Shim 15.8 - shimx64.efi and shimia32.efi for OpenText(MicroFocus) ZENworks

[MuthuvelKuppusamy]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/MuthuvelKuppusamy/shim-review/releases/tag/opentext-shim-x64-ia32-20240417

---

What is the SHA256 hash of your final SHIM binary?

---

98f0017ba0040e495726953e82a61ad3de09ba5294c105c5a5e260363422dd85 shimx64.efi
b8f98e7f4a8c3d534def16bdfc13b6b605177ed9279936fd0d5453520e8657e2 shimia32.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

#320

[Blarse]

Hi,

I'm not an authorized reviewer, but I'd like to contribute and help

Build reproducibility

Build is NOT reproducible:

$docker build -t shim-review-opentext . 
$docker run --rm shim-review-opentext sha256sum /shimia32/build-ia32/shimia32.efi /shim-review/shimia32.efi /shimx64/build-x64/shimx64.efi /shim-review/shimx64.efi
ba8dc7f458e67f7a06345bd9989552c92d5bf7547ed6a0ba78032701b41320e4  /shimia32/build-ia32/shimia32.efi
dcd462d24a5b619fc6bbc095e9950c136f651230cd81888e2dce4be675f69149  /shim-review/shimia32.efi
efe378a2f706296e60ba55e3d4aa0a826950857b82c8135bc74302b43dd61c04  /shimx64/build-x64/shimx64.efi
a7638a31b888686ceba5166fc27b80ff8fb65225d8f732059d07b0f96c7dac2a  /shim-review/shimx64.efi

[MuthuvelKuppusamy]

Thanks for review.
CRLF in the sbat file caused the sha256 different. Corrected the same and updated all required files and build.log

sha256sum:
ba8dc7f458e67f7a06345bd9989552c92d5bf7547ed6a0ba78032701b41320e4 /shimia32/build-ia32/shimia32.efi
ba8dc7f458e67f7a06345bd9989552c92d5bf7547ed6a0ba78032701b41320e4 /shim-review/shimia32.efi
efe378a2f706296e60ba55e3d4aa0a826950857b82c8135bc74302b43dd61c04 /shimx64/build-x64/shimx64.efi
efe378a2f706296e60ba55e3d4aa0a826950857b82c8135bc74302b43dd61c04 /shim-review/shimx64.efi

[Blarse]

I'm not an authorized reviewer, but I'd like to contribute and help

Review of OpenText(MicroFocus) ZENworks

Build reproducibility

• Shim is reproducible using Dockerfile:

$docker build -t shim-review-opentext .
$docker run --rm shim-review-opentext sha256sum /shimia32/build-ia32/shimia32.efi /shim-review/shimia32.efi /shimx64/build-x64/shimx64.efi /shim-review/shimx64.efi
ba8dc7f458e67f7a06345bd9989552c92d5bf7547ed6a0ba78032701b41320e4  /shimia32/build-ia32/shimia32.efi
ba8dc7f458e67f7a06345bd9989552c92d5bf7547ed6a0ba78032701b41320e4  /shim-review/shimia32.efi
efe378a2f706296e60ba55e3d4aa0a826950857b82c8135bc74302b43dd61c04  /shimx64/build-x64/shimx64.efi
efe378a2f706296e60ba55e3d4aa0a826950857b82c8135bc74302b43dd61c04  /shim-review/shimx64.efi

• Hash is matched for shimx64.efi and shimia32.efi OK

Shim

• Shim is built from the 15.8 shim release tar file: https://github.com/rhboot/shim/releases/download/15.8/shim-15.8.tar.bz2; OK

• Patches:
  1_prefer_proxyDhcpOfferReceived.patch applied OK
  This patch was already part of the 15.4 and 15.7 submissions
  Shim 15.4 - shimx64.efi and shimia32.efi for MicroFocus ZENworks #166 (comment)
  Shim 15.7 - shimx64.efi and shimia32.efi for OpenText(MicroFocus) ZENworks  #320 (comment)

• NX compatibility is disabled (boot stack is not fully NX-compatible) OK

$objdump -p shimx64.efi shimia32.efi | grep DllCharacteristics
DllCharacteristics	00000000
DllCharacteristics	00000000

• .sbat section seems OK

$objdump -s -j .sbat ./shimx64.efi

./shimx64.efi:     file format pei-x86-64

Contents of section .sbat:
 d6000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d6010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d6020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d6030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d6040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d6050 2c342c55 45464920 7368696d 2c736869  ,4,UEFI shim,shi
 d6060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d6070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d6080 696d0a73 68696d2e 4d465a45 4e776f72  im.shim.MFZENwor
 d6090 6b732c31 2c4d6963 726f466f 6375732c  ks,1,MicroFocus,
 d60a0 7368696d 2c31352e 382c6874 7470733a  shim,15.8,https:
 d60b0 2f2f7777 772e6d69 63726f66 6f637573  //www.microfocus
 d60c0 2e636f6d 2f0a                        .com/.          

$objdump -s -j .sbat ./shimia32.efi

./shimia32.efi:     file format pei-i386

Contents of section .sbat:
 a2000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 a2010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 a2020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 a2030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 a2040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 a2050 2c342c55 45464920 7368696d 2c736869  ,4,UEFI shim,shi
 a2060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 a2070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 a2080 696d0a73 68696d2e 4d465a45 4e776f72  im.shim.MFZENwor
 a2090 6b732c31 2c4d6963 726f466f 6375732c  ks,1,MicroFocus,
 a20a0 7368696d 2c31352e 382c6874 7470733a  shim,15.8,https:
 a20b0 2f2f7777 772e6d69 63726f66 6f637573  //www.microfocus
 a20c0 2e636f6d 2f0a                        .com/.          

• .sbatlevel seems OK

$objdump -s -j .sbatlevel ./shimx64.efi

./shimx64.efi:     file format pei-x86-64

Contents of section .sbatlevel:
 89000 00000000 08000000 37000000 73626174  ........7...sbat
 89010 2c312c32 30323330 31323930 300a7368  ,1,2023012900.sh
 89020 696d2c32 0a677275 622c330a 67727562  im,2.grub,3.grub
 89030 2e646562 69616e2c 340a0073 6261742c  .debian,4..sbat,
 89040 312c3230 32343031 30393030 0a736869  1,2024010900.shi
 89050 6d2c340a 67727562 2c330a67 7275622e  m,4.grub,3.grub.
 89060 64656269 616e2c34 0a00               debian,4..      

$objdump -s -j .sbatlevel ./shimia32.efi

./shimia32.efi:     file format pei-i386

Contents of section .sbatlevel:
 6f000 00000000 08000000 37000000 73626174  ........7...sbat
 6f010 2c312c32 30323330 31323930 300a7368  ,1,2023012900.sh
 6f020 696d2c32 0a677275 622c330a 67727562  im,2.grub,3.grub
 6f030 2e646562 69616e2c 340a0073 6261742c  .debian,4..sbat,
 6f040 312c3230 32343031 30393030 0a736869  1,2024010900.shi
 6f050 6d2c340a 67727562 2c330a67 7275622e  m,4.grub,3.grub.
 6f060 64656269 616e2c34 0a00               debian,4..      

Certificate

• Organization matches OK

        Subject: CN = Micro Focus

• Certificate is valid until 2031 (7 years) OK

        Validity
            Not Before: Apr 14 00:13:05 2021 GMT
            Not After : Apr 12 00:13:05 2031 GMT

• Key is 2048 bit OK for now

                RSA Public-Key: (2048 bit)

• Keys are stored in HSM with restricted access. OK

• [README.md says] Older shim hashes provided to Microsoft. OK

• NOTE Old certificate reused but README.md is not changed
  @MuthuvelKuppusamy, README.md says:

We switched to new certificate now for shim15.8 signing, which blocks all the older signed grub2 binaries.

...

We switched to new certificate now for shim15.8 signing.

So, does your new chain of trust disallow booting old GRUB2 builds affected by the CVEs?

GRUB

• SUSE grub with updated sbat is used OK
• Used grub modules looks OK

grub-core all_video boot cat chain configfile echo true efinet font gfxmenu gfxterm gzio halt iso9660 jpeg 
minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png reboot search search_fs_uuid search_fs_file 
search_label sleep test video fat loadenv linuxefi btrfs ext2 xfs jfs reiserfs efinet tftp http luks gcry_rijndael 
gcry_sha1 gcry_sha256 mdraid09 mdraid1x lvm serial

• GRUB 2.12 is used so all related CVEs are closed OK
• SBAT looks OK:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.sle,1,SUSE Linux Enterprise,grub2,2.12,mail:[email protected]
grub.MFZENworks,1,MicroFocus,grub2,2.12-ZENworks1,https://www.microfocus.com/

• GRUB would need a closer look from an authorized reviewer

Custom EFI binary

• Shim also loads custom EFI binary
• Not public, but was not a blocker in the other review

Kernel

• Suse Linux Enterprise kernel SLES15SP5 5.14.21-150400.53-default is used
• Kernel would need a closer look from an authorized reviewer

[MuthuvelKuppusamy]

Below submitted shims are not released, as shim15.4 has some freeze during the boot and with 15.7, full stack NX not ready.

We moved to new certificate to address the "Boot Hole vulnerability fix for grub2".

ntfs is not included in the grub2 and older grub2 with sbat < 3 will be disallowed. We are safe with older grub2 binaries.

[aronowski]

Build reproduces, checksums match, characteristics seem alright.

The lack of commit eadb2f47a3ced5c64b23b90fd2a3463f63726066 "lockdown: also lock down previous kgdb use" has been justified - debugging is not enabled.

The lack of ephemeral keys has been justified due to it being discussed as part of review #393, which got accepted.

---

Questions:

The SBAT entries still reference MicroFocus, despite the fact that I can see the name changed as part of this application and the company website. Should the entries be preserved, or do you prefer to update them due to the name change?

If the latter, ping me and I'll re-review the parts that changed ASAP.

---

Notes:

I am a bit worried about the current GRUB2 module list the same way as during the last review, but the same one got approved, so I guess we can leave it as-is.

[MuthuvelKuppusamy]

We thought of maintaining the sbat only with version changes, Kindly let me know is it mandatory to update or else i can do it next submission.

[aronowski]

On 2024.04.15 22:47:35, MuthuvelKuppusamy wrote: We thought of maintaining the sbat only with version changes, Kindly let me know is it mandatory to update or else i can do it next submission.

I myself don't mind it staying the way it is now especially if it's about some compatibility-related scenarios. I'm just suggesting that if you do want to change the entries, you can do so now and have the updated application re-reviewed fairly quickly. I'm speaking on behalf of myself only. I don't know what Microsoft will think about this - it's up to you to make the decision.

…

-- Reply to this email directly or view it on GitHub: #389 (comment) You are receiving this because you were assigned. Message ID: ***@***.***>

[MuthuvelKuppusamy]

Thanks for the review.

Please find the new changes in place, and sbat section details as below.

objdump -s -j .sbat shimx64.efi shimia32.efi

shimx64.efi: file format pei-x86-64

Contents of section .sbat:
d6000 73626174 2c312c53 42415420 56657273 sbat,1,SBAT Vers
d6010 696f6e2c 73626174 2c312c68 74747073 ion,sbat,1,https
d6020 3a2f2f67 69746875 622e636f 6d2f7268 ://github.com/rh
d6030 626f6f74 2f736869 6d2f626c 6f622f6d boot/shim/blob/m
d6040 61696e2f 53424154 2e6d640a 7368696d ain/SBAT.md.shim
d6050 2c342c55 45464920 7368696d 2c736869 ,4,UEFI shim,shi
d6060 6d2c312c 68747470 733a2f2f 67697468 m,1,https://gith
d6070 75622e63 6f6d2f72 68626f6f 742f7368 ub.com/rhboot/sh
d6080 696d0a73 68696d2e 4f545a45 4e776f72 im.shim.OTZENwor
d6090 6b732c31 2c4f7065 6e546578 742c7368 ks,1,OpenText,sh
d60a0 696d2c31 352e382c 68747470 733a2f2f im,15.8,https://
d60b0 7777772e 6f70656e 74657874 2e636f6d www.opentext.com
d60c0 2f0a /.

shimia32.efi: file format pei-i386

Contents of section .sbat:
a2000 73626174 2c312c53 42415420 56657273 sbat,1,SBAT Vers
a2010 696f6e2c 73626174 2c312c68 74747073 ion,sbat,1,https
a2020 3a2f2f67 69746875 622e636f 6d2f7268 ://github.com/rh
a2030 626f6f74 2f736869 6d2f626c 6f622f6d boot/shim/blob/m
a2040 61696e2f 53424154 2e6d640a 7368696d ain/SBAT.md.shim
a2050 2c342c55 45464920 7368696d 2c736869 ,4,UEFI shim,shi
a2060 6d2c312c 68747470 733a2f2f 67697468 m,1,https://gith
a2070 75622e63 6f6d2f72 68626f6f 742f7368 ub.com/rhboot/sh
a2080 696d0a73 68696d2e 4f545a45 4e776f72 im.shim.OTZENwor
a2090 6b732c31 2c4f7065 6e546578 742c7368 ks,1,OpenText,sh
a20a0 696d2c31 352e382c 68747470 733a2f2f im,15.8,https://
a20b0 7777772e 6f70656e 74657874 2e636f6d www.opentext.com
a20c0 2f0a /.

---

[aronowski]

On 2024.04.16 05:43:12, MuthuvelKuppusamy wrote: Thanks for the review. Please find the new changes in place, and sbat section details as below. [...] ----

Looks OK. Incorporate the change to the application, tag it appropriately, push the changes, update the tag in the Github issue's original post and I'll take another look at the application.

…

-- Reply to this email directly or view it on GitHub: #389 (comment) You are receiving this because you were assigned. Message ID: ***@***.***>

[MuthuvelKuppusamy]

Thanks for the review. I have created the tag with latest changes https://github.com/MuthuvelKuppusamy/shim-review/releases/tag/opentext-shim-x64-ia32-20240417 and updated the same in issues template.

[aronowski]

Awesome! Accepting it!