2017-12-27 IGEL #11

Closed
6 tasks done
igelboot opened this issue Dec 27, 2017 · 11 comments
Labels
accepted Submission is ready for sysdev

@igelboot

Please review the Shim submission from IGEL.

We have provided the following information:

  • link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
    igelboot/shim-review@igel.com-shim-amd64-20171227
  • completed README.md file with the necessary information
  • shim.efi to be signed
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs

What organization or people are asking to have this signed:

IGEL Technology GmbH
Hermanstr. 17
86150 Augsburg,
Germany

https://www.igel.com/

IGEL Technology is a member of the Melchers group.
Managing Directors: Heiko Gloge and Nicolas C. S. Helms
District Court Bremen (Germany) HRB 20636, VAT: DE 219524359, WEEE-Reg.-No. DE 79295479

IGEL is a vendor of thin client hardware and software.

Version of shim:

https://github.com/rhboot/shim/tree/13
rhboot/shim@13

Sysdev Submission ID:

UEFI submission #1973560

What product or service is this for:

This is for IGEL's Linux-based thin client operating system, which is called IGEL OS. There are three products based on IGEL OS:

  • IGEL OS (LX), the operating system for IGEL's own thin client devices
  • Universal Desktop Converter 3 (UDC3), a live-bootable Linux system that installs IGEL OS on third-party devices
  • UD Pocket, a live-bootable variant of IGEL OS on a pen drive

What's the justification that this really does need to be signed for the whole world to be able to boot it:
  • IGEL wants to employ Secure Boot for building a trusted operating system from Shim to GRUB to the kernel to signed filesystem partitions. Secure Boot is the first step for this.
  • IGEL would like customers to be able to run Universal Desktop Converter 3 (UDC3) on any amd64 device without disabling Secure Boot.
  • IGEL would like UD Pocket to be bootable on any amd64 device without disabling Secure Boot.
@cyphermox
Collaborator

How is this shim built?

I'm running:
make VENDOR_CERT_FILE=cyphermox.crt EFI_PATH=/usr/lib ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1 EFIDIR=igel

as an educated guess based on the builds being based on Ubuntu, and using my own certificate given that none was provided. The issue is, I most definitely can't reproduce the same binary, since mine here appears to have a .rela.plt section (as I'd expect from an unpatched build of shim 13). (This is why the shim 14 release exists or shim 13 uploads include further patches)

I'd also be missing the patches that are mentioned to be applied. I thought I had seen them before in the igelboot/shim tree, but this one appears to be strictly up to date with rhboot/shim now.

Please provide the patches used, and if possible, the public certificate portion used to build this shim submission so we can attempt a test rebuild of the binary.
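The `.rela.plt` remark above is the kind of structural difference that shows up when a reviewer's rebuild is compared with the submitted binary. What follows is an added example, not code from this thread or from the rhboot/shim project: a small PE/COFF section-table reader in Python that lists the sections of an image (resolving names longer than 8 bytes through the COFF string table, which is where objcopy puts a name such as `.rela.plt`) and reports which sections exist in only one of two images. The two images it compares are constructed inside the script from assumed section lists; they are not real shim binaries, and `build_pe_image` exists only to produce test data.

```python
import struct

# Layouts from the PE/COFF specification.
COFF_HDR = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                              # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                              # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
                              # NumberOfLinenumbers, Characteristics
COFF_SYMBOL_SIZE = 18         # the string table starts right after the symbol table


def pe_sections(data):
    """Return [(name, virtual_address, virtual_size, raw_size, characteristics), ...]
    for a PE image. Names longer than 8 bytes are stored as "/<offset>" into the
    COFF string table, which is how objcopy writes names such as ".rela.plt"."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    if len(data) < coff_off + struct.calcsize(COFF_HDR):
        raise ValueError("truncated COFF header")
    _, nsec, _, symtab_ptr, nsyms, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff_off)
    strtab_off = symtab_ptr + COFF_SYMBOL_SIZE * nsyms if symtab_ptr else 0
    sec_off = coff_off + struct.calcsize(COFF_HDR) + opt_size
    if sec_off + nsec * struct.calcsize(SECTION_HDR) > len(data):
        raise ValueError("section table runs past end of image")
    sections = []
    for i in range(nsec):
        raw_name, vsize, vaddr, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, sec_off + i * struct.calcsize(SECTION_HDR))
        name = raw_name.rstrip(b"\0")
        if name.startswith(b"/") and strtab_off:
            start = strtab_off + int(name[1:])
            name = data[start:data.index(b"\0", start)]
        sections.append((name.decode("ascii", "replace"), vaddr, vsize, rawsize, flags))
    return sections


def diff_sections(reference, candidate):
    """Section names present only in the reference image, and only in the candidate."""
    ref = {s[0] for s in reference}
    cand = {s[0] for s in candidate}
    return sorted(ref - cand), sorted(cand - ref)


def build_pe_image(section_names):
    """Constructed minimal PE image for the demonstration (not a bootable binary):
    DOS stub, PE signature, COFF header, 16-byte dummy optional header, section
    table and a COFF string table holding any name longer than 8 bytes."""
    e_lfanew = 0x40
    optional = b"\0" * 16
    strtab = bytearray(b"\0\0\0\0")      # 4-byte size prefix, patched below
    headers = bytearray()
    for i, name in enumerate(section_names):
        raw = name.encode("ascii")
        if len(raw) > 8:
            raw = b"/%d" % len(strtab)   # reference into the string table
            strtab += name.encode("ascii") + b"\0"
        headers += struct.pack(SECTION_HDR, raw.ljust(8, b"\0"),
                               0x1000, 0x1000 * (i + 1), 0x1000, 0, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<I", strtab, 0, len(strtab))
    # No symbols, so the string table sits immediately at PointerToSymbolTable.
    symtab_ptr = e_lfanew + 4 + struct.calcsize(COFF_HDR) + len(optional) + len(headers)
    coff = struct.pack(COFF_HDR, 0x8664, len(section_names), 0, symtab_ptr, 0, len(optional), 0x2022)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    return bytes(dos + b"PE\0\0" + coff + optional + headers + strtab)


# Assumed section lists for the demo; real shim binaries carry more sections than this.
REFERENCE_IMAGE = build_pe_image([".text", ".reloc", ".data", ".dynamic", ".rela", ".rodata"])
LOCAL_IMAGE = build_pe_image([".text", ".reloc", ".data", ".dynamic", ".rela", ".rodata", ".rela.plt"])

if __name__ == "__main__":
    only_reference, only_local = diff_sections(pe_sections(REFERENCE_IMAGE), pe_sections(LOCAL_IMAGE))
    for name, vaddr, vsize, rawsize, flags in pe_sections(LOCAL_IMAGE):
        print(f"{name:<12} vaddr=0x{vaddr:08x} vsize=0x{vsize:x} raw=0x{rawsize:x} flags=0x{flags:08x}")
    print("only in reference:", only_reference)
    print("only in local build:", only_local)
```

To use it on real files, read both `.efi` images with `open(path, "rb").read()` and pass them to `diff_sections(pe_sections(a), pe_sections(b))`; a section that appears in only one build is a strong hint that the two were produced from different sources or toolchains, even before comparing bytes.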

@cyphermox cyphermox self-assigned this Jan 23, 2018
@cyphermox cyphermox added the question Reviewer(s) waiting on response label Jan 23, 2018
@igelboot
Author

Hi Mathieu,

I am very happy to hear from you.

I think I have caused some confusion. Our first submission (now cancelled) was based on Ubuntu. I made the mistake of deleting that Github repo and creating a new one of the same name. So you might want to throw away your local copy and clone again from https://github.com/igelboot/shim

This (our current submission) is a Red Hat Shim 13 with a small patch:
igelboot/shim@35f3c2a

You're right, you can't reproduce the build without our certificate. I've committed that plus our build script. You can now build by simply running ./igelbuild . There is new tag now with these additions:
https://github.com/igelboot/shim/tree/igel.com-shim-amd64-20180124

Does this work for you?

Best,
Mathias

@cyphermox
Collaborator

I am unable to reproduce this build with or without the provided script. There are multiple issues:

  • ia32 does not build:
    gcc -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin -Werror=sign-compare -ffreestanding -std=gnu89 -I/usr/lib/gcc/x86_64-linux-gnu/5/include -DDEFAULT_LOADER=L"igelia32.efi" -DDEFAULT_LOADER_CHAR="igelia32.efi" -nostdinc -I/root/shim/Cryptlib -I/root/shim/Cryptlib/Include -I/usr/include/efi -I/usr/include/efi/ia32 -I/usr/include/efi/protocol -I/root/shim/include -iquote /root/shim -iquote /root/shim/build-ia32 -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 -DMDE_CPU_IA32 -DPAGE_SIZE=4096 -DEFI_ARCH=L"ia32" -DDEBUGDIR=L"/usr/lib/debug/usr/share/shim/ia32-14/" -DVENDOR_CERT_FILE="../igel-efi-pub-key.der" -c -o security_policy.o /root/shim/lib/security_policy.c
    ar rcs lib.a simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o
    make[1]: Leaving directory '/root/shim/build-ia32/lib'
    ld -o shimia32.so --hash-style=sysv -nostdlib -znocombreloc -T /root/shim/elf_ia32_efi.lds -shared -Bsymbolic -L/usr/lib32 -L/usr/lib -LCryptlib -LCryptlib/OpenSSL /usr/lib32/crt0-efi-ia32.o --build-id=sha1 --no-undefined shim.o netboot.o cert.o replacements.o tpm.o version.o errlog.o Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group /usr/lib/gcc/x86_64-linux-gnu/5/libgcc.a
    /usr/lib32/libefi.a(math.o): In function `DivU64x32': (.text+0x95): undefined reference to `__umoddi3'
    /usr/lib32/libefi.a(math.o): In function `DivU64x32': (.text+0xaa): undefined reference to `__udivdi3'
    ../Makefile:203: recipe for target 'shimia32.so' failed
    make: *** [shimia32.so] Error 1

  • x64 ends up very different from the build in the submission.

  • igel.com-shim-amd64-20180124 is based on shim 14, that does not match with the specifications in this submission, or with the build info in the binaries to be signed.

For one noticeable thing, Cryptlib/ ends up containing a directory named "{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}", which makes me think that even if I managed to reproduce the build, this shim submission is likely broken in some fundamental way.

@cyphermox
Collaborator

cyphermox commented Jan 24, 2018

The above build is likely a difference in the toolchain, please make sure you specify the exact versions of all the pieces. I'm approximating binutils, since I don't know the exact version number:

ii binutils 2.26.1-1ubuntu1~16.04.5 amd64 GNU assembler, linker and binary utilities

ii gnu-efi 3.0.2-1ubuntu1 amd64 Library for developing EFI applications

ii gcc 4:5.3.1-1ubuntu1 amd64 GNU C compiler

root@gorgeous-buzzard:# apt-cache policy binutils
binutils:
  Installed: 2.26.1-1ubuntu1~16.04.5
  Candidate: 2.26.1-1ubuntu1~16.04.5
  Version table:
     2.26.1-1ubuntu1~16.04.6 100
        100 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
 *** 2.26.1-1ubuntu1~16.04.5 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.26.1-1ubuntu1~16.04.3 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     2.26-8ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

@igelboot
Author

Hi Mathieu,

sorry, I accidentally merged with 14 :-(

We'll put up a clean repo and also look into the build issues.

Mathias

@igelboot
Author

Hi Mathieu,

we now have a cleaned-up tag at https://github.com/igelboot/shim/tree/igel.com-shim-amd64-20180125

We can reproduce the build on an up-to-date Xenial Xerus. Additionally I am attaching the package list from the build system.
shim-build-system-apt-list-installed.txt

Best,
Mathias

@igelboot
Author

Hi Mathieu,

I am sorry for all the work this causes, but we are making another, completely overhauled submission that should build reproducibly:
https://github.com/igelboot/shim/tree/igel-shim

  • Thank you for the warning about ia32. This is fixed now.
  • The new submission is based on Red Hat Shim version 14
  • We have aimed at making the build reproducible by eliminating paths that may vary across build hosts, and 'uname -a'
  • We have added NO_MOK_MANAGER and NO_FALLBACK switches.

I have also updated everything that has changed in https://github.com/igelboot/shim-review and submitted the new binaries at Microsoft Sysdev under UEFI submission #1974022.

@igelboot
Author

Hi Mathieu,

I was so glad we had the technical discussion going. However, it is stalled now. Could you please have a look at our latest submission? We have tried hard to fulfil all the requirements.

Mathias

@cyphermox
Collaborator

I have reviewed this submission and I find that both shimia32.efi and shimx64.efi are acceptable for signing.

84b291682febed26e7df144a67c4feda0755fa14e2bf9296c5df1fa9d20141b2 *bootia32.efi
e25f512d2971a4b3a881cc1306677b11badcc8360ae4f1d9999a4a64467df3e8 *bootx64.efi

Please consider sending your build reproducibility patches for inclusion in rhboot/shim.
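The two digests the reviewer posts above are what lets the submitter, and anyone auditing later, confirm that the binary uploaded to sysdev is byte-for-byte the one that was reviewed. The script below is an added example, not part of this thread or of the shim-review tooling: it parses a sha256sum-style manifest (the `<hex> *<file>` form used above), hashes the files found in a directory, and reports `ok`, `mismatch` or `missing` for each entry rather than silently passing when a file is absent. The files it checks in the demonstration are constructed stand-ins with assumed names, not real shim builds, so the only real digest in it is the well-known SHA-256 of zero bytes.

```python
import hashlib
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def parse_manifest(text):
    """Parse sha256sum-style lines ("<hex> *<file>" or "<hex>  <file>") into {file: digest}.
    Anything that is not a 64-hex-digit SHA-256 raises ValueError, so a mangled
    manifest cannot silently verify nothing."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS or not name:
            raise ValueError(f"manifest line {lineno} is not a sha256sum entry: {line!r}")
        entries[name] = digest
    return entries


def sha256_file(path):
    """Stream the file through SHA-256 so large images are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest_text, directory):
    """Return {file: "ok" | "mismatch" | "missing"} for every manifest entry.
    Only the basename is used, so "*bootx64.efi" and "./bootx64.efi" refer to
    the same file; the comparison is on the full digest, never a prefix."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def all_verified(results):
    """True only when the manifest was non-empty and every entry matched."""
    return bool(results) and all(status == "ok" for status in results.values())


# SHA-256 of zero bytes; used for the constructed empty stand-in file below.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def demo():
    """Constructed scenario: one file matches, one was rebuilt and differs, one is absent."""
    with tempfile.TemporaryDirectory() as workdir:
        open(os.path.join(workdir, "bootx64.efi"), "wb").close()
        with open(os.path.join(workdir, "bootia32.efi"), "wb") as f:
            f.write(b"constructed placeholder, not a real shim build\n")
        manifest = (
            f"{EMPTY_SHA256} *bootx64.efi\n"
            f"{'0' * 64} *bootia32.efi\n"      # deliberately wrong digest
            f"{EMPTY_SHA256} *shimaa64.efi\n"  # not present in the directory
        )
        return verify_manifest(manifest, workdir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<9} {name}")
```

In practice the manifest text would be the reviewer's two lines copied from the issue and the directory the one holding the binaries about to be uploaded; treat anything other than `all_verified(...)` returning `True` as a reason not to upload.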

@cyphermox cyphermox added accepted Submission is ready for sysdev and removed question Reviewer(s) waiting on response labels Feb 20, 2018
@igelboot
Author

Thank you!

@haobinnan

hi, @cyphermox isoo shim15: #17
