
Shim 15.7 for Adaptech s.r.o. #248

Closed
8 tasks done
rehakp opened this issue Jun 14, 2022 · 29 comments
Labels: bug (Problem with the review that must be fixed before it will be accepted); question (Reviewer(s) waiting on response)

Comments

rehakp commented Jun 14, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files - https://github.com/rehakp/shim-review/blob/adaptech-shim-x86_64-20221118/grub-patches.tar.gz
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/rehakp/shim-review/tree/adaptech-shim-x86_64-20221209

What is the SHA256 hash of your final SHIM binary?

4a1fb79dc5bbefcb5e93e9c9fe321f44117ed33f4cebdf768d527b5782046a92

What is the link to your previous shim review request (if any, otherwise N/A)?

#227

rehakp (Author) commented Jun 20, 2022

Hi folks,
Although we are novice developers, we have a project roadmap and a project time frame. Our company is a business, not a non-profit, thus we have to invest our revenues into our development. I am well aware of the voluntary nature of this community-driven process of reviewing a project, which, however, has the potential to finalize projects that could generate lots of money in the end if successful. We would like to have at least a rough time estimate, thus I would like to know, probably from your experience, at least the following:

  1. How long does it take, on average, for a new vendor that needs verification like us to be verified and advance to another phase of Shim review? We created Shim 15.4 for Adaptech s.r.o. #227, where we waited for verification for approx. four months with no success. Are you, @julian-klode, the only one who can verify us? Well, we do have our very early Shim reviewed (see 2017-12-06 Adaptec.cz #1) from 2017, but not signed. There you could see our earlier EV code signing certificate to trust our company.
  2. Is there anything, except the pure nature of the task, we could do to help you proceed with this verification? Our certificates are at https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xc9fa48c01dcd9ff39ca578a0350e19be2cfb165f and https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x11d020a60f25092040a30116c335b2edbc540d91, respectively.
  3. How long could it take for our Shim to be reviewed? I saw some submissions reviewed very quickly, but those were probably recurring or well-known ones, while our company is still at the very beginning. However, without Shim, our software could hardly be offered to customers worldwide, or at least among other commercial subjects who have no interest in turning off Secure Boot, running on a variety of hardware configurations of people who are inexperienced, blind customers, thus unable to deal with Secure Boot.

Thank you for your feedback and effort so far.

frozencemetery (Member) commented:

@cyphermox @vathpela was contact verification carried out previously for this vendor?

rehakp (Author) commented Aug 3, 2022

Hello @frozencemetery, we haven't been verified yet. Our Shim was accepted in 2017 (see issue #1), but at that time we hadn't had any PGP key set up, didn't want one, and it was not strictly requested, and that old Shim has never been incorporated in any project.

steve-mcintyre (Collaborator) commented:

Verification mails sent

steve-mcintyre added the "contact verification needed" label (Contact verification is needed for this review) Aug 14, 2022
steve-mcintyre (Collaborator) commented:

  • shim reproduces ok
  • no shim patches, great!
  • EV cert embedded, expiry 2023 from Comodo, looks ok
  • HSM used for key control, good
  • kernel sounds ok

Questions / issues:

  • What's the significance of the grub-extras directory? It includes a load of object files etc. too - why?
  • I can't tell if your grub build includes all the patches needed, and you haven't said
  • Your grub SBAT level is still 1, which suggests no update here.
  • We're going to need to know which grub modules you're building in

steve-mcintyre added the "bug" (Problem with the review that must be fixed before it will be accepted) and "question" (Reviewer(s) waiting on response) labels Aug 14, 2022
rehakp (Author) commented Aug 23, 2022

faintness quips lasers sane Mingus urbaner underestimating Perez famishes tilling

rehakp (Author) commented Aug 23, 2022

These were the words sent to [email protected] in order to verify us. Unfortunately, we haven't been able to find a similar message at the 2nd security contact, [email protected], so please resend if possible.

steve-mcintyre (Collaborator) commented:

resent now

rehakp (Author) commented Aug 24, 2022

Verification words for [email protected]:
electroencephalograms neglectful weepings smooched metabolize anticlimaxes antiperspirants scandalizing Fitzgerald winking

rehakp (Author) commented Aug 30, 2022

I have just edited the 1st post to reflect a new tag, just created to accommodate the changes. The following changes have been made:

  • GRUB patch set without suspicious (although harmless) object files
  • added the GRUB binary as well as a grub_aliases file containing my GRUB aliases and functions used while developing GRUB patches and to create this GRUB binary
  • documented modules being part of the GRUB image
  • synced with upstream changes

rehakp (Author) commented Aug 31, 2022

SBAT metadata has just been incorporated into the GRUB image. If anything is incorrect about the metadata itself (including the generation number), please tell us how we should proceed.
The grub-extras directory contains the lua module for extending GRUB's scripting capabilities, which we need for calculating date differences.

steve-mcintyre (Collaborator) commented:

identification complete

steve-mcintyre removed the "contact verification needed" label (Contact verification is needed for this review) Aug 31, 2022
steve-mcintyre (Collaborator) commented:

In README.md, you still have upstream SBAT level 1 for the shim and GRUB binaries. Both should be up to 2 if you're following current stuff. Is this just a mistake in your README.md file?

rehakp (Author) commented Sep 7, 2022

It is an overall mismatch. Where can I find the current generation numbers? I could not get them from the SBAT documentation or the example file. I will update to 2.

steve-mcintyre (Collaborator) commented:

If you look in the shim 15.6 source, it includes SBAT level 2.

The latest set of grub security patches from June 2022 are needed to meet grub SBAT level 2; this is less well documented, I'm afraid.

rehakp (Author) commented Sep 8, 2022

OK, thanks. If I understand correctly, I should add those security patches to my set? If so, and thus get to SBAT level 2, where could I find them collected? I found a series of 30 patches, but their message says my distro should tell me which of them to implement, and Gentoo has not included them so far.

rehakp (Author) commented Sep 9, 2022

Hope all is OK now. A new tag for today's date has been created with all the rebuilt stuff. I will edit the 1st post.

rehakp (Author) commented Oct 4, 2022

Hello, our tag has also been waiting for almost a month for review. We would be grateful for it to be finished so we have at least our first Shim signed. Thank you for your time.

rehakp (Author) commented Nov 8, 2022

Hello all,
another month has passed since my previous comment with no feedback toward us. Is there any issue why our Shim cannot be evaluated and ideally accepted for good? Should we think our product or our company size is not worth your interest while other projects move forward? We've been around since February with no luck. To those who have helped us so far, @steve-mcintyre and @frozencemetery, thank you for your hard work!

rehakp (Author) commented Nov 16, 2022

Hello all,
reflecting yesterday's security patches, we have prepared a new GRUB 2.06 with the necessary patches (the first post has been updated). Feel free to comment. @steve-mcintyre, @frozencemetery, or whoever, please look at it to see if there are still any bugs left. We always strive to resolve them as quickly as possible so as not to cause delays on our side.

julian-klode (Collaborator) commented:

You likely also want to have a 15.7 shim or whatever the version is that bumps the SBAT levels. But it's not ready just yet. But also shouldn't be a blocker per se.

rehakp (Author) commented Nov 18, 2022

OK, updated Shim to 15.7 along with the SBAT of Shim and GRUB.

rehakp changed the title from "Shim 15.6 for Adaptech s.r.o." to "Shim 15.7 for Adaptech s.r.o." Nov 18, 2022
rehakp (Author) commented Dec 2, 2022

Hello, sorry to post again, but I am just announcing that we were probably the first to upgrade to Shim 15.7, thus there should be no reason we should be reviewed any later than others coming to this version. I don't demand anything but our first signed Shim ever. We have been around since February with nothing accepted at all and don't really understand that. If I were skilled enough or felt like that, I could possibly help review others, but being a member of a commercial subject I am a relative newbie to this world and am glad I have managed to complete this procedure, hopefully without any major issues and in a short time. We have been striving to satisfy any requirement in no more than 24 hours. Any progress in our issue will thus be welcome, ideally making it to the accepted state very soon, as our development including this procedure is very expensive already. Thank you all for helping us!

rehakp (Author) commented Dec 9, 2022

Hopefully, now that we have just enabled NX compatibility as per the request from @julian-klode, we can get our first Shim signed.
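Two of the review points in this thread can be verified from the binary itself rather than from README.md: the SBAT generation numbers steve-mcintyre asked about (the `.sbat` section is a CSV of `component,generation,...` rows) and the NX compatibility flag mentioned above (the `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` bit in the PE optional header). The following script is an added example, not code from this issue, the shim project, or the submitter. It parses a PE32/PE32+ image with only the standard library, extracts `.sbat`, and reports components whose generation is below a required minimum. The `REQUIRED` levels (shim 2, grub 2) are the ones named in the thread for late 2022 and are an assumption here; the `.sbat` sample text, the `shim.examplevendor` line and the `build_sample_pe` helper are constructed so the check runs offline.

```python
import csv
import io
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit of the PE optional header (PE/COFF spec)
NX_COMPAT = 0x0100

# Minimum SBAT generations named in the thread (late 2022). Assumption for this
# example; the current values come from the published SBAT revocation data.
REQUIRED = {"shim": 2, "grub": 2}


def parse_pe(data: bytes):
    """Return (DllCharacteristics, {section name: raw bytes}) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    sections = {}
    for i in range(nsect):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        size = min(vsize, rawsize) if vsize else rawsize        # ignore alignment padding
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[rawptr:rawptr + size]
    return dll_chars, sections


def parse_sbat(blob: bytes) -> dict:
    """Parse the .sbat CSV (component,generation,...) into {component: generation}."""
    text = blob.rstrip(b"\0").decode("utf-8")
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[0]:
            gens[row[0]] = int(row[1])
    return gens


def check_image(data: bytes, required: dict = REQUIRED) -> dict:
    """Report NX_COMPAT and every SBAT component whose generation is below the required one."""
    dll_chars, sections = parse_pe(data)
    report = {"nx_compat": bool(dll_chars & NX_COMPAT), "sbat": None, "stale": []}
    if ".sbat" in sections:
        gens = parse_sbat(sections[".sbat"])
        report["sbat"] = gens
        report["stale"] = sorted(c for c, g in gens.items() if g < required.get(c, 0))
    return report


def build_sample_pe(sbat_csv: str, nx_compat: bool) -> bytes:
    """Constructed minimal PE32+ image carrying only a .sbat section (not bootable)."""
    payload = sbat_csv.encode("utf-8")
    opt_size = 240                                  # PE32+ optional header with 16 data dirs
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)           # Magic: PE32+
    struct.pack_into("<H", opt, 70, NX_COMPAT if nx_compat else 0)
    pe_off = 0x40
    raw_off = (pe_off + 4 + 20 + opt_size + 40 + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)
    sect = struct.pack("<8sIIIIIIHHI", b".sbat", len(payload), 0x1000,
                       len(payload), raw_off, 0, 0, 0, 0, 0x40000040)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + sect)
    image += b"\0" * (raw_off - len(image)) + payload
    return bytes(image)


# Constructed .sbat contents modelled on the shim layout; the vendor line is a placeholder.
SBAT_STALE = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.examplevendor,1,Example Vendor,shim,15.6,https://example.invalid\n")
SBAT_CURRENT = SBAT_STALE.replace("shim,1,UEFI shim,shim,1,", "shim,2,UEFI shim,shim,1,")

if __name__ == "__main__":
    # Usage: python check_sbat.py path/to/shimx64.efi (hypothetical file name)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SBAT_STALE, False)
    print(check_image(data))
```

Run against the stale sample, the report lists `shim` under `stale` and `nx_compat` as `False`; the same check on a real shim or GRUB EFI binary gives the reviewer the generation numbers actually embedded, independent of what README.md claims. For a quick manual look, `objcopy -O binary --only-section=.sbat shimx64.efi /dev/stdout` dumps the same CSV.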

rehakp (Author) commented Dec 20, 2022

@julian-klode @frozencemetery, could anybody please look at our issue and remove the Bug label if it is OK? We have been waiting with this label for quite a few months, refreshing our repository with all requests. Thanks very much for any comment that will make us feel our issue is still alive.

rehakp (Author) commented Jan 19, 2023

Could you, @steve-mcintyre, please look at our issue, too? You already reviewed it, but nobody has finished it or shifted it toward the successful end so far, following our always quick updates. Our product release and associated sales are dependent on and waiting for this Shim. Everything is up to date in the 1st post. Thank you, or anybody else, who will be willing to devote their effort to our issue. We are, and will be, quick enough to address any problems.

rehakp (Author) commented Feb 8, 2023

Hello all,
Please tell us what else we could do to help our issue move forward. We have been waiting for so long, not only for Shim review, but for any progress in our issue. To the best of our knowledge, none of the Bug and Question labels applies to our issue any longer, but having no feedback, we don't know for sure and can't do anything else. We would like to release our product and make it commercially successful, but that won't be possible without our Shim being reviewed and accepted. Of course, we are not the only ones waiting so long; I found #280 in a similar position, but we don't have any reviewed Shim so far. This feels a bit discriminatory to us, being around since February 2022 and seeing so many issues closed or at least accepted through this period. We don't want to just watch the return on our investment slowly falling to zero, so please help us make our product a reality and a helpful tool for all blind and visually impaired people.

rehakp (Author) commented Mar 28, 2023

Hello @frozencemetery and all,
our product should get released next month and we are #307 ready. Is there really anything else we should do to meet the requirements? As we haven't received any reply so far, we don't know what to do next. I don't feel skilled enough to help review others, not having any reviewed Shim in the first place, and so gaining no confidence. I will do my best to reply immediately so as not to block your or someone else's work.

rehakp closed this as not planned (Won't fix, can't repro, duplicate, stale) May 31, 2023
rehakp (Author) commented May 31, 2023

closed as obsolete
