<feed xmlns='http://www.w3.org/2005/Atom'>
<title>efi-boot-shim.git/include/sbat_var_defs.h, branch rolling</title>
<subtitle> (mirror of https://github.com/vyos/efi-boot-shim.git)
</subtitle>
<id>https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/'/>
<updated>2025-02-05T14:10:35+00:00</updated>
<entry>
<title>Generate and use generated_sbat_var_defs.h</title>
<updated>2025-02-05T14:10:35+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2025-02-04T01:15:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=5ae408aede0a410f28de92a5fdc5ce406f2c4515'/>
<id>urn:sha1:5ae408aede0a410f28de92a5fdc5ce406f2c4515</id>
<content type='text'>
Build changes to generate include/generated_sbat_var_defs.h from
SbatLevel_Variable.txt and use that header file. From here on
forward SbatLevel_Variable.txt should be the only place a new
revocation needs to be recorded.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>sbat: Also bump latest for grub,4 (and to todays date)</title>
<updated>2024-04-09T19:03:34+00:00</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-04-09T16:55:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=3e1394e8e6fd0071a69196230f991612a960c154'/>
<id>urn:sha1:3e1394e8e6fd0071a69196230f991612a960c154</id>
<content type='text'>
Back in January we decided to bump the SBAT level for the shim
CVE without bumping the grub level for the previous NTFS issues
- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing
the ntfs module.

Catch up on this revocation to ensure it doesn't get lost. Doing
so also allows us to remove the grub.debian,4 revocation as this
happened before grub,4 and hence is obsolete.

Also bump the date of the sbat variable to today's. Don't copy
the April 5 one to a previous selection, as it wasn't shipped
to anyone.

Signed-off-by: Julian Andres Klode &lt;julian.klode@canonical.com&gt;
</content>
</entry>
<entry>
<title>sbat: Add grub.peimage,2 to latest (CVE-2024-2312)</title>
<updated>2024-04-09T16:40:44+00:00</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-04-05T19:57:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=63edf92f8ae11b884bc7d24aecb8229cbc4ae014'/>
<id>urn:sha1:63edf92f8ae11b884bc7d24aecb8229cbc4ae014</id>
<content type='text'>
Add the previous latest level to the switch for automatic.

Signed-off-by: Julian Andres Klode &lt;julian.klode@canonical.com&gt;
</content>
</entry>
<entry>
<title>Build time selectable automatic SBATLevel revocations</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-14T04:32:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=6f395c23466a2bc08a28bbc216d6665ade0b117d'/>
<id>urn:sha1:6f395c23466a2bc08a28bbc216d6665ade0b117d</id>
<content type='text'>
The ability to automatically apply SBATLevel revocations varies
from distro to distro. This allows distros that are able to
automatically apply SBATLevel revocations when shim is updated to
select a level by supplying SBAT_AUTOMATIC_DATE=&lt;datestamp&gt; on the
make command line. Currently the following options are available:

2021030218 no revocations - useful for distros that need to rely on
                            an externally delivered revocations.efi

2022052400 grub,2

2022111500 shim,2
	   grub,3

2023012900 shim,2
           grub,3
           grub.debian,4

If no datestamp is specified the build will default to the
most recent 2023012900.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Rename "previous" revocations to "automatic"</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-14T01:59:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=30a4f3751a8da09ab0853f1a384b80096828cc34'/>
<id>urn:sha1:30a4f3751a8da09ab0853f1a384b80096828cc34</id>
<content type='text'>
When the term previous was introduced for revocations to be
automatically applied there was a hope that everytime a new
revocation was built into shim, the previous revocation could
be applied automatically. Further experience has shown the
real world to be more complex than that. The automatic payload
will realistically contain a set of revocations governed by
both the cadence at which a distro's customer base updates
as well as the severity of the issue being revoked.

This is not a functional change.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Updated Revocations for January 2024 CVEs</title>
<updated>2024-01-17T19:49:38+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-09-21T01:03:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=57c0eedfa1ebf6e2132a9cb26a7b0fcdee82557f'/>
<id>urn:sha1:57c0eedfa1ebf6e2132a9cb26a7b0fcdee82557f</id>
<content type='text'>
Since shim is inherently updated by shipping a new shim, the
latest built in revocations can include the most recent shim
revocations. Since CVE-2023-40547 is high impact, this revocation
should be available to everyone as soon as possible.

GRUB2 CVE-2023-4692 and CVE-2023-4693 are in the ntfs module that
only some vendors ship. Since some vendors did not ship an updated
GRUB2 for these issues, the revocation for these CVEs is not
included in the payload at this time.

Signed-off-by: Jan Setje-Eilers &lt;jan.setjeeilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>BS Variables for bootmgr revocations</title>
<updated>2023-12-05T18:20:00+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-04-29T02:54:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=7dfb6871b8a54710d9e9d8d56146e7c083d2e6a8'/>
<id>urn:sha1:7dfb6871b8a54710d9e9d8d56146e7c083d2e6a8</id>
<content type='text'>
This adds support for applying SkuSiPolicy UEFI BS variables. These
varaibles are needed for non-dbx based Windows revocations and are
described here:

https://support.microsoft.com/en-us/topic/kb5027455-guidance-for-blocking-vulnerable-windows-boot-managers-522bb851-0a61-44ad-aa94-ad11119c5e91

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Allow SbatLevel data from external binary</title>
<updated>2023-12-05T18:20:00+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2022-11-10T03:37:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=ea0f9dfe8ae49ead3204be4c3166b08cc96fad7e'/>
<id>urn:sha1:ea0f9dfe8ae49ead3204be4c3166b08cc96fad7e</id>
<content type='text'>
Ingest SBAT Levels from revocations binary thereby allowing level
requirements to be updated independently from shipping a new shim.
Do not automatically apply any revocations from a stock shim at
this point.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Block Debian grub binaries with SBAT &lt; 4</title>
<updated>2023-05-02T18:09:52+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2023-01-30T18:15:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=cca3933f48e3a52863322f358c2e8cb8ea80bd57'/>
<id>urn:sha1:cca3933f48e3a52863322f358c2e8cb8ea80bd57</id>
<content type='text'>
(See https://bugs.debian.org/1024617)

One of the Debian builds of grub bumped the SBAT to 3, but didn't
include the patches needed. Add "grub.debian,4" to block those
binaries.

Signed-off-by: Steve McIntyre &lt;steve@einval.com&gt;
</content>
</entry>
<entry>
<title>Bump grub's sbat requirement to grub,3</title>
<updated>2022-11-16T21:35:47+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-11-16T18:25:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=dd8be98cf0fceddd9f156d2917565b18d38c4830'/>
<id>urn:sha1:dd8be98cf0fceddd9f156d2917565b18d38c4830</id>
<content type='text'>
Due to the issues addressed in the 2022-11-15 batch of grub CVEs[0], we
need to bump the sbat version from grub.  This patch changes it from 2
to 3.

[0] https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
</feed>
