
FixMeStick shim-15.6 x64 and ia32 #276

Closed
8 tasks done
coreyvelan opened this issue Aug 19, 2022 · 11 comments
Labels
accepted Submission is ready for sysdev

Comments

@coreyvelan

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/coreyvelan/shim-review/tree/fixmestick-shim-ia32-x64-20220817

What is the SHA256 hash of your final SHIM binary?

df0014225da99306ef428b65e227bffc56ac085805de04d6d6a183d52c2672a5 shimia32.efi
92ff5ea0c20f2c9b1d786a000b075265a2c374e9b3d2d7a63fd3acf425794d81 shimx64.efi

What is the link to your previous shim review request (if any, otherwise N/A)?

N/A

@coreyvelan coreyvelan changed the title FixMeStic shim-15.6 x64 and ia32 FixMeStick shim-15.6 x64 and ia32 Aug 19, 2022
@steve-mcintyre steve-mcintyre added new vendor This is a new vendor contact verification needed Contact verification is needed for this review labels Sep 1, 2022
@steve-mcintyre
Collaborator

Mails sent for identity verification

@steve-mcintyre steve-mcintyre added the question Reviewer(s) waiting on response label Sep 1, 2022
@steve-mcintyre
Collaborator

Looking:

  • shim from upstream, no patches
  • Includes a Sectigo EV code-signing cert with 3 years left, fine
  • shim builds reproduce here (comment below!)
  • SBAT data looks fine, mostly (see below!)
  • no older shims signed, so no need for revocations
  • grub (probably!) looks ok, borrowed from Debian
  • kernel sounds ok
  • key managed with an HSM, good

A couple of things to look at:

  • You're using a Debian testing/bookworm docker image for building, which is a moving target. You're lucky that toolchains things haven't changed since you submitted! I'd recommend that in future you either use a stable release (e.g. bullseye) or snapshot your build-deps to make sure things stay reproducible. See what I did in Debian's bookworm submission (Debian GNU/Linux 12 shim-15.6-1 x64, ia32 and aarch64 #267) as an example, maybe.
  • Your README.md suggests you're using Debian's grub 2.04-20 from Bullseye as a base, but your SBAT data there says you're using 2.06-3 which is in bookworm/sid. Which is it? :-)
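
The SBAT consistency check raised in the review above (the .sbat section embedded in the submitted grub binary must agree with the package version the README declares), as an added example that is not code from this issue or from the shim-review project: it extracts the .sbat section from a PE/COFF image, parses the CSV, and compares one component's version against the README's claim. The PE image and SBAT payload below are constructed fixtures; the generation numbers and the grub.debian entry are illustrative and may differ from Debian's real packaging.

```python
import csv
import struct

def extract_pe_section(data: bytes, name: str) -> bytes:
    """Return the raw bytes of a named section (e.g. ".sbat") from a PE/COFF image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # section table follows the optional header
    for i in range(nsections):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        vsize, _va, rawsize, rawptr = struct.unpack_from("<IIII", hdr, 8)
        if hdr[:8].rstrip(b"\0") == name.encode():
            return data[rawptr:rawptr + (vsize or rawsize)].rstrip(b"\0")
    raise KeyError(f"section {name} not found")

def parse_sbat(blob: bytes) -> dict:
    """Map each SBAT component name to (generation, package version)."""
    entries = {}
    for row in csv.reader(blob.decode("utf-8").splitlines()):
        if len(row) >= 6:           # component,generation,vendor,package,version,url
            entries[row[0]] = (int(row[1]), row[4])
    return entries

def check_sbat_version(image: bytes, component: str, expected: str) -> bool:
    """True when the binary's SBAT entry for `component` carries the version the README declares."""
    entries = parse_sbat(extract_pe_section(image, ".sbat"))
    return component in entries and entries[component][1] == expected

def build_sample_pe(sections: dict) -> bytes:
    """Construct a minimal PE image with the given {name: bytes} sections (test fixture only)."""
    pe_off, n = 0x40, len(sections)
    ptr, hdrs, body = pe_off + 24 + 40 * n, b"", b""
    for sname, content in sections.items():
        raw = content + b"\0" * (-len(content) % 512)   # pad to a 512-byte file alignment
        hdrs += sname.encode().ljust(8, b"\0") + struct.pack("<IIII", len(content), 0x1000, len(raw), ptr) + b"\0" * 16
        body, ptr = body + raw, ptr + len(raw)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0)  # empty optional header
    return dos + coff + hdrs + body

# Constructed SBAT payload modelled on Debian's grub packaging; generations and the grub.debian line are illustrative.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
               b"grub.debian,1,Debian,grub2,2.06-3,https://tracker.debian.org/pkg/grub2\n")
SAMPLE_IMAGE = build_sample_pe({".text": b"\x90" * 16, ".sbat": SAMPLE_SBAT})
```

On a real submission, run `check_sbat_version` against the grub and shim binaries in the review tag with the versions the README states; a False result is exactly the README/SBAT mismatch flagged above.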

@malgire

malgire commented Sep 2, 2022

gated goddamned Jarvis always peevish psalms Livingston waltzing irresistible universes

@coreyvelan
Author

Contact verification for Corey Velan: inertial machinist Nebraska spirituous Brahmaputra inspire pilaffs annex administrative streak

@coreyvelan
Author

Thanks for your review Steve!

We confirmed our contact email addresses above. Here are the responses to your review:

  1. Great point- we'll move to a stable release next time for the docker image.
  2. For grub, we are using the latest from bookworm which is 2.06-3 (i.e. the SBAT is right and the readme is wrong). Should I update the readme and move the fixmestick-shim-ia32-x64-2022081 git tag? Or create a new tag and update this issue with the new link?

@steve-mcintyre steve-mcintyre removed the contact verification needed Contact verification is needed for this review label Sep 7, 2022
@steve-mcintyre
Collaborator

Thanks for your review Steve!

We confirmed our contact email addresses above. Here are the responses to your review:

1. Great point- we'll move to a stable release next time for the docker image.

Cool.

2. For grub, we are using the latest from bookworm which is 2.06-3 (i.e. the SBAT is right and the readme is wrong). Should I update the readme and move the fixmestick-shim-ia32-x64-2022081 git tag? Or create a new tag and update this issue with the new link?

If you update, please add a new tag and update the issue. It's much
easier for us to follow history that way.

@coreyvelan
Author

OK- we updated the readme to indicate we're using Grub from bookworm rather than bullseye.

The new tag is fixmestick-shim-ia32-x64-20220908. Here is the link: https://github.com/coreyvelan/shim-review/tree/fixmestick-shim-ia32-x64-20220908

The readme was the only change.

@steve-mcintyre steve-mcintyre added accepted Submission is ready for sysdev and removed question Reviewer(s) waiting on response new vendor This is a new vendor labels Sep 8, 2022
@steve-mcintyre
Collaborator

Cool, good stuff!

Accepted.

@frozencemetery
Member

@coreyvelan did you receive a signed shim?

@frozencemetery
Member

Well, closing in any case due to #307

@coreyvelan
Author

@frozencemetery yes, we did receive a signed shim.
