| author | Jan Setje-Eilers <jan.setjeeilers@oracle.com> | 2022-04-22 13:13:20 -0700 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-05-17 19:01:46 -0400 |
| commit | f81a7cc34e0b1a4f2d3104f44df80f93497eaa9e (patch) | |
| tree | 45dab9092c143ef6fd2fb63aa89137d0cbf884fe /include | |
| parent | b104fc480aae94eaa8d79717d0b7cf6dcc2253d3 (diff) | |
| download | efi-boot-shim-f81a7cc34e0b1a4f2d3104f44df80f93497eaa9e.tar.gz efi-boot-shim-f81a7cc34e0b1a4f2d3104f44df80f93497eaa9e.zip | |
SBAT revocation management
Support for updating SBAT revocations to latest or previous revocations.
Allow SBAT revocations to be reset to empty metadata only when UEFI
Secure Boot is disabled.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/sbat.h | 33 |
1 files changed, 30 insertions, 3 deletions
diff --git a/include/sbat.h b/include/sbat.h
index 8551b74a..f2ae93a5 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -8,8 +8,31 @@
 #define SBAT_VAR_SIG "sbat,"
 #define SBAT_VAR_VERSION "1,"
-#define SBAT_VAR_DATE "2021030218"
-#define SBAT_VAR SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_DATE "\n"
+#define SBAT_VAR_ORIGINAL_DATE "2021030218"
+#define SBAT_VAR_ORIGINAL SBAT_VAR_SIG SBAT_VAR_VERSION \
+ SBAT_VAR_ORIGINAL_DATE "\n"
+
+#if defined(ENABLE_SHIM_DEVEL)
+#define SBAT_VAR_PREVIOUS_DATE "2022020101"
+#define SBAT_VAR_PREVIOUS_REVOCATIONS "component,2\n"
+#define SBAT_VAR_PREVIOUS SBAT_VAR_SIG SBAT_VAR_VERSION \
+ SBAT_VAR_PREVIOUS_DATE "\n" SBAT_VAR_PREVIOUS_REVOCATIONS
+
+#define SBAT_VAR_LATEST_DATE "2022050100"
+#define SBAT_VAR_LATEST_REVOCATIONS "component,2\nothercomponent,2\n"
+#define SBAT_VAR_LATEST SBAT_VAR_SIG SBAT_VAR_VERSION \
+ SBAT_VAR_LATEST_DATE "\n" SBAT_VAR_LATEST_REVOCATIONS
+#else /* !ENABLE_SHIM_DEVEL */
+#define SBAT_VAR_PREVIOUS_DATE SBAT_VAR_ORIGINAL_DATE
+#define SBAT_VAR_PREVIOUS_REVOCATIONS
+#define SBAT_VAR_PREVIOUS SBAT_VAR_SIG SBAT_VAR_VERSION \
+ SBAT_VAR_PREVIOUS_DATE "\n" SBAT_VAR_PREVIOUS_REVOCATIONS
+
+#define SBAT_VAR_LATEST_DATE SBAT_VAR_ORIGINAL_DATE
+#define SBAT_VAR_LATEST_REVOCATIONS
+#define SBAT_VAR_LATEST SBAT_VAR_SIG SBAT_VAR_VERSION \
+ SBAT_VAR_LATEST_DATE "\n" SBAT_VAR_LATEST_REVOCATIONS
+#endif /* ENABLE_SHIM_DEVEL */
 #define UEFI_VAR_NV_BS \
 (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
@@ -33,6 +56,9 @@
 #define SBAT_VAR_ATTRS UEFI_VAR_NV_BS
 #endif
+#define SBAT_POLICY L"SbatPolicy"
+#define SBAT_POLICY8 "SbatPolicy"
+
 extern UINTN _sbat, _esbat;
 struct sbat_var_entry {
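Review bot: The macro family starting at `+#define SBAT_VAR_ORIGINAL_DATE` carries no comment saying what ORIGINAL, PREVIOUS and LATEST each stand for, and in the `#else /* !ENABLE_SHIM_DEVEL */` branch all three expand to the same string, which a reader will take for a copy-paste slip unless told it is the intended "no revocations published yet" state. A comment above `SBAT_VAR_ORIGINAL_DATE` along the lines of `/* ORIGINAL: the empty-metadata reset value; PREVIOUS/LATEST: revocation sets an update may select. Outside ENABLE_SHIM_DEVEL all three are identical until real revocations are published. */` would carry that intent, matching the "latest or previous" / "reset to empty metadata" wording of the commit message. The `component,2` and `othercomponent,2` entries in the devel branch also deserve a one-line note that they are test fixtures rather than real revocation data, since whatever these macros expand to is presumably what ends up in the SBAT variable — the consumer is in sbat.c, outside this diff.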
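Review bot: `SBAT_POLICY` / `SBAT_POLICY8` name a UEFI variable, but nothing in the hunk records which values it may hold, which attributes it is read with, or that the reset it can request is, per the commit message, only honored while Secure Boot is disabled; a comment above `#define SBAT_POLICY L"SbatPolicy"` stating those three points would keep the policy contract next to its name instead of only in sbat.c. Since the variable's contents originate outside shim, the comment should also say that they are untrusted input to be validated before any action is taken on them — hedged, because the reader of the variable is not in this diff.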
@@ -51,7 +77,8 @@
 extern list_t sbat_var;
 EFI_STATUS parse_sbat_var(list_t *entries);
 void cleanup_sbat_var(list_t *entries);
 EFI_STATUS set_sbat_uefi_variable(void);
-bool preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes);
+bool preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize,
+ UINT32 attributes, char *sbar_var);
 struct sbat_section_entry {
 const CHAR8 *component_name; |
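Review bot: The new parameter name `sbar_var` in the `preserve_sbat_uefi_variable` prototype reads as a typo for `sbat_var`, but `sbat_var` is already the `list_t` extern declared at the top of this same hunk, so the "corrected" name would shadow the global inside the definition; a distinct name avoids both problems. The parameter is also declared `char *` although a candidate variable value passed in for comparison is presumably never written through — if the definition confirms that, `const char *` documents it: `bool preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes, const char *sbat_var_candidate);`. The definition lives in sbat.c, outside this diff (limited to 'include'), and must be changed to match.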
