SHIM 15.4 for AmZetta Technologies, LLC #211

Closed
9 tasks done
amzdev0401 opened this issue Oct 6, 2021 · 35 comments
Labels
new vendor This is a new vendor

Comments

@amzdev0401

amzdev0401 commented Oct 6, 2021

Make sure you have provided the following information:

What organization or people are asking to have this signed:

[AmZetta Technologies, LLC, For more info https://amzetta.com/ztc/]

What product or service is this for:

[SnapVDI Thin Client (zTC) endpoint devices, a hardware thin client product. With powerful hardware components and native compatibility with VMware, Citrix, and Microsoft, as well as the Azure and AWS cloud platforms, the AmZetta zTC thin client device seamlessly integrates into virtually any IT environment. Using the included AmZetta Client Manager (SCM) software, administrators can manage, monitor, and secure their entire zTC deployment from a single intuitive interface. More than ever before, businesses today need the ability to adapt to unforeseen circumstances. Equip your company with the agility to adapt without compromising power, compatibility, or security with the AmZetta zTC thin client. For more info: https://amzetta.com/ztc/]

Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin your shim.

[yes, our repo https://github.com/amzdev0401/shim.git, tag Ver-15.4, is a copy of https://github.com/rhboot/shim/releases/tag/15.4]

What's the justification that this really does need to be signed for the whole world to be able to boot it:

[Snap OS (tailored for virtual spaces, based on a Linux distribution) is the Linux software endpoint solution by AmZetta Technologies. Snap OS is currently used in hardware thin clients (zTC); it can also be used to repurpose old laptops and desktops without any hassle. AmZetta Technologies would like customers to be able to run the Snap OS Linux endpoint on any x86-64 device without disabling Secure Boot.]

How do you manage and protect the keys used in your SHIM?

[Hardware security module]

Do you use EV certificates as embedded certificates in the SHIM?

[yes, AmZetta generated a self-signed certificate using OpenSSL, embedded into shim]

If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?

[vendor_db is not used]

Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if you boot chain includes a Linux kernel ?

[yes, kernel 5.10 is used in SnapOS. Kernel 5.10 has the "ACPI: configfs: Disallow loading ACPI tables when locked down" fix]

if SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?

[We use upstream GRUB 2.06 with all above CVEs fixed]

"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim

[Our SHIM has an embedded SBAT section with the following 3 lines:]
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.amzetta,1,SnapOS,shim,15.4,https://amzetta.com

[Our GRUB2 has an embedded SBAT section with the following 3 lines:]
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.amzetta,1,SnapOS,grub2,2.06,https://amzetta.com

Were your old SHIM hashes provided to Microsoft ?

[No, this is our first submission; we have no older SHIMs]

Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?

[We use upstream GRUB 2.06, trusting its strategy]

What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?

[We use upstream GRUB 2.06 with SBAT section]

What is the origin and full version number of your bootloader (GRUB or other)?

[GRUB https://ftp.gnu.org/gnu/grub/grub-2.06.tar.xz sha256 b79ea44af91b93d17cd3fe80bdae6ed43770678a9a5ae192ccea803ebb657ee1 grub-2.06.tar.xz]

If your SHIM launches any other components, please provide further details on what is launched

[No, shim launches GRUB only]

If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown

[GRUB2 launches Kernel only]

If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.

[This is our first submission; we do not have older GRUB2 binaries]

How do the launched components prevent execution of unauthenticated code?

[We use chained loading: shim -> grub2 -> kernel with all components signed]

Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?

[No]

What kernel are you using? Which patches does it includes to enforce Secure Boot?

[Kernel 5.10]

What changes were made since your SHIM was last signed?

[This is our first submission]

What is the SHA256 hash of your final SHIM binary?

[f8f35ad9fec3763b45eae7beaab74eb3d006f3eb94f7382dd1290dd488200980]
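An added check, written for this thread rather than taken from shim or from the submitter's repository, that parses the SBAT lines quoted above and verifies the structure reviewers look at: six CSV fields per line, the `sbat` header first, positive generation numbers, and a vendor-specific entry whose suffix is this vendor's own (the `vendor` argument is an assumed parameter; the SBAT text is copied from the post).

```python
import csv
import io

# SBAT CSV column names, in the order used by shim's SBAT.md.
FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")

# SBAT sections copied from the submission above.
SHIM_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.amzetta,1,SnapOS,shim,15.4,https://amzetta.com
"""
GRUB_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.amzetta,1,SnapOS,grub2,2.06,https://amzetta.com
"""


def parse_sbat(text):
    """Parse an SBAT section into a list of dicts, one per CSV line."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
        entries.append(dict(zip(FIELDS, row)))
    return entries


def check_sbat(entries, vendor):
    """Return a list of problems; an empty list means the section passes.

    `vendor` (assumed parameter) is the suffix the vendor-specific entry,
    e.g. shim.<vendor>, is expected to carry."""
    problems = []
    if not entries or entries[0]["component_name"] != "sbat":
        problems.append("first entry must be the 'sbat' header line")
        return problems
    for e in entries:
        gen = e["component_generation"]
        if not gen.isdigit() or int(gen) < 1:
            problems.append(f"{e['component_name']}: generation must be a positive integer")
    # Upstream components are the un-dotted names after the header line.
    upstream = {e["component_name"] for e in entries[1:] if "." not in e["component_name"]}
    vendor_entries = [e for e in entries if "." in e["component_name"]]
    if not vendor_entries:
        problems.append("no vendor-specific entry (component.vendor) found")
    for e in vendor_entries:
        base, _, suffix = e["component_name"].partition(".")
        if base not in upstream:
            problems.append(f"{e['component_name']}: no upstream '{base}' entry precedes it")
        if suffix != vendor:
            problems.append(f"{e['component_name']}: suffix '{suffix}' is not this vendor's ('{vendor}')")
    return problems
```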

@julian-klode julian-klode added new vendor This is a new vendor bug Problem with the review that must be fixed before it will be accepted labels Oct 6, 2021
@julian-klode
Collaborator

julian-klode commented Oct 6, 2021

This submission is inappropriate, it hijacks the ubuntu namespace. Surely you are aware that there already is an ubuntu vendor? It probably should use a .amzetta suffix.

The repositories are not forks of the main ones, but hand-stitched together, so to speak. Please rebase the repositories on top of the official ones, so that any changes can be clearly identified.

There is no tag as required.

I do not know if linux 5.10 contains all necessary fixes.

@julian-klode
Collaborator

I'm confused because this just seems a copy-paste job of #206

@amzdev0401
Author

I'm confused because this just seems a copy-paste job of #206

We are a different company; our product is a thin client solution. We are planning to provide a secure boot option for our next generation products.

Product Info.
https://amzetta.com/products/ztc/

@amzdev0401
Author

This submission is inappropriate, it hijacks the ubuntu namespace. Surely you are aware that there already is an ubuntu vendor? It probably should use a .amzetta suffix.

The repositories are not forks of the main ones, but hand-stitched together, so to speak. Please rebase the repositories on top of the official ones, so that any changes can be clearly identified.

There is no tag as required.

I do not know if linux 5.10 contains all necessary fixes.

Thank you, we will fix all mentioned issues. The Linux 5.10 kernel has the fix for
"ACPI: configfs: Disallow loading ACPI tables when locked down"; we verified the 5.10 kernel source code.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=75b0cea7bf307f362057cc778efe89af4c615354

@amzdev0401
Author

We have updated the needed changes, please review the updated files. Thank you.

@julian-klode julian-klode removed the bug Problem with the review that must be fixed before it will be accepted label Oct 7, 2021
@amzdev0401
Author

  1. We have applied the following security patches on SHIM 15.4 based on the following recommendations:
    [tracking] shim 15.4 critical regressions #165

0001-Fix-handling-of-ignore_db-and-user_insecure_mode.patch ( 822d07ad4f07ef66fe447a130e1027c88d02a394 )
0003-Fix-a-broken-file-header-on-ia32.patch ( 5b3ca0d2f7b5f425ba1a14db8ce98b8d95a2f89f )
0004-mok-allocate-MOK-config-table-as-BootServicesData.patch ( 4068fd42c891ea6ebdec056f461babc6e4048844 )
0005-Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch ( 493bd940e5c6e28e673034687de7adef9529efff )
0007-Relax-the-check-for-import_mok_state.patch ( 9f973e4e95b1136b8c98051dbbdb1773072cc998 )
0010-shim-another-attempt-to-fix-load-options-handling.patch ( 4d64389c6c941d21548b06423b8131c872e3c3c7 )

  2. The compiled shimx64.efi and the build.log file have been uploaded.
  3. The latest Dockerfile and latest branch information have been updated.

Could you please review the updated files? If anything is wrong in the submission, please let me know. Thank you.

@tSU-RooT

Hi, I have tried to confirm that your shim is reproducible,
but your shimx64.efi was unreproducible in my environment
(built on several different OSes for testing; the checksum was different for an unknown reason).

Please make sure your shim build is replayable from the Dockerfile.

Sample Cases:
CentOS 8.4(podman)

STEP 19: RUN sha256sum shimx64.efi                                                                          
9550063f1ccb9ccec4274a84e3b9b184b5d02a48bece97af18667338f36a178d  shimx64.efi  

Debian 10(docker)

Step 19/20 : RUN sha256sum shimx64.efi
 ---> Running in ef4b6d84e314
50c6fa6330ff02a398516f649d24d16cacf8107512e9a607a990259c0e9a9204  shimx64.efi

Ubuntu 20.04.2(docker)

Step 19/20 : RUN sha256sum shimx64.efi
 ---> Running in e65015007474
791b9b62ec5cd2c750d9ff397bb442ef10a74621a8bb962b8adc4ac2b5527752  shimx64.efi

@tSU-RooT

@amzdev0401
I found a buggy point in your Dockerfile.
https://github.com/amzdev0401/shim-review/blob/AmZettaTech-shim-X86_64-shim-15.4/Dockerfile#L35
RUN curl -O https://github.com/amzdev0401/shim-review/blob/AmZettaTech-shim-X86_64-shim-15.4/AMZ.cer
is not working as expected, because curl on this URL doesn't return the raw cer file.
Roughly 132k of HTML will be saved as AMZ.cer.

$ curl -O https://github.com/amzdev0401/shim-review/blob/AmZettaTech-shim-X86_64-shim-15.4/AMZ.cer
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  132k    0  132k    0     0  1247k      0 --:--:-- --:--:-- --:--:-- 1247k
$ head AMZ.cer 






<!DOCTYPE html>
<html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark">
  <head>
    <meta charset="utf-8">
$ file AMZ.cer 
AMZ.cer: HTML document, UTF-8 Unicode text, with very long lines

According to the build.log in your repository, the latest build probably made the above mistake.
https://github.com/amzdev0401/shim-review/blob/06245e478a5b8fe5758d3f7b9bb8a9f4b40f2e61/build.log#L810

I think it is better to just use COPY into the container instead of RUN curl.
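An added sanity check for the failure mode shown above (a GitHub "blob" URL fetched with curl yields an HTML page, not the DER certificate); this is example code for the thread, not AmZetta's build script, and the sample inputs are constructed. It tells PEM, HTML and DER apart, and accepts DER only when the outer SEQUENCE length matches the file size, so a truncated download is not mistaken for a certificate.

```python
def _der_total_length(data: bytes):
    """Return the total encoded length of the outer DER SEQUENCE, or None
    if `data` does not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                              # short-form length byte
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_cert_file(data: bytes) -> str:
    """Classify downloaded certificate bytes as 'der', 'pem', 'html' or 'unknown'.

    A DER file is accepted only if its declared outer length equals len(data);
    an HTML page (what a GitHub blob URL returns) is reported as 'html'."""
    head = data.lstrip(b" \t\r\n")               # GitHub pages start with blank lines
    if head.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    if head[:16].lower().startswith((b"<!doctype", b"<html")):
        return "html"
    total = _der_total_length(data)
    if total is not None and total == len(data):
        return "der"
    return "unknown"


def classify_cert_path(path: str) -> str:
    """Convenience wrapper: classify the file at `path` (e.g. AMZ.cer)."""
    with open(path, "rb") as fh:
        return classify_cert_file(fh.read())


# Constructed sample inputs (not real files from the thread).
HTML_SAMPLE = b"\n\n\n<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n"
# A minimal DER SEQUENCE: long-form length of 5 bytes, then 5 content bytes.
DER_SAMPLE = b"\x30\x82\x00\x05" + b"\x02\x01\x01\x05\x00"
# Same header but cut short: declared length no longer matches the file size.
TRUNCATED_DER = DER_SAMPLE[:-2]
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
```

Run it against the file the Dockerfile actually produced; anything other than `der` (or `pem`, if that is what you intended to embed) means the build consumed the wrong bytes.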

@amzdev0401
Author

I have noticed the same issue while testing in different operating systems and I have fixed the issue. I will update the modified files after testing is completed.
Thank you for your quick response. We appreciate the attention you are giving to this review process.

@amzdev0401
Author

The following files have been modified and uploaded for the issue of different checksums on different OSes.

  1. Dockerfile
  2. make-shim.sh
  3. shimx64.efi
  4. build.log

Once again, thank you for the Shim review process.

@tSU-RooT

tSU-RooT commented Nov 2, 2021

I am trying a cross-review while referring to the reviewer guidelines:

  • Reproducibility is OK now.
Step 19/20 : RUN sha256sum shimx64.efi
 ---> Running in f93aa27d6b89
f8f35ad9fec3763b45eae7beaab74eb3d006f3eb94f7382dd1290dd488200980  shimx64.efi

Corresponding line in new build log is https://github.com/amzdev0401/shim-review/blob/a9bd5d4daa44d23f897dfeb739ac479cda5b5fce/build.log#L1438

  • SBAT in shim binary looks good.
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.amzetta,1,SnapOS,shim,15.4,https://amzetta.com
  • Organization (amzetta) appears to match the cert (NOTE: self-signed certificate).
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:30:c9:a9:9f:0a:3d:c0:70:03:ba:5a:c8:e6:77:58:3a:e4:13:4a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = amzetta
        Validity
            Not Before: Feb 26 21:00:39 2021 GMT
            Not After : Feb 24 21:00:39 2031 GMT
        Subject: CN = amzetta
  • Storing the private key in a hardware token (SafeNet eToken 5110) looks good.
  • Vendor extension looks good (i.e. unique).
  • Duration of the cert is 10 years (embedded CA cert).
  • According to the description, grub2 2.0.6 (latest upstream release) is used.
  • shim extra patches were all cherry-picked from the upstream main branch.
    These backported patches already passed in Rocky Linux's submission (tagged as accepted), so I think these patches are OK.

Could someone (with authority to accept) review this submission?

@frozencemetery
Member

  • amzdev0401/shim-review is not a fork of this repo; please recreate it as one
  • email verification could not be completed as PGP key fingerprints were not provided

@frozencemetery frozencemetery added the bug Problem with the review that must be fixed before it will be accepted label Nov 24, 2021
@amzdev0401
Author

amzdev0401 commented Nov 26, 2021

Thank you for the update. I have updated the requested info; please let me know if I need to do anything else in this SHIM submission.

  1. amzdev0401/shim-review is not a fork of this repo; please recreate it as one
    In the following branch we pull the SHIM 15.4 source code branch directly from https://github.com/rhboot/shim.git and build the SHIM binary. That information is available in the following Dockerfile.

    i.   https://github.com/amzdev0401/shim-review/blob/AmZettaTech-shim-X86_64-shim-15.4/Dockerfile
         RUN  git clone --recursive -b 15.4 https://github.com/rhboot/shim.git shim
    ii.  Requested changes were updated in the AmZettaTech-shim-X86_64-shim-15.4 branch and merged into the main branch.
    iii. New changes are tagged in https://github.com/amzdev0401/shim-review/releases/tag/amzetta-shim-x64-20211129
    
  2. email verification could not be completed as PGP key fingerprints were not provided
    Primary contact : [email protected]
    PGP Key ID: 2A2CF3A69E739955
    PGP Key Fingerprint: 1920 A439 96A8 431B 6113 E95A 2A2C F3A6 9E73 9955,
    HKP key server: https://keyserver.ubuntu.com

    Secondary contact : [email protected]
    PGP Key ID: 52D3D8F74C848F3A
    PGP Key Fingerprint: 87F2 B43A F046 F217 11CB 22AA 52D3 D8F7 4C84 8F3A,
    HKP key server: https://keyserver.ubuntu.com

@frozencemetery frozencemetery removed the bug Problem with the review that must be fixed before it will be accepted label Nov 29, 2021
@frozencemetery
Member

frozencemetery commented Nov 29, 2021

amzdev0401/shim-review is not a fork of this repo; please recreate it as one

In the following branch we pull the SHIM 15.4 source code branch directly from https://github.com/rhboot/shim.git and build the SHIM binary. That information is available in the following Dockerfile.

While I can't speak for other reviewers, if you want a review from me, you need to adhere to the guidelines, which strongly suggest it to be an actual fork.

Note that this is about your shim-review tree, not your shim tree.

@amzdev0401
Author

amzdev0401 commented Nov 30, 2021

Thank you for your quick response. We appreciate the attention you are giving to this review process.

  1. amzdev0401/shim-review is forked from rhboot/shim-review.
  2. Source code is available in https://github.com/amzdev0401/shim-review/releases/tag/amzetta-shim-x64-20211130
  3. Another method to get the source code:
    "git clone https://github.com/amzdev0401/shim-review.git" or
    "git clone --branch AmZettaTech-shim-X86_64-shim-15.4 https://github.com/amzdev0401/shim-review.git"

Please let us know if we need to do anything. Thank you once again.

@frozencemetery
Member

frozencemetery commented Dec 13, 2021

While PGP key fingerprints have been provided and a keyserver is mentioned, keys do not appear to have been pushed to said keyserver.

Your two security contacts are an Engineering Manager and a Sales Director. Since neither of those are typically technical roles, I need to check: are both of these contacts able to handle security updates? And: which one is you @amzdev0401 ?

@frozencemetery frozencemetery added bug Problem with the review that must be fixed before it will be accepted question Reviewer(s) waiting on response incomplete This submission is missing required bits and removed bug Problem with the review that must be fixed before it will be accepted labels Dec 13, 2021
@amzdev0401
Author

amzdev0401 commented Dec 14, 2021

Thank you for the update.

  1. When I search by E-mail address in https://keyserver.ubuntu.com/ it provides the public key.

[email protected]
https://keyserver.ubuntu.com/pks/lookup?search=loganathanr%40amzetta.com&fingerprint=on&op=index

[email protected]
https://keyserver.ubuntu.com/pks/lookup?search=justinb%40amzetta.com&fingerprint=on&op=index

  2. @amzdev0401
    This git account belongs to the company (AmZetta Technologies). Only authorized users can use it. I am now using it for the SHIM submission.

Please let me know if I need to do anything from my side.

@frozencemetery frozencemetery removed the incomplete This submission is missing required bits label Dec 14, 2021
@amzdev0401
Author

amzdev0401 commented Dec 14, 2021

About security contacts: yes, we will handle security updates; that is not a problem for us.

@frozencemetery frozencemetery removed the question Reviewer(s) waiting on response label Dec 14, 2021
@amzdev0401
Author

We are planning to add the secure boot feature in the upcoming product release and we are waiting for the SHIM approval. Can you please review the SHIM? Thank you.

@frozencemetery
Member

I am going to send you some words. When you receive them, please post them here.

@amzdev0401
Author

Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

spartanerer
vekstomr=C3=A5dets
utvis
godtgjorde
ferdigbehandlingens
Dardanellenes
held=C3=B8gnsomsorgens
omsetningsgjeldsbrevene
markmusas
varmfyllinger
encefalogrammer
testsalga
maratonforestillinga

@frozencemetery frozencemetery added the contact verification needed Contact verification is needed for this review label Feb 4, 2022
@amzdev0401
Author

amzdev0401 commented Feb 4, 2022

Thank you for the update. Do I need to do anything from my end? Please let me know.

@frozencemetery
Member

You don't, but your other contact does - I emailed you both.

@amzdev0401
Author

Hi, I have checked with my secondary contact; he said he didn't get any mail and is waiting for the mail so he can reply.
Could you please check?

Name: Justine Bagby

@frozencemetery
Member

frozencemetery commented Feb 4, 2022 via email

@amzdev0401
Author

Thank you. Can you please resend the mail?

@frozencemetery
Member

Resent.

@amzdev0401
Author

Thank you very much. He sent the decrypted data from your mail to me.
This GitHub account is the AmZetta office account; I am posting this message on behalf of him.

Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

spredningsevners
lekeren
petroleumsleveranse
politiangrepene
forsyningslinjene
flodb=C3=B8lgens
sparebankfondet
kunstsenters
planlaus
finanslovgivning
morderbander
indikasjonsgrensens
mosjonisten

@frozencemetery
Member

Contact information is verified. You might want to look into whatever's not processing utf-8 in your email stack properly, but that's not related to shim review :)

@frozencemetery frozencemetery removed the contact verification needed Contact verification is needed for this review label Feb 4, 2022
@amzdev0401
Author

Thank you for the quick and prompt response. Greatly appreciated!

@ecos-platypus
Contributor

ecos-platypus commented Mar 10, 2022

I find it problematic that most of this submission is copy-pasted from #206 (as noted before by @julian-klode). If you diff the ISSUE_TEMPLATE.md (not filled out for AmZetta, you have to quote the first post in this issue and remove the leading quote markers) and README.md, most is exactly the same (e.g., [keys are on HW eToken (SafeNet eToken 5110 FIPS) kept by authorized persons]) or only with minimal changes. I simply cannot derive whether the vendor has taken time to familiarize with secure boot.

@amzdev0401
Author

Yes, we are familiar with secure boot. Regarding the procedure for submission, we had some issues, but those were corrected based on the suggestions from the reviewer. Sorry for the earlier issues. Please let us know if anything needs to be updated for your review and we will take care of it immediately.

@amzdev0401
Author

Could you please let us know if there is anything we need to do from our end?
We are waiting for this SHIM approval; we need to integrate this SHIM into our upcoming product release.

@amzdev0401
Author

Could you please finish this review? We are waiting for the product release.

@julian-klode
Collaborator

Closing outdated request due to the recent round of CVEs in grub and shim requiring a new submission with fixes for all these CVEs.
