Shim 15.8 for UOS Linux (x86_64) #431

Open
8 tasks done
kyrie-z opened this issue Jul 11, 2024 · 15 comments
Labels
contact verification pending Contact verification emails have been sent, waiting on response

Comments

@kyrie-z

kyrie-z commented Jul 11, 2024

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/kyrie-z/shim-review/tree/uos-shim-15.8-amd64-20240711
https://github.com/kyrie-z/shim-review/tree/uos-shim-15.8-amd64-20240806


What is the SHA256 hash of your final SHIM binary?


958987f06da4438ab43a873e2c0dd65478299b284ad6e53ca2528524e3a069dd shimx64.efi


What is the link to your previous shim review request (if any, otherwise N/A)?


UOS shim 15.4 for x86_64 #173


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


N/A

@steve-mcintyre added the "contact verification needed" and "contact verification pending" labels and removed the "contact verification needed" label Jul 15, 2024
@steve-mcintyre
Collaborator

verification emails sent

@kyrie-z
Author

kyrie-z commented Jul 19, 2024

@steve-mcintyre Sorry for the late reply, but I want to confirm what went wrong. I did not receive the verification email about "shim review". The contact email is zhouzilong@uniontech.com.
Please confirm again whether it has been sent. Thanks!

@kyrie-z closed this as completed Jul 19, 2024
@kyrie-z reopened this Jul 19, 2024
@jclab-joseph

jclab-joseph commented Jul 30, 2024

Review of reproducibility for uos-shim-15.8-amd64-20240711

review helper : https://github.com/jclab-joseph/other-shim-reviews/tree/master/20240730-uos-shim-15.8-amd64-20240711

shim

certificate

  • Not After: Jan 16 00:00:00 2054 GMT
  • 4096 bit cert and valid for almost 30 years
  • The key is kept in a red zone room with strict physical and network isolation mechanisms. Compliant with FIPS 140-2 Level 2 security standards

grub

  • Debian's 2.06-3~deb10u4
  • ntfs module is included, sbat is grub,4.

@steve-mcintyre
Collaborator

Re-sent verification mails to

@steve-mcintyre
Collaborator

And also sending to zhouzilong@uniontech.com

Not sure where I found the yanbowen mail - maybe an older review. Sorry.

@kyrie-z
Author

kyrie-z commented Jul 31, 2024

Contact verification for zhouzilong@uniontech.com:

gages schoolboy raving preview diagramming holds results cicatrix linger sulphuring

@steve-mcintyre
Collaborator

Just waiting on the response from lichenggang@uniontech.com now.

@Zeno-sole

> Just waiting on the response from lichenggang@uniontech.com now.

The old key has expired. Can I use a new key?
new key: https://github.com/kyrie-z/shim-review/blob/uos-shim-15.8-amd64-20240711/key/ChenggangLi.pub

@steve-mcintyre
Collaborator

> > Just waiting on the response from lichenggang@uniontech.com now.
>
> The old key has expired. Can I use a new key? new key: https://github.com/kyrie-z/shim-review/blob/uos-shim-15.8-amd64-20240711/key/ChenggangLi.pub

The mail I sent was encrypted to this key, which does not appear to have expired:

pub   rsa3072/B4EE92960BB8C880 2021-04-23 [SC]
      B711456DD79BDCA3100EE9B6B4EE92960BB8C880
uid                 [ unknown] lichenggang <lichenggang@uniontech.com>
sub   rsa3072/66A6A001ED9D8D69 2021-04-23 [E]

The new key you're suggesting I use does not match the email address lichenggang@uniontech.com:

pub   rsa4096/A757694FF3D0B626 2024-07-11 [SC]
      61AE69171770E71B39D842F1A757694FF3D0B626
uid                 [ unknown] lichenggang <lichenggang@deepin.org>
sub   rsa4096/0EC1F8845EC8DD6B 2024-07-11 [E]

Please fix this.

Could you also please explain for us: what is the relationship between:

  • UnionTech Software Technology (uniontech.com)
  • UOS (chinauos.com)
  • Deepin (deepin.org)

Some consistency in UIDs and keys here is necessary.
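
The check described in the comment above (the key must not be expired and must carry a UID for the contact address being verified), as an added Python example that is not part of the thread or of the shim-review tooling. It assumes the keys were listed with `gpg --show-keys --with-colons`; the function names are hypothetical and the sample records are constructed from the listing quoted above.

```python
import re
import time

# Constructed sample in the record layout of `gpg --show-keys --with-colons`.
# Key IDs, fingerprints and UIDs are the ones quoted in the comment above;
# the epoch timestamps are constructed (midnight UTC on the listed dates).
SAMPLE = """\
pub:-:3072:1:B4EE92960BB8C880:1619136000:::
fpr:::::::::B711456DD79BDCA3100EE9B6B4EE92960BB8C880:
uid:-::::1619136000::::lichenggang <lichenggang@uniontech.com>:
sub:-:3072:1:66A6A001ED9D8D69:1619136000:::
pub:-:4096:1:A757694FF3D0B626:1720656000:::
fpr:::::::::61AE69171770E71B39D842F1A757694FF3D0B626:
uid:-::::1720656000::::lichenggang <lichenggang@deepin.org>:
sub:-:4096:1:0EC1F8845EC8DD6B:1720656000:::
"""

def parse_keys(colons):
    """Return one dict per primary key: fingerprint, expiry epoch, UID emails."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 7 is the expiration time; empty means the key never expires.
            keys.append({"fpr": None, "emails": [],
                         "expires": int(f[6]) if f[6] else None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after pub belongs to the primary key
        elif f[0] == "uid" and keys:
            m = re.search(r"<([^<>]+)>\s*$", f[9])  # field 10 is the user ID string
            if m:
                keys[-1]["emails"].append(m.group(1).lower())
    return keys

def check_contact(key, contact_email, now=None):
    """List the reasons this key cannot be used to verify contact_email."""
    now = time.time() if now is None else now
    problems = []
    if key["expires"] is not None and key["expires"] <= now:
        problems.append("expired")
    if contact_email.lower() not in key["emails"]:
        problems.append("no UID for " + contact_email)
    return problems

if __name__ == "__main__":
    for key in parse_keys(SAMPLE):
        print(key["fpr"], check_contact(key, "lichenggang@uniontech.com") or "ok")
```
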

@kyrie-z
Author

kyrie-z commented Aug 2, 2024

> Could you also please explain for us: what is the relationship between:
>
>   • UnionTech Software Technology (uniontech.com)
>   • UOS (chinauos.com)
>   • Deepin (deepin.org)

I apologize for any confusion regarding the names. Please allow me to clarify:
Deepin Technology Co., Ltd. ("Deepin Technology") is a wholly-owned subsidiary of UnionTech Software Technology Co., Ltd. ("UnionTech Software").
Deepin Technology owns the product "deepin" (product website: https://www.deepin.org/), while UnionTech Software owns the product "UOS" (product website: https://www.chinauos.com/).

@kyrie-z
Author

kyrie-z commented Aug 2, 2024

@steve-mcintyre I have updated the secondary contact email address to keep the email address consistent with the UID. Please use the new key for contact verification. Looking forward to hearing from you, thanks!
https://github.com/kyrie-z/shim-review/blob/uos-shim-15.8-amd64-20240711/README.md#who-is-the-secondary-contact-for-security-updates-etc

@steve-mcintyre
Collaborator

Mail on the way. As you've updated your submission in git, please also add a new tag and update the issue here with that new tag.

@kyrie-z
Author

kyrie-z commented Aug 6, 2024

I have created a new tag and updated the issue.
New tag: https://github.com/kyrie-z/shim-review/tree/uos-shim-15.8-amd64-20240806

@kyrie-z
Author

kyrie-z commented Aug 6, 2024

By the way, the tags uos-shim-15.8-amd64-20240711 and uos-shim-15.8-amd64-20240806 are associated with the same commit (kyrie-z/shim-review@02e5eb2). I believe that jclab-joseph's review #431 (comment) is very useful, so I'm mentioning this to avoid duplicate review efforts.
I hope this helps with your review. Thank you.

@Zeno-sole

Contact verification for lichenggang@deepin.org:

puritan segregate expatriating Alnitak homily daffodils Avalon bountiful blurted Hecuba
