| author | Chris Coulson <chris.coulson@canonical.com> | 2022-02-28 21:29:16 +0000 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-04-05 13:37:03 -0400 |
| commit | a2da05fcb8972628bec08e4adfc13abbafc319ad (patch) | |
| tree | 7d2fbe3ee4e2cbf184510ad88d797e7998c73736 /.github/workflows | |
| parent | 448f096e5c3a139535f162dfbfe8c08c434ac742 (diff) | |
| download | efi-boot-shim-a2da05fcb8972628bec08e4adfc13abbafc319ad.tar.gz efi-boot-shim-a2da05fcb8972628bec08e4adfc13abbafc319ad.zip | |
shim: implement SBAT verification for the shim_lock protocol
This implements SBAT verification via the shim_lock protocol
by moving verification inside the existing verify_buffer()
function that is shared by both shim_verify() and handle_image().
The .sbat section is optional for code verified via the shim_lock
protocol, unlike for code that is verified and executed directly
by shim. For executables that don't have a .sbat section,
verification is skipped when using the protocol.
A vendor can enforce SBAT verification for code verified via the
shim_lock protocol by revoking all pre-SBAT binaries via a dbx
update or by using vendor_dbx and then only signing binaries that
have a .sbat section from that point.
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Diffstat (limited to '.github/workflows')
0 files changed, 0 insertions, 0 deletions
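The verification policy the commit message describes, as an added example in C that is not shim's code: it locates a .sbat section through the PE/COFF section table and reports whether SBAT checking proceeds, is skipped (shim_lock caller, no section) or fails (direct execution, no section). The enum names, find_sbat_section(), sbat_policy() and the constructed sample image are assumptions made for this example; comparing the entries of a present section against the SBAT revocation list is not shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum verify_caller { CALLER_DIRECT_EXEC, CALLER_SHIM_LOCK }; /* added example, not shim's code */
enum sbat_result { SBAT_PRESENT, SBAT_SKIPPED_OPTIONAL, SBAT_MISSING_REQUIRED, SBAT_BAD_IMAGE };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
/* Scan the PE/COFF section table (field offsets per the PE/COFF spec):
 * 1 = .sbat found (off/size set), 0 = absent, -1 = malformed or truncated image. */
static int find_sbat_section(const uint8_t *img, size_t len, size_t *off, size_t *size)
{
    if (len < 0x40) return -1;
    uint32_t pe = rd32(img + 0x3c);                          /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4)) return -1;
    uint16_t nsec = rd16(img + pe + 6), opt = rd16(img + pe + 20);
    size_t sh = (size_t)pe + 24 + opt;                       /* first section header */
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        if (sh > len || len - sh < 40) return -1;            /* truncated section table */
        if (memcmp(img + sh, ".sbat\0\0\0", 8)) continue;
        uint32_t sz = rd32(img + sh + 16), ptr = rd32(img + sh + 20);
        if (ptr > len || len - ptr < sz) return -1;          /* section data outside image */
        *off = ptr; *size = sz;
        return 1;
    }
    return 0;
}
/* SBAT step of verify_buffer() as the message describes it: mandatory for images shim
 * executes itself, optional for images checked via the shim_lock protocol. Comparing
 * a present section's entries against the SBAT revocation list is not shown here. */
enum sbat_result sbat_policy(const uint8_t *img, size_t len, enum verify_caller who, size_t *off, size_t *size)
{
    int rc = find_sbat_section(img, len, off, size);
    if (rc) return rc < 0 ? SBAT_BAD_IMAGE : SBAT_PRESENT;
    return who == CALLER_SHIM_LOCK ? SBAT_SKIPPED_OPTIONAL : SBAT_MISSING_REQUIRED;
}
/* Constructed 256-byte PE skeleton (no optional header, one section) as sample input;
 * `len` (at most 256) lets a caller hand the policy a truncated copy of it. */
enum sbat_result sample_verdict(bool with_sbat, enum verify_caller who, size_t len)
{
    uint8_t img[0x100] = { 'M', 'Z' };
    size_t off = 0, size = 0;
    img[0x3c] = 0x40; memcpy(img + 0x40, "PE\0\0", 4);      /* e_lfanew, PE signature */
    img[0x46] = 1;                                           /* NumberOfSections */
    memcpy(img + 0x58, with_sbat ? ".sbat" : ".text", 5);    /* section Name */
    img[0x58 + 16] = 4; img[0x58 + 20] = 0x80;               /* SizeOfRawData, PointerToRawData */
    memcpy(img + 0x80, "sbat", 4);
    return sbat_policy(img, len < sizeof img ? len : sizeof img, who, &off, &size);
}
```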
