Shim 15.7 - shimx64.efi and shimia32.efi for OpenText(MicroFocus) ZENworks

[MuthuvelKuppusamy]

Confirm the following are included in your repo, checking each box:

• completed README.md file with the necessary information
• shim.efi to be signed
• public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
• binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
• any extra patches to shim via your own git tree or as files
• any extra patches to grub via your own git tree or as files
• build logs
• a Dockerfile to reproduce the build of the provided shim EFI binaries

---

What is the link to your tag in a repo cloned from rhboot/shim-review?

---

https://github.com/MuthuvelKuppusamy/shim-review/tree/opentext-shim-x64-ia32-20230929

---

What is the SHA256 hash of your final SHIM binary?

---

c11e597213af28f78c2f231ea9764748a84e49747993e7a9c24f73875516ef8b shimia32.efi
f88931998d2ee41e50671ba2528d93b1fcad2aa25706fbfe8bc9720fb0764b73 shimx64.efi

---

What is the link to your previous shim review request (if any, otherwise N/A)?

---

#166

[MuthuvelKuppusamy]

Done all cleanup and raised this request and closed the old request #311

[MuthuvelKuppusamy]

@frozencemetery @steve-mcintyre @julian-klode - Kindly review this request.
This is the very critical issue for many customers in the field for longtime to address the Boot Hole vulnerability.

[MuthuvelKuppusamy]

Kindly review this request and update the status.

[dennis-tseng99]

I'm not an authorized reviewer, but I'd like to contribute a little bit effort to help @frozencemetery @steve-mcintyre @julian-klode:

• reproducible is ok according to Dockfile:

        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame \
        -j .vendor_cert -j .sbat -j .sbatlevel \
        --target efi-app-ia32 fbia32.so fbia32.efi
./post-process-pe -vv  fbia32.efi
set_dll_characteristics():360: Updating DLL Characteristics from 0x0000 to 0x0100
ms_validation():375: NX-Compat-Flag: PASS
ms_validation():380:   4K-Alignment: PASS
ms_validation():394: Section-Wr-Exe: PASS
fix_checksum():446: Updating checksum from 0x00016fce to 0x000170ce
--> 87b57d25a89
STEP 17/19: RUN mkdir -p /shim-15.7/build-ia32 && cp shimia32.efi /shim-15.7/build-ia32/
--> 6f9b19e6ff3
STEP 18/19: RUN mv /shim-15.7 /shimia32
--> 16c23c6e048
STEP 19/19: RUN sha256sum /shimia32/build-ia32/shimia32.efi /shim-review/shimia32.efi /shimx64/build-x64/shimx64.efi /shim-review/shimx64.efi
b80b3505ed0d9802b781e668989b2d41fbf7d9fffb5f5364350f93dbfb179585  /shimia32/build-ia32/shimia32.efi
b80b3505ed0d9802b781e668989b2d41fbf7d9fffb5f5364350f93dbfb179585  /shim-review/shimia32.efi
25c77ed8bdd494f080cfa8583298cb1a638c6f34c1734c47f4b0bb036bd4416a  /shimx64/build-x64/shimx64.efi
25c77ed8bdd494f080cfa8583298cb1a638c6f34c1734c47f4b0bb036bd4416a  /shim-review/shimx64.efi
COMMIT ubuntu:15.7
--> 02596bdc3de
[Warning] one or more build args were not consumed: [ARCHITECTURE]
Successfully tagged localhost/ubuntu:15.7
02596bdc3deb20e8b5391bf2336ec52ed9f7aefb32a76dbd27308dfcddcf0134

• Hash are matched for shimia32.efi and shimx64.efi respectively.
• sbat seems okay for shimx64.efi

.sbat section：
 d4000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d4010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d4020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d4030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d4040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d4050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d4060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d4070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d4080 696d0a73 68696d2e 4d465a45 4e776f72  im.shim.MFZENwor
 d4090 6b732c33 2c4d6963 726f466f 6375732c  ks,3,MicroFocus,
 d40a0 7368696d 2c31352e 372c6874 7470733a  shim,15.7,https:
 d40b0 2f2f7777 772e6d69 63726f66 6f637573  //www.microfocus
 d40c0 2e636f6d 2f0a                        .com/.

• sbat seems okay for shimia32.efi

 a3000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 a3010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 a3020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 a3030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 a3040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 a3050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 a3060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 a3070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 a3080 696d0a73 68696d2e 4d465a45 4e776f72  im.shim.MFZENwor
 a3090 6b732c33 2c4d6963 726f466f 6375732c  ks,3,MicroFocus,
 a30a0 7368696d 2c31352e 372c6874 7470733a  shim,15.7,https:
 a30b0 2f2f7777 772e6d69 63726f66 6f637573  //www.microfocus
 a30c0 2e636f6d 2f0a                        .com/.

• grub sbat seems okay
  grub: sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/ grub.sle,3,SUSE Linux Enterprise,grub2,2.06,mail:[[email protected]](mailto:[email protected]) grub.MFZENworks,3,MicroFocus,grub2,2.06-0-ZENworks1,https://www.microfocus.com/

• The validity date of CA key is 2031; it is okay

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fc:dc:0d:af:d2:cf:c3:bc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Micro Focus
        Validity
            Not Before: Apr 14 00:13:05 2021 GMT
            Not After : Apr 12 00:13:05 2031 GMT
        Subject: CN = Micro Focus
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d3:07:40:f7:ae:36:eb:3b:3a:fc:65:c7:42:3e:
                    e7:75:c6:9d:a5:26:e4:be:cb:68:ad:a9:6a:5c:a1:
                    95:a8:48:27:2f:b9:07:04:5b:43:6c:5f:9f:c2:b7:
                    69:2f:a9:f3:39:1b:e4:97:e0:73:1c:04:5d:8e:49:
                    74:70:a3:69:ee:f2:56:9a:26:ab:c3:71:38:19:5e:
                    1c:2b:d2:80:4c:94:c7:50:d2:5b:7f:bc:da:c5:93:
                    e8:43:1c:fe:b2:82:1a:e5:c6:1e:31:71:5d:e0:8a:
                    ...........

[MuthuvelKuppusamy]

Kindly update the status for this review request.

[Zenworksuser]

hi, whats the current Status of this request??

[aronowski]

While I'm not an official reviewer, I can see a few curiosities:

*******************************************************************************
### Do you add a vendor-specific SBAT entry to the SBAT section in each binary that supports SBAT metadata ( grub2, fwupd, fwupdate, shim + all child shim binaries )?
### Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim.
### Where your code is only slightly modified from an upstream vendor's, please also preserve their SBAT entries to simplify revocation.
*******************************************************************************
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.MFZENworks,3,MicroFocus,shim,15.7,https://www.microfocus.com/

[...]

I can see the earlier shim you got approved was 15.4 here. It had the entry shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim.

Therefore if this is the first time 15.7 is used (i.e. with shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim), why is your product specific generation number set to 3?

---

*******************************************************************************
### Do you add a vendor-specific SBAT entry to the SBAT section in each binary that supports SBAT metadata ( grub2, fwupd, fwupdate, shim + all child shim binaries )?
### Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim.
### Where your code is only slightly modified from an upstream vendor's, please also preserve their SBAT entries to sim
plify revocation.
*******************************************************************************
[...]

grub:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md                                            grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.sle,3,SUSE Linux Enterprise,grub2,2.06,mail:[email protected]
grub.MFZENworks,3,MicroFocus,grub2,2.06-0-ZENworks1,https://www.microfocus.com/
### Which modules are built into your signed grub image?
*******************************************************************************
grub-core all_video boot cat chain configfile echo true efinet font gfxmenu gfxterm gzio halt iso9660 jpeg
minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png reboot search search_fs_uuid search_fs_file
search_label sleep test video fat loadenv linuxefi btrfs ext2 xfs jfs reiserfs efinet tftp http luks gcry_rijndael
gcry_sha1 gcry_sha256 mdraid09 mdraid1x lvm serial

*******************************************************************************
### What is the origin and full version number of your bootloader (GRUB or other)?
*******************************************************************************
http://download.opensuse.org/tumbleweed/repo/oss/src/grub2-2.06-28.3.src.rpm

The source RPM link doesn't work. Therefore I can't proceed with further verification.

Though I suspect the grub-core entry is an error the same as I mentioned here.

Regarding your product specific generation number, I can't verify if it's correct as I have no knowledge, if you just take SUSE Linux Enterprise GRUB2 and rebuild it or add custom patches, where security issues to your custom build were addressed twice.

[MuthuvelKuppusamy]

There was a review comment to increase the number to 3, which required to revoke the shim <=2.
Please refer my previous request. #311 (comment)

With respect to grub source repo updated as below https://download.opensuse.org/repositories/openSUSE:/Factory/standard/src/grub2-2.06-49.1.src.rpm

[aronowski]

There was a review comment to increase the number to 3, which required to revoke the shim <=2.
Please refer my previous request. #311 (comment)

This was about increasing the Red Hat Bootloader Team's shim global generation number to 3, not about MicroFocus's product specific generation number.

Normally it should be like this, assuming there were no security issues addressed beforehand

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.MFZENworks,1,MicroFocus,shim,15.7,https://www.microfocus.com/

---

There seems to be a difference between the modules listed in this review and your specfile.
(the ones with < are mentioned only in your review, the ones with > are mentioned only in specfile)

6a7
> crypttab
7a9
> efifwsetup
15a18
> gcry_sha512
18d20
< grub-core
26a29
> loopback
27a31
> luks2
35a40
> password
37a43
> read
47a54,55
> tpm
> tpm2

I was right about the grub-core error. Also, take look - some modules from the specfile haven't been provided in the review.

If they are unused, even though they are listed, let me know, how that's implemented.

PS: there are more modules in the specfile but seem to be architecture-specific (ppc/ppc64/ppc64le) so the macro parser I have in my head ignored these. ;)

[MuthuvelKuppusamy]

It is typo issue, grub-core is folder , where all the modules output files are placed as per below command.
./grub-mkimage -O x86_64-efi -o grub.efi --prefix= --sbat sbat.csv -d grub-core all_video boot cat chain configfile echo true efinet font gfxmenu gfxterm gzio halt iso9660 jpeg minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png reboot search search_fs_uuid search_fs_file search_label sleep test video fat loadenv linuxefi btrfs ext2 xfs jfs reiserfs efinet tftp http luks gcry_rijndael gcry_sha1 gcry_sha256 mdraid09 mdraid1x lvm serial

[jrbnovell]

@frozencemetery @steve-mcintyre @julian-klode - Can you please provide any additional information regarding changes that need to be made or approve this review. As has been stated we have several thousand customers depending on this shim who have been broken since the fall of 2022. We need to be able to release this shim so that those customers can continue to provision their devices.

[aronowski]

@jrbnovell, the point of this project is that issues should be peer-reviewed:

shim-review is meant to be distros reviewing each other and right now it's very much not.

As far as I can see the best people can do to speed up the reviewing process is to help review other issues. I helped you with yours, please help me with mine as a token of appreciation (I wrote more on this in this comment).

Also, I pointed out some errors in the issue you posted. Please, fix these as it is pointless for official reviewers to spend more time on pointing out the same.

Thank you in advance.

[THS-on]

Review for microfocus-shim-x64-ia32-20230224.

• Last signed Shim seems to be 15.4
• They require a Shim because of Shim patches and a custom second stage bootloader
• Security contacts seem to not have changed, but the old review tag is no longer online to confirm this
  • Muthuvel K ([email protected])
  • Anand Navale ([email protected])
  • PGP key fingerprints are not in the Readme and I cannot find a reference on keyserver.ubuntu.com
• Shim is reproducible using the Dockerfile

Hashes

#22 [18/19] RUN sha256sum /shimia32/build-ia32/shimia32.efi /shim-review/shimia32.efi /shimx64/build-x64/shimx64.efi /shim-review/shimx64.efi
#22 0.427 b80b3505ed0d9802b781e668989b2d41fbf7d9fffb5f5364350f93dbfb179585  /shimia32/build-ia32/shimia32.efi
#22 0.432 b80b3505ed0d9802b781e668989b2d41fbf7d9fffb5f5364350f93dbfb179585  /shim-review/shimia32.efi
#22 0.438 25c77ed8bdd494f080cfa8583298cb1a638c6f34c1734c47f4b0bb036bd4416a  /shimx64/build-x64/shimx64.efi
#22 0.443 25c77ed8bdd494f080cfa8583298cb1a638c6f34c1734c47f4b0bb036bd4416a  /shim-review/shimx64.efi
#22 DONE 0.5s

SBAT

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.MFZENworks,3,MicroFocus,shim,15.7,https://www.microfocus.com/

• SBAT level for shim.MFZENworks is set to 3. As already mentioned by @aronowski this should only be the case if the vendor specific Shim hat some vulnerabilities.
• Upstream 15.7 is used with NX + custom patches applied
  • 1_Enable_the_NX_compatibility_flag_by_default.patch matches rhboot/shim@7c76425
  • 2_Add_validation_function_for_Microsoft_signing.patch matches (modulo formatting changes) Add validation function for Microsoft signing shim#531
    • Note that is patch is not in shim upstream
    • This patch is superseded by Add validation function for Microsoft signing(supersede #531) shim#567
  • 3_Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch matches rhboot/shim@657b248
  • 4_prefer_proxyOfferReceived.patch
    • not upstream, but was already part of the 15.4 submission
• Certificate matches the organization
  • Serial: fc:dc:0d:af:d2:cf:c3:bc
  • Subject: CN = Micro Focus
  • Valid till Apr 12 00:13:05 2031 GMT (10 years)
  • Certificate is an CA certificate, KeyUsage/DigitalSignature and ExtKeyUsage/CodeSigning are not set
• Keys are stored in a HSM
• Shim launches GRUB2 and custom EFI binary
  • GRUB2
    • Linked upstream URL does not work
    • Modules List looks fine: grub-core all_video boot cat chain configfile echo true efinet font gfxmenu gfxterm gzio halt iso9660 jpeg minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png reboot search search_fs_uuid search_fs_file search_label sleep test video fat loadenv linuxefi btrfs ext2 xfs jfs reiserfs efinet tftp http luks gcry_rijndael gcry_sha1 gcry_sha256 mdraid09 mdraid1x lvm serial
    • SBAT entry grub.MFZENworks is set to 3
  • Custom EFI binary
    • Not public, but was not a blocker in the other review
• Kernel is based on SLES15SP4 5.14.21-150400.22-default

Notes/Questions

• Can we confirm which PGP keys are used for the security contacts? @steve-mcintyre which did you use for the last review?
• The SBAT level for shim.MFZENworks and grub.MFZENworks should likely set to 1. See here for an example: https://github.com/rhboot/shim/blob/main/SBAT.md#starting-point
• Is there are reason for the CA certificate not having KeyUsage/DigitalSignature and ExtKeyUsage/CodeSigning set?
• Are you switching to a new CA certificate or another certificate for singing GRUB2? Because the CA certificate was already issued in 2021.
• Do you have any modifications (besides custom SBAT) for GRUB2?

[MuthuvelKuppusamy]

Thanks for reviewing. Will update required details asap.

[THS-on]

@MuthuvelKuppusamy since the submission, two new questions were added:

• Do you build your signed kernel with additional local patches? What do they do?
• Do you use an ephemeral key for signing kernel modules?
  If not, please describe how you ensure that one kernel build does not load modules built for another kernel.

Can you also include them in the updated submission?

[MuthuvelKuppusamy]

1. SBAT updated as per review comment.
2. grub2 source is cloned from SUSE project and build with our sbat.
3. We will not alter kernel and modules. Using the same provided by SUSE.
4. Shim154 is not released, as it has issues with most of the customer hardware's.
5. Our shim is not patched in the machine, it will be provided thro PXE boot/Netboot/LiveCD.
6. Shim 15.4 - shimx64.efi and shimia32.efi for MicroFocus ZENworks #166 is verified by using random string to primary mail.

[THS-on]

Ok

• SBAT entries are now looking good
• GRUB2 is taken from SUSE
• New shim builds correctly

Notes

• CA certificate is the same as in the 15.4 submission (https://github.com/MuthuvelKuppusamy/shim-review/blob/c8975f030a21d87ffe57b60a652b5c4046a3d104/shimx64.efi)
• MicroFocus is now part of OpenText (https://www.opentext.com/microfocus)

Questions

• The email addresses have changed and there are no PGP keys associated with them, so contact verification is again likely needed. Can you add the used PGP keys, from last contact verification?
• Just to confirm, you just directly take the SUSE Kernel without any rebuilds? Can someone more familiar with SUSE's kernel build process confirm, that each time new keys are used for signing modules?

[MuthuvelKuppusamy]

Last submission validated by mailing random string to the both security contacts.
Refer the below link.
#166 (comment)
#166 (comment)

[THS-on]

@MuthuvelKuppusamy thank you. So this validation was done without any PGP keys then right?

[MuthuvelKuppusamy]

Yes, It was validated by sending random string to both mail-ids and pasting the same in the issue for verification.

[MuthuvelKuppusamy]

Kindly let me know, Is there any other information need to be provided. As the question label is not yet removed.

[THS-on]

What still needs to be figured out is how SUSE handles the signing of the kernel modules and if they are preventing older kernels to load older modules. At least for openSUSE Tumbleweed this seems not to be the case: #333 (comment)

[MuthuvelKuppusamy]

We will sign the kernel itself, using the shim embedded keys or else it will not be successful to chain load from our grub.

[THS-on]

Yes, but the kernel generally also has a certificate embedded to verify loaded kernel modules. The question is on how this is implemented e.g. new certificate for every build, kernel is build without module support etc.

[MuthuvelKuppusamy]

Thanks for the quick review and feedback.

Hi, I have looked in to sles15sp3 and sles15sp5 kernel signature and modules signatures.
Each version of the kernel has different signature embedded in the kernel which is same as module signature.

Hope this helps for your review. Let me know if any other information required.

[THS-on]

Thanks, also looking at https://github.com/SUSE/kernel-source it seems that they are using a new key for every build. Maybe @jsegitz can confirm this, but otherwise my questions are now answered.

Because the contacts have changed, I would like to do another round of contact verification (https://github.com/rhboot/shim-review/blob/main/docs/reviewer-guidelines.md#contact-verification). Can you provide me with which PGP keys I should use for those email addresses?

[MuthuvelKuppusamy]

Added the GPG key for contact verification. Please let me know if any other information required.

[THS-on]

@MuthuvelKuppusamy thanks, I sent out emails for contact verification.

@dennis-tseng99 @aronowski can you have another look at this? Once the contact verification is done, it is ready to go from my side

[aronowski]

@THS-on, I'm kind of tied up at the moment and will be able to review the application as early as of November 18.

[MuthuvelKuppusamy]

wakings
angostura
reappraising
linkage
mainspring
might've
deletes
cords
hangouts
quizzes

[anavale-ot]

semaphores
colloquiums
adaptors
breakfast
anatomical
microcode
bleep
microcode
outsourced
grade

[MuthuvelKuppusamy]

Updated the random strings for contacts verification.

[THS-on]

@MuthuvelKuppusamy contact verification is complete. What is now left is at least one (also unofficial) review from another person. There are also currently a lot of reviews that need one more review which are tagged with "extra review wanted". I would like to encourage you to have a look at a couple of them and do an unofficial review (the guide can be found here: https://github.com/rhboot/shim-review/blob/main/docs/reviewer-guidelines.md). This helps us out, to keep the queue moving and catching mistakes.

[ClaudioGranatiero-10zig]

I'm not an authorized reviewer, I'm just trying to help and learn.

---

• build is reproducible, sha256 is confirmed:

sha256:

f88931998d2ee41e50671ba2528d93b1fcad2aa25706fbfe8bc9720fb0764b73  shimx64.efi
c11e597213af28f78c2f231ea9764748a84e49747993e7a9c24f73875516ef8b  shimia32.efi

---

Obj Alignment:

Alignment is ok

shimx64.efi

SectionAlignment	00001000
DllCharacteristics	00000100

shimia32.efi

SectionAlignment	00001000
DllCharacteristics	00000100

---

DllCharacteristics:

NX_COMPAT is enabled

shimx64.efi

            DllCharacteristics:        256         0x100  NX_COMPAT

shimx64.efi

            DllCharacteristics:        256         0x100  NX_COMPAT

---

Sections:

shimx64.efi

=== SECTIONS ===

  NAME          RVA      VSZ   RAW_SZ  RAW_PTR  nREL  REL_PTR nLINE LINE_PTR     FLAGS
  "/4"         5000    1d744    1d800      400     0        0     0        0  40400040  R-- IDATA
  .text       23000    6148e    61600    1dc00     0        0     0        0  60300020  R-X CODE
  .reloc      85000        a      200    7f200     0        0     0        0  42100040  R-- IDATA DISCARDABLE
  "/14"       87000       86      200    7f400     0        0     0        0  c0600040  RW- IDATA
  "/26"       88000       47      200    7f600     0        0     0        0  40300040  R-- IDATA
  .data       89000    2cef8    2d000    7f800     0        0     0        0  c0600040  RW- IDATA
  "/37"       b6000      316      400    ac800     0        0     0        0  40300040  R-- IDATA
  .dynamic    b7000      100      200    acc00     0        0     0        0  c0400040  RW- IDATA
  .rela       b8000    1b468    1b600    ace00     0        0     0        0  40400040  R-- IDATA
  .sbat       d4000       c6      200    c8400     0        0     0        0  40100040  R-- IDATA

Code section is not writable: OK

shimia32.efi

=== SECTIONS ===

  NAME          RVA      VSZ   RAW_SZ  RAW_PTR  nREL  REL_PTR nLINE LINE_PTR     FLAGS
  .text        5000    684bd    68600      400     0        0     0        0  60300020  R-X CODE
  .reloc      6e000        a      200    68a00     0        0     0        0  42100040  R-- IDATA DISCARDABLE
  "/4"        70000       86      200    68c00     0        0     0        0  c0600040  RW- IDATA
  "/16"       71000       47      200    68e00     0        0     0        0  40300040  R-- IDATA
  .data       72000    242b4    24400    69000     0        0     0        0  c0600040  RW- IDATA
  "/27"       97000      316      400    8d400     0        0     0        0  40300040  R-- IDATA
  .dynamic    98000       80      200    8d800     0        0     0        0  c0300040  RW- IDATA
  .rel        99000     96f8     9800    8da00     0        0     0        0  40300040  R-- IDATA
  .sbat       a3000       c6      200    97200     0        0     0        0  40100040  R-- IDATA

Code section is not writable: OK

SBAT:

shimx64.efi

shimx64.efi:     file format pei-x86-64

Contents of section .sbat:
 d4000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d4010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d4020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d4030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d4040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d4050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d4060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d4070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d4080 696d0a73 68696d2e 4d465a45 4e776f72  im.shim.MFZENwor
 d4090 6b732c31 2c4d6963 726f466f 6375732c  ks,1,MicroFocus,
 d40a0 7368696d 2c31352e 372c6874 7470733a  shim,15.7,https:
 d40b0 2f2f7777 772e6d69 63726f66 6f637573  //www.microfocus
 d40c0 2e636f6d 2f0a                        .com/.          

shimx64.efi:     file format pei-x86-64

Contents of section .sbatlevel:
 88000 00000000 08000000 22000000 73626174  ........"...sbat
 88010 2c312c32 30323230 35323430 300a6772  ,1,2022052400.gr
 88020 75622c32 0a007362 61742c31 2c323032  ub,2..sbat,1,202
 88030 32313131 3530300a 7368696d 2c320a67  2111500.shim,2.g
 88040 7275622c 330a00                      rub,3..         

shimx64.efi

shimia32.efi:     file format pei-i386

Contents of section .sbat:
 a3000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 a3010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 a3020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 a3030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 a3040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 a3050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 a3060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 a3070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 a3080 696d0a73 68696d2e 4d465a45 4e776f72  im.shim.MFZENwor
 a3090 6b732c31 2c4d6963 726f466f 6375732c  ks,1,MicroFocus,
 a30a0 7368696d 2c31352e 372c6874 7470733a  shim,15.7,https:
 a30b0 2f2f7777 772e6d69 63726f66 6f637573  //www.microfocus
 a30c0 2e636f6d 2f0a                        .com/.          

shimia32.efi:     file format pei-i386

Contents of section .sbatlevel:
 71000 00000000 08000000 22000000 73626174  ........"...sbat
 71010 2c312c32 30323230 35323430 300a6772  ,1,2022052400.gr
 71020 75622c32 0a007362 61742c31 2c323032  ub,2..sbat,1,202
 71030 32313131 3530300a 7368696d 2c320a67  2111500.shim,2.g
 71040 7275622c 330a00                      rub,3..         

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.MFZENworks,1,MicroFocus,shim,15.7,https://www.microfocus.com/

---

Certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fc:dc:0d:af:d2:cf:c3:bc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Micro Focus
        Validity
            Not Before: Apr 14 00:13:05 2021 GMT
            Not After : Apr 12 00:13:05 2031 GMT
        Subject: CN = Micro Focus
        Subject Public Key Info:

[THS-on]

@ClaudioGranatiero-10zig thanks for taking a look. Marking now as accepted

[THS-on]

What is the status of this? Did you get a signed shim back or are you creating a new submission for 15.8?

[MuthuvelKuppusamy]

We are going to submit the new request for 15.8.