path: root/SbatLevel_Variable.txt
Diffstat (limited to 'SbatLevel_Variable.txt')
-rw-r--r--  SbatLevel_Variable.txt  35
1 files changed, 27 insertions, 8 deletions
diff --git a/SbatLevel_Variable.txt b/SbatLevel_Variable.txt
index 42a388e4..7afdcd0d 100644
--- a/SbatLevel_Variable.txt
+++ b/SbatLevel_Variable.txt
@@ -1,6 +1,15 @@
-In order to apply SBAT based revocations on systems that will never
-run shim, code running in boot services context needs to set the
-following variable:
+This file is the single source for SbatLevel revocations the format
+follows the variable payload and should not have any leading or
+trailing whitespace on the same line.
+
+Short descriptions of the revocations as well as CVE assignments (when
+available) should be provided when an entry is added.
+
+On systems that run shim, shim will manage these revocations. Sytems
+that never run shim, primarily Windows, but this applies to any OS
+that supports UEFI Secure Boot under the UEFI CA without shim can
+apply SBAT based revocations by setting the following variable
+from code running in boot services context.
Name: SbatLevel
Attributes: (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
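Review bot: the sentence starting "Sytems that never run shim" in the new text is grammatically broken (the subject never reaches its verb cleanly) and "Sytems" is a typo. Suggest: "Systems that never run shim (primarily Windows, but any OS that supports UEFI Secure Boot under the UEFI CA without shim) can apply SBAT-based revocations by setting the following variable from code running in boot services context." The opening paragraph also runs two statements together; a full stop after "SbatLevel revocations" before "the format follows the variable payload" would make it read cleanly. Since the same change adds description lines that begin with a leading space (" - January 2024 shim CVEs"), it would also help to state explicitly that the no-leading-or-trailing-whitespace rule applies to the payload lines (sbat,…/shim,…/grub,…) and not to the descriptive text between them.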
@@ -97,12 +106,22 @@ shim,4
grub,3
grub.debian,4
-Since http boot shim CVE is considerably more serious than then GRUB
-ntfs CVEs shim is delivering the shim revocation without the updated
-GRUB revocation as a latest payload.
-To revoke both the impacted shim and impacted GRUB binaries:
+Revocations for:
+ - January 2024 shim CVEs
+ - October 2023 grub CVEs
+ - Debian/Ubuntu (peimage) CVE-2024-2312
-sbat,1,2024<date TBD>
+sbat,1,2024040900
shim,4
grub,4
+grub.peimage,2
+
+
+Revocations for:
+ - Februady 2025 GRUB CVEs
+
+sbat,1,2025021800
+shim,4
+grub,5
+
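Review bot: "Februady 2025 GRUB CVEs" has a typo (February). The header text added in the first hunk says CVE assignments should be provided when available, but this entry lists none while the preceding block names CVE-2024-2312; if identifiers have been assigned for the February 2025 GRUB issues, listing them here keeps the entries consistent. Minor layout point: there are two consecutive blank lines after "grub.peimage,2" and a trailing blank line at end of file; a single blank separator between revocation blocks would be tidier.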