ChromeOS (reven board)
ChromeOS is a Linux distribution. We want to enable (and encourage) our user base to boot ChromeOS (reven) with secure boot enabled.
Reusing another distro's shim would require reusing their grub and kernel as well. We need to build our own kernel, so this would not work.
(Key should be signed by the other security contacts, pushed to a keyserver like keyserver.ubuntu.com, and preferably have signatures that are reasonably well known in the Linux community.)
Please create your shim binaries starting with the 15.7 shim release tar file: https://github.com/rhboot/shim/releases/download/15.7/shim-15.7.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.7 and contains the appropriate gnu-efi source.
We confirm that our shim binaries are built from the referenced tarball.
https://github.com/rhboot/shim/tree/15.7
No patches are applied.
Upstream GRUB2 2.06 with shim_lock verifier. This verifier is included as long as --disable-shim-lock wasn't passed to grub-mkimage (and we do not set that flag). The verifier is enabled automatically when UEFI Secure Boot is enabled. Reference: https://www.gnu.org/software/grub/manual/grub/html_node/UEFI-secure-boot-and-shim.html
CVE-2020-14372
CVE-2020-25632
CVE-2020-25647
CVE-2020-27749
CVE-2020-27779
CVE-2021-20225
CVE-2021-20233
CVE-2020-10713
CVE-2020-14308
CVE-2020-14309
CVE-2020-14310
CVE-2020-14311
CVE-2020-15705
CVE-2021-3418 (if you are shipping the shim_lock module)
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734
CVE-2022-28735
CVE-2022-28736
CVE-2022-28737
CVE-2022-2601
CVE-2022-3775
Yes.
Yes.
Pre-SBAT shim builds have been sent to Microsoft for revocation. Our current cert has not been used to sign anything pre-SBAT.
Yes, all three commits are in the chromeos-5.10 branch our kernel is built from: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/heads/chromeos-5.10
Our kernel is built from the chromeos-5.10 branch: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/heads/chromeos-5.10
This is the same kernel branch as all other ChromeOS devices that are on the 5.10 kernel. The chromeos-5.10 branch frequently merges the latest changes from the 5.10 stable kernel. There are a significant number of backports and ChromeOS-specific patches, too many to list here. ChromeOS-specific patches can be identified by the CHROMIUM: prefix in the commit message.
We do not use this functionality.
N/A: we already switched to a new certificate for our Shim 15.4 submission: https://github.com/rhboot/shim-review/issues/204
The Dockerfile in this repository will reproduce our shim build. As a convenience, make build-no-cache will do a clean build.
This should include logs for creating the buildroots, applying patches, doing the build, creating the archives, etc.
5130b19ee82dd6ddd2fd41eeb7114c4fd517e5320bd5fdf19ac8f6fd185a99c8 shimia32.efi
81852d2dc5fd212d41cf807da9ee75bef75f1d50abf15b40698804921b5f0dd2 shimx64.efi
The keys used in this shim are generated and stored in an HSM. They are then encrypted for export to a signing fleet for usage in build signing by our CI pipeline, where they remain encrypted at rest. Only 4 trusted individuals in the org have access to the signing fleet machines, enforced by ACL and 2FA.
No.
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.chromeos,2,ChromeOS,shim,15.7,https://chromium.googlesource.com/chromiumos/shim-review

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.chromeos,2,ChromeOS,grub2,2.06,https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/sys-boot/grub/grub-2.06.ebuild
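The two SBAT records above are the data a reviewer actually checks: six comma-separated fields per line, a leading sbat header record, and an integer generation number per component that a revocation policy compares against. The following is an added example (not code from the ChromeOS submission or from the shim project) that parses the submission's shim and GRUB SBAT text, validates the record shape, and applies a constructed revocation policy of the kind carried in the SbatLevel variable, refusing a component whose generation is below the policy's minimum. The policy values and the helper names are assumptions for illustration.

```python
"""Parse and sanity-check UEFI SBAT CSV data (added example, not from the page).

The SBAT strings are copied from the ChromeOS shim-review submission. The
structural rules (six fields per record, 'sbat' header first, integer
generation) follow https://github.com/rhboot/shim/blob/main/SBAT.md.
"""
from __future__ import annotations

from dataclasses import dataclass

# SBAT section contents as listed in the submission for shimx64.efi/shimia32.efi.
SHIM_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.chromeos,2,ChromeOS,shim,15.7,https://chromium.googlesource.com/chromiumos/shim-review
"""

# SBAT section contents as listed in the submission for the GRUB2 image.
GRUB_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.chromeos,2,ChromeOS,grub2,2.06,https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/sys-boot/grub/grub-2.06.ebuild
"""


@dataclass(frozen=True)
class SbatEntry:
    component_name: str
    component_generation: int
    vendor_name: str
    vendor_package_name: str
    vendor_version: str
    vendor_url: str


def parse_sbat(text: str) -> list[SbatEntry]:
    """Split SBAT CSV into records, rejecting malformed lines early."""
    entries: list[SbatEntry] = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}: {line!r}")
        name, gen, vendor, pkg, ver, url = fields
        if not gen.isdigit():
            raise ValueError(f"line {lineno}: generation {gen!r} is not an integer")
        entries.append(SbatEntry(name, int(gen), vendor, pkg, ver, url))
    # The first record must be the format-version header named 'sbat'.
    if not entries or entries[0].component_name != "sbat":
        raise ValueError("first record must be the 'sbat' format-version header")
    return entries


def is_valid_sbat(text: str) -> bool:
    """True when the text parses cleanly, False on any structural defect."""
    try:
        parse_sbat(text)
    except ValueError:
        return False
    return True


def check_revocation(entries: list[SbatEntry], policy: dict[str, int]) -> list[str]:
    """Return component names the policy would revoke.

    `policy` maps component_name -> minimum allowed generation (the shape of a
    SbatLevel-style revocation list; constructed here, not taken from firmware).
    A component is revoked when it appears in the policy with a generation lower
    than the policy minimum. Components absent from the policy are unaffected.
    """
    revoked = []
    for entry in entries:
        minimum = policy.get(entry.component_name)
        if minimum is not None and entry.component_generation < minimum:
            revoked.append(entry.component_name)
    return revoked


if __name__ == "__main__":
    for label, text in (("shim", SHIM_SBAT), ("grub", GRUB_SBAT)):
        for e in parse_sbat(text):
            print(f"{label}: {e.component_name} gen={e.component_generation} ver={e.vendor_version}")
    # Hypothetical policy: shim must be generation >= 2, grub generation >= 3.
    print("revoked:", check_revocation(parse_sbat(GRUB_SBAT), {"shim": 2, "grub": 3}))
```

Running the script prints the parsed components and an empty revocation list for the constructed policy; raising the grub minimum to 4 would list grub as revoked, which is exactly the mechanism the submission relies on when it says pre-SBAT builds were sent for revocation rather than the signing certificate being changed.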
Grub 2.06
Grub patches are the same as our previous submission, except for adding the 2022-11-15 CVE patches.
0001-Forward-port-ChromeOS-specific-GRUB-environment-vari.patch and 0002-Forward-port-gptpriority-command-to-GRUB-2.00.patch for picking the A or B boot slot.
0003-Add-configure-option-to-reduce-visual-clutter-at-boo.patch from a Debian patch to make boot quieter.
N/A
N/A
Our shim will only launch our signed GRUB2, which has built-in secure-boot support. GRUB2 will only launch our signed kernel, which is configured to enable lockdown.
No
Our kernel is based on 5.10 and enforces lockdown. Source repo: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/heads/chromeos-5.10
N/A