Shim 15.8 for ZeeOS (x86_64)

[zeetim]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/zeetim/shim-review/tree/zeetim-shim-x64-20240906

---

What is the SHA256 hash of your final SHIM binary?

---

26cb646f44e7592bfce836206f2dc81f9aa80b7cdcbd1b440e5b2e49e4962a6f shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

N/A. This is our first application

---

If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?

---

N/A. This is our first application

[steve-mcintyre]

Contact verification emails sent

[Kal42]

Hi,

Verification for [email protected] :

eunuchs drowned milkier awkwardness dilute coiffuring deserve similarities lingoes trotters

[zeetim]

Hello,
Contact verification for [email protected]:
mulishness Ewing furnish calamity emblems remounts infinitesimals Swansea fusing protrusion

[evilteq]

Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ?

[zeetim]

Just to clarify: "We use an ephemeral key to sign kernel modules" or "Kernel modules are signed using the same vendor keypair used inside shim image." ?

We are using a different keypair to sign kernel modules. Vendor keypair included in shim image is only used to sign mokmanager (mmx64.efi), fallback (fbx64.efi), grub (grubx64.efi) and kernel image (bzImage).

[evilteq]

And that key is unique for each release (ephemeral) or is it fixed?

[zeetim]

And that key is unique for each release (ephemeral) or is it fixed?

The key is unique for each release

[evilteq]

Shim is pretty much by the book, only one patch to make it NX and non-NX (only the the NX is used).
Reproduced it with the same sha256.

Certificate inside is valid for 30 years, 4K, key inside a yubike, these details:
Subject: C = FR, ST = Ile-de-France, L = Vitry-Sur-Seine, O = ZEETIM SAS, OU = ZEETIM SAS CERTIFICATE AUTHORITY, CN = ZEETIM SAS ROOT CA

Grub has many patches, but all known. (I found them exactly in the ubuntu sources).

I guess there is a mistake in the grub .sbat as it says 2.06 version, then states to be 2.12. I guess its just forgotten to add the new one for this review?

Looks good to me!

[zeetim]

I guess there is a mistake in the grub .sbat as it says 2.06 version, then states to be 2.12. I guess its just forgotten to add the new one for this review?

Thank you for your review! We have fixed the grub sbat mismatch in our repository.