TencentOS Linux 3 shim-15.8 x64, ia32 and aarch64

[costinchen]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20240912

---

What is the SHA256 hash of your final SHIM binary?

---

ca145c15cd26430dda03c37fc2f079afb7c78b0cd3a15afa55b8e73266d4500b  shimaa64.efi
fab52ed62f16cef5a0b02b3ae985bc5b09f261482417cefed3e84a837c8e9831  shimia32.efi
a5e93e8908195fb79a4c781408193cb7e9128d44e165ae061f07cb66806835d1  shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

N/A, this is our first application.

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

N/A, this is our first application.

[steve-mcintyre]

Contact verification mails sent

[costinchen]

Contact verification mails sent

I got: secures spunkier vasectomies indecipherable uprisings shipboard Nescafe foxtrotting flawed defrays

[PrinterFranklin]

I got: unhurt recant proxies impeaching uniformed credence kickier Yemenis crates generate

[dbnicholson]

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20240906

This is intended to be a tag rather than a branch.

[dbnicholson]

For your CA certificate:

$ openssl x509 -keyform DER -in tencentsecurebootca.der -text -noout 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            57:45:90:d5:87:dd:bb:fe:86:a2:78:e4:f5:d5:22:3a:e5:bf:f2:40
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Validity
            Not Before: Aug 29 09:08:07 2024 GMT
            Not After : Aug 27 09:08:07 2034 GMT
        Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d0:86:82:72:67:2d:43:07:b3:e1:c7:38:07:8f:
                    dd:30:3c:ef:62:1f:cf:c8:e0:f6:78:02:83:40:1c:
                    51:ee:1f:2b:93:29:97:f4:ee:ba:68:18:40:db:55:
                    ff:e7:76:ff:8e:df:77:96:e0:73:67:8e:a9:7a:85:
                    a7:31:7d:8b:c0:86:6a:c8:e8:7d:0c:01:e3:cb:94:
                    dd:ff:42:c8:5b:49:66:3e:87:e4:4b:39:90:48:1a:
                    aa:b7:0b:1e:b2:5a:dd:2c:98:e6:de:7d:f5:16:1e:
                    68:9e:f1:1e:fa:e5:5a:ab:2b:ab:d3:01:19:ef:a1:
                    7b:06:4c:46:82:b8:1f:28:39:7d:6c:16:3f:0d:e7:
                    53:a6:a9:17:13:9a:cb:41:74:6a:20:0a:dd:0c:aa:
                    c9:18:4c:b0:dc:41:42:d2:87:75:5f:a4:b1:26:f5:
                    df:57:ba:fd:54:4f:cd:79:05:f1:3c:03:51:8b:fa:
                    e6:16:08:34:c9:f2:d8:90:86:db:9b:0e:29:81:ae:
                    18:1d:fb:1a:d9:bf:f5:a2:04:b1:ea:15:f0:dd:1b:
                    ab:44:65:d7:bd:27:63:07:e2:b6:e1:ff:eb:38:04:
                    7d:54:4b:ea:10:dc:3f:17:42:59:26:81:b2:06:c0:
                    9f:1f:d0:5d:8c:8a:cc:29:f4:e8:be:20:f5:5c:45:
                    81:a8:65:ac:32:53:23:0b:1f:24:fd:c7:b4:39:7e:
                    56:9b:06:6f:06:01:5d:9d:5a:6c:a6:e2:0b:c6:bc:
                    6e:24:ec:1f:96:cc:bc:69:36:ae:a7:52:11:ac:05:
                    d5:8d:93:0a:d1:d5:ad:0f:92:e5:69:c3:48:56:1a:
                    ca:82:f9:f6:a9:8b:b7:39:9c:46:e2:02:82:19:c7:
                    70:5d:52:22:30:e9:c8:68:74:25:b0:4c:73:9c:da:
                    e9:86:a9:63:fb:82:33:47:16:2d:7d:3c:33:28:7d:
                    0c:33:bd:c4:a3:19:fb:2a:88:7b:e5:32:d5:50:a4:
                    44:58:c6:81:8d:1b:21:3a:fc:22:92:ad:32:db:57:
                    ae:a2:a9:a3:1b:a0:62:ce:e7:cb:1b:35:35:b0:53:
                    01:fa:bd:a9:fc:61:a3:31:7f:4f:b1:d4:61:c6:c0:
                    70:e4:cd:14:cb:57:ca:08:2e:be:f7:42:6c:02:0a:
                    98:77:58:c8:85:bd:e6:5b:86:92:6d:91:8e:a6:07:
                    93:cd:77:a0:5a:d6:4c:ed:19:46:b0:87:38:11:05:
                    b8:60:d9:68:7c:35:85:1e:c5:7e:40:b1:a3:20:7e:
                    c8:0e:c1:eb:01:12:10:2f:c0:f3:4a:f4:b7:b6:7e:
                    69:ce:95:03:92:17:fc:80:e9:fd:f0:7b:25:cc:41:
                    62:c0:e5
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3d:e2:a5:32:26:97:5d:4e:7f:37:2a:e2:77:65:e1:2b:e3:de:
        e3:79:07:28:3b:8b:68:54:9c:07:d6:4f:17:cd:69:7a:ca:8f:
        e4:49:0d:55:55:71:cb:3a:a5:8f:aa:59:05:f0:aa:00:51:06:
        89:11:f2:64:8b:2f:4e:b8:93:55:e2:1d:c4:aa:fe:e2:25:84:
        91:8f:7c:6a:9c:89:2d:f9:ad:76:fb:9b:d0:08:74:54:d0:26:
        0f:08:02:1a:34:c9:f3:a8:8e:cb:f6:89:74:ba:7c:1d:4e:3d:
        cd:56:2b:bc:20:4b:35:3d:85:87:f7:f8:62:89:c0:0f:ef:5e:
        1e:e3:9a:b4:8c:97:3e:04:26:13:b5:76:c8:4f:b4:f4:6d:fe:
        0e:dc:3c:11:04:70:0e:d9:0f:a3:72:53:a1:be:74:d2:27:e7:
        ea:f4:04:be:0c:82:7a:db:d2:88:96:bf:27:ad:c7:d4:b3:e3:
        0c:33:79:93:06:8f:1e:36:2d:2e:74:73:d7:b4:0d:bc:2c:b0:
        0a:cc:bb:8d:e4:9b:55:6e:8b:25:35:e9:b9:48:50:39:1d:f4:
        a3:be:f1:fb:e9:39:f4:aa:d6:b6:9d:c7:2f:1f:5c:76:5a:b5:
        91:80:b6:6c:26:da:b8:7b:db:c0:c9:0d:85:e7:f5:fd:aa:5f:
        91:1d:ee:da:ea:a7:e2:0e:93:fb:4e:1d:4b:15:d3:e0:6e:f9:
        b3:0c:ed:25:38:52:d3:17:76:35:18:49:04:ad:01:fc:12:95:
        b2:73:88:f8:ed:60:c6:a4:70:ba:ae:1d:d4:c5:75:91:9a:49:
        7d:d8:67:0e:21:7f:da:75:f2:0c:9a:67:c8:6e:03:6f:f6:b4:
        63:9a:7e:05:c2:44:d9:dc:a8:ef:92:a0:07:52:cd:c3:91:ab:
        8f:3b:3f:47:93:a6:d0:52:6d:b5:34:7f:2f:e9:64:d9:79:20:
        ef:f3:b4:c6:48:f7:ba:ac:59:5e:4b:5e:bc:ed:70:8b:80:9c:
        63:fe:3d:43:b0:26:36:a0:a0:b3:06:2d:08:66:f0:1d:6b:3a:
        52:0b:79:7d:3c:10:d3:ae:b7:4b:ed:1d:e4:14:db:6d:da:1b:
        0b:df:a3:31:db:2c:17:7c:ca:d3:71:f1:54:4f:08:d0:39:1d:
        99:ab:c6:14:32:4e:aa:b1:a6:15:f4:53:11:37:8a:89:56:8c:
        2e:ab:20:fd:31:ee:0b:58:e5:c9:ce:74:28:2e:3f:14:db:46:
        f1:de:bb:4b:16:66:57:ec:35:9e:1e:34:ce:ef:96:de:0d:3d:
        1a:a7:22:e6:65:5a:09:c1:60:a4:24:85:ff:84:6c:84:17:65:
        8d:15:00:db:af:59:e1:31

This certificate has no X.509v3 extensions. I don't know if I've ever seen that before. At a minimum I'd expect to see the CA:TRUE in basic constraints to indicate this self-signed certificate is a CA certificate. Also, a missing Subject Key Identifier means the chain to the CA can only be formed by looking at the Subject CN, which isn't robust. How did you generate this certificate?

[dbnicholson]

• Build is reproducible (sha256sum):
  • shimaa64.efi - 16e1cf3e03d7007b306e730fdc994c1931bba1bfaf3d270ae6b76597bfd6836e
  • shimia32.efi - 6d2af602bbfd8bba63d98aec5449ec87f45d9be9654ec8b835a0a8cddda0916c
  • shimx64.efi - 846799f52f2f310e1969d2a3d421c5d71ca44288530cd5c29f1dee4bfd27a347
• Revoked certs in dbx - None, first submission
• Embedded cert is CAish:
  • Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
  • Valid until: Aug 27 09:08:07 2034 GMT (10 years)
  • 4096 bit RSA key
  • Key in HSM
• NX bit disabled - DllCharacteristics 00000000
• SBAT sections look reasonable (although the grub vendor label is inconsistent):

  shim (x86_64/aarch64)
  sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
  shim.tencentos,1,TencentOS Linux 3,shim,15.8,[email protected]
  
  grub2 (x86_64/aarch64)
  sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
  grub.rh,2,Red Hat,grub2,2.02-156.tl3.1,mailto:[email protected]
  grub.tencentos3,1,TencentOS Linux 3,grub2,2.02,mail:[email protected]
  
  fwupd (x86_64/aarch64)
  sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  fwupd-efi,1,Firmware update daemon,fwupd-efi,1.3,https://github.com/fwupd/fwupd-efi
  fwupd-efi.rhel,1,Red Hat Enterprise Linux,fwupd,1.7.8,mail:[email protected]
  fwupd-efi.tencentos,1,TencentOS Linux 3,fwupd,1.7.8,mail:[email protected]
  

• Build uses official shim tarball with no patches.

Issues/questions:

• See above CA certificate questions about lack of X.509v3 extensions.

[costinchen]

hi, @dbnicholson thanks for your review! and we have made some adjustments for your suggestions.

• switched the latest commit from a branch to a tag.
• rebuilt GRUB2 so that the vendor name in its sbat matches shim and fwupd.
• updated our CA certificate and rebuilt all shim binaries, fixing the missing X.509v3 field in the certificate.

Since we updated our efi files, could you please help us refresh you review? Thanks a lot!

[steve-mcintyre]

All contacts verified successfully

[dbnicholson]

CA certificate looks more like what I'd expect now:

$ openssl x509 -noout -text -inform der -in tencentsecurebootca.der 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:91:b3:b7:fa:a2:ac:2b:c7:e7:2e:fb:a2:70:b4:14:24:5c:83:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Validity
            Not Before: Sep 12 09:01:59 2024 GMT
            Not After : Sep 10 09:01:59 2034 GMT
        Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:dc:a2:3b:f9:cf:85:bd:99:de:cc:36:5c:d3:
                    52:d2:a9:1c:9a:3b:83:8b:eb:11:f5:67:cb:67:ea:
                    13:49:7e:90:ab:36:f1:f7:17:5c:77:f6:d8:42:f1:
                    ed:d8:63:b8:a9:15:ba:a4:0e:cd:94:c9:02:15:61:
                    4b:95:c5:60:b5:fc:4c:0b:d1:8d:f0:1d:8f:0b:9f:
                    b9:13:76:dd:80:ea:68:d2:d1:69:d6:70:f3:ad:6e:
                    9f:e4:65:70:04:01:0e:ce:24:83:c3:18:e5:d3:0e:
                    d4:0a:40:cd:7f:5d:19:c0:bc:1d:d3:d1:4e:3c:06:
                    4a:ba:a0:a9:55:ed:c4:39:99:33:85:b6:9e:72:b0:
                    41:10:bb:4a:70:5c:64:c2:08:9f:7a:13:cc:24:02:
                    11:76:13:21:8c:e1:a9:02:f5:c7:b1:56:c9:da:2b:
                    a1:9d:94:de:53:17:09:64:3d:9a:b9:c7:f5:da:5c:
                    4f:24:b6:e4:86:81:7b:1f:c8:70:d8:44:10:be:80:
                    1e:8b:48:5c:4d:07:aa:39:28:84:21:d4:c5:c2:83:
                    cc:58:fb:af:e1:8c:66:c6:61:ed:d8:97:31:9d:5f:
                    9c:7a:1e:7e:2a:26:51:eb:0e:66:7e:d8:f3:6b:46:
                    b3:f9:c7:9e:d2:83:35:e6:49:8c:da:97:5b:36:b6:
                    f3:5e:73:03:75:ac:92:b4:7e:97:d2:e1:94:6d:bc:
                    e1:cf:9a:bc:77:95:c8:7a:76:3f:61:1a:a3:65:bd:
                    2e:3a:8e:87:b3:94:81:83:79:4b:51:c4:7b:ea:c5:
                    71:30:5e:3e:5c:77:c1:e2:74:48:d0:d0:8e:26:0f:
                    b6:31:0f:93:f4:74:b0:d1:de:7e:64:2c:06:79:ed:
                    81:67:dd:ab:82:c6:1f:91:ae:80:7c:71:43:f6:b6:
                    7f:eb:91:05:a8:10:75:1d:c3:0c:d0:e0:f5:bd:60:
                    60:db:ad:4c:56:5e:cb:8d:02:7d:19:ad:75:0a:34:
                    15:39:b4:00:e4:35:64:fe:73:a2:4b:de:96:a7:14:
                    08:4c:03:d6:0b:89:ee:c7:96:42:b5:44:d7:02:c0:
                    18:69:cf:34:7b:75:e2:9a:13:22:8e:65:29:b2:36:
                    6c:a6:7d:81:51:96:2e:d4:b8:30:78:76:ae:2d:7e:
                    c6:90:f3:8e:8c:33:b9:b8:ec:e8:a9:c3:01:44:52:
                    75:1e:b7:f9:41:d9:68:67:8e:e6:06:8d:9d:74:0d:
                    1e:b9:ae:c2:60:8c:08:fd:12:38:2a:f5:ad:1a:76:
                    6a:bf:88:53:90:0b:ff:f3:5a:ac:9d:78:d1:fc:da:
                    2f:3b:30:56:17:8c:cb:b9:2e:6f:d7:b2:7b:38:9f:
                    65:43:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Authority Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        12:7e:6f:f3:a1:71:92:05:87:04:dd:79:f9:d7:ec:11:3f:c6:
        e6:dc:91:f6:5f:49:70:c7:2f:9b:2f:44:fc:4e:56:5d:09:21:
        2d:2d:19:90:cd:1b:6c:b7:ba:2a:ad:b9:ce:e0:f1:85:67:94:
        c2:08:2b:48:57:4b:4d:62:85:59:9a:93:ce:59:0d:59:57:60:
        66:66:df:75:e9:63:d9:61:90:72:ad:21:e8:98:b5:5e:c6:18:
        b2:6c:bf:56:b6:e7:7b:d2:96:46:33:30:93:50:4f:a0:d7:bf:
        58:24:1c:8e:e6:bd:78:5a:85:d1:a6:0e:40:9a:3a:22:a0:e9:
        2c:b4:b6:53:a0:62:29:ac:8d:b1:c0:4b:13:c2:c2:61:ce:b9:
        53:75:c8:8b:83:49:d8:79:f0:f9:77:f7:7a:43:a0:9e:98:64:
        7b:50:36:8e:fb:ca:59:a1:87:51:f3:41:f7:d4:a8:bd:18:50:
        15:9d:82:b7:07:00:9d:dc:27:c2:aa:5f:d8:4a:f3:29:4d:2a:
        d8:0b:10:be:d6:28:6a:a1:de:e5:fc:f8:91:e1:5a:56:41:11:
        a9:67:5b:c6:c5:63:6c:cb:46:84:05:5a:56:72:32:30:6a:52:
        4c:d3:41:61:d2:2b:29:47:8b:4d:eb:49:fb:35:8e:28:41:38:
        24:72:9b:0f:a0:64:03:32:a7:aa:52:7f:ba:58:74:c0:fa:b5:
        6c:9f:78:f5:6b:b8:b4:24:ce:38:9d:31:b9:68:86:25:ad:a9:
        2d:c3:d2:c2:61:62:46:05:4b:07:e0:e0:e5:28:0b:80:30:1a:
        7e:c9:91:27:c1:9e:c9:d7:8b:5d:6d:72:5f:1a:4d:f9:34:07:
        db:c6:52:6d:1f:9f:19:f7:cb:75:90:2c:d0:21:99:bb:74:04:
        6c:08:28:f5:5c:29:48:22:17:5d:71:d9:c4:c4:72:8c:ad:b9:
        3c:cb:75:7d:37:7c:32:fa:bd:d4:e4:c9:5d:48:d2:9e:1c:ad:
        1d:f0:60:7b:90:cd:a1:53:c2:81:2f:b1:dd:72:7b:da:09:34:
        0e:96:21:e4:93:03:bd:66:e8:93:e0:8d:e5:1e:4a:5f:2a:b5:
        2d:d6:f0:eb:8a:0a:3c:0f:1b:55:e1:f8:a5:d5:ec:00:ab:7a:
        07:c0:4f:cc:05:50:7b:04:97:5b:ea:17:14:0c:63:52:64:30:
        47:79:16:f1:b6:f4:c8:5a:b2:54:58:03:35:57:32:6e:f9:b6:
        43:32:f6:d4:03:04:48:bc:62:61:23:dc:49:41:c7:9f:46:63:
        6b:71:2b:2a:b2:0d:9f:45:85:33:7b:4b:7c:95:94:08:80:c0:
        98:21:e3:9f:0b:38:f9:1e

That matches the certificate embedded in the shim .vendor_cert section.

[dbnicholson]

• Build is reproducible (sha256sum):
  • shimaa64.efi - ca145c15cd26430dda03c37fc2f079afb7c78b0cd3a15afa55b8e73266d4500b
  • shimia32.efi - fab52ed62f16cef5a0b02b3ae985bc5b09f261482417cefed3e84a837c8e9831
  • shimx64.efi - a5e93e8908195fb79a4c781408193cb7e9128d44e165ae061f07cb66806835d1
• Revoked certs in dbx - None, first submission
• Embedded cert is CA cert:
  • Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
  • Valid until: Aug 27 09:08:07 2034 GMT (10 years)
  • 4096 bit RSA key
  • Key in HSM
• NX bit disabled - DllCharacteristics 00000000
• SBAT sections look reasonable:

  shim (x86_64/aarch64)
  sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
  shim.tencentos,1,TencentOS Linux 3,shim,15.8,[email protected]
  
  grub2 (x86_64/aarch64)
  sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
  grub.rh,2,Red Hat,grub2,2.02-156.tl3.1,mailto:[email protected]
  grub.tencentos,1,TencentOS Linux 3,grub2,2.02,mail:[email protected]
  
  fwupd (x86_64/aarch64)
  sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  fwupd-efi,1,Firmware update daemon,fwupd-efi,1.3,https://github.com/fwupd/fwupd-efi
  fwupd-efi.rhel,1,Red Hat Enterprise Linux,fwupd,1.7.8,mail:[email protected]
  fwupd-efi.tencentos,1,TencentOS Linux 3,fwupd,1.7.8,mail:[email protected]
  

• Build uses official shim tarball with no patches.

This all looks good from my perspective 👍

[evilteq]

Had to change the docker to amd64 from x64, I don't understand why. Ironically enough, qemu handled the arm one without asking.

I was able to reproduce all three efis.
SBAT and certs inside matches.
Pretty clean, no patches, pure upstream, tarball matches in both srpms.

All good for me!