rhboot/shim-review

shim-15.8 for CentOS Stream 8

Closed this issue · 5 comments

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/CentOS/shim-review/commit/4c3f4a82bc70abd56737f2c023cf6ab59120381b


What is the SHA256 hash of your final SHIM binary?


478f378b1ffa1bdea33d623cc969bd3abb1214605c4c91a01942f343dfa03a19


What is the link to your previous shim review request (if any, otherwise N/A)?


#65

Grub2 SBAT entries are wrong:

[root@rhel8 ~]# objcopy --only-section .sbat -O binary /boot/efi/EFI/redhat/grubx64.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-150.el8,mailto:secalert@redhat.com

The readme.md seems not up to date with the template. The section with ephemeral keys is missing at least.

@bstinsonmhk Could you please update your submission to match the most recent template?

No responses to questions in several months, closing

@steve-mcintyre -> They EOLed about 10 days ago :) https://www.centos.org/cl-vs-cs/ so 👍🏻
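
A structural lint for `.sbat` section contents such as the `objcopy` dump quoted earlier in this thread, as an added example that is not part of the original thread or of shim's own tooling. The function names and the rules applied (six CSV fields, positive integer generation, `sbat` entry first, last field starting with `http(s)://` or `mailto:`) are this example's assumptions, and it does not judge which generation numbers a review requires.

```python
import csv
import io
import re

# Section contents exactly as quoted in the objcopy output in this thread.
SBAT_FROM_THREAD = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.02,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,2.02-150.el8,mailto:secalert@redhat.com
"""

FIELDS = ("component", "generation", "vendor", "package", "version", "url")
# Assumption of this example: the last field is an http(s):// or mailto: URL.
URL_RE = re.compile(r"^(https?://|mailto:)\S+$")


def parse_sbat(text):
    """Return (line_number, row) pairs for the non-empty CSV rows."""
    # A raw section dump may carry NUL padding after the last entry.
    rows = csv.reader(io.StringIO(text.replace("\x00", "")))
    return [(n, row) for n, row in enumerate(rows, start=1) if row]


def lint_sbat(text):
    """Return (line_number, message) pairs for structural problems."""
    problems = []
    entries = parse_sbat(text)
    if not entries or entries[0][1][0] != "sbat":
        problems.append((1, "first entry is not the 'sbat' self-description"))
    for n, row in entries:
        if len(row) != len(FIELDS):
            problems.append((n, f"expected {len(FIELDS)} fields, got {len(row)}"))
            continue
        entry = dict(zip(FIELDS, row))
        gen = entry["generation"]
        if not gen.isdigit() or int(gen) < 1:
            problems.append((n, f"generation {gen!r} is not a positive integer"))
        if not URL_RE.match(entry["url"]):
            problems.append((n, f"malformed URL {entry['url']!r}"))
    return problems


if __name__ == "__main__":
    for line_no, message in lint_sbat(SBAT_FROM_THREAD):
        print(f"line {line_no}: {message}")
```
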