Shim 15.8 for IGEL OS (x86_64)

[af-kulow]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/IGEL-Technology/shim-review/tree/IGEL-shim-x64-20240730-1

EDIT: In the meantime, linux kernel diffs, as well as additional sbat sections were requested in the review (see comments below). We included the information in the following tag of the review:
https://github.com/IGEL-Technology/shim-review/releases/tag/IGEL-shim-x64-20240807

---

What is the SHA256 hash of your final SHIM binary?

---

90ce33685c5ac241b582bdf27d0ae872b72263a5ae8271ef7f738bd1d13e8e63 shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

N/A

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

N/A

[steve-mcintyre]

Contact verification mails sent to:

• [email protected]
• [email protected]

[tina-igel]

Contact verification for [email protected]:

seethes demarcating softwood tuning imbecilities perfunctory bobbling voyager Wyoming bulwark

[af-kulow]

contact verification for [email protected]:

tines buttons noiseless atrocity Kempis Versailles forgot gambolled comprises colorfast

[steve-mcintyre]

Contact responses good!

[jclab-joseph]

Review for IGEL-shim-x64-20240730-1

review helper : https://github.com/jclab-joseph/other-shim-reviews/tree/master/20240802-IGEL-shim-x64-20240730-1

shim

• Version : 15.8 (Ref: https://github.com/IGEL-Technology/shim-review/blob/ab2ad0207ddbb93fe915915eb3847ba75af6e0a6/Dockerfile#L10)
• Reproducible (90ce33685c5ac241b582bdf27d0ae872b72263a5ae8271ef7f738bd1d13e8e63 ./build/output/shimx64.efi)
• SBAT of the built file matches the review request
• SBAT entries from shim looks fine : shim.igel,1,Igel,shim,15.8,https://www.igel.com
• NX flag not set

Patches

• 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
• 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
• https://github.com/IGEL-Technology/shim/blob/2eed136ae574185f1ed1fab0babb566bb19de3cb/debian/patches/IGEL-change-default-loader-to-igel.diff : Just changed "grubXXXX.efi" => "igelXXXX.efi"

$ git clone https://github.com/IGEL-Technology/shim.git igel-shim
=> commit id: 2eed136ae574185f1ed1fab0babb566bb19de3cb
$ diff -urN shim-15.8 igel-shim/ | grep -A3 -E "^diff " | grep -v '\.git'

diff -urN shim-15.8/debian/block_signed_deb igel-shim/debian/block_signed_deb
--- shim-15.8/debian/block_signed_deb	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/block_signed_deb	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,73 @@
--
diff -urN shim-15.8/debian/changelog igel-shim/debian/changelog
--- shim-15.8/debian/changelog	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/changelog	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,534 @@
--
diff -urN shim-15.8/debian/check_nx igel-shim/debian/check_nx
--- shim-15.8/debian/check_nx	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/check_nx	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,32 @@
--
diff -urN shim-15.8/debian/control igel-shim/debian/control
--- shim-15.8/debian/control	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/control	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,46 @@
--
diff -urN shim-15.8/debian/copyright igel-shim/debian/copyright
--- shim-15.8/debian/copyright	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/copyright	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,415 @@
--
diff -urN shim-15.8/debian/generate_dbx_list igel-shim/debian/generate_dbx_list
--- shim-15.8/debian/generate_dbx_list	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/generate_dbx_list	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,54 @@
--
diff -urN shim-15.8/debian/igel-dbx.hashes igel-shim/debian/igel-dbx.hashes
--- shim-15.8/debian/igel-dbx.hashes	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/igel-dbx.hashes	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,21 @@
--
diff -urN shim-15.8/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch igel-shim/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
--- shim-15.8/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,42 @@
--
diff -urN shim-15.8/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch igel-shim/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
--- shim-15.8/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,47 @@
--
diff -urN shim-15.8/debian/patches/IGEL-change-default-loader-to-igel.diff igel-shim/debian/patches/IGEL-change-default-loader-to-igel.diff
--- shim-15.8/debian/patches/IGEL-change-default-loader-to-igel.diff	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/patches/IGEL-change-default-loader-to-igel.diff	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,39 @@
--
diff -urN shim-15.8/debian/patches/series igel-shim/debian/patches/series
--- shim-15.8/debian/patches/series	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/patches/series	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,5 @@
--
diff -urN shim-15.8/debian/rules igel-shim/debian/rules
--- shim-15.8/debian/rules	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/rules	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,106 @@
--
diff -urN shim-15.8/debian/salsa-ci.yml igel-shim/debian/salsa-ci.yml
--- shim-15.8/debian/salsa-ci.yml	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/salsa-ci.yml	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,3 @@
--
diff -urN shim-15.8/debian/sbat.debian.csv.in igel-shim/debian/sbat.debian.csv.in
--- shim-15.8/debian/sbat.debian.csv.in	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/sbat.debian.csv.in	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/sbat.igel.csv.in igel-shim/debian/sbat.igel.csv.in
--- shim-15.8/debian/sbat.igel.csv.in	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/sbat.igel.csv.in	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-helpers-amd64-signed-template.lintian-overrides igel-shim/debian/shim-helpers-amd64-signed-template.lintian-overrides
--- shim-15.8/debian/shim-helpers-amd64-signed-template.lintian-overrides	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-helpers-amd64-signed-template.lintian-overrides	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-helpers-arm64-signed-template.lintian-overrides igel-shim/debian/shim-helpers-arm64-signed-template.lintian-overrides
--- shim-15.8/debian/shim-helpers-arm64-signed-template.lintian-overrides	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-helpers-arm64-signed-template.lintian-overrides	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-helpers-i386-signed-template.lintian-overrides igel-shim/debian/shim-helpers-i386-signed-template.lintian-overrides
--- shim-15.8/debian/shim-helpers-i386-signed-template.lintian-overrides	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-helpers-i386-signed-template.lintian-overrides	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-unsigned.dirs igel-shim/debian/shim-unsigned.dirs
--- shim-15.8/debian/shim-unsigned.dirs	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-unsigned.dirs	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/shim-unsigned.install igel-shim/debian/shim-unsigned.install
--- shim-15.8/debian/shim-unsigned.install	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/shim-unsigned.install	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,4 @@
--
diff -urN shim-15.8/debian/signing-template/@[email protected] igel-shim/debian/signing-template/@[email protected]
--- shim-15.8/debian/signing-template/@[email protected]	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/@[email protected]	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,93 @@
--
diff -urN shim-15.8/debian/signing-template/@[email protected] igel-shim/debian/signing-template/@[email protected]
--- shim-15.8/debian/signing-template/@[email protected]	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/@[email protected]	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,57 @@
--
diff -urN shim-15.8/debian/signing-template/README.source igel-shim/debian/signing-template/README.source
--- shim-15.8/debian/signing-template/README.source	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/README.source	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,4 @@
--
diff -urN shim-15.8/debian/signing-template/changelog.in igel-shim/debian/signing-template/changelog.in
--- shim-15.8/debian/signing-template/changelog.in	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/changelog.in	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,11 @@
--
diff -urN shim-15.8/debian/signing-template/compat igel-shim/debian/signing-template/compat
--- shim-15.8/debian/signing-template/compat	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/compat	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/signing-template/control.in igel-shim/debian/signing-template/control.in
--- shim-15.8/debian/signing-template/control.in	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/control.in	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,25 @@
--
diff -urN shim-15.8/debian/signing-template/copyright igel-shim/debian/signing-template/copyright
--- shim-15.8/debian/signing-template/copyright	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/copyright	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,51 @@
--
diff -urN shim-15.8/debian/signing-template/rules igel-shim/debian/signing-template/rules
--- shim-15.8/debian/signing-template/rules	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/rules	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,18 @@
--
diff -urN shim-15.8/debian/signing-template/source/format igel-shim/debian/signing-template/source/format
--- shim-15.8/debian/signing-template/source/format	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template/source/format	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/signing-template.generate igel-shim/debian/signing-template.generate
--- shim-15.8/debian/signing-template.generate	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template.generate	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,43 @@
--
diff -urN shim-15.8/debian/signing-template.json.in igel-shim/debian/signing-template.json.in
--- shim-15.8/debian/signing-template.json.in	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/signing-template.json.in	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,11 @@
--
diff -urN shim-15.8/debian/source/format igel-shim/debian/source/format
--- shim-15.8/debian/source/format	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/source/format	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1 @@
--
diff -urN shim-15.8/debian/source/include-binaries igel-shim/debian/source/include-binaries
--- shim-15.8/debian/source/include-binaries	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/source/include-binaries	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,2 @@
--
diff -urN shim-15.8/debian/tests/01_sanity_tests.py igel-shim/debian/tests/01_sanity_tests.py
--- shim-15.8/debian/tests/01_sanity_tests.py	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/01_sanity_tests.py	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,54 @@
--
diff -urN shim-15.8/debian/tests/05_signature_tests.py igel-shim/debian/tests/05_signature_tests.py
--- shim-15.8/debian/tests/05_signature_tests.py	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/05_signature_tests.py	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,91 @@
--
diff -urN shim-15.8/debian/tests/10_uefi_boot_tests.py igel-shim/debian/tests/10_uefi_boot_tests.py
--- shim-15.8/debian/tests/10_uefi_boot_tests.py	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/10_uefi_boot_tests.py	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,51 @@
--
diff -urN shim-15.8/debian/tests/control igel-shim/debian/tests/control
--- shim-15.8/debian/tests/control	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/control	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,47 @@
--
diff -urN shim-15.8/debian/tests/uefi_tests_base.py igel-shim/debian/tests/uefi_tests_base.py
--- shim-15.8/debian/tests/uefi_tests_base.py	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/tests/uefi_tests_base.py	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,261 @@
--
diff -urN shim-15.8/debian/upstream/metadata igel-shim/debian/upstream/metadata
--- shim-15.8/debian/upstream/metadata	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/upstream/metadata	2024-08-02 15:48:22.091442471 +0900
@@ -0,0 +1,2 @@
--
diff -urN shim-15.8/debian/upstream/signing-key.asc igel-shim/debian/upstream/signing-key.asc
--- shim-15.8/debian/upstream/signing-key.asc	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/upstream/signing-key.asc	2024-08-02 15:48:22.095442243 +0900
@@ -0,0 +1,465 @@
--
diff -urN shim-15.8/debian/watch igel-shim/debian/watch
--- shim-15.8/debian/watch	1970-01-01 09:00:00.000000000 +0900
+++ igel-shim/debian/watch	2024-08-02 15:48:22.095442243 +0900
@@ -0,0 +1,5 @@

certificate

---

• Not After: Mar 19 08:55:59 2054 GMT
• self-signed 4096 bit cert and valid for almost 10 years
• The keys are generated on a NitroKey HSM, which is stored in a safe in the company's facility.

NEED MORE CHECKS

• No exact kernel source. There are additional patches, but I don't know the exact source : https://github.com/IGEL-Technology/shim-review/tree/IGEL-shim-x64-20240730-1#do-you-build-your-signed-kernel-with-additional-local-patches-what-do-they-do

We generally backport fixes and features from development kernels to our LTS kernels. For example, we're currently on 6.6.x but have quite a few backports from 6.8+
We apply various patches to support also the most recent hardware, e.g.

• MeteorLake processor generation
• HP mt645
• Surface tablets
  We have IGEL OS-specific features in the kernel
• IGEL Flash Driver, a kind of logical volume manager optimized for small flash memory devices providing checksum validation, encryption, etc.

• No SBAT for all binaries. They use fwupd and grub, but there is no sbat for this. : https://github.com/IGEL-Technology/shim-review/tree/IGEL-shim-x64-20240730-1#do-you-add-a-vendor-specific-sbat-entry-to-the-sbat-section-in-each-binary-that-supports-sbat-metadata--grub2-fwupd-fwupdate-systemd-boot-systemd-stub-shim--all-child-shim-binaries-

[af-kulow]

I will add the SBAT entries of the binaries we boot also in the questionnaire, for quick reference, here they are:

igelx64.efi

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md 
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/ 
grub.debian,4,Debian,grub2,2.06-13+deb12u1,https://tracker.debian.org/pkg/grub2 
grub.igel,4,Igel,grub2,2.06-13+deb12u1igel1721912063,https://www.igel.com 

fwupdx64.efi

sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
fwupd-efi,1,Firmware update daemon,fwupd-efi,1.6,https://github.com/fwupd/fwupd-efi
fwupd-efi.debian,1,Debian,fwupd,1:1.6-1,https://tracker.debian.org/pkg/fwupd

Further, we are preparing the Kernel patches for review.

[af-kulow]

We now have included the patches to the linux kernel as well as the kernel build config in the shim-review repo (linux-patches/).
I created a new tag for the updated files as well as the updated, previously stated, sbat sections: https://github.com/IGEL-Technology/shim-review/releases/tag/IGEL-shim-x64-20240807

The source code of the kernel, initramfs et al. is available here for reviewers: https://github.com/IGEL-Technology

[zeetim]

Review of IGEL-shim-x64-20240807

I am not an authorized reviewer but I want to help

• shim sources sha256 sum matches in docker image:

# sha256sum shim-15.8.tar.bz2 
a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9  shim-15.8.tar.bz2

• shim patches:

# diff shim shim-15.8
Only in shim: .git
Common subdirectories: shim/.github and shim-15.8/.github
Common subdirectories: shim/Cryptlib and shim-15.8/Cryptlib
diff shim/Make.defaults shim-15.8/Make.defaults
31c31
< DEFAULT_LOADER        ?= \\\\igel$(ARCH_SUFFIX).efi
---
> DEFAULT_LOADER        ?= \\\\grub$(ARCH_SUFFIX).efi
Common subdirectories: shim/data and shim-15.8/data
Only in shim: dbx.esl
Only in shim: debian
Common subdirectories: shim/gnu-efi and shim-15.8/gnu-efi
Common subdirectories: shim/include and shim-15.8/include
Common subdirectories: shim/lib and shim-15.8/lib
Only in shim: sbat.igel.csv
diff shim/shim.h shim-15.8/shim.h
73c73
< #define DEFAULT_LOADER L"\\igelx64.efi"
---
> #define DEFAULT_LOADER L"\\grubx64.efi"
76c76
< #define DEFAULT_LOADER_CHAR "\\igelx64.efi"
---
> #define DEFAULT_LOADER_CHAR "\\grubx64.efi"
88c88
< #define DEFAULT_LOADER L"\\igelia32.efi"
---
> #define DEFAULT_LOADER L"\\grubia32.efi"
91c91
< #define DEFAULT_LOADER_CHAR "\\igelia32.efi"
---
> #define DEFAULT_LOADER_CHAR "\\grubia32.efi"
Common subdirectories: shim/test-data and shim-15.8/test-data

• build is reproducible:

# sha256sum build/output/shimx64.efi 
90ce33685c5ac241b582bdf27d0ae872b72263a5ae8271ef7f738bd1d13e8e63  build/output/shimx64.efi

• NX is not set:

# objdump -x /build/output/shimx64.efi | grep DllCharacteristics
DllCharacteristics      00000000

• shim sbat looks fine

# objcopy --only-section .sbat -O binary /build/output/shimx64.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.igel,1,Igel,shim,15.8,https://www.igel.com

• Certificate:
  • valid for 30 years
  • RSA 4096 bits key
  • Is a CA certificate

# openssl x509 -noout -inform DER -in igel-uefi-ca.der -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0e:88:b9:8d:0b:7e:00:6a:92:9c:9a:be:39:4e:af:54:57:f8:bc:85
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Bremen, L = Bremen, O = IGEL Technology GmbH, OU = IGEL Technology GmbH Certificate Authority, CN = IGEL Technology GmbH Root CA
        Validity
            Not Before: Mar 26 08:55:59 2024 GMT
            Not After : Mar 19 08:55:59 2054 GMT
        Subject: C = DE, ST = Bremen, L = Bremen, O = IGEL Technology GmbH, OU = IGEL Technology GmbH Certificate Authority, CN = IGEL Technology GmbH Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

---

Note:

I think you should split your kernel patch to make things easier to review.