
Shim 15.7 for Adaptech s.r.o. #335

Closed
8 tasks done
rehakp opened this issue May 31, 2023 · 16 comments
Labels
accepted Submission is ready for sysdev

Comments

@rehakp

rehakp commented May 31, 2023

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files - enable_nx.patch
  • any extra patches to grub via your own git tree or as files - https://github.com/rehakp/shim-review/blob/adaptech-shim-x86_64-20231127/grub-gentoo
  • build logs - in the logs/ subdirectory
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/rehakp/shim-review/tree/adaptech-shim-x86_64-20231127


What is the SHA256 hash of your final SHIM binary?


170bb326192ac637137df71a0fa1916e0a243308cb0bdfc66ff285580282bd4c


What is the link to your previous shim review request (if any, otherwise N/A)?


#248

@dennis-tseng99
Collaborator

dennis-tseng99 commented Jun 4, 2023

I am not an official reviewer. I just want to help and learn.

  • Reproducibility is okay. To make sure your make procedure is correct, I reviewed make_shim.sh and checked some details:
ld -o shimx64.so --hash-style=sysv -nostdlib -znocombreloc -T /shim-15.7/elf_x86_64_efi.lds -shared -Bsymbolic -Lgnu-efi/x86_64/gnuefi -Lgnu-efi/x86_64/lib -LCryptlib -LCryptlib/OpenSSL gnu-efi/x86_64/gnuefi/crt0-efi-x86_64.o --build-id=sha1  --no-undefined shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o sbat_var.o pe.o httpboot.o csv.o load-options.o Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a gnu-efi/x86_64/lib/libefi.a gnu-efi/x86_64/gnuefi/libgnuefi.a -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group /usr/lib/gcc/x86_64-linux-gnu/11/libgcc.a lib/lib.a
gcc -std=gnu11 -Og -g3 -Wall -Wextra -Wno-missing-field-initializers -Werror -o post-process-pe /shim-15.7/post-process-pe.c
objcopy -D -j .text -j .sdata -j .data -j .data.ident \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame \
        -j .vendor_cert -j .sbat -j .sbatlevel \
        --target efi-app-x86_64 shimx64.so shimx64.efi
./post-process-pe -vv  shimx64.efi
  • Hash value is okay.
    c5ae0d41bbbab851d628cbf9d75e7563ce457883833d14a3d267a796c3492310 /shim-review/shimx64.efi
    c5ae0d41bbbab851d628cbf9d75e7563ce457883833d14a3d267a796c3492310 shimx64.efi

  • sbat seems okay for me:

 d4000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d4010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d4020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d4030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d4040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d4050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d4060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d4070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d4080 696d0a73 68696d2e 61646170 74656368  im.shim.adaptech
 d4090 2c312c41 64617074 65636820 732e722e  ,1,Adaptech s.r.
 d40a0 6f2e2c73 68696d2c 31352e37 2c696e66  o.,shim,15.7,inf
 d40b0 6f406164 61707465 63682e63 7a0a      o@adaptech.cz.
  • sbatlevel has no binutils issue
 88000 00000000 08000000 22000000 73626174  ........"...sbat
 88010 2c312c32 30323230 35323430 300a6772  ,1,2022052400.gr
 88020 75622c32 0a007362 61742c31 2c323032  ub,2..sbat,1,202
 88030 32313131 3530300a 7368696d 2c320a67  2111500.shim,2.g
 88040 7275622c 330a00                      rub,3..
  • CA validity will expire soon (Sep 9, 2023). Would you please prolong it?

shim-review# openssl x509 -in Adaptech.cer -inform der -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3f:54:a6:80:31:fb:26:aa:8f:00:8b:05:b4:bf:3c:e2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Code Signing CA
Validity
Not Before: Sep 9 00:00:00 2020 GMT
Not After : Sep 9 23:59:59 2023 GMT
Subject: serialNumber = 271 96 992, jurisdictionC = CZ, businessCategory = Private Organization, C = CZ, postalCode = 15800, ST = "Praha, Hlavn\C3\AD m\C4\9Bsto", L = Praha, street = Praha 5 - Stodulky, street = Smet\C3\A1\C4\8Dkova 1484/2, O = Adaptech s.r.o., CN = Adaptech s.r.o.

  • check whether DllCharacteristics is set to 0x0100
> hexdump -n 0x120 -C shimx64.efi 
00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 80 00 00 00  |................|
00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000080  50 45 00 00 64 86 0a 00  00 00 00 00 00 8c 0c 00  |PE..d...........|
00000090  50 0e 00 00 f0 00 06 02  0b 02 02 26 00 14 06 00  |P..........&....|
000000a0  00 74 06 00 00 00 00 00  00 30 02 00 00 30 02 00  |.t.......0...0..|
000000b0  00 00 00 00 00 00 00 00  00 10 00 00 00 02 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  00 50 0d 00 00 04 00 00  99 64 0f 00 0a 00 00 01  |.P.......d......| <--- DllCharacteristics
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120
  • You have screenshots showing each section in the shimx64.efi binary. Good job!

@aronowski
Collaborator

Good job with the review!

The technicalities have already been provided by @dennis-tseng99, but I'd like to point out how well this review has been written.

For starters, the company seems to have a deep understanding of how SBAT works. Everything, that is, the decision behind using grub.adaptech,4, has been justified, and the process of updating generation numbers has been properly explained.

The company proves its experience working with source code and porting patches. I primarily focus on the company's GRUB2 entry, where Gentoo is used for building and the required assets are provided in the grub-gentoo directory. And let's keep in mind that we only see the tip of the iceberg since, as far as I understand, the development is being worked on internally.

For now only shim needs to be NX-compatible, but there's already an NX-compatible kernel provided, as well as the description of hard work being done on making GRUB2 NX-compatible. To sum it up, there has been more work done than enough!

The only thing I'm a bit worried about is the certificate, which expires soon, but I believe this is due to the company using an external Certificate Authority rather than generating its own.

Again, good job, and I hope the review goes well for you!

@THS-on
Collaborator

THS-on commented Oct 3, 2023

Unfortunately I cannot reproduce the shim using the Dockerfile (switched the hexdump and sha256sum steps):

#10 [6/8] RUN sha256sum /shim-review/shimx64.efi && sha256sum shimx64.efi
#10 0.427 c5ae0d41bbbab851d628cbf9d75e7563ce457883833d14a3d267a796c3492310  /shim-review/shimx64.efi
#10 0.437 328ee9afef4e14f59c5cb245b5dd1461cceaf3a3ba3797a4952a19f961e71e8e  shimx64.efi
#10 DONE 0.5s

This is likely because of a compiler update. Regarding the EV certificate being expired: for the shim this should still be fine because time checks are disabled (https://github.com/rhboot/shim/blob/7ba7440c49d32f911fb9e1c213307947a777085d/Cryptlib/Pk/CryptPkcs7Verify.c#L952), but for the submission to MS you'll need a valid certificate.

@THS-on THS-on added the bug Problem with the review that must be fixed before it will be accepted label Oct 3, 2023
@rehakp
Author

rehakp commented Oct 17, 2023

Hello @THS-on, all should be OK, first post updated. Many enhancements and fixes done including ephemeral kernel keys, our brand new EV code signing certificate and much more. Everything should be reproducible and much better organized now.

@THS-on THS-on self-assigned this Oct 24, 2023
@THS-on
Collaborator

THS-on commented Oct 24, 2023

I'll try to do a full review later this week, but here are already some notes:

  • The certificate now looks good
  • Trying to build the shim with docker build . --progress plain --no-cache fails with:
#9 [5/7] RUN ./make_shim.sh
#9 ERROR: process "/bin/sh -c ./make_shim.sh" did not complete successfully: exit code: 1
------
 > [5/7] RUN ./make_shim.sh:
------
Dockerfile:10
--------------------
   8 |     
   9 |     WORKDIR /shim-review
  10 | >>> RUN ./make_shim.sh
  11 |     
  12 |     RUN hexdump -Cv shimx64.efi > orig && \
--------------------
ERROR: failed to solve: process "/bin/sh -c ./make_shim.sh" did not complete successfully: exit code: 1
  • Can you reproduce that issue on your side? Which Docker version are you using?
  • For the build script wget is not installed and therefore
  • We currently have no accepted submission of upstream Gentoo GRUB. Can you make a list of which patches fix which CVEs and cross-check against either Fedora or Debian in case some are missing? This makes it simpler for me to review those 65 patches.
  • If you also include all the necessary patches for the new NTFS CVEs, you can increase the GRUB upstream SBAT to 4
  • If you want to revoke your old GRUB versions in the shim, you currently need to add a patch similar to rhboot/shim@cca3933

@dennis-tseng99
Collaborator

@rehakp To skip the error, I modified the Dockerfile and found that your build result shimx64.efi differs from the original one:

  • Dockerfile modified:
RUN hexdump -Cv /shim-review/shimx64.efi > orig && \
    hexdump -Cv shimx64.efi > build && \
    ls -l orig && \
    ls -l build
    #diff -u orig build
RUN sha256sum /shim-review/shimx64.efi && \
sha256sum shimx64.efi
  • Hash values do not match:
    build cmd: podman build --build-arg ARCHITECTURE=x86_64 -t ubuntu:15.7
STEP 7/8: RUN hexdump -Cv /shim-review/shimx64.efi > orig &&     hexdump -Cv shimx64.efi > build &&     ls -l orig &&     ls -l build
-rw-r--r-- 1 root root 4683512 Oct 25 16:08 orig
-rw-r--r-- 1 root root 4683512 Oct 25 16:08 build
--> 3cfdc0a7966
STEP 8/8: RUN sha256sum /shim-review/shimx64.efi && sha256sum shimx64.efi
4a1fb79dc5bbefcb5e93e9c9fe321f44117ed33f4cebdf768d527b5782046a92  /shim-review/shimx64.efi
4a515479459db09a6fc951203baa91c3e632eb125085c3b2e8e7fbd4f486f362  shimx64.efi

@rehakp
Author

rehakp commented Nov 3, 2023

To answer comments above:

  • I tried to build again (using podman), with --no-cache, to reproduce your observation, with no luck - I can build everything OK. I was starting from my repo working copy. My podman has the /etc/containers/registries.conf containing unqualified-search-registries = ["docker.io"]. What could be wrong here?
  • I have created a document called grub-gentoo/backports-description.md that should explain most of the Gentoo patches by associating them to well-known GRUB packages and their patches.
  • I have bumped the global SBAT generation for GRUB to 4 as advised as the NTFS patches are being included.
  • As for the Shim patch to reject GRUB whose SBAT is less than 4, I am not applying it for now because we haven't distributed any older GRUB to the public, just to our customers (individuals). Should I include it regardless of that matter, how should I handle dates in that patch (rhboot/shim@cca3933)? They seem a bit outdated to me. What do they mean?
  • README.md updated to reflect changes.

@rehakp
Author

rehakp commented Nov 21, 2023

Hello @THS-on and @dennis-tseng99,
I have finally managed to spot an issue in my repo that was preventing you from reviewing it. The 1st post has been updated and all should work now - I tried to clone it myself and just run podman as before with no problems.

@dennis-tseng99
Collaborator

@rehakp Sorry for the late response due to a busy project.
Your binary can be reproduced now. Good job!

............
STEP 7/7: RUN sha256sum shimx64.efi &&     sha256sum tmp/shimx64.efi
170bb326192ac637137df71a0fa1916e0a243308cb0bdfc66ff285580282bd4c  shimx64.efi
170bb326192ac637137df71a0fa1916e0a243308cb0bdfc66ff285580282bd4c  tmp/shimx64.efi
COMMIT adaptech:15.7
--> 5a136c9f73f
[Warning] one or more build args were not consumed: [ARCHITECTURE]
Successfully tagged localhost/adaptech:15.7
5a136c9f73fbbc7a516ba18c3113c009da3ecf1f2675048d7e95c35e6ec75e89

I will continue reviewing the rest. Thanks for your patience.

@dennis-tseng99
Collaborator

dennis-tseng99 commented Nov 25, 2023

===== Review for Shim 15.7 for Adaptech s.r.o. #335 ======

  • Binary is reproducible
  • Hash values match:
170bb326192ac637137df71a0fa1916e0a243308cb0bdfc66ff285580282bd4c  shimx64.efi
170bb326192ac637137df71a0fa1916e0a243308cb0bdfc66ff285580282bd4c  tmp/shimx64.efi
  • extra patch:
    There is only one extra patch for NX flag setting (enable_nx.patch) which is good.
    Please also note that enabling NX is good but is not a MUST currently if your grub2 and kernel (NX chain) are not ready yet.

  • NX flag is enabled, 4K alignment is set, and R/W sections are correct:

objdump -x shimx64.efi | grep -E 'SectionAlignment|DllCharacteristics'

SectionAlignment        00001000
DllCharacteristics      00000100

hexdump -n 0x0120 -C shimx64.efi

00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 80 00 00 00  |................|
00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000080  50 45 00 00 64 86 0a 00  00 00 00 00 00 88 0c 00  |PE..d...........|
00000090  50 0e 00 00 f0 00 06 02  0b 02 02 26 00 14 06 00  |P..........&....|
000000a0  00 70 06 00 00 00 00 00  00 30 02 00 00 30 02 00  |.p.......0...0..|
000000b0  00 00 00 00 00 00 00 00  00 10 00 00 00 02 00 00  |................| <-- SectAlig=0x00001000=4096 (4K alignment)
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  00 50 0d 00 00 04 00 00  79 55 0f 00 0a 00 00 01  |.P......yU......| <-- DllCharacteristics=0x0100
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120

objdump -x shimx64.efi

Idx Name          Size      VMA               LMA               File off  Algn
  0 .eh_frame     0001db44  0000000000005000  0000000000005000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text         0006120a  0000000000023000  0000000000023000  0001e000  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc        0000000a  0000000000085000  0000000000085000  0007f400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data.ident   00000086  0000000000087000  0000000000087000  0007f600  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  4 .sbatlevel    00000047  0000000000088000  0000000000088000  0007f800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .data         0002ce74  0000000000089000  0000000000089000  0007fa00  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  6 .vendor_cert  000003fd  00000000000b6000  00000000000b6000  000aca00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynamic      00000100  00000000000b7000  00000000000b7000  000ace00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  8 .rela         0001b468  00000000000b8000  00000000000b8000  000ad000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .sbat         000000be  00000000000d4000  00000000000d4000  000c8600  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  • SBAT is okay; no binutils extra NUL character problem

objdump -j .sbatlevel -s shimx64.efi

.sbatlevel section
 88000 00000000 08000000 22000000 73626174  ........"...sbat
 88010 2c312c32 30323230 35323430 300a6772  ,1,2022052400.gr
 88020 75622c32 0a007362 61742c31 2c323032  ub,2..sbat,1,202
 88030 32313131 3530300a 7368696d 2c320a67  2111500.shim,2.g
 88040 7275622c 330a00                      rub,3..
 
 sbat,1,2022052400
 grub,2
 sbat,1,2022111500
 shim,2
 grub,3

objdump -s -j .sbat shimx64.efi

.sbat section:
 d4000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d4010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d4020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d4030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d4040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d4050 2c332c55 45464920 7368696d 2c736869  ,3,UEFI shim,shi
 d4060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d4070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d4080 696d0a73 68696d2e 61646170 74656368  im.shim.adaptech
 d4090 2c312c41 64617074 65636820 732e722e  ,1,Adaptech s.r.
 d40a0 6f2e2c73 68696d2c 31352e37 2c696e66  o.,shim,15.7,inf
 d40b0 6f406164 61707465 63682e63 7a0a      o@adaptech.cz.
 
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
 shim.adaptech,1,Adaptech s.r.o.,shim,15.7,[email protected]
  • Certificate Validity:
    The certificate is an EV signed by Sectigo, so the 3-year validity is not too short. And the issuer is Sectigo with policy OID 6449, which matches the company name - COMODO (previous) or Sectigo.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:6b:56:10:72:8e:e9:9a:4f:02:1d:b3:1c:ab:1a:e2
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = GB, O = Sectigo Limited, CN = Sectigo Public Code Signing CA EV E36
        Validity
            Not Before: Aug 14 00:00:00 2023 GMT
            Not After : Aug 13 23:59:59 2026 GMT
        ...........
       X509v3 extensions:
            X509v3 Authority Key Identifier: 
                1A:74:A4:38:D7:B9:B6:0E:B3:5B:FA:DC:5E:AE:3F:B6:F0:73:3D:88
            X509v3 Subject Key Identifier: 
                1D:10:24:EF:51:28:6B:02:04:CE:A5:0C:F8:A6:7C:A1:5C:4C:76:7D
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.1.6.1   <--------------
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.3

This release is acceptable to me, but I would like to invite @aronowski, @THS-on or other experts to help speed up this review, although the reviewing job reduces the time we have for our own project.
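The header checks in the review above (SectionAlignment at optional-header offset 32, DllCharacteristics at offset 70 with NX_COMPAT = 0x0100, Subsystem 10 = EFI application) can be automated instead of being read off a hexdump. The script below is an added example, not code from the shim-review repository or from shim itself: build_sample_pe() constructs a minimal PE32+ image for the demo, and SAMPLE_SBAT is a constructed placeholder in the same CSV layout as the .sbat dump above.

```python
"""Parse the PE32+ headers of an EFI binary and report the fields shim reviewers check."""
import struct

PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PAGE_SIZE = 0x1000

# Constructed .sbat payload (same layout as the real section, placeholder content).
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)


def build_sample_pe(section_alignment=PAGE_SIZE,
                    dll_characteristics=IMAGE_DLLCHARACTERISTICS_NX_COMPAT):
    """Build a tiny but well-formed PE32+ EFI image with a .text and a .sbat section (demo only)."""
    file_alignment = 0x200
    headers_size = 0x200                       # DOS stub + PE headers + section table fit in one unit
    payloads = [(b".text", b"\xc3" * 16, 0x60000020),   # CODE | EXECUTE | READ
                (b".sbat", SAMPLE_SBAT, 0x40000040)]    # INITIALIZED_DATA | READ
    section_table, raw_data = b"", b""
    raw_ptr, vaddr = headers_size, PAGE_SIZE
    for name, body, flags in payloads:
        raw_size = -(-len(body) // file_alignment) * file_alignment   # round up to FileAlignment
        section_table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), vaddr,
                                     raw_size, raw_ptr, 0, 0, 0, 0, flags)
        raw_data += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += PAGE_SIZE
    optional = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                           PE32PLUS_MAGIC, 0, 0,            # Magic, linker major/minor
                           0, 0, 0, PAGE_SIZE, PAGE_SIZE,   # code/data sizes, entry point, base of code
                           0,                               # ImageBase
                           section_alignment, file_alignment,
                           0, 0, 0, 0, 0, 0, 0,             # OS/image/subsystem versions, Win32VersionValue
                           vaddr, headers_size, 0,          # SizeOfImage, SizeOfHeaders, CheckSum
                           IMAGE_SUBSYSTEM_EFI_APPLICATION, dll_characteristics,
                           0, 0, 0, 0, 0, 16)               # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    optional += b"\0" * (16 * 8)               # 16 empty data directories
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(payloads), 0, 0, 0,
                       len(optional), 0x022E)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80, as in shimx64.efi
    headers = dos + b"PE\0\0" + coff + optional + section_table
    assert len(headers) <= headers_size
    return headers.ljust(headers_size, b"\0") + raw_data


def parse_pe(data):
    """Return the header fields of interest and a {name: bytes} map of section contents."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ images are handled here")
    # On the shimx64.efi dumped above these land at file offsets 0xb8 and 0xdc/0xde.
    section_alignment, file_alignment = struct.unpack_from("<II", data, opt + 32)
    subsystem, dll_characteristics = struct.unpack_from("<HH", data, opt + 68)
    sections = {}
    for i in range(nsections):
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data,
                                                               opt + opt_size + 40 * i)
        # VirtualSize is the real length; SizeOfRawData is padded to FileAlignment.
        sections[name.rstrip(b"\0").decode()] = data[raw_ptr:raw_ptr + min(vsize, raw_size)]
    return {"machine": machine, "subsystem": subsystem,
            "section_alignment": section_alignment, "file_alignment": file_alignment,
            "dll_characteristics": dll_characteristics, "sections": sections}


def review_checks(data):
    """The three yes/no checks from the review: NX bit, 4K section alignment, .sbat present."""
    info = parse_pe(data)
    return {"nx_compat": bool(info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "page_aligned": info["section_alignment"] == PAGE_SIZE,
            "has_sbat": ".sbat" in info["sections"]}


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(image)
    print(f"SectionAlignment   {info['section_alignment']:08x}")
    print(f"DllCharacteristics {info['dll_characteristics']:08x}")
    print(review_checks(image))
```

Run it with the path of a real shimx64.efi as the only argument to print the two fields in the same format as the objdump lines above, plus the three verdicts; the sections map also gives the raw .sbat and .sbatlevel bytes for inspection without a hexdump.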

@aronowski
Collaborator

I would like to invite @aronowski, @THS-on or other experts for help to speed up this reviewing

Alright, self-assigning this one.

I'll try my best and do this ASAP, despite already having some delays with older applications due to some personal issues I've been dealing with for some time, that take lots of time and energy.

Let's see who can handle this application first and once it's reviewed, most likely label it as accepted (we've reviewed it back then and I wrote how well this application has been written).

@aronowski aronowski self-assigned this Nov 25, 2023
@aronowski
Collaborator

There seems to be some confusion on the NX-related requirements and exceptions, but since we've been accepting applications that have the bit enabled, while the whole chain is not yet ready, I think we should continue on, unless an official announcement from Microsoft is there to prove that we should be doing otherwise.

I've checked the application and there's just one error - since the GRUB2 global generation number has been bumped from 3 to 4, let's change grub.adaptech,5 to grub.adaptech,1 - just this one number in the README.

And once that's done and no new requirements are made public, I'm tagging the application as accepted, so we can celebrate at last!

@rehakp
Author

rehakp commented Nov 27, 2023

Hi @aronowski,
for the sake of completeness I've updated not just the README, but all of the places referencing either the vendor SBAT 5 to say 1 or the GRUB OEM revision to say 86. To ease reviewing, I've made a hex dump diff of two grubx64.efi revisions - one from the previous commit, and the new one having both numbers updated. The hex dump is as follows (the ASCII representation on the right should be the most informative part):

--- ../grubold	2023-11-27 09:35:11.861874797 +0100
+++ grubnew	2023-11-27 09:47:06.851837518 +0100
@@ -35421,7 +35421,7 @@
 0008a5c0  3e 00 67 72 75 62 3e 00  6e 6f 74 20 69 6e 20 6e  |>.grub>.not in n|
 0008a5d0  6f 72 6d 61 6c 20 65 6e  76 69 72 6f 6e 6d 65 6e  |ormal environmen|
 0008a5e0  74 00 47 4e 55 20 47 52  55 42 20 20 76 65 72 73  |t.GNU GRUB  vers|
-0008a5f0  69 6f 6e 20 25 73 00 32  2e 30 36 2d 72 38 34 00  |ion %s.2.06-r84.|
+0008a5f0  69 6f 6e 20 25 73 00 32  2e 30 36 2d 72 38 36 00  |ion %s.2.06-r86.|
 0008a600  70 72 65 66 69 78 00 63  6f 6e 66 69 67 5f 66 69  |prefix.config_fi|
 0008a610  6c 65 00 63 6f 6e 66 69  67 5f 64 69 72 65 63 74  |le.config_direct|
 0008a620  6f 72 79 00 72 6f 6f 74  00 28 25 73 29 25 73 00  |ory.root.(%s)%s.|
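Review bot: Only the embedded version string at 0x8a5f0 changes in this hunk (2.06-r84 -> 2.06-r86), i.e. the OEM revision bump announced in the comment; every surrounding offset is identical, which is consistent with a rebuild of unchanged sources with just the revision edited.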
@@ -35455,7 +35455,7 @@
 0008a7e0  5f 76 65 72 00 32 00 67  72 75 62 5f 76 65 72 5f  |_ver.2.grub_ver_|
 0008a7f0  6d 61 6a 6f 72 00 30 36  00 67 72 75 62 5f 76 65  |major.06.grub_ve|
 0008a800  72 5f 6d 69 6e 6f 72 00  67 72 75 62 5f 76 65 72  |r_minor.grub_ver|
-0008a810  5f 67 69 74 5f 63 6f 6d  6d 69 74 00 72 38 34 00  |_git_commit.r84.|
+0008a810  5f 67 69 74 5f 63 6f 6d  6d 69 74 00 72 38 36 00  |_git_commit.r86.|
 0008a820  67 72 75 62 5f 76 65 72  5f 6f 65 6d 00 66 65 61  |grub_ver_oem.fea|
 0008a830  74 75 72 65 5f 63 68 61  69 6e 6c 6f 61 64 65 72  |ture_chainloader|
 0008a840  5f 62 70 62 00 66 65 61  74 75 72 65 5f 6e 74 6c  |_bpb.feature_ntl|
@@ -55758,7 +55758,7 @@
 000d9cd0  6c 6f 63 61 74 69 6f 6e  20 66 61 69 6c 65 64 20  |location failed |
 000d9ce0  25 64 0a 00 2f 76 61 72  2f 74 6d 70 2f 70 6f 72  |%d../var/tmp/por|
 000d9cf0  74 61 67 65 2f 73 79 73  2d 62 6f 6f 74 2f 67 72  |tage/sys-boot/gr|
-000d9d00  75 62 2d 32 2e 30 36 2d  72 38 34 2f 77 6f 72 6b  |ub-2.06-r84/work|
+000d9d00  75 62 2d 32 2e 30 36 2d  72 38 36 2f 77 6f 72 6b  |ub-2.06-r86/work|
 000d9d10  2f 67 72 75 62 2d 32 2e  30 36 2f 67 72 75 62 2d  |/grub-2.06/grub-|
 000d9d20  63 6f 72 65 2f 6c 69 62  2f 72 65 6c 6f 63 61 74  |core/lib/relocat|
 000d9d30  6f 72 2e 63 00 25 73 3a  25 64 20 66 72 65 65 20  |or.c.%s:%d free |
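Review bot: From this hunk onwards the r84 -> r86 differences are Portage build paths (/var/tmp/portage/sys-boot/grub-2.06-r86/work/...) that end up in the binary next to assert-style '%s:%d' format strings from relocator.c, gnulib and libgcrypt. Harmless, but it means the build directory name is an input to the reproducible build: anyone re-running the build must use the same ebuild revision or the hash will not match.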
@@ -77202,12 +77202,12 @@
 0012d910  66 61 69 6c 65 64 20 61  74 20 25 73 3a 25 64 0a  |failed at %s:%d.|
 0012d920  00 2f 76 61 72 2f 74 6d  70 2f 70 6f 72 74 61 67  |./var/tmp/portag|
 0012d930  65 2f 73 79 73 2d 62 6f  6f 74 2f 67 72 75 62 2d  |e/sys-boot/grub-|
-0012d940  32 2e 30 36 2d 72 38 34  2f 77 6f 72 6b 2f 67 72  |2.06-r84/work/gr|
+0012d940  32 2e 30 36 2d 72 38 36  2f 77 6f 72 6b 2f 67 72  |2.06-r86/work/gr|
 0012d950  75 62 2d 32 2e 30 36 2f  67 72 75 62 2d 63 6f 72  |ub-2.06/grub-cor|
 0012d960  65 2f 6c 69 62 2f 67 6e  75 6c 69 62 2f 72 65 67  |e/lib/gnulib/reg|
 0012d970  63 6f 6d 70 2e 63 00 2f  76 61 72 2f 74 6d 70 2f  |comp.c./var/tmp/|
 0012d980  70 6f 72 74 61 67 65 2f  73 79 73 2d 62 6f 6f 74  |portage/sys-boot|
-0012d990  2f 67 72 75 62 2d 32 2e  30 36 2d 72 38 34 2f 77  |/grub-2.06-r84/w|
+0012d990  2f 67 72 75 62 2d 32 2e  30 36 2d 72 38 36 2f 77  |/grub-2.06-r86/w|
 0012d9a0  6f 72 6b 2f 67 72 75 62  2d 32 2e 30 36 2f 67 72  |ork/grub-2.06/gr|
 0012d9b0  75 62 2d 63 6f 72 65 2f  6c 69 62 2f 67 6e 75 6c  |ub-core/lib/gnul|
 0012d9c0  69 62 2f 72 65 67 65 78  65 63 2e 63 00 61 6c 70  |ib/regexec.c.alp|
@@ -88336,7 +88336,7 @@
 001590f0  6e 20 6e 6f 72 6d 61 6c  20 6d 70 69 0a 00 2f 76  |n normal mpi../v|
 00159100  61 72 2f 74 6d 70 2f 70  6f 72 74 61 67 65 2f 73  |ar/tmp/portage/s|
 00159110  79 73 2d 62 6f 6f 74 2f  67 72 75 62 2d 32 2e 30  |ys-boot/grub-2.0|
-00159120  36 2d 72 38 34 2f 77 6f  72 6b 2f 67 72 75 62 2d  |6-r84/work/grub-|
+00159120  36 2d 72 38 36 2f 77 6f  72 6b 2f 67 72 75 62 2d  |6-r86/work/grub-|
 00159130  32 2e 30 36 2f 67 72 75  62 2d 63 6f 72 65 2f 6c  |2.06/grub-core/l|
 00159140  69 62 2f 6c 69 62 67 63  72 79 70 74 2d 67 72 75  |ib/libgcrypt-gru|
 00159150  62 2f 6d 70 69 2f 6d 70  69 75 74 69 6c 2e 63 00  |b/mpi/mpiutil.c.|
@@ -88348,7 +88348,7 @@
 001591b0  6e 20 62 79 20 7a 65 72  6f 00 2f 76 61 72 2f 74  |n by zero./var/t|
 001591c0  6d 70 2f 70 6f 72 74 61  67 65 2f 73 79 73 2d 62  |mp/portage/sys-b|
 001591d0  6f 6f 74 2f 67 72 75 62  2d 32 2e 30 36 2d 72 38  |oot/grub-2.06-r8|
-001591e0  34 2f 77 6f 72 6b 2f 67  72 75 62 2d 32 2e 30 36  |4/work/grub-2.06|
+001591e0  36 2f 77 6f 72 6b 2f 67  72 75 62 2d 32 2e 30 36  |6/work/grub-2.06|
 001591f0  2f 67 72 75 62 2d 63 6f  72 65 2f 6c 69 62 2f 6c  |/grub-core/lib/l|
 00159200  69 62 67 63 72 79 70 74  2d 67 72 75 62 2f 6d 70  |ibgcrypt-grub/mp|
 00159210  69 2f 6d 70 69 2d 70 6f  77 2e 63 00 21 62 70 5f  |i/mpi-pow.c.!bp_|
@@ -88356,7 +88356,7 @@
 00159230  72 00 72 65 73 2d 3e 64  20 3d 3d 20 72 70 00 2f  |r.res->d == rp./|
 00159240  76 61 72 2f 74 6d 70 2f  70 6f 72 74 61 67 65 2f  |var/tmp/portage/|
 00159250  73 79 73 2d 62 6f 6f 74  2f 67 72 75 62 2d 32 2e  |sys-boot/grub-2.|
-00159260  30 36 2d 72 38 34 2f 77  6f 72 6b 2f 67 72 75 62  |06-r84/work/grub|
+00159260  30 36 2d 72 38 36 2f 77  6f 72 6b 2f 67 72 75 62  |06-r86/work/grub|
 00159270  2d 32 2e 30 36 2f 67 72  75 62 2d 63 6f 72 65 2f  |-2.06/grub-core/|
 00159280  6c 69 62 2f 6c 69 62 67  63 72 79 70 74 2d 67 72  |lib/libgcrypt-gr|
 00159290  75 62 2f 6d 70 69 2f 6d  70 69 2d 6d 70 6f 77 2e  |ub/mpi/mpi-mpow.|
@@ -88368,7 +88368,7 @@
 001592f0  49 5f 4e 55 4c 4c 5d 00  2d 00 30 00 25 73 3a 00  |I_NULL].-.0.%s:.|
 00159300  0a 00 2f 76 61 72 2f 74  6d 70 2f 70 6f 72 74 61  |../var/tmp/porta|
 00159310  67 65 2f 73 79 73 2d 62  6f 6f 74 2f 67 72 75 62  |ge/sys-boot/grub|
-00159320  2d 32 2e 30 36 2d 72 38  34 2f 77 6f 72 6b 2f 67  |-2.06-r84/work/g|
+00159320  2d 32 2e 30 36 2d 72 38  36 2f 77 6f 72 6b 2f 67  |-2.06-r86/work/g|
 00159330  72 75 62 2d 32 2e 30 36  2f 67 72 75 62 2d 63 6f  |rub-2.06/grub-co|
 00159340  72 65 2f 6c 69 62 2f 6c  69 62 67 63 72 79 70 74  |re/lib/libgcrypt|
 00159350  2d 67 72 75 62 2f 6d 70  69 2f 6d 70 69 63 6f 64  |-grub/mpi/mpicod|
@@ -91448,7 +91448,7 @@
 00165370  00 00 00 00 00 00 ff e0  64 6f 5f 73 65 74 6b 65  |........do_setke|
 00165380  79 00 2f 76 61 72 2f 74  6d 70 2f 70 6f 72 74 61  |y./var/tmp/porta|
 00165390  67 65 2f 73 79 73 2d 62  6f 6f 74 2f 67 72 75 62  |ge/sys-boot/grub|
-001653a0  2d 32 2e 30 36 2d 72 38  34 2f 77 6f 72 6b 2f 67  |-2.06-r84/work/g|
+001653a0  2d 32 2e 30 36 2d 72 38  36 2f 77 6f 72 6b 2f 67  |-2.06-r86/work/g|
 001653b0  72 75 62 2d 32 2e 30 36  2f 67 72 75 62 2d 63 6f  |rub-2.06/grub-co|
 001653c0  72 65 2f 6c 69 62 2f 6c  69 62 67 63 72 79 70 74  |re/lib/libgcrypt|
 001653d0  2d 67 72 75 62 2f 63 69  70 68 65 72 2f 69 64 65  |-grub/cipher/ide|
@@ -100547,7 +100547,7 @@
 00188c20  9e 47 17 dd 66 7c ee fb  33 83 5a ad 07 bf 2d ca  |.G..f|..3.Z...-.|
 00188c30  2f 76 61 72 2f 74 6d 70  2f 70 6f 72 74 61 67 65  |/var/tmp/portage|
 00188c40  2f 73 79 73 2d 62 6f 6f  74 2f 67 72 75 62 2d 32  |/sys-boot/grub-2|
-00188c50  2e 30 36 2d 72 38 34 2f  77 6f 72 6b 2f 67 72 75  |.06-r84/work/gru|
+00188c50  2e 30 36 2d 72 38 36 2f  77 6f 72 6b 2f 67 72 75  |.06-r86/work/gru|
 00188c60  62 2d 32 2e 30 36 2f 67  72 75 62 2d 63 6f 72 65  |b-2.06/grub-core|
 00188c70  2f 6c 69 62 2f 6c 69 62  67 63 72 79 70 74 2d 67  |/lib/libgcrypt-g|
 00188c80  72 75 62 2f 63 69 70 68  65 72 2f 77 68 69 72 6c  |rub/cipher/whirl|
@@ -102659,14 +102659,14 @@
 00191020  3a 2f 2f 67 69 74 68 75  62 2e 63 6f 6d 2f 72 68  |://github.com/rh|
 00191030  62 6f 6f 74 2f 73 68 69  6d 2f 62 6c 6f 62 2f 6d  |boot/shim/blob/m|
 00191040  61 69 6e 2f 53 42 41 54  2e 6d 64 0a 67 72 75 62  |ain/SBAT.md.grub|
-00191050  2c 33 2c 46 72 65 65 20  53 6f 66 74 77 61 72 65  |,3,Free Software|
+00191050  2c 34 2c 46 72 65 65 20  53 6f 66 74 77 61 72 65  |,4,Free Software|
 00191060  20 46 6f 75 6e 64 61 74  69 6f 6e 2c 67 72 75 62  | Foundation,grub|
 00191070  2c 32 2e 30 36 2c 68 74  74 70 73 3a 2f 2f 77 77  |,2.06,https://ww|
 00191080  77 2e 67 6e 75 2e 6f 72  67 2f 73 6f 66 74 77 61  |w.gnu.org/softwa|
 00191090  72 65 2f 67 72 75 62 2f  0a 67 72 75 62 2e 61 64  |re/grub/.grub.ad|
-001910a0  61 70 74 65 63 68 2c 35  2c 41 64 61 70 74 65 63  |aptech,5,Adaptec|
+001910a0  61 70 74 65 63 68 2c 31  2c 41 64 61 70 74 65 63  |aptech,1,Adaptec|
 001910b0  68 20 73 2e 72 2e 6f 2e  2c 67 72 75 62 2c 32 2e  |h s.r.o.,grub,2.|
-001910c0  30 36 2d 72 38 34 2c 69  6e 66 6f 40 61 64 61 70  |06-r84,info@adap|
+001910c0  30 36 2d 72 38 36 2c 69  6e 66 6f 40 61 64 61 70  |06-r86,info@adap|
 001910d0  74 65 63 68 2e 63 7a 0a  00 00 00 00 00 00 00 00  |tech.cz.........|
 001910e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 001910f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
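Review bot: This hunk is the requested fix: grub,3 -> grub,4 in the upstream entry and grub.adaptech,5 -> grub.adaptech,1 in the vendor entry, with the version column following the revision (2.06-r84 -> 2.06-r86). Only the generation column feeds shim's sbatlevel comparison; the version column is informational, so the README's SBAT section should state the generation numbers and the reason the vendor counter was reset (the upstream bump to 4 already revokes every earlier build).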

1st comment updated again.
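The generation-number discussion in this thread (grub,3 -> grub,4, grub.adaptech,5 -> grub.adaptech,1, the rhboot/shim@cca3933 style sbatlevel bump) comes down to one comparison that shim makes per component. The script below is an added example, not shim's own code: it decodes a .sbatlevel section (the bytes are copied from the objdump output in the review above), parses the .sbat CSV of the old and new grubx64.efi as shown in the hex-dump diff, and applies the policy. The "future" policy string used at the end is a constructed placeholder, not a published sbatlevel.

```python
"""SBAT generation check as shim applies it: parse .sbat CSV and a .sbatlevel payload,
then decide whether a binary would be rejected."""
import csv
import io
import struct

# Bytes of the .sbatlevel section exactly as dumped in the review above.
SBATLEVEL_BLOB = bytes.fromhex(
    "00000000 08000000 22000000 73626174"
    "2c312c32 30323230 35323430 300a6772"
    "75622c32 0a007362 61742c31 2c323032"
    "32313131 3530300a 7368696d 2c320a67"
    "7275622c 330a00")

# .sbat text of the two grubx64.efi builds, transcribed from the hex-dump diff above.
SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
GRUB_SBAT_OLD = (SBAT_HEADER
                 + "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
                 + "grub.adaptech,5,Adaptech s.r.o.,grub,2.06-r84,[email protected]\n")
GRUB_SBAT_NEW = (SBAT_HEADER
                 + "grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
                 + "grub.adaptech,1,Adaptech s.r.o.,grub,2.06-r86,[email protected]\n")


def parse_sbatlevel(blob):
    """Decode .sbatlevel: u32 version, then u32 offsets of the NUL-terminated 'previous' and
    'latest' policies, measured from the byte right after the version field."""
    version, prev_off, latest_off = struct.unpack_from("<III", blob, 0)

    def cstring(off):
        start = 4 + off
        return blob[start:blob.index(b"\0", start)].decode()

    return {"version": version, "previous": cstring(prev_off), "latest": cstring(latest_off)}


def parse_csv(text):
    """'component' -> generation, from the first two columns of each non-empty row."""
    return {row[0]: int(row[1]) for row in csv.reader(io.StringIO(text)) if row}


def sbat_check(binary_sbat, policy):
    """Apply a 'component,generation' policy to a binary's .sbat text.
    Components the policy does not mention are unconstrained; a missing or
    empty .sbat is rejected outright."""
    entries = parse_csv(binary_sbat)
    if not entries:
        return False, "no usable .sbat section"
    for component, required in parse_csv(policy).items():
        have = entries.get(component)
        if have is not None and have < required:
            return False, f"{component}: generation {have} < required {required}"
    return True, "ok"


if __name__ == "__main__":
    level = parse_sbatlevel(SBATLEVEL_BLOB)
    print("latest policy:", level["latest"].splitlines())
    for label, sbat in (("old grub (grub,3 / grub.adaptech,5)", GRUB_SBAT_OLD),
                        ("new grub (grub,4 / grub.adaptech,1)", GRUB_SBAT_NEW)):
        print(label, sbat_check(sbat, level["latest"]))
    # Constructed future policy requiring grub generation 4: revokes the old build only.
    future = "sbat,1,2023000000\nshim,2\ngrub,4\n"
    print("old grub under future policy:", sbat_check(GRUB_SBAT_OLD, future))
    print("new grub under future policy:", sbat_check(GRUB_SBAT_NEW, future))
```

The check shows why the vendor generation could be reset to 1: once the upstream entry is bumped to grub,4, a policy line grub,4 already rejects every binary built before the bump (those carry grub,3), so the vendor counter only needs to distinguish builds made after it. It also shows why the shim as submitted does not revoke the older GRUB: its latest policy requires only grub,3, which the old build satisfies, which is what the rhboot/shim@cca3933 style patch mentioned earlier would change.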

@aronowski
Collaborator

Awesome!

@aronowski aronowski added accepted Submission is ready for sysdev and removed bug Problem with the review that must be fixed before it will be accepted labels Nov 27, 2023
@rehakp
Author

rehakp commented Jan 18, 2024

Closing the issue as we have just received signed Shim from Microsoft.

@rehakp rehakp closed this as completed Jan 18, 2024
@rehakp
Author

rehakp commented Jan 18, 2024

Closing the issue as we have received signed Shim from Microsoft.
