-rw-r--r--README.tpm1
-rw-r--r--mok.c16
2 files changed, 17 insertions, 0 deletions
diff --git a/README.tpm b/README.tpm
index 73dc468c..9e830b72 100644
--- a/README.tpm
+++ b/README.tpm
@@ -19,6 +19,7 @@ PCR7:
- shim_cert - shim's build-time generated allowlist, logged as "Shim"
- MokSBState will be extended into PCR7 if it is set, logged as
"MokSBState".
+- SBAT will be extended into PCR7 if it is set, logged as "SBAT"
PCR8:
- If you're using the grub2 TPM patchset we cary in Fedora, the kernel command
diff --git a/mok.c b/mok.c
index c3288994..4b935a49 100644
--- a/mok.c
+++ b/mok.c
@@ -229,6 +229,22 @@ struct mok_state_variable mok_state_variables[] = {
.no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
.state = &ignore_db,
},
+ {.name = L"SBAT",
+ .name8 = "SBAT",
+ .rtname = L"SbatRT",
+ .rtname8 = "SbatRT",
+ .guid = &SHIM_LOCK_GUID,
+ .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_NON_VOLATILE,
+ /*
+ * we're enforcing that SBAT can't have an RT flag here because
+ * there's no way to tell whether it's an authenticated variable.
+ */
+ .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ .flags = MOK_MIRROR_DELETE_FIRST |
+ MOK_VARIABLE_MEASURE,
+ .pcr = 7,
+ },
{ NULL, }
};
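Review bot: The comment above `.no_attr` in the new SBAT entry explains the rule but not the risk it closes, which is what a later maintainer needs before relaxing it; I'd reword it along the lines of `/* SBAT is not an authenticated variable, so an instance carrying EFI_VARIABLE_RUNTIME_ACCESS could have been written from the OS after boot. Refusing RT-flagged copies means only a variable set during boot services is mirrored to SbatRT and measured into PCR 7. */`. That reading is inferred from the attribute masks in this entry rather than from the checking code, which is outside the hunk, so confirm it before committing to the wording. The same comment, or the README.tpm line added in this commit, should presumably also say that with `MOK_VARIABLE_MEASURE` and `.pcr = 7` it is the variable's content that is extended, so a change in the SBAT revocation data changes the PCR 7 value that sealed secrets may depend on. The `mok_state_variables[]` array begins outside the hunk.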