shim 15.6 for GOOROOM-20220814

[ozun215]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/ozun215/shim-review/tree/gooroom-shim-amd64-20220817-4

---

What is the SHA256 hash of your final SHIM binary?

---

cfa3cf6ac47e7714622a3f2bbedd00d12b455593e583edb27752becbedb1a55b shimx64.efi

[frozencemetery]

Presumably blocked on #265

[steve-mcintyre]

Assuming this is meant to supersede #265 (please confirm that!)

Docker build fails here:

Step 7/20 : RUN git clone https://github.com/ozun215/shim-review.git
 ---> Running in e472ef3e5f42
Cloning into 'shim-review'...
Removing intermediate container e472ef3e5f42
 ---> 76c05e040721
Step 8/20 : WORKDIR /shim-review
 ---> Running in 6e243825970f
Removing intermediate container 6e243825970f
 ---> c147eec00edb
Step 9/20 : RUN git checkout https://github.com/ozun215/shim-review/tree/gooroom-shim-amd64-20220814
 ---> Running in 1e9d7c5185e8
error: pathspec 'https://github.com/ozun215/shim-review/tree/gooroom-shim-amd64-20220814' did not match any file(s) known to git
The command '/bin/sh -c git checkout https://github.com/ozun215/shim-review/tree/gooroom-shim-amd64-20220814' returned a non-zero code: 1

[ozun215]

Yes it is superseded #265

We are working on dockerfile to be excitable soon

thanks for your patience

[ozun215]

We have fixed some bugs and update Readme.md and Dockerfile

New release is https://github.com/ozun215/shim-review/tree/gooroom-shim-amd64-20220817-4

new sha256 hash is

cfa3cf6ac47e7714622a3f2bbedd00d12b455593e583edb27752becbedb1a55b shimx64.efi

Thank you

[steve-mcintyre]

So finally I can reproduce this build. However, there are still issues in your submission

• It's very light on detail. I don't know what Gooroom is, and you've given us no clues.
• "To secure boot working on Gooroom OS" tells us nothing useful. Why should we care that Gooroom boots using Secure Boot?
• Contact 1 is just "Gooroom", which tells us nothing
• A large chunk of your README.md is copied directly from what I wrote in the Debian submission Debian GNU/Linux 12 shim-15.6-1 x64, ia32 and aarch64 #267, even where I don't think it makes sense.

You're clearly deriving from the Debian shim package (which is fine if it's done OK) and you've added your own key. However looking at your scripting around your key (debian/make-certs-gooroom) I'm really worried about how you're managing keys. You appear to be generating a key at build time, and it has the CA bit set. You're giving it a very generic name "Gooroom VENDOR CERT" and it's missing a lot of the key settings that I'd normally expect. You mention "a specially hardened machine that is in our build environment" - how exactly are you generating and managing keys?

You're still only using Debian SBAT data and not adding your own.

This is still nowhere near ready. Go and read the docs at https://github.com/rhboot/shim/wiki/submitting

[ozun215]

We have fixed some bugs and update Readme.md(include SBAT)

New release is https://github.com/ozun215/shim-review-1/tree/gooroom-shim-amd64-20220831-1

new sha256 hash is

cecaac151d3e06a1a70494d4bd66e13dbfa948858af80aaab94719176352f6ec shimx64.efi

Thank you

[ozun215]

Is there a problem with the current issue? Please let me know if you need any modifications.

[ozun215]

Hello~ Currently, there is no answer to our thread. It is true that it took a long time to revise the review we uploaded because there are many parts to modify. But I think I've improved a lot and I'm ready for review. Please review it. Thank you ============================================================== Gooroom OS Engineer YoungJun Park e-Mail : [email protected] ============================================================== 2022년 8월 17일 (수) 오후 7:42, Steve McIntyre ***@***.***>님이 작성:

…

So finally I can reproduce this build. However, there are still issues in your submission - It's very light on detail. I don't know what Gooroom is, and you've given us no clues. - "To secure boot working on Gooroom OS" tells us nothing useful. Why should we care that Gooroom boots using Secure Boot? - Contact 1 is just "Gooroom", which tells us nothing - A large chunk of your README.md is copied directly from what I wrote in the Debian submission #267 <#267>, even where I don't think it makes sense. You're clearly deriving from the Debian shim package (which is fine if it's done OK) and you've added your own key. *However* looking at your scripting around your key (debian/make-certs-gooroom) I'm really worried about how you're managing keys. You appear to be generating a key at build time, and it has the CA bit set. You're giving it a very generic name "Gooroom VENDOR CERT" and it's missing a lot of the key settings that I'd normally expect. You mention "a specially hardened machine that is in our build environment" - how *exactly* are you generating and managing keys? You're still *only* using Debian SBAT data and not adding your own. This is still nowhere near ready. Go and read the docs at https://github.com/rhboot/shim/wiki/submitting — Reply to this email directly, view it on GitHub <#270 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQJFESK2WNZOOESWLTPX7UTVZS6YDANCNFSM56PVAQHA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[steve-mcintyre]

Sorry for leaving you for quite a while - I'm a volunteer and I've been really busy on other work in Debian.

Could you please respond to my issues listed above(5adc7524bbd7774d8711d57037320852bc73af67) , explaining what you've done in each case? I'm looking through your updated shim and shim repos already, but I'd like you to explain things please.

[ozun215]

Hello~!!
Nice to meet you!!!

We thought a lot about your comment. and discussed so many times then follow things we modified

1. We have changed the contact information of the representative technician, including the introduction of our operating system and the contents of the organization.
2. A storage plan for keys
3. SBAT Related Contents
4. Module list
5. Grub version info
6. Certification management way
7. Also we added the answers to the questions we didn't understand before because it was our first application.

As already mentioned, we are trying this work for the first time in our country, so please understand if there is anything lacking.
We have scant information for reference

thank you and please review our issue again.

[frozencemetery]

Please note #307

[steve-mcintyre]

Superseded by #331