author: Chris Coulson <chris.coulson@canonical.com> 2022-02-28 21:29:16 +0000
committer: Peter Jones <pjones@redhat.com> 2022-04-05 13:37:03 -0400
commit: a2da05fcb8972628bec08e4adfc13abbafc319ad (patch)
tree: 7d2fbe3ee4e2cbf184510ad88d797e7998c73736 /.github
parent: 448f096e5c3a139535f162dfbfe8c08c434ac742 (diff)
shim: implement SBAT verification for the shim_lock protocol
This implements SBAT verification via the shim_lock protocol by moving verification inside the existing verify_buffer() function that is shared by both shim_verify() and handle_image(). The .sbat section is optional for code verified via the shim_lock protocol, unlike for code that is verified and executed directly by shim. For executables that don't have a .sbat section, verification is skipped when using the protocol. A vendor can enforce SBAT verification for code verified via the shim_lock protocol by revoking all pre-SBAT binaries via a dbx update or by using vendor_dbx and then only signing binaries that have a .sbat section from that point.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Diffstat (limited to '.github')
0 files changed, 0 insertions, 0 deletions
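The policy the commit message describes (a missing .sbat section is tolerated for shim_lock callers but not for images shim executes directly, while a present section is checked against a revocation list), as an added illustration that is not shim's own code: `parse_sbat`, `verify_sbat` and the `REVOCATIONS` table are hypothetical, and the SBAT CSV lines used in the test are constructed samples.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of one parsed .sbat record: component name and generation. */
struct sbat_entry { char component[32]; int generation; };

/* Constructed revocation policy: minimum acceptable generation per component. */
static const struct sbat_entry REVOCATIONS[] = { { "shim", 2 }, { "grub", 3 } };

enum verify_result { VERIFY_OK, VERIFY_REJECTED, VERIFY_MALFORMED };

/* Parse "component,generation,..." lines; returns entry count or -1 if malformed. */
static int parse_sbat(const char *sbat, struct sbat_entry *out, int max)
{
    int n = 0;
    const char *p = sbat;
    while (*p && n < max) {
        const char *comma = strchr(p, ',');
        const char *eol = strchr(p, '\n');
        if (!eol) eol = p + strlen(p);           /* last line without newline */
        if (!comma || comma > eol) return -1;    /* no generation field on this line */
        size_t len = (size_t)(comma - p);
        if (len == 0 || len >= sizeof out[n].component) return -1;
        memcpy(out[n].component, p, len);
        out[n].component[len] = '\0';
        out[n].generation = atoi(comma + 1);     /* atoi stops at the next comma */
        if (out[n].generation <= 0) return -1;
        n++;
        p = *eol ? eol + 1 : eol;
    }
    return n;
}

/* sbat: the image's .sbat section text, or NULL when the image has none.
 * via_protocol: true for shim_lock callers, where .sbat is optional;
 * for images shim executes directly, a missing .sbat is a failure. */
static enum verify_result verify_sbat(const char *sbat, bool via_protocol)
{
    struct sbat_entry entries[16];
    if (sbat == NULL)
        return via_protocol ? VERIFY_OK : VERIFY_REJECTED;
    int n = parse_sbat(sbat, entries, 16);
    if (n < 0) return VERIFY_MALFORMED;
    for (int i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof REVOCATIONS / sizeof REVOCATIONS[0]; j++)
            if (strcmp(entries[i].component, REVOCATIONS[j].component) == 0 &&
                entries[i].generation < REVOCATIONS[j].generation)
                return VERIFY_REJECTED;          /* older than the revoked generation */
    return VERIFY_OK;
}
```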