summaryrefslogtreecommitdiff
path: root/SbatLevel_Variable.txt
diff options
context:
space:
mode:
Diffstat (limited to 'SbatLevel_Variable.txt')
-rw-r--r--SbatLevel_Variable.txt108
1 files changed, 108 insertions, 0 deletions
diff --git a/SbatLevel_Variable.txt b/SbatLevel_Variable.txt
new file mode 100644
index 00000000..42a388e4
--- /dev/null
+++ b/SbatLevel_Variable.txt
@@ -0,0 +1,108 @@
+In order to apply SBAT based revocations on systems that will never
+run shim, code running in boot services context needs to set the
+following variable:
+
+Name: SbatLevel
+Attributes: (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
+Namespace Guid: 605dab50-e046-4300-abb6-3dd810dd8b23
+
+Variable content:
+
+Initialized, no revocations:
+
+sbat,1,2021030218
+
+To Revoke GRUB2 binaries impacted by
+
+* CVE-2021-3695
+* CVE-2021-3696
+* CVE-2021-3697
+* CVE-2022-28733
+* CVE-2022-28734
+* CVE-2022-28735
+* CVE-2022-28736
+
+sbat,1,2022052400
+grub,2
+
+and shim binaries impacted by
+
+* CVE-2022-28737
+
+sbat,1,2022052400
+shim,2
+grub,2
+
+Shim delivered both versions of these revocations with
+the same 2022052400 date stamp, once as an opt-in latest
+revocation with shim,2 and then as an automatic revocation without
+shim,2
+
+
+To revoke GRUB2 grub binaries impacted by
+
+* CVE-2022-2601
+* CVE-2022-3775
+
+sbat,1,2022111500
+shim,2
+grub,3
+
+To revoke Debian's grub.3 which missed
+the patches:
+
+sbat,1,2023012900
+shim,2
+grub,3
+grub.debian,4
+
+
+An additonal bug was fixed in shim that was not considered exploitable,
+can be revoked by setting:
+
+sbat,1,2023012950
+shim,3
+grub,3
+grub.debian,4
+
+shim did not deliver this payload at the time
+
+
+To Revoke GRUB2 binaries impacted by:
+
+* CVE-2023-4692
+* CVE-2023-4693
+
+These CVEs are in the ntfs module and vendors that do and do not
+ship this module as part of their signed binary are split.
+
+sbat,1,2023091900
+shim,2
+grub,4
+
+Since not everyone has shipped updated GRUB packages, shim did not
+deliver this revocation at the time.
+
+To Revoke shim binaries impacted by:
+
+* CVE-2023-40547
+* CVE-2023-40546
+* CVE-2023-40548
+* CVE-2023-40549
+* CVE-2023-40550
+* CVE-2023-40551
+
+sbat,1,2024010900
+shim,4
+grub,3
+grub.debian,4
+
+Since http boot shim CVE is considerably more serious than then GRUB
+ntfs CVEs shim is delivering the shim revocation without the updated
+GRUB revocation as a latest payload.
+
+To revoke both the impacted shim and impacted GRUB binaries:
+
+sbat,1,2024<date TBD>
+shim,4
+grub,4
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-16 08:11:21 +0000