Rocky Linux 9 shim-15.6 x64

[SherifNagy]

Confirm the following are included in your repo, checking each box:

• [x] completed README.md file with the necessary information
• [x] shim.efi to be signed
• [x] public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• [x] binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• [x] any extra patches to shim via your own git tree or as files
• [x] any extra patches to grub via your own git tree or as files
• [x] build logs
• [x] a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/rocky-linux/shim-review/tree/refs/tags/rockylinux-9-shim-15.6-x86_64-20220816

---

What is the SHA256 hash of your final SHIM binary?

---

3a1cd2e7836a49de591057f23ae6deaa755453f97dd5be6b283ba3cea0fa107e shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

For Rocky Linux 8 we have #194 , this is our 1st submission for Rocky Linux 9

[SherifNagy]

We had older submission accepted, but I think we never got contact verification emails before

[steve-mcintyre]

We had older submission accepted, but I think we never got contact verification emails before

Ask and ye shall receive... :-)

[SherifNagy]

matriarchal campanile sanest envelope Odets huger journey darken reappraised noting

[SherifNagy]

We had older submission accepted, but I think we never got contact verification emails before

Ask and ye shall receive... :-)

Thanks :) I should have asked for pizza xD

[steve-mcintyre]

Looking:

• shim reproduces here
• shim from upstream, no patches
• Includes a CA key with ~9 years left, ok
• SBAT data looks ok for shim and grub
• revocation story is fine
• kernel looks fine, borrowed from RHEL
• HSM for key management
• grub looks ok, borrowed from RHEL
• list of grub modules looks fine

Queries:

• I assume your fwupd derives from RHEL too? If so, please add the RHEL SBAT data there too like for grub

Just waiting on that and the verification

[SherifNagy]

Looking:

• shim reproduces here
• shim from upstream, no patches
• Includes a CA key with ~9 years left, ok
• SBAT data looks ok for shim and grub
• revocation story is fine
• kernel looks fine, borrowed from RHEL
• HSM for key management
• grub looks ok, borrowed from RHEL
• list of grub modules looks fine

Queries:

• I assume your fwupd derives from RHEL too? If so, please add the RHEL SBAT data there too like for grub

Just waiting on that and the verification

I will check if I can rebuild fwupd with both SBAT entries

[rfelsburg-rockylinux]

refulgence immobilized ex searcher Basho ringmaster anarchist infields marital mislead

[SherifNagy]

@steve-mcintyre Fixed the fwupd SBAT entry names and added RHEL entry as requested, re-tagged everything again. Thanks :)

[steve-mcintyre]

looks good, marking as accepted

[SherifNagy]

Thanks @steve-mcintyre !

[SherifNagy]

Closing, we got back the signed shim from Microsoft