with LoadImage/StartImage and will be verified by firmware when SecureBoot is on.
No.
We launch Windows loader and kernel.
This is first submission.
414065ca4238bfff0ce2601ac4ac924bc8da98b0b75c0a81cde78f05f5de869a
Make sure you have provided the following information:
Neverware Inc. (https://www.neverware.com)
15
Microsoft told us to get approval from the shim review board before submitting it to them.
CloudReady
CloudReady is a Linux distro; we'd like to encourage people to boot our OS with secure boot enabled.
Make sure you have provided the following information:
https://github.com/CanonicalLtd/shim-review/tree/ubuntu-shim-amd64+arm64-20180822
Ubuntu
shim 15-based snapshot, up to commit 3beb971
Ubuntu
This is a well-known Linux distro.
Make sure you have provided the following information:
Matrix42 AG
Elbinger Straße 7
60487 Frankfurt am Main (Germany)
https://www.matrix42.com/
0.9
14574969938018768
Matrix42 Unified Endpoint Management; Empirum
The Matrix42 product is comparable to Microsoft SCCM to deploy operating systems in enterprise environments within a corporate network. Our customers use the product Matrix42 Unified Endpoint Management, and here the Empirum OS Installer module to install virtual hardware, personal computers or laptops with a Windows 7 or Windows 10 operating system - including Secure Boot. Our Tool is using a linux based Preinstallation Environment, called EPE, for installing Linux or Windows based operating systems in the customer’s environment. We’d like to use SHIM to support secure boot for os deployments via PXE scenarios in corporate environments. For example an OEM Hardware is delivered with activated secure boot by default and this includes the PXE boot. It is important to understand that our customers are deploying many computers at the same time, which requires a full unattended and silent installation process. Therefore it is necessary to support OS installations without manual steps - or interruptions - and without the need to configure BIOS/UEFI options.
Make sure you have provided the following information:
LLC "NTC IT ROSA"
"ROSA Fresh" - Linux Desktop
https://github.com/rhboot/shim/tree/13
ROSA Fresh is a non-profit Linux distribution developed by the community and has a long history. It is deployed on a high number of nodes that already use it with SecureBoot mode enabled.
Shim has the public key of the EV Code Signing key pair (issued by DigiCert) built-in. The key is used to validate GRUB boot loader. No private keys are embedded. Shim binary itself is signed, so the built-in public key cannot be modified or removed without making the signature invalid. This guarantees that if shim has been tampered with and is then used in SecureBoot environments, this will be detected immediately.
Shim has the public key of the EV Code Signing key pair (issued by DigiCert) built-in.
The source code of GRUB is available here: ftp://ftp.gnu.org/gnu/grub/grub-2.02.tar.xz. The patches to GRUB 2.02 specific to ROSA Linux, as well as build scripts, are available here: https://abf.io/import/grub2
Apart from the boot loader (GRUB), shim can launch MokManager tool (developed alongside shim, https://github.com/rhboot/shim )
Same as GRUB, MokManager executable must be signed with the appropriate key (EV Code Signing) for shim to validate and launch it. MokManager itself executes no unauthenticated code.
Shim launches GRUB
Our current kernel is based on the kernel 4.15.0-45.48-generic from Ubuntu 18.04 LTS (http://kernel.ubuntu.com/git/kernel-ppa/mirror/ubuntu-bionic.git/), which already contains the patches to enforce SecureBoot as needed. We have no additional SecureBoot-related patches on top of that.
Our patches, configs and build instructions for the kernel (RPM spec file) are available here: https://abf.io/import/kernel-desktop-4.15
This is an update from v0.9 to v13. From the changelog:
* MokManager: Stop using EFI_VARIABLE_APPEND_WRITE
* Better PCR usage for TPM
* Use authenticode signature length from WIN_CERTIFICATE structure
* More configurable build via make variables
* Workaround for signtool.exe bugs
* Bug fix for wrong options passed to second stage
* generate_hash(): fix the regression
* Ignore BDS when it tells us we got our own path on the command line
* Handle various different load option implementation differences
* TPM 1 and TPM 2 support
* Use OpenSSL 1.0.2k
* Lots of minor bug fixes
sha256: a534a3c612472d517c20cc8771ec90bd5e59e285549ea16e54fff705a5e15415 shimia32.efi
Make sure you have provided the following information:
秦皇岛易之数软件开发有限公司
Isoo (Qinhuangdao) software development Co., Ltd.
Qinhuangdao, Hebei, China
Isoo is a software developer for data recovery, disk utilities and system backup.
Managing Director: Hao Binnan
https://github.com/rhboot/shim/tree/15
Version: 15
ID: 2313431 (Name: shimx64_v15)
ID: 2313430 (Name: shimia32_v15)
This is Isoo’s Linux-based operating system. We are going to develop some function based on the OS, such as resize partition, back up & restore operating system, etc.
Isoo wants to employ Secure Boot for building a trusted operating system from Shim to GRUB to the kernel to signed filesystem partitions. Secure Boot is the first step for this.
Isoo would like customers to be able to run Isoo’s Linux-based system on any amd64(64Bit) and x86(32Bit) device without disabling Secure Boot.
https://github.com/haobinnan/shim-review/tree/isoo-shim-20180609
Make sure you have provided the following information:
LLC "NTC IT ROSA"
"ROSA Fresh" - Linux Desktop
https://github.com/rhboot/shim/tree/13
ROSA Fresh is a non-profit Linux distribution developed by the community and has a long history. It is deployed on a high number of nodes that already use it with SecureBoot mode enabled.
Shim has the public key of the EV Code Signing key pair (issued by DigiCert) built-in. The key is used to validate GRUB boot loader. No private keys are embedded. Shim binary itself is signed, so the built-in public key cannot be modified or removed without making the signature invalid. This guarantees that if shim has been tampered with and is then used in SecureBoot environments, this will be detected immediately.
Shim has the public key of the EV Code Signing key pair (issued by DigiCert) built-in.
The source code of GRUB is available here: ftp://ftp.gnu.org/gnu/grub/grub-2.02.tar.xz. The patches to GRUB 2.02 specific to ROSA Linux, as well as build scripts, are available here: https://abf.io/import/grub2
Apart from the boot loader (GRUB), shim can launch MokManager tool (developed alongside shim, https://github.com/rhboot/shim )
Same as GRUB, MokManager executable must be signed with the appropriate key (EV Code Signing) for shim to validate and launch it. MokManager itself executes no unauthenticated code.
Shim launches GRUB
Our current kernel is based on the kernel 4.15.0-40.43-generic from Ubuntu 18.04 LTS (http://kernel.ubuntu.com/git/kernel-ppa/mirror/ubuntu-bionic.git/), which already contains the patches to enforce SecureBoot as needed. We have no additional SecureBoot-related patches on top of that.
Our patches, configs and build instructions for the kernel (RPM spec file) are available here: https://abf.io/import/kernel-desktop-4.15
This is an update from v0.9 to v13. From the changelog:
* MokManager: Stop using EFI_VARIABLE_APPEND_WRITE
* Better PCR usage for TPM
* Use authenticode signature length from WIN_CERTIFICATE structure
* More configurable build via make variables
* Workaround for signtool.exe bugs
* Bug fix for wrong options passed to second stage
* generate_hash(): fix the regression
* Ignore BDS when it tells us we got our own path on the command line
* Handle various different load option implementation differences
* TPM 1 and TPM 2 support
* Use OpenSSL 1.0.2k
* Lots of minor bug fixes
sha256: b407cdeae8fee3c51300b6974599dff39cb5863223dc2617662fcdb07c68c55b shimx64.efi
Make sure you have provided the following information:
uib gmbh - we are the developers of opsi.
uib gmbh
Bonifaziusplatz 1b
55118 Mainz
https://www.uib.de
opsi is an open source operating system provisioning and software deployment framework.
We want to deploy Windows with support for SecureBoot and therefore request a signing of our SHIM. This SHIM contains our company key. With this key we will sign the following data and enable an easy to use way to deploy SecureBoot via opsi.
shim-14
https://github.com/rhboot/shim/releases/tag/14
opsi is used to deploy operating systems on a large amount of devices. It would be a disadvantage to manually deploy a key on all SecureBoot enabled machines, especially when a customer has a couple hundred or even more than a thousand machines. Therefore we request a signed SHIM to further sign the rest of our deployment with our key, which is included in the shim, to ease the deployment process.
The keys are stored on a separate machine. Only authorized members have access to this machine.
No
grub 2.02~beta2-36ubuntu3
Shim launches grub2, which shall launch a signed Linux Kernel and Miniroot to provide installation of SecureBoot enabled Windows OS
currently Vanilla Linux 4.17.6
Make sure you have provided the following information:
LLC "NTC IT ROSA"
"ROSA Fresh" - Linux Desktop
https://github.com/rhboot/shim/tree/13
ROSA Fresh is a non-profit Linux distribution developed by the community and has a long history. It is deployed on a high number of nodes that already use it with SecureBoot mode enabled.
Shim has the public key of the EV Code Signing key pair (issued by DigiCert) built-in. The key is used to validate GRUB boot loader. No private keys are embedded. Shim binary itself is signed, so the built-in public key cannot be modified or removed without making the signature invalid. This guarantees that if shim has been tampered with and is then used in SecureBoot environments, this will be detected immediately.
Shim has the public key of the EV Code Signing key pair (issued by DigiCert) built-in.
The source code of GRUB is available here: ftp://ftp.gnu.org/gnu/grub/grub-2.02.tar.xz. The patches to GRUB 2.02 specific to ROSA Linux, as well as build scripts, are available here: https://abf.io/import/grub2
Apart from the boot loader (GRUB), shim can launch MokManager tool (developed alongside shim, https://github.com/rhboot/shim )
Same as GRUB, MokManager executable must be signed with the appropriate key (EV Code Signing) for shim to validate and launch it. MokManager itself executes no unauthenticated code.
Shim launches GRUB
Our current kernel is based on the kernel 4.15.0-45.48-generic from Ubuntu 18.04 LTS (http://kernel.ubuntu.com/git/kernel-ppa/mirror/ubuntu-bionic.git/), which already contains the patches to enforce SecureBoot as needed. We have no additional SecureBoot-related patches on top of that.
Our patches, configs and build instructions for the kernel (RPM spec file) are available here: https://abf.io/import/kernel-desktop-4.15
This is an update from v0.9 to v13. From the changelog:
* MokManager: Stop using EFI_VARIABLE_APPEND_WRITE
* Better PCR usage for TPM
* Use authenticode signature length from WIN_CERTIFICATE structure
* More configurable build via make variables
* Workaround for signtool.exe bugs
* Bug fix for wrong options passed to second stage
* generate_hash(): fix the regression
* Ignore BDS when it tells us we got our own path on the command line
* Handle various different load option implementation differences
* TPM 1 and TPM 2 support
* Use OpenSSL 1.0.2k
* Lots of minor bug fixes
sha256: 20c2d68f407506861098b4b2921dfb80253996a086ad6e71b31047425b38ffa1 shimx64.efi
Date: Wed, 6 Dec 2017 08:50:25 +0100
From: Petr Řehák
Subject: [Shim-review] Adaptech Shim for review
Hello,
As part of the Shim signing process as requested by Microsoft, I am kindly
asking you to approve our Shim on behalf of Adaptech s.r.o. in order to get
it signed by Microsoft. You can download the package at:
https://www.adaptech.cz/bin/shim.tar.gz
Thanks,
Adaptech s.r.o.
Make sure you have provided the following information:
Cumulus Networks, Inc.
IANA Enterprise Number 40310
https://github.com/rhboot/shim/releases/tag/15
Note: Sysdev is deprecated as of June 2018. The new MS UEFI File signing service is located here:
https://developer.microsoft.com/en-us/dashboard/hardware/filesign/
Using the new service, our submission ID is 13813503929849373.
Cumulus Linux
Cumulus Linux is a Linux distribution for white box network switches. Secure Boot must be enabled going forward, as such we need a signed shim binary.
Date: Thu, 16 Nov 2017 12:27:08 +0100
Subject: [Shim-review] Request for review of SHIM-13 for Univention Corporate Server
Hello,
I request our SHIM for Univention Corporate Server to be reviewed.
I followed https://pjones.fedorapeople.org/shim-signing-procedure.html.
The requested data is available from our download server:
http://updates.software-univention.de/download/shim-13/
The corresponding request at Microsoft is
https://sysdev.microsoft.com/de-DE/Hardware/member/SubmissionCenter/UefiSubmissionDetails.aspx?SubmissionID=1970446
If you have any questions, just contact me.
Thank you in advance.
Philipp
Make sure you have provided the following information:
SUSE, https://suse.com/
openSUSE Leap 15.1
It is shim-15, up to rhboot/shim@b3e4d1f
Major linux distribution
The key is installed in a machine with restricted physical and system access.
Shim binaries do not include private portions of the key.
Yes
N/A
GRUB and kernel are patched to enforce Secure Boot.
No
kernel-4.12.14 is used
Update to upstream version 15.
shim-opensuse.efi
sha256sum: 274a3ace0db7c6cff4bbb8a843565102e4ad3571d65fb170bf34653fb9f64ebc
Please review the Shim submission from IGEL.
We have provided the following information:
IGEL Technology GmbH
Hermanstr. 17
86150 Augsburg,
Germany
IGEL Technology is a member of the Melchers group.
Managing Directors: Heiko Gloge and Nicolas C. S. Helms
District Court Bremen (Germany) HRB 20636, VAT: DE 219524359, WEEE-Reg.-No. DE 79295479
IGEL is a vendor of thin client hardware and software.
https://github.com/rhboot/shim/tree/13
rhboot/shim@13
UEFI submission #1973560
This is for IGEL's Linux-based thin client operating system, which is called IGEL OS. There are three products based on IGEL OS:
Make sure you have provided the following information:
Vercot-Serva
Serva 32/64
15+39b8345
Serva is a well-known PXE server
Vault/password protected only used when signing release versions
No
pxeserva.efi is a Pxelinux 6.03 derivative
No
N/A
Only loads pxeserva.efi
-
N/A
shimx64=3DB001A1523AEF2BBD122F37DB7DDC5D347811ACA0907C741FB6324E3FFA1518 shimia32=E1053A4477A225093E5C880A1CC6DA587816F6E307B2CFECD2431BE90B499327
Make sure you have provided the following information:
LLC "NTC IT ROSA"
"ROSA Fresh" - Linux Desktop
https://github.com/rhboot/shim/tree/13
ROSA Fresh is a non-profit Linux distribution developed by the community and has a long history. It is deployed on a high number of nodes that already use it with SecureBoot mode enabled.
Shim has the public key of the EV Code Signing key pair (issued by DigiCert) built-in. The key is used to validate GRUB boot loader. No private keys are embedded. Shim binary itself is signed, so the built-in public key cannot be modified or removed without making the signature invalid. This guarantees that if shim has been tampered with and is then used in SecureBoot environments, this will be detected immediately.
Shim has the public key of the EV Code Signing key pair (issued by DigiCert) built-in.
The source code of GRUB is available here: ftp://ftp.gnu.org/gnu/grub/grub-2.02.tar.xz. The patches to GRUB 2.02 specific to ROSA Linux, as well as build scripts, are available here: https://abf.io/import/grub2
Apart from the boot loader (GRUB), shim can launch MokManager tool (developed alongside shim, https://github.com/rhboot/shim )
Same as GRUB, MokManager executable must be signed with the appropriate key (EV Code Signing) for shim to validate and launch it. MokManager itself executes no unauthenticated code.
Shim launches GRUB
Our current kernel is based on the kernel 4.15.0-40.43-generic from Ubuntu 18.04 LTS (http://kernel.ubuntu.com/git/kernel-ppa/mirror/ubuntu-bionic.git/), which already contains the patches to enforce SecureBoot as needed. We have no additional SecureBoot-related patches on top of that.
Our patches, configs and build instructions for the kernel (RPM spec file) are available here: https://abf.io/import/kernel-desktop-4.15
This is an update from v0.9 to v13. From the changelog:
* MokManager: Stop using EFI_VARIABLE_APPEND_WRITE
* Better PCR usage for TPM
* Use authenticode signature length from WIN_CERTIFICATE structure
* More configurable build via make variables
* Workaround for signtool.exe bugs
* Bug fix for wrong options passed to second stage
* generate_hash(): fix the regression
* Ignore BDS when it tells us we got our own path on the command line
* Handle various different load option implementation differences
* TPM 1 and TPM 2 support
* Use OpenSSL 1.0.2k
* Lots of minor bug fixes
sha256: 67471d9a3d7a50500c4d18b13a0c1ee34c1edfa20d0f348b203d035b970dbb9a shimia32.efi