efi-boot-shim.git/data, branch 15.7

Update shim's .sbat to sbat,3

2022-11-16T21:35:47+00:00

Though we don't need to bump SBAT_LEVEL for this, we've decided to change the level to 3 here in case 53509eaf2253e23bfb552e9386fd0877abe592b4 turns out to be worse than we think it is, so we can fix that easily later. Signed-off-by: Peter Jones

Update advertised sbat generation number for shim

2022-05-24T20:28:35+00:00

Signed-off-by: Jan Setje-Eilers

Fix two errant 'shim,0' outdated sbat cases.

2021-02-25T15:34:14+00:00

Two places we missed still have 0 for an sbat version - one doc and one in our data csv. This fixes those. Signed-off-by: Peter Jones

Add a .sbat section to EFI binaries

2021-02-12T17:51:32+00:00

The Secure Boot Advanced Targeting (SBAT) [0] is a Generation Number Based Revocation mechanism that is meant to replace the DBX revocation file list. Binaries must contain a .sbat data section that has a set entries, each of them consisting of UTF-8 strings as comma separated values. Allow to embed this information into the fwupd EFI binary at build time. The SBAT metadata must contain at least two entries. One that defines the SBAT version used and another one that defines the component generation. This patch adds a sbat.csv that contains these two entries and downstream users can override if additional entries are needed due changes that make them diverge from upstream code and potentially add other vulnerabilities. The same SBAT metadata is added to the fallback and MOK manager binaries because these are built from the same shim source. These need to have SBAT metadata as well to be booted if a .sbat section is mandatory. [0]: https://github.com/rhboot/shim/blob/sbat/SBAT.md Signed-off-by: Javier Martinez Canillas