
TencentOS Linux 3 shim-15.8 x64, ia32 and aarch64 #440

Open
8 tasks done
costinchen opened this issue Sep 6, 2024 · 19 comments
Labels
1 review needed Needs 1 (additional) successful review before being accepted Accredited review needed Needs a successful review by an accredited reviewer contacts verified OK Contact verification is complete here (or in an earlier submission) new vendor This is a new vendor

Comments

@costinchen

costinchen commented Sep 6, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20240912
https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20241028
(only updated our contributions)
https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20241205
(only updated sbat and release info of grub2)
https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20241210
(added SRPM of grub2)


What is the SHA256 hash of your final SHIM binary?


ca145c15cd26430dda03c37fc2f079afb7c78b0cd3a15afa55b8e73266d4500b  shimaa64.efi
fab52ed62f16cef5a0b02b3ae985bc5b09f261482417cefed3e84a837c8e9831  shimia32.efi
a5e93e8908195fb79a4c781408193cb7e9128d44e165ae061f07cb66806835d1  shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?


N/A, this is our first application.


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


N/A, this is our first application.

@steve-mcintyre steve-mcintyre added the contact verification pending Contact verification emails have been sent, waiting on response label Sep 8, 2024
@steve-mcintyre
Collaborator

Contact verification mails sent

@steve-mcintyre steve-mcintyre added the new vendor This is a new vendor label Sep 8, 2024
@costinchen
Author

Contact verification mails sent

I got: secures spunkier vasectomies indecipherable uprisings shipboard Nescafe foxtrotting flawed defrays

@PrinterFranklin

I got: unhurt recant proxies impeaching uniformed credence kickier Yemenis crates generate

@dbnicholson

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20240906

This is intended to be a tag rather than a branch.

@dbnicholson

For your CA certificate:

$ openssl x509 -inform DER -in tencentsecurebootca.der -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            57:45:90:d5:87:dd:bb:fe:86:a2:78:e4:f5:d5:22:3a:e5:bf:f2:40
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Validity
            Not Before: Aug 29 09:08:07 2024 GMT
            Not After : Aug 27 09:08:07 2034 GMT
        Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d0:86:82:72:67:2d:43:07:b3:e1:c7:38:07:8f:
                    dd:30:3c:ef:62:1f:cf:c8:e0:f6:78:02:83:40:1c:
                    51:ee:1f:2b:93:29:97:f4:ee:ba:68:18:40:db:55:
                    ff:e7:76:ff:8e:df:77:96:e0:73:67:8e:a9:7a:85:
                    a7:31:7d:8b:c0:86:6a:c8:e8:7d:0c:01:e3:cb:94:
                    dd:ff:42:c8:5b:49:66:3e:87:e4:4b:39:90:48:1a:
                    aa:b7:0b:1e:b2:5a:dd:2c:98:e6:de:7d:f5:16:1e:
                    68:9e:f1:1e:fa:e5:5a:ab:2b:ab:d3:01:19:ef:a1:
                    7b:06:4c:46:82:b8:1f:28:39:7d:6c:16:3f:0d:e7:
                    53:a6:a9:17:13:9a:cb:41:74:6a:20:0a:dd:0c:aa:
                    c9:18:4c:b0:dc:41:42:d2:87:75:5f:a4:b1:26:f5:
                    df:57:ba:fd:54:4f:cd:79:05:f1:3c:03:51:8b:fa:
                    e6:16:08:34:c9:f2:d8:90:86:db:9b:0e:29:81:ae:
                    18:1d:fb:1a:d9:bf:f5:a2:04:b1:ea:15:f0:dd:1b:
                    ab:44:65:d7:bd:27:63:07:e2:b6:e1:ff:eb:38:04:
                    7d:54:4b:ea:10:dc:3f:17:42:59:26:81:b2:06:c0:
                    9f:1f:d0:5d:8c:8a:cc:29:f4:e8:be:20:f5:5c:45:
                    81:a8:65:ac:32:53:23:0b:1f:24:fd:c7:b4:39:7e:
                    56:9b:06:6f:06:01:5d:9d:5a:6c:a6:e2:0b:c6:bc:
                    6e:24:ec:1f:96:cc:bc:69:36:ae:a7:52:11:ac:05:
                    d5:8d:93:0a:d1:d5:ad:0f:92:e5:69:c3:48:56:1a:
                    ca:82:f9:f6:a9:8b:b7:39:9c:46:e2:02:82:19:c7:
                    70:5d:52:22:30:e9:c8:68:74:25:b0:4c:73:9c:da:
                    e9:86:a9:63:fb:82:33:47:16:2d:7d:3c:33:28:7d:
                    0c:33:bd:c4:a3:19:fb:2a:88:7b:e5:32:d5:50:a4:
                    44:58:c6:81:8d:1b:21:3a:fc:22:92:ad:32:db:57:
                    ae:a2:a9:a3:1b:a0:62:ce:e7:cb:1b:35:35:b0:53:
                    01:fa:bd:a9:fc:61:a3:31:7f:4f:b1:d4:61:c6:c0:
                    70:e4:cd:14:cb:57:ca:08:2e:be:f7:42:6c:02:0a:
                    98:77:58:c8:85:bd:e6:5b:86:92:6d:91:8e:a6:07:
                    93:cd:77:a0:5a:d6:4c:ed:19:46:b0:87:38:11:05:
                    b8:60:d9:68:7c:35:85:1e:c5:7e:40:b1:a3:20:7e:
                    c8:0e:c1:eb:01:12:10:2f:c0:f3:4a:f4:b7:b6:7e:
                    69:ce:95:03:92:17:fc:80:e9:fd:f0:7b:25:cc:41:
                    62:c0:e5
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3d:e2:a5:32:26:97:5d:4e:7f:37:2a:e2:77:65:e1:2b:e3:de:
        e3:79:07:28:3b:8b:68:54:9c:07:d6:4f:17:cd:69:7a:ca:8f:
        e4:49:0d:55:55:71:cb:3a:a5:8f:aa:59:05:f0:aa:00:51:06:
        89:11:f2:64:8b:2f:4e:b8:93:55:e2:1d:c4:aa:fe:e2:25:84:
        91:8f:7c:6a:9c:89:2d:f9:ad:76:fb:9b:d0:08:74:54:d0:26:
        0f:08:02:1a:34:c9:f3:a8:8e:cb:f6:89:74:ba:7c:1d:4e:3d:
        cd:56:2b:bc:20:4b:35:3d:85:87:f7:f8:62:89:c0:0f:ef:5e:
        1e:e3:9a:b4:8c:97:3e:04:26:13:b5:76:c8:4f:b4:f4:6d:fe:
        0e:dc:3c:11:04:70:0e:d9:0f:a3:72:53:a1:be:74:d2:27:e7:
        ea:f4:04:be:0c:82:7a:db:d2:88:96:bf:27:ad:c7:d4:b3:e3:
        0c:33:79:93:06:8f:1e:36:2d:2e:74:73:d7:b4:0d:bc:2c:b0:
        0a:cc:bb:8d:e4:9b:55:6e:8b:25:35:e9:b9:48:50:39:1d:f4:
        a3:be:f1:fb:e9:39:f4:aa:d6:b6:9d:c7:2f:1f:5c:76:5a:b5:
        91:80:b6:6c:26:da:b8:7b:db:c0:c9:0d:85:e7:f5:fd:aa:5f:
        91:1d:ee:da:ea:a7:e2:0e:93:fb:4e:1d:4b:15:d3:e0:6e:f9:
        b3:0c:ed:25:38:52:d3:17:76:35:18:49:04:ad:01:fc:12:95:
        b2:73:88:f8:ed:60:c6:a4:70:ba:ae:1d:d4:c5:75:91:9a:49:
        7d:d8:67:0e:21:7f:da:75:f2:0c:9a:67:c8:6e:03:6f:f6:b4:
        63:9a:7e:05:c2:44:d9:dc:a8:ef:92:a0:07:52:cd:c3:91:ab:
        8f:3b:3f:47:93:a6:d0:52:6d:b5:34:7f:2f:e9:64:d9:79:20:
        ef:f3:b4:c6:48:f7:ba:ac:59:5e:4b:5e:bc:ed:70:8b:80:9c:
        63:fe:3d:43:b0:26:36:a0:a0:b3:06:2d:08:66:f0:1d:6b:3a:
        52:0b:79:7d:3c:10:d3:ae:b7:4b:ed:1d:e4:14:db:6d:da:1b:
        0b:df:a3:31:db:2c:17:7c:ca:d3:71:f1:54:4f:08:d0:39:1d:
        99:ab:c6:14:32:4e:aa:b1:a6:15:f4:53:11:37:8a:89:56:8c:
        2e:ab:20:fd:31:ee:0b:58:e5:c9:ce:74:28:2e:3f:14:db:46:
        f1:de:bb:4b:16:66:57:ec:35:9e:1e:34:ce:ef:96:de:0d:3d:
        1a:a7:22:e6:65:5a:09:c1:60:a4:24:85:ff:84:6c:84:17:65:
        8d:15:00:db:af:59:e1:31

This certificate has no X.509v3 extensions. I don't know if I've ever seen that before. At a minimum I'd expect to see the CA:TRUE in basic constraints to indicate this self-signed certificate is a CA certificate. Also, a missing Subject Key Identifier means the chain to the CA can only be formed by looking at the Subject CN, which isn't robust. How did you generate this certificate?
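The two properties asked for above (a v3 certificate with a critical basicConstraints CA:TRUE and a Subject Key Identifier) can be checked mechanically before a vendor certificate is embedded in shim. The script below is an added example in Python, not shim-review tooling and not Tencent's or dbnicholson's code; it uses only the standard library, walking the DER structure directly instead of depending on an X.509 library. `build_skeleton` produces a constructed, unsigned certificate skeleton purely so the checker can be exercised offline; the script name and the `Example CA` subject are assumptions. Run it against a real file with `python check_ca.py tencentsecurebootca.der`.

```python
"""Check that a DER X.509 certificate carries what a CA certificate embedded in
shim should have: version 3, subjectKeyIdentifier, and a critical basicConstraints
with CA:TRUE. Standard library only; the DER walker covers the tags X.509 uses."""
import sys

# Extension OIDs in DER form (2.5.29.x encodes as 55 1d xx).
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19
OID_SUBJECT_KEY_ID = bytes.fromhex("551d0e")      # 2.5.29.14


def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos]: returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        out.append((tag, inner))
    return out


def parse_certificate(der):
    """Return (version, {oid_bytes: (critical, extnValue)}) for a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)                    # tbsCertificate
    fields = _children(tbs)
    version = 1                                       # v1 when [0] EXPLICIT version is absent
    if fields and fields[0][0] == 0xA0:
        version = int.from_bytes(_children(fields[0][1])[0][1], "big") + 1
    extensions = {}
    for tag, content in fields:
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            for _, ext in _children(_children(content)[0][1]):
                parts = _children(ext)                # OID, optional BOOLEAN critical, OCTET STRING
                critical = parts[1][0] == 0x01 and parts[1][1] != b"\x00"
                extensions[bytes(parts[0][1])] = (critical, parts[-1][1])
    return version, extensions


def check_ca_cert(der):
    """Return a list of findings; an empty list means the cert looks like a CA."""
    version, exts = parse_certificate(der)
    findings = []
    if version != 3:
        findings.append(f"certificate is v{version}, not v3, so it cannot carry extensions")
    if OID_BASIC_CONSTRAINTS not in exts:
        findings.append("basicConstraints extension missing (no CA:TRUE)")
    else:
        critical, value = exts[OID_BASIC_CONSTRAINTS]
        inner = _children(_read_tlv(value, 0)[1])     # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
        if not (inner and inner[0][0] == 0x01 and inner[0][1] == b"\xff"):
            findings.append("basicConstraints present but cA is not TRUE")
        if not critical:
            findings.append("basicConstraints is not marked critical")
    if OID_SUBJECT_KEY_ID not in exts:
        findings.append("subjectKeyIdentifier missing; chain building falls back to name matching")
    return findings


# Minimal DER builder, used only to construct sample input for the checker.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _extension(oid, critical, value):
    body = _der(0x06, oid) + (_der(0x01, b"\xff") if critical else b"")
    return _der(0x30, body + _der(0x04, value))


def build_skeleton(with_ca_extensions):
    """Constructed, unsigned certificate skeleton: v1 without extensions, or v3
    with the extensions the review asked for. Not a usable certificate."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Example CA"))))
    validity = _der(0x30, _der(0x17, b"240912090159Z") + _der(0x17, b"340910090159Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x30\x00"))             # placeholder key
    tbs = _der(0x02, b"\x01") + alg + name + validity + name + spki
    if with_ca_extensions:
        exts = _extension(OID_SUBJECT_KEY_ID, False, _der(0x04, bytes(range(20))))
        exts += _extension(OID_BASIC_CONSTRAINTS, True, _der(0x30, _der(0x01, b"\xff")))
        tbs = _der(0xA0, _der(0x02, b"\x02")) + tbs + _der(0xA3, _der(0x30, exts))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_skeleton(False)
    for finding in check_ca_cert(der) or ["looks like a CA certificate"]:
        print(finding)
```

On a v1 certificate like the first one posted above, the checker reports the missing version, basicConstraints and subjectKeyIdentifier; on a v3 certificate with the extensions shown later in the thread it reports nothing. The walker deliberately trusts the outer DER lengths only after bounds-checking them, since a reviewer may be handed an arbitrary file.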

@dbnicholson

  • Build is reproducible (sha256sum):
    • shimaa64.efi - 16e1cf3e03d7007b306e730fdc994c1931bba1bfaf3d270ae6b76597bfd6836e
    • shimia32.efi - 6d2af602bbfd8bba63d98aec5449ec87f45d9be9654ec8b835a0a8cddda0916c
    • shimx64.efi - 846799f52f2f310e1969d2a3d421c5d71ca44288530cd5c29f1dee4bfd27a347
  • Revoked certs in dbx - None, first submission
  • Embedded cert is CAish:
    • Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
    • Valid until: Aug 27 09:08:07 2034 GMT (10 years)
    • 4096 bit RSA key
    • Key in HSM
  • NX bit disabled - DllCharacteristics 00000000
  • SBAT sections look reasonable (although the grub vendor label is inconsistent):
    shim (x86_64/aarch64)
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
    shim.tencentos,1,TencentOS Linux 3,shim,15.8,[email protected]
    
    grub2 (x86_64/aarch64)
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
    grub.rh,2,Red Hat,grub2,2.02-156.tl3.1,mailto:[email protected]
    grub.tencentos3,1,TencentOS Linux 3,grub2,2.02,mail:[email protected]
    
    fwupd (x86_64/aarch64)
    sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    fwupd-efi,1,Firmware update daemon,fwupd-efi,1.3,https://github.com/fwupd/fwupd-efi
    fwupd-efi.rhel,1,Red Hat Enterprise Linux,fwupd,1.7.8,mail:[email protected]
    fwupd-efi.tencentos,1,TencentOS Linux 3,fwupd,1.7.8,mail:[email protected]
    
  • Build uses official shim tarball with no patches.

Issues/questions:

  • See above CA certificate questions about lack of X.509v3 extensions.

@costinchen
Author

costinchen commented Sep 12, 2024

Hi @dbnicholson, thanks for your review! We have made some adjustments based on your suggestions.

  • switched the latest commit from a branch to a tag.
  • rebuilt GRUB2 so that the vendor name in its sbat matches shim and fwupd.
  • updated our CA certificate and rebuilt all shim binaries, fixing the missing X.509v3 field in the certificate.

Since we updated our EFI files, could you please refresh your review? Thanks a lot!

@steve-mcintyre steve-mcintyre added contacts verified OK Contact verification is complete here (or in an earlier submission) and removed contact verification pending Contact verification emails have been sent, waiting on response labels Sep 14, 2024
@steve-mcintyre
Collaborator

All contacts verified successfully

@dbnicholson

CA certificate looks more like what I'd expect now:

$ openssl x509 -noout -text -inform der -in tencentsecurebootca.der 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:91:b3:b7:fa:a2:ac:2b:c7:e7:2e:fb:a2:70:b4:14:24:5c:83:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Validity
            Not Before: Sep 12 09:01:59 2024 GMT
            Not After : Sep 10 09:01:59 2034 GMT
        Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:dc:a2:3b:f9:cf:85:bd:99:de:cc:36:5c:d3:
                    52:d2:a9:1c:9a:3b:83:8b:eb:11:f5:67:cb:67:ea:
                    13:49:7e:90:ab:36:f1:f7:17:5c:77:f6:d8:42:f1:
                    ed:d8:63:b8:a9:15:ba:a4:0e:cd:94:c9:02:15:61:
                    4b:95:c5:60:b5:fc:4c:0b:d1:8d:f0:1d:8f:0b:9f:
                    b9:13:76:dd:80:ea:68:d2:d1:69:d6:70:f3:ad:6e:
                    9f:e4:65:70:04:01:0e:ce:24:83:c3:18:e5:d3:0e:
                    d4:0a:40:cd:7f:5d:19:c0:bc:1d:d3:d1:4e:3c:06:
                    4a:ba:a0:a9:55:ed:c4:39:99:33:85:b6:9e:72:b0:
                    41:10:bb:4a:70:5c:64:c2:08:9f:7a:13:cc:24:02:
                    11:76:13:21:8c:e1:a9:02:f5:c7:b1:56:c9:da:2b:
                    a1:9d:94:de:53:17:09:64:3d:9a:b9:c7:f5:da:5c:
                    4f:24:b6:e4:86:81:7b:1f:c8:70:d8:44:10:be:80:
                    1e:8b:48:5c:4d:07:aa:39:28:84:21:d4:c5:c2:83:
                    cc:58:fb:af:e1:8c:66:c6:61:ed:d8:97:31:9d:5f:
                    9c:7a:1e:7e:2a:26:51:eb:0e:66:7e:d8:f3:6b:46:
                    b3:f9:c7:9e:d2:83:35:e6:49:8c:da:97:5b:36:b6:
                    f3:5e:73:03:75:ac:92:b4:7e:97:d2:e1:94:6d:bc:
                    e1:cf:9a:bc:77:95:c8:7a:76:3f:61:1a:a3:65:bd:
                    2e:3a:8e:87:b3:94:81:83:79:4b:51:c4:7b:ea:c5:
                    71:30:5e:3e:5c:77:c1:e2:74:48:d0:d0:8e:26:0f:
                    b6:31:0f:93:f4:74:b0:d1:de:7e:64:2c:06:79:ed:
                    81:67:dd:ab:82:c6:1f:91:ae:80:7c:71:43:f6:b6:
                    7f:eb:91:05:a8:10:75:1d:c3:0c:d0:e0:f5:bd:60:
                    60:db:ad:4c:56:5e:cb:8d:02:7d:19:ad:75:0a:34:
                    15:39:b4:00:e4:35:64:fe:73:a2:4b:de:96:a7:14:
                    08:4c:03:d6:0b:89:ee:c7:96:42:b5:44:d7:02:c0:
                    18:69:cf:34:7b:75:e2:9a:13:22:8e:65:29:b2:36:
                    6c:a6:7d:81:51:96:2e:d4:b8:30:78:76:ae:2d:7e:
                    c6:90:f3:8e:8c:33:b9:b8:ec:e8:a9:c3:01:44:52:
                    75:1e:b7:f9:41:d9:68:67:8e:e6:06:8d:9d:74:0d:
                    1e:b9:ae:c2:60:8c:08:fd:12:38:2a:f5:ad:1a:76:
                    6a:bf:88:53:90:0b:ff:f3:5a:ac:9d:78:d1:fc:da:
                    2f:3b:30:56:17:8c:cb:b9:2e:6f:d7:b2:7b:38:9f:
                    65:43:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Authority Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        12:7e:6f:f3:a1:71:92:05:87:04:dd:79:f9:d7:ec:11:3f:c6:
        e6:dc:91:f6:5f:49:70:c7:2f:9b:2f:44:fc:4e:56:5d:09:21:
        2d:2d:19:90:cd:1b:6c:b7:ba:2a:ad:b9:ce:e0:f1:85:67:94:
        c2:08:2b:48:57:4b:4d:62:85:59:9a:93:ce:59:0d:59:57:60:
        66:66:df:75:e9:63:d9:61:90:72:ad:21:e8:98:b5:5e:c6:18:
        b2:6c:bf:56:b6:e7:7b:d2:96:46:33:30:93:50:4f:a0:d7:bf:
        58:24:1c:8e:e6:bd:78:5a:85:d1:a6:0e:40:9a:3a:22:a0:e9:
        2c:b4:b6:53:a0:62:29:ac:8d:b1:c0:4b:13:c2:c2:61:ce:b9:
        53:75:c8:8b:83:49:d8:79:f0:f9:77:f7:7a:43:a0:9e:98:64:
        7b:50:36:8e:fb:ca:59:a1:87:51:f3:41:f7:d4:a8:bd:18:50:
        15:9d:82:b7:07:00:9d:dc:27:c2:aa:5f:d8:4a:f3:29:4d:2a:
        d8:0b:10:be:d6:28:6a:a1:de:e5:fc:f8:91:e1:5a:56:41:11:
        a9:67:5b:c6:c5:63:6c:cb:46:84:05:5a:56:72:32:30:6a:52:
        4c:d3:41:61:d2:2b:29:47:8b:4d:eb:49:fb:35:8e:28:41:38:
        24:72:9b:0f:a0:64:03:32:a7:aa:52:7f:ba:58:74:c0:fa:b5:
        6c:9f:78:f5:6b:b8:b4:24:ce:38:9d:31:b9:68:86:25:ad:a9:
        2d:c3:d2:c2:61:62:46:05:4b:07:e0:e0:e5:28:0b:80:30:1a:
        7e:c9:91:27:c1:9e:c9:d7:8b:5d:6d:72:5f:1a:4d:f9:34:07:
        db:c6:52:6d:1f:9f:19:f7:cb:75:90:2c:d0:21:99:bb:74:04:
        6c:08:28:f5:5c:29:48:22:17:5d:71:d9:c4:c4:72:8c:ad:b9:
        3c:cb:75:7d:37:7c:32:fa:bd:d4:e4:c9:5d:48:d2:9e:1c:ad:
        1d:f0:60:7b:90:cd:a1:53:c2:81:2f:b1:dd:72:7b:da:09:34:
        0e:96:21:e4:93:03:bd:66:e8:93:e0:8d:e5:1e:4a:5f:2a:b5:
        2d:d6:f0:eb:8a:0a:3c:0f:1b:55:e1:f8:a5:d5:ec:00:ab:7a:
        07:c0:4f:cc:05:50:7b:04:97:5b:ea:17:14:0c:63:52:64:30:
        47:79:16:f1:b6:f4:c8:5a:b2:54:58:03:35:57:32:6e:f9:b6:
        43:32:f6:d4:03:04:48:bc:62:61:23:dc:49:41:c7:9f:46:63:
        6b:71:2b:2a:b2:0d:9f:45:85:33:7b:4b:7c:95:94:08:80:c0:
        98:21:e3:9f:0b:38:f9:1e

That matches the certificate embedded in the shim .vendor_cert section.

@dbnicholson

dbnicholson commented Sep 16, 2024

  • Build is reproducible (sha256sum):
    • shimaa64.efi - ca145c15cd26430dda03c37fc2f079afb7c78b0cd3a15afa55b8e73266d4500b
    • shimia32.efi - fab52ed62f16cef5a0b02b3ae985bc5b09f261482417cefed3e84a837c8e9831
    • shimx64.efi - a5e93e8908195fb79a4c781408193cb7e9128d44e165ae061f07cb66806835d1
  • Revoked certs in dbx - None, first submission
  • Embedded cert is CA cert:
    • Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
    • Valid until: Aug 27 09:08:07 2034 GMT (10 years)
    • 4096 bit RSA key
    • Key in HSM
  • NX bit disabled - DllCharacteristics 00000000
  • SBAT sections look reasonable:
    shim (x86_64/aarch64)
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
    shim.tencentos,1,TencentOS Linux 3,shim,15.8,[email protected]
    
    grub2 (x86_64/aarch64)
    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
    grub.rh,2,Red Hat,grub2,2.02-156.tl3.1,mailto:[email protected]
    grub.tencentos,1,TencentOS Linux 3,grub2,2.02,mail:[email protected]
    
    fwupd (x86_64/aarch64)
    sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    fwupd-efi,1,Firmware update daemon,fwupd-efi,1.3,https://github.com/fwupd/fwupd-efi
    fwupd-efi.rhel,1,Red Hat Enterprise Linux,fwupd,1.7.8,mail:[email protected]
    fwupd-efi.tencentos,1,TencentOS Linux 3,fwupd,1.7.8,mail:[email protected]
    
  • Build uses official shim tarball with no patches.

This all looks good from my perspective 👍

@evilteq

evilteq commented Sep 20, 2024

Had to change the docker to amd64 from x64, I don't understand why. Ironically enough, qemu handled the arm one without asking.

I was able to reproduce all three efis.
SBAT and certs inside matches.
Pretty clean, no patches, pure upstream, tarball matches in both srpms.

All good for me!

@costinchen
Author

@steve-mcintyre Hi, could you help review this? Thanks!

@realnickel

While I am not an official reviewer, looking at the latest tag:
https://github.com/costinchen/shim-review/tree/tencentos-3-shim-15.8-ia32-x86_64-aarch64-20241028 and paying attention to the discussion in #445 (same vendor, different distro branch), I can confirm that:

  • Security contacts verification for the new vendor was done successfully.

  • Security contacts keys are RSA4096 and RSA3072;

  • TencentOS is a GNU/Linux distribution and the shim signing procedure is reasonable for this submission.

  • In the src.rpm, the shim-15.8 tarball sha256sum matches upstream's:

a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9 ./shim-15.8.tar.bz2


ca145c15cd26430dda03c37fc2f079afb7c78b0cd3a15afa55b8e73266d4500b  shimaa64.efi
fab52ed62f16cef5a0b02b3ae985bc5b09f261482417cefed3e84a837c8e9831  shimia32.efi
a5e93e8908195fb79a4c781408193cb7e9128d44e165ae061f07cb66806835d1  shimx64.efi
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:91:b3:b7:fa:a2:ac:2b:c7:e7:2e:fb:a2:70:b4:14:24:5c:83:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Validity
            Not Before: Sep 12 09:01:59 2024 GMT
            Not After : Sep 10 09:01:59 2034 GMT
        Subject: C = CN, ST = Shanghai, O = Tencent, OU = TencentOS, CN = TencentOS Secure Boot CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:dc:a2:3b:f9:cf:85:bd:99:de:cc:36:5c:d3:
                    52:d2:a9:1c:9a:3b:83:8b:eb:11:f5:67:cb:67:ea:
                    13:49:7e:90:ab:36:f1:f7:17:5c:77:f6:d8:42:f1:
                    ed:d8:63:b8:a9:15:ba:a4:0e:cd:94:c9:02:15:61:
                    4b:95:c5:60:b5:fc:4c:0b:d1:8d:f0:1d:8f:0b:9f:
                    b9:13:76:dd:80:ea:68:d2:d1:69:d6:70:f3:ad:6e:
                    9f:e4:65:70:04:01:0e:ce:24:83:c3:18:e5:d3:0e:
                    d4:0a:40:cd:7f:5d:19:c0:bc:1d:d3:d1:4e:3c:06:
                    4a:ba:a0:a9:55:ed:c4:39:99:33:85:b6:9e:72:b0:
                    41:10:bb:4a:70:5c:64:c2:08:9f:7a:13:cc:24:02:
                    11:76:13:21:8c:e1:a9:02:f5:c7:b1:56:c9:da:2b:
                    a1:9d:94:de:53:17:09:64:3d:9a:b9:c7:f5:da:5c:
                    4f:24:b6:e4:86:81:7b:1f:c8:70:d8:44:10:be:80:
                    1e:8b:48:5c:4d:07:aa:39:28:84:21:d4:c5:c2:83:
                    cc:58:fb:af:e1:8c:66:c6:61:ed:d8:97:31:9d:5f:
                    9c:7a:1e:7e:2a:26:51:eb:0e:66:7e:d8:f3:6b:46:
                    b3:f9:c7:9e:d2:83:35:e6:49:8c:da:97:5b:36:b6:
                    f3:5e:73:03:75:ac:92:b4:7e:97:d2:e1:94:6d:bc:
                    e1:cf:9a:bc:77:95:c8:7a:76:3f:61:1a:a3:65:bd:
                    2e:3a:8e:87:b3:94:81:83:79:4b:51:c4:7b:ea:c5:
                    71:30:5e:3e:5c:77:c1:e2:74:48:d0:d0:8e:26:0f:
                    b6:31:0f:93:f4:74:b0:d1:de:7e:64:2c:06:79:ed:
                    81:67:dd:ab:82:c6:1f:91:ae:80:7c:71:43:f6:b6:
                    7f:eb:91:05:a8:10:75:1d:c3:0c:d0:e0:f5:bd:60:
                    60:db:ad:4c:56:5e:cb:8d:02:7d:19:ad:75:0a:34:
                    15:39:b4:00:e4:35:64:fe:73:a2:4b:de:96:a7:14:
                    08:4c:03:d6:0b:89:ee:c7:96:42:b5:44:d7:02:c0:
                    18:69:cf:34:7b:75:e2:9a:13:22:8e:65:29:b2:36:
                    6c:a6:7d:81:51:96:2e:d4:b8:30:78:76:ae:2d:7e:
                    c6:90:f3:8e:8c:33:b9:b8:ec:e8:a9:c3:01:44:52:
                    75:1e:b7:f9:41:d9:68:67:8e:e6:06:8d:9d:74:0d:
                    1e:b9:ae:c2:60:8c:08:fd:12:38:2a:f5:ad:1a:76:
                    6a:bf:88:53:90:0b:ff:f3:5a:ac:9d:78:d1:fc:da:
                    2f:3b:30:56:17:8c:cb:b9:2e:6f:d7:b2:7b:38:9f:
                    65:43:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Authority Key Identifier: 
                40:B9:D0:38:07:D4:30:80:92:9B:31:74:C1:2B:D0:5E:25:F6:D8:D1
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        12:7e:6f:f3:a1:71:92:05:87:04:dd:79:f9:d7:ec:11:3f:c6:
        e6:dc:91:f6:5f:49:70:c7:2f:9b:2f:44:fc:4e:56:5d:09:21:
        2d:2d:19:90:cd:1b:6c:b7:ba:2a:ad:b9:ce:e0:f1:85:67:94:
        c2:08:2b:48:57:4b:4d:62:85:59:9a:93:ce:59:0d:59:57:60:
        66:66:df:75:e9:63:d9:61:90:72:ad:21:e8:98:b5:5e:c6:18:
        b2:6c:bf:56:b6:e7:7b:d2:96:46:33:30:93:50:4f:a0:d7:bf:
        58:24:1c:8e:e6:bd:78:5a:85:d1:a6:0e:40:9a:3a:22:a0:e9:
        2c:b4:b6:53:a0:62:29:ac:8d:b1:c0:4b:13:c2:c2:61:ce:b9:
        53:75:c8:8b:83:49:d8:79:f0:f9:77:f7:7a:43:a0:9e:98:64:
        7b:50:36:8e:fb:ca:59:a1:87:51:f3:41:f7:d4:a8:bd:18:50:
        15:9d:82:b7:07:00:9d:dc:27:c2:aa:5f:d8:4a:f3:29:4d:2a:
        d8:0b:10:be:d6:28:6a:a1:de:e5:fc:f8:91:e1:5a:56:41:11:
        a9:67:5b:c6:c5:63:6c:cb:46:84:05:5a:56:72:32:30:6a:52:
        4c:d3:41:61:d2:2b:29:47:8b:4d:eb:49:fb:35:8e:28:41:38:
        24:72:9b:0f:a0:64:03:32:a7:aa:52:7f:ba:58:74:c0:fa:b5:
        6c:9f:78:f5:6b:b8:b4:24:ce:38:9d:31:b9:68:86:25:ad:a9:
        2d:c3:d2:c2:61:62:46:05:4b:07:e0:e0:e5:28:0b:80:30:1a:
        7e:c9:91:27:c1:9e:c9:d7:8b:5d:6d:72:5f:1a:4d:f9:34:07:
        db:c6:52:6d:1f:9f:19:f7:cb:75:90:2c:d0:21:99:bb:74:04:
        6c:08:28:f5:5c:29:48:22:17:5d:71:d9:c4:c4:72:8c:ad:b9:
        3c:cb:75:7d:37:7c:32:fa:bd:d4:e4:c9:5d:48:d2:9e:1c:ad:
        1d:f0:60:7b:90:cd:a1:53:c2:81:2f:b1:dd:72:7b:da:09:34:
        0e:96:21:e4:93:03:bd:66:e8:93:e0:8d:e5:1e:4a:5f:2a:b5:
        2d:d6:f0:eb:8a:0a:3c:0f:1b:55:e1:f8:a5:d5:ec:00:ab:7a:
        07:c0:4f:cc:05:50:7b:04:97:5b:ea:17:14:0c:63:52:64:30:
        47:79:16:f1:b6:f4:c8:5a:b2:54:58:03:35:57:32:6e:f9:b6:
        43:32:f6:d4:03:04:48:bc:62:61:23:dc:49:41:c7:9f:46:63:
        6b:71:2b:2a:b2:0d:9f:45:85:33:7b:4b:7c:95:94:08:80:c0:
        98:21:e3:9f:0b:38:f9:1e
  • NX bit is not set (for x64 and ia32):

DllCharacteristics 00000000

The review is still going on. To be continued

@steve-mcintyre steve-mcintyre added 1 review needed Needs 1 (additional) successful review before being accepted Accredited review needed Needs a successful review by an accredited reviewer labels Nov 13, 2024
@realnickel

While attempting to review the TencentOS grub and kernel packages, I discovered a repository containing multiple grub2 release packages (and others as well) at the same time.
Am I correct that this repository contains packages for TencentOS Linux 3?

https://mirrors.tencent.com/tlinux/3.3/BaseOS/x86_64/os/Packages/

grub2-common-2.02-129.tl3.3.noarch.rpm             25-Oct-2022 18:49              913528
grub2-common-2.02-142.tl3.1.noarch.rpm             16-Dec-2022 17:19              914604
grub2-common-2.02-142.tl3.3.noarch.rpm             22-Feb-2023 20:28              914996
grub2-common-2.02-148.tl3.4.noarch.rpm             14-Aug-2023 11:15              915496
grub2-common-2.02-150.tl3.1.noarch.rpm             25-Dec-2023 20:24              915356
grub2-common-2.02-150.tl3.2.noarch.rpm             11-Jan-2024 11:56              915588
grub2-common-2.02-156.tl3.1.noarch.rpm             23-May-2024 12:28              916316

@costinchen, @PrinterFranklin, would you please comment on how a particular version of grub2 is chosen and delivered to an OS image (and therefore how other, potentially vulnerable versions are prevented from getting into an image)?

Also a link to packages' SRPMS would be highly appreciated.

@realnickel

  • SBAT for shim and fwupd looks reasonable:
shim (x86_64/aarch64)
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.tencentos,1,TencentOS Linux 3,shim,15.8,[email protected]
fwupd (x86_64/aarch64)
sbat,1,UEFI shim,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
fwupd-efi,1,Firmware update daemon,fwupd-efi,1.3,https://github.com/fwupd/fwupd-efi
fwupd-efi.rhel,1,Red Hat Enterprise Linux,fwupd,1.7.8,mail:[email protected]
fwupd-efi.tencentos,1,TencentOS Linux 3,fwupd,1.7.8,mail:[email protected]
  • SBAT for grub2 has a minor issue:
grub2 (x86_64/aarch64)
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-156.tl3.1,mailto:[email protected]
grub.tencentos,1,TencentOS Linux 3,grub2,2.02,mail:[email protected]

The grub.rh entry contains the version and release of TencentOS 3 (2.02-156.tl3.1), not the original RH release.
And the last entry, grub.tencentos, doesn't contain release information at all.

While this doesn't affect the SBAT revocation function, it could be misleading for a maintainer in the future.
In my opinion this should be fixed.
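The DllCharacteristics value and the SBAT rows quoted in the reviews above (the earlier checklist and this comment) are read straight out of the PE/COFF headers and the .sbat section of each shim binary. The script below is an added example in Python, standard-library only, not shim-review tooling and not Tencent's or the reviewers' code. It extracts both fields from an EFI image and evaluates the SBAT rows against an SbatLevel-style policy, which makes concrete why the release string in the version field has no effect on revocation: only the component name and generation number are compared. `build_pe`, `SAMPLE_SBAT` and the policy strings are constructed fixtures; the sample's `mailto:` contact is a placeholder, and the image `build_pe` produces is a header skeleton, not a bootable binary.

```python
"""Read the fields a shim reviewer quotes from a PE/COFF EFI binary, namely the
DllCharacteristics word (NX_COMPAT is bit 0x0100) and the .sbat section, and
evaluate the SBAT rows against an SbatLevel revocation policy. Standard library only."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def parse_pe(data):
    """Return (dll_characteristics, {section_name: raw_section_bytes})."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                         # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):             # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = {}
    for i in range(nsections):                  # 40-byte section headers follow the optional header
        name, _, _, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode()] = data[rptr:rptr + rsize]
    return dll_chars, sections


def nx_compat(data):
    """True when the image advertises NX compatibility in DllCharacteristics."""
    return bool(parse_pe(data)[0] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def sbat_entries(data):
    """Parse .sbat: CSV rows of component,generation,vendor,package,version,url."""
    raw = parse_pe(data)[1][".sbat"].rstrip(b"\0").decode()
    rows = []
    for line in raw.splitlines():
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"malformed SBAT row: {line!r}")
        rows.append({"component": fields[0], "generation": int(fields[1]), "vendor": fields[2],
                     "package": fields[3], "version": fields[4], "url": fields[5]})
    if not rows or rows[0]["component"] != "sbat":
        raise ValueError("SBAT section must start with the sbat header row")
    return rows


def sbat_revoked(rows, sbatlevel):
    """Components whose generation is below the policy's minimum. Only the component
    name and generation take part; vendor, package and version are informational."""
    policy = {}
    for line in sbatlevel.strip().splitlines()[1:]:   # first row is the sbat,1,<date> header
        component, generation = line.split(",")[:2]
        policy[component] = int(generation)
    return [r["component"] for r in rows
            if r["component"] in policy and r["generation"] < policy[r["component"]]]


# Constructed fixtures: a copy of the shim rows quoted in the review with a
# placeholder contact, and a minimal PE32+ image builder (not a bootable binary).
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.tencentos,1,TencentOS Linux 3,shim,15.8,mailto:security@example.invalid\n"
)


def build_pe(sbat_text, dll_characteristics):
    sbat = sbat_text.encode()
    opt_size, raw_ptr = 240, 512                # PE32+ optional header; section data at 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)         # subsystem: EFI application
    struct.pack_into("<H", opt, 70, dll_characteristics)
    section = struct.pack("<8sIIIIIIHHI", b".sbat", len(sbat), 0x1000, len(sbat),
                          raw_ptr, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0") + sbat


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe(SAMPLE_SBAT, 0)
    print(f"DllCharacteristics {parse_pe(data)[0]:08x}  NX_COMPAT={'yes' if nx_compat(data) else 'no'}")
    for row in sbat_entries(data):
        print(f"  {row['component']},{row['generation']},{row['version']}")
```

Run it as `python sbat_check.py shimx64.efi` (script name assumed) to get the same DllCharacteristics value and SBAT rows the reviewers pasted; `sbat_revoked` then answers whether a given SbatLevel would reject the binary, and changing the grub2 version string from `2.02` to `2.02-158.tl3.ap.1` as done later in the thread leaves that answer unchanged.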

@costinchen
Author

Hi, @realnickel Thanks for your review and suggestion, and we have fixed the SBAT for grub2. We retained the original Red Hat release information in grub.rh and completed the release information for TencentOS 3. Now it looks like:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-158.el8,mailto:[email protected]
grub.tencentos,1,TencentOS Linux 3,grub2,2.02-158.tl3.ap.1,mail:[email protected]

@PrinterFranklin

While attempting to review the TencentOS grub and kernel packages, I discovered a repository containing multiple grub2 release packages (and others as well) at the same time. Am I correct that this repository contains packages for TencentOS Linux 3?

https://mirrors.tencent.com/tlinux/3.3/BaseOS/x86_64/os/Packages/

grub2-common-2.02-129.tl3.3.noarch.rpm             25-Oct-2022 18:49              913528
grub2-common-2.02-142.tl3.1.noarch.rpm             16-Dec-2022 17:19              914604
grub2-common-2.02-142.tl3.3.noarch.rpm             22-Feb-2023 20:28              914996
grub2-common-2.02-148.tl3.4.noarch.rpm             14-Aug-2023 11:15              915496
grub2-common-2.02-150.tl3.1.noarch.rpm             25-Dec-2023 20:24              915356
grub2-common-2.02-150.tl3.2.noarch.rpm             11-Jan-2024 11:56              915588
grub2-common-2.02-156.tl3.1.noarch.rpm             23-May-2024 12:28              916316

@costinchen, @PrinterFranklin, would you please comment on how a particular version of grub2 is chosen and delivered to an OS image (and therefore how other, potentially vulnerable versions are prevented from getting into an image)?

Also a link to packages' SRPMS would be highly appreciated.

Hi @realnickel, thank you for your review. This repository contains all the grub2 packages TencentOS has ever released. A new OS image will always use the newest grub2 package, so no potentially vulnerable versions will be integrated. Users of older image versions will receive a security advisory to update to a newer version of grub2.

Here is the SRPMS link: grub2-2.02-158.tl3.ap.1.src.rpm

@realnickel

Unfortunately, SRPMS link gives me

404 Not Found

The requested URL was not found on this server.
Powered by Tengine 

@costinchen
Author

costinchen commented Dec 10, 2024

@realnickel Sorry, our SRPM repository is not visible externally, so it cannot be retrieved from the mirror directly. However, our SRPMs for TencentOS 3 basically originate from RHEL. For grub2, we based it on RHEL's grub2-2.02-158.el8 with the original patches, only modifying the SBAT, release information, and the EFI signing process. You can refer directly to RHEL, or I've added it to our repo, which you can see here: grub2-2.02-158.tl3.ap.1.src.rpm
