| author | Jan Setje-Eilers <jan.setjeeilers@oracle.com> | 2022-11-09 19:37:53 -0800 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2023-12-05 13:20:00 -0500 |
| commit | ea0f9dfe8ae49ead3204be4c3166b08cc96fad7e (patch) | |
| tree | c44ce2618578ddccd969b9b7eec6f5f12377d33d /include | |
| parent | dae82f6bd72cf600e5d48046ec674a441d0f49d7 (diff) | |
Allow SbatLevel data from external binary
Ingest SBAT Levels from revocations binary thereby allowing level
requirements to be updated independently from shipping a new shim.
Do not automatically apply any revocations from a stock shim at
this point.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/sbat.h | 4 | ||||
| -rw-r--r-- | include/sbat_var_defs.h | 17 |
2 files changed, 10 insertions, 11 deletions
diff --git a/include/sbat.h b/include/sbat.h
index c94c4fba..84f5ef01 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -34,6 +34,7 @@
 #define SBAT_POLICY_LATEST 1
 #define SBAT_POLICY_PREVIOUS 2
 #define SBAT_POLICY_RESET 3
+#define SBAT_POLICY_NOTREAD 255
 extern UINTN _sbat, _esbat;
@@ -52,7 +53,8 @@ extern list_t sbat_var;
 EFI_STATUS parse_sbat_var(list_t *entries);
 void cleanup_sbat_var(list_t *entries);
-EFI_STATUS set_sbat_uefi_variable(void);
+EFI_STATUS set_sbat_uefi_variable_internal(void);
+EFI_STATUS set_sbat_uefi_variable(char *, char *);
 bool preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes, char *sbar_var);
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index 5b1a764f..2ea98e4e 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -13,11 +13,9 @@ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_ORIGINAL_DATE "\n"
 #if defined(ENABLE_SHIM_DEVEL)
-#define SBAT_VAR_PREVIOUS_DATE "2022020101"
-#define SBAT_VAR_PREVIOUS_REVOCATIONS "component,2\n"
+#define SBAT_VAR_PREVIOUS_DATE "2021030218"
 #define SBAT_VAR_PREVIOUS \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
- SBAT_VAR_PREVIOUS_REVOCATIONS
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n"
 #define SBAT_VAR_LATEST_DATE "2022050100"
 #define SBAT_VAR_LATEST_REVOCATIONS "component,2\nothercomponent,2\n"
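Review bot: `SBAT_POLICY_NOTREAD 255` is added in the first hunk of include/sbat.h next to the 1–3 policy values with no comment saying what it stands for. From the name it is presumably a sentinel for "policy not read yet" rather than a policy that can be requested or stored, and the magic value 255 suggests the policy is held in a byte. A one-line comment such as `/* sentinel: policy has not been read; not a valid stored policy */` would make that explicit; confirm the wording against the code that reads the policy, which is outside this diff.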
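Review bot: The new prototype `set_sbat_uefi_variable(char *, char *)` in the second hunk of include/sbat.h takes two unnamed pointers of the same type, so a caller can pass them in the wrong order without any compiler diagnostic. Going by the commit message they presumably carry SbatLevel payloads taken from the revocations binary, where swapping the two would apply the wrong revocation level. Naming the parameters, and const-qualifying them if the function never writes through them, would help, e.g. `EFI_STATUS set_sbat_uefi_variable(const char *sbat_var_previous, const char *sbat_var_latest);`, together with a short comment on what a NULL argument means. The definition is outside this diff, so the names and the const are suggestions to check against it.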
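Review bot: The literal `"2021030218"` is now written out for `SBAT_VAR_PREVIOUS_DATE` in the ENABLE_SHIM_DEVEL branch of include/sbat_var_defs.h and again in the production branch in the next hunk (`@@ -26,14 +24,13 @@`). If it is meant to equal `SBAT_VAR_ORIGINAL_DATE`, which is defined above this hunk and not visible here, `#define SBAT_VAR_PREVIOUS_DATE SBAT_VAR_ORIGINAL_DATE` in both places would keep the built-in no-revocation payload from drifting away from the baseline. The devel branch also has no comment explaining why the previous level is now empty, unlike the production branch.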
@@ -26,14 +24,13 @@ SBAT_VAR_LATEST_REVOCATIONS
 #else /* !ENABLE_SHIM_DEVEL */
 /*
- * As of 2022-11-16, most folks (including Ubuntu, SUSE, openSUSE) don't have
- * a "shim,2" yet, so adding that here would end up unbootable.
+ * At this point we do not want shim to automatically apply a
+ * previous revocation unless it is delivered by a separately
+ * installed signed revocations binary.
 */
-#define SBAT_VAR_PREVIOUS_DATE "2022052400"
-#define SBAT_VAR_PREVIOUS_REVOCATIONS "grub,2\n"
+#define SBAT_VAR_PREVIOUS_DATE "2021030218"
 #define SBAT_VAR_PREVIOUS \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
- SBAT_VAR_PREVIOUS_REVOCATIONS
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n"
 /*
 * Debian's grub.3 update was broken - some binaries included the SBAT |
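Review bot: The new comment in the `!ENABLE_SHIM_DEVEL` branch explains why the built-in previous payload no longer revokes anything, but not what happens on machines whose SbatLevel already holds the `2022052400` / `grub,2` level written by earlier shims. The built-in date drops back to `2021030218`, so a reader cannot tell from this header whether the newer variable is kept or replaced; that depends on the date comparison done elsewhere, outside this diff. A sentence such as `Systems that already carry a newer SbatLevel keep it; this only changes what a stock shim writes on its own.` would rule out reading the change as a rollback of the grub revocation, if that matches the actual behaviour.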
