While attempting to update the UEFI Secure Boot blacklist (dbx) on my laptop, I discovered that the current version of shim in Portage, labeled 15.5-r1, is blacklisted due to security issues. The latest version from Fedora, 15.4-5, is not blacklisted.

Upstream packages:
- https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/shim-ia32-15.4-5.x86_64.rpm
- https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm

Note that the current 15.5-r1 package actually installs 15-5, or what would be considered 15_p5 in Gentoo. 15.5-r1 should be removed and 15.4-5 added as 15.4_p5.
In further testing, it seems that I forgot to re-enable Secure Boot when installing shim-15.4. After enabling Secure Boot, every EFI binary that I self-signed using a certificate enrolled using MokUtil failed to boot with error 0x1A: security violation (e.g. grub, UEFI shell). The only way to fix this was to clear the dbx variable and roll back to shim-15-5.

Tested using sbsign from sbsigntool-0.9.2 (stable) and 0.9.4 (~amd64). No change between the two versions. When testing this, the dbx variable on my system was completely empty, so it's not caused by a blacklisted hash.

Based on this, it's probably not safe to immediately add 15.4 to Gentoo unless we can figure out exactly why 15.4 isn't recognizing self-signed EFI binaries properly.
Found the issue. As of shim-15.3, an "SBAT" section is needed in grub. grub-2.06_rc1 supports this using grub-mkimage's --sbat option. For my build, I'm using the following SBAT:

    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    grub,1,Free Software Foundation,grub,2.06-rc1,https://www.gnu.org/software/grub/

See https://github.com/rhboot/shim/blob/main/SBAT.md for more information.
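As an added illustration (not part of the bug report or of the shim/grub projects), the following POSIX shell snippet writes the two-record SBAT CSV quoted above, sanity-checks its shape before it is handed to grub-mkimage --sbat, and dumps the .sbat section back out of a built image so you can confirm the data shim will evaluate. The file path, the helper names and the use of binutils objcopy for the dump are assumptions; grub-mkimage itself is only shown in a comment because it needs a grub build tree.

```shell
#!/bin/sh
# Added example: build and verify the SBAT CSV that grub-mkimage --sbat embeds
# as the .sbat PE section. shim >= 15.3 refuses images that lack a valid
# section, which is the 0x1A "security violation" seen in this thread.

SBAT_FILE="${SBAT_FILE:-./sbat.csv}"   # assumed output path

# Write the two records used in the thread: the SBAT format version line,
# then one line describing the grub component being built.
write_sbat() {
  cat > "$1" <<'EOF'
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06-rc1,https://www.gnu.org/software/grub/
EOF
}

# Structural check of an SBAT CSV:
#  - first record must be the "sbat" format record with a positive generation
#  - every record has exactly six comma-separated fields
#  - every generation number (field 2) is a positive integer
# Returns 0 when the file is well-formed, 1 otherwise.
check_sbat() {
  awk -F, '
    NR == 1 && ($1 != "sbat" || $2 !~ /^[1-9][0-9]*$/) { bad = 1 }
    NF != 6                                            { bad = 1 }
    $2 !~ /^[1-9][0-9]*$/                              { bad = 1 }
    END { if (NR == 0) bad = 1; exit (bad ? 1 : 0) }
  ' "$1"
}

# Print the .sbat section of a PE image built with --sbat so it can be
# compared with the CSV that went in (requires binutils objcopy).
show_sbat_section() {
  objcopy --dump-section .sbat=/dev/stdout "$1" /dev/null
}

# Typical use (grub-mkimage invocation left as a comment; adjust format,
# prefix and module list to your build):
#   write_sbat "$SBAT_FILE" && check_sbat "$SBAT_FILE" \
#     && grub-mkimage -O x86_64-efi -p /EFI/gentoo --sbat "$SBAT_FILE" \
#          -o grubx64.efi part_gpt fat normal linux \
#     && show_sbat_section grubx64.efi
```

The check is deliberately strict about the first record: shim parses the leading `sbat,<gen>` line to learn the CSV format generation, so a component record placed first, or a missing field, is exactly the kind of mistake that only shows up as a refused boot.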
It seems that shim-15-5, aka sys-boot/shim-15.5, has no fewer than 7 associated CVEs, fixed in Fedora since 15.3-1. From the latest spec:

    * Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
    - Update to shim 15.3
    - Support for revocations via the ".sbat" section and SBAT EFI variable
    - A new unit test framework and a bunch of unit tests
    - No external gnu-efi dependency
    - Better CI
      Resolves: CVE-2020-14372
      Resolves: CVE-2020-25632
      Resolves: CVE-2020-25647
      Resolves: CVE-2020-27749
      Resolves: CVE-2020-27779
      Resolves: CVE-2021-20225
      Resolves: CVE-2021-20233

I think I'll see how feasible it would be to get a proper source-based ebuild following Fedora's spec file.
> I think I'll see how feasible it would be to get a proper source-based
> ebuild following Fedora's spec file.

For a moment, I forgot the Fedora build is presumably signed by the Windows UEFI signing service. I suppose an unsigned shim ebuild wouldn't justify the effort.
shim-15.6 is in portage, so this can be closed.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ab4aacf953585804ca6fb7e8a94cf74fc5cc1c9

    commit 4ab4aacf953585804ca6fb7e8a94cf74fc5cc1c9
    Author: Mathieu Strypsteen <mathieu@strypsteen.me>
    Date:   Tue Jul 12 16:59:23 2022 +0000

        sys-boot/shim: add 15.6

        Signed-off-by: Mathieu Strypsteen <mathieu@strypsteen.me>
        Signed-off-by: Rick Farina <zerochaos@gentoo.org>