authorJan Setje-Eilers <jan.setjeeilers@oracle.com>2021-03-27 11:09:52 -0700
committerPeter Jones <pjones@redhat.com>2021-03-27 18:48:04 -0400
commit27da4170f0fb30acde91a37e0256dfcfe76ea69e (patch)
tree24cb1a4e2b892699d77e8b3c08080e9dbc380e6d
parentca034e15aa15aa43c78ff6203feec8423b814047 (diff)
Change SBAT variable name to SbatLevel
Because a few shim builds were signed that did not properly initialize the SBAT variable, and in doing so deleted valid SBAT variables, we need to use a different name. This changes the name from "SBAT" to "SbatLevel". Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
-rw-r--r--include/sbat.h16
-rw-r--r--sbat.c26
-rw-r--r--shim.c12
3 files changed, 28 insertions, 26 deletions
diff --git a/include/sbat.h b/include/sbat.h
index 656bf8d7..8551b74a 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -20,16 +20,16 @@
(UEFI_VAR_NV_BS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
#if defined(ENABLE_SHIM_DEVEL)
-#define SBAT_VAR_NAME L"SBAT_DEVEL"
-#define SBAT_VAR_NAME8 "SBAT_DEVEL"
-#define SBAT_RT_VAR_NAME L"SbatRT_DEVEL"
-#define SBAT_RT_VAR_NAME8 "SbatRT_DEVEL"
+#define SBAT_VAR_NAME L"SbatLevel_DEVEL"
+#define SBAT_VAR_NAME8 "SbatLevel_DEVEL"
+#define SBAT_RT_VAR_NAME L"SbatLevelRT_DEVEL"
+#define SBAT_RT_VAR_NAME8 "SbatLevelRT_DEVEL"
#define SBAT_VAR_ATTRS UEFI_VAR_NV_BS_RT
#else
-#define SBAT_VAR_NAME L"SBAT"
-#define SBAT_VAR_NAME8 "SBAT"
-#define SBAT_RT_VAR_NAME L"SbatRT"
-#define SBAT_RT_VAR_NAME8 "SbatRT"
+#define SBAT_VAR_NAME L"SbatLevel"
+#define SBAT_VAR_NAME8 "SbatLevel"
+#define SBAT_RT_VAR_NAME L"SbatLevelRT"
+#define SBAT_RT_VAR_NAME8 "SbatLevelRT"
#define SBAT_VAR_ATTRS UEFI_VAR_NV_BS
#endif
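Review bot: The reason for the new name is recorded only in the commit message, so nothing in include/sbat.h stops a later cleanup from renaming the variable back to "SBAT". A comment above the `#if defined(ENABLE_SHIM_DEVEL)` block would keep that constraint next to the definitions, for example `/* Named SbatLevel, not SBAT: some signed shim builds mis-initialized and deleted the SBAT variable, so that name must not be reused. */`. The same base name is also spelled out in eight separate literals across the two branches, so a single base macro that the wide and narrow forms are built from would make a future rename less error-prone.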
diff --git a/sbat.c b/sbat.c
index 4d6ddd22..5821475b 100644
--- a/sbat.c
+++ b/sbat.c
@@ -120,8 +120,8 @@ verify_single_entry(struct sbat_section_entry *entry, struct sbat_var_entry *sba
sbat_var_gen = atoi((const char *)sbat_var_entry->component_generation);
if (sbat_gen < sbat_var_gen) {
- dprint(L"component %a, generation %d, was revoked by SBAT variable",
- entry->component_name, sbat_gen);
+ dprint(L"component %a, generation %d, was revoked by %s variable",
+ entry->component_name, sbat_gen, SBAT_VAR_NAME);
LogError(L"image did not pass SBAT verification\n");
return EFI_SECURITY_VIOLATION;
}
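Review bot: The rewritten `dprint` format `L"component %a, generation %d, was revoked by %s variable"` has no trailing `\n`, unlike the other `dprint` calls this commit touches in sbat.c. Since this is the message that records which component was rejected, ending it with `variable\n"` keeps it from running into the following output. verify_single_entry starts and ends outside this hunk.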
@@ -157,7 +157,7 @@ verify_sbat_helper(list_t *local_sbat_var, size_t n, struct sbat_section_entry *
struct sbat_var_entry *sbat_var_entry;
if (list_empty(local_sbat_var)) {
- dprint(L"SBAT variable not present\n");
+ dprint(L"%s variable not present\n", SBAT_VAR_NAME);
return EFI_SUCCESS;
}
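Review bot: An empty `local_sbat_var` list makes this helper return `EFI_SUCCESS`, and the only trace is the `dprint` line, which appears to be debug-level output. With the variable renamed, it would help to state in a comment whether passing verification when no SbatLevel data is present is deliberate, for example `/* No revocation data loaded: nothing to compare against, so the image passes. */`. verify_sbat_helper continues outside the hunk, so the caller-side guarantees are not visible here.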
@@ -324,16 +324,16 @@ set_sbat_uefi_variable(void)
efi_status = get_variable_attr(SBAT_VAR_NAME, &sbat, &sbatsize,
SHIM_LOCK_GUID, &attributes);
/*
- * Always set the SBAT UEFI variable if it fails to read.
+ * Always set the SbatLevel UEFI variable if it fails to read.
*
- * Don't try to set the SBAT UEFI variable if attributes match and
- * the signature matches.
+ * Don't try to set the SbatLevel UEFI variable if attributes match
+ * and the signature matches.
*/
if (EFI_ERROR(efi_status)) {
dprint(L"SBAT read failed %r\n", efi_status);
} else if (preserve_sbat_uefi_variable(sbat, sbatsize, attributes)) {
- dprint("SBAT variable is %d bytes, attributes are 0x%08x\n",
- sbatsize, attributes);
+ dprint(L"%s variable is %d bytes, attributes are 0x%08x\n",
+ SBAT_VAR_NAME, sbatsize, attributes);
FreePool(sbat);
return EFI_SUCCESS;
} else {
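Review bot: The first failure branch still logs `dprint(L"SBAT read failed %r\n", efi_status);` with the old hard-coded name, while the identical message later in set_sbat_uefi_variable (the hunk at -363) was changed to use `SBAT_VAR_NAME`. For consistent logs it should read `dprint(L"%s read failed %r\n", SBAT_VAR_NAME, efi_status);`. As written, a log reader would see "SBAT read failed" for a variable that is now called SbatLevel. The function body starts and ends outside this hunk.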
@@ -346,7 +346,8 @@ set_sbat_uefi_variable(void)
efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID,
attributes, 0, "");
if (EFI_ERROR(efi_status)) {
- dprint(L"SBAT variable delete failed %r\n", efi_status);
+ dprint(L"%s variable delete failed %r\n", SBAT_VAR_NAME,
+ efi_status);
return efi_status;
}
}
@@ -355,7 +356,8 @@ set_sbat_uefi_variable(void)
efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID, SBAT_VAR_ATTRS,
sizeof(SBAT_VAR)-1, SBAT_VAR);
if (EFI_ERROR(efi_status)) {
- dprint(L"SBAT variable writing failed %r\n", efi_status);
+ dprint(L"%s variable writing failed %r\n", SBAT_VAR_NAME,
+ efi_status);
return efi_status;
}
@@ -363,7 +365,7 @@ set_sbat_uefi_variable(void)
efi_status = get_variable(SBAT_VAR_NAME, &sbat, &sbatsize,
SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status)) {
- dprint(L"SBAT read failed %r\n", efi_status);
+ dprint(L"%s read failed %r\n", SBAT_VAR_NAME, efi_status);
return efi_status;
}
@@ -373,7 +375,7 @@ set_sbat_uefi_variable(void)
strlen(SBAT_VAR));
efi_status = EFI_INVALID_PARAMETER;
} else {
- dprint(L"SBAT variable initialization succeeded\n");
+ dprint(L"%s variable initialization succeeded\n", SBAT_VAR_NAME);
}
FreePool(sbat);
diff --git a/shim.c b/shim.c
index 117c8f42..5bed2446 100644
--- a/shim.c
+++ b/shim.c
@@ -1895,7 +1895,7 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
L"shim_init() failed",
L"import of SBAT data failed",
L"SBAT self-check failed",
- L"SBAT UEFI variable setting failed",
+ SBAT_VAR_NAME L" UEFI variable setting failed",
NULL
};
enum {
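Review bot: `SBAT_VAR_NAME L" UEFI variable setting failed"` relies on adjacent wide-literal concatenation, so it compiles only while `SBAT_VAR_NAME` expands to a bare `L"..."` literal. A short comment on the table entry, such as `/* SBAT_VAR_NAME must stay a wide string literal for this concatenation */`, would make that dependency visible to whoever next edits include/sbat.h. The array and the enum that indexes it both extend outside this hunk.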
@@ -1935,12 +1935,12 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
efi_status = set_sbat_uefi_variable();
if (EFI_ERROR(efi_status) && secure_mode()) {
- perror(L"SBAT variable initialization failed\n");
+ perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);
msg = SET_SBAT;
goto die;
} else if (EFI_ERROR(efi_status)) {
- dprint(L"SBAT variable initialization failed: %r\n",
- efi_status);
+ dprint(L"%s variable initialization failed: %r\n",
+ SBAT_VAR_NAME, efi_status);
}
if (secure_mode()) {
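Review bot: The fatal secure-mode branch drops the status code, because `perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);` prints no `%r`, whereas the non-fatal `dprint` branch just below does. This is the path that stops the boot, so the reason is most needed here; suggest `perror(L"%s variable initialization failed: %r\n", SBAT_VAR_NAME, efi_status);`, matching the `perror` call in the next hunk. efi_main continues outside this hunk.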
@@ -1950,8 +1950,8 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
INIT_LIST_HEAD(&sbat_var);
efi_status = parse_sbat_var(&sbat_var);
if (EFI_ERROR(efi_status)) {
- perror(L"Parsing SBAT variable failed: %r\n",
- efi_status);
+ perror(L"Parsing %s variable failed: %r\n",
+ SBAT_VAR_NAME, efi_status);
msg = IMPORT_SBAT;
goto die;
}