path: root/SBAT.md
Age | Commit message | Author
2021-09-08 | Specify that the section is ASCII not UTF-8 | Daniel Axtens
The SBAT variable is defined as ASCII, but the SBAT section in a binary was defined as UTF-8. These should match. Use ASCII rather than UTF-8, because naive parsing of UTF-8 could lead to unexpected results. For example the character 'ä' can be encoded as 0xe4 or as 0x61 0x0308, and these should be considered equivalent. The shim is not smart enough to do this. This could lead to missed verifications, if the variable and section use different encodings. Define everything as ASCII. It's sad not to be able to have 🦀 in our bootloader names, and potentially annoying for vendor names as well, but oh well.
2021-09-08 | Modify sbat.md to help with readability. | Esther Shimanovich
Signed-off-by: Esther Shimanovich <eshimanovich@google.com>
2021-07-15 | SBAT.md: fix "will should" | Serge Hallyn
Use the stronger "will" rather than "will should". I'm not sure based on what's there, but suspect "must" would be appropriate instead? Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-07-15 | SBAT.md: trivial fixes | Serge Hallyn
1. Use : instead of , to separate a list. 2. Fix spelling of therefore. 3. Pull unrelated clause out of parenthesized clause. Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-02-25 | SBAT: update the raw Markdown to look less terrible | Paul Moore
The raw text of the SBAT.md file is a bit of a mess; this patch attempts to introduce some consistency to the text without affecting the rendered Markdown. The only content change was the addition of a missing period ('.') at the end of sentence/paragraph; all of the other changes were purely formatting changes. Signed-off-by: Paul Moore <pmoore2@cisco.com>
2021-02-25 | SBAT: fix some typos in the SBAT docs | Paul Moore
Signed-off-by: Paul Moore <pmoore2@cisco.com>
2021-02-25 | Fix two errant 'shim,0' outdated sbat cases. | Peter Jones
Two places we missed still have 0 for an sbat version - one doc and one in our data csv. This fixes those. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-22 | Drop --set-section-alignment from Makefile since linker ALIGN(4096) | Jan Setje-Eilers
already enforces the alignment, clarify that objcopy only needs to do the alignment in the SBAT spec.
2021-02-20 | Add --set-section-alignment '.sbat=512' to objcopy command line [upstream/15+1613861442.888f5b5] | Jan Setje-Eilers
2021-02-17 | Fixups after Peter's review | Steve McIntyre
2021-02-17 | Second attempt at SBAT doc tweaks | Steve McIntyre
2021-02-17 | fix nit | Jan Setje-Eilers
Co-authored-by: Christopher Co <christopher.co@microsoft.com>
2021-02-17 | fix nit | Jan Setje-Eilers
Co-authored-by: Christopher Co <christopher.co@microsoft.com>
2021-02-17 | fix nit | Jan Setje-Eilers
Co-authored-by: Christopher Co <christopher.co@microsoft.com>
2021-02-17 | SBAT: Fix all the docs examples to start with version 1 | Peter Jones
Since we have atol() but not strtoul(), we need to make all versions positive integers. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-17 | SBAT: make the variable be CSV in our spec. | Peter Jones
We noticed that we'd originally specified the SBAT variable as binary records, but talked as if they're CSV. Woops. Anyway, this makes them CSV, which also means they don't need the size field. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-13 | Add Secure Boot Advanced Targeting (SBAT) specification document | Jan Setje-Eilers
SBAT is a new Generation Number Based Revocation meant to replace the DBX Revocation List Files mechanism. It is more flexible and allows revoking sets of binaries, instead of having to list all of them as with the DBX. Metadata that includes the vendor, product family, product, component, version and generation are added to artifacts in a .sbat section. This is protected by the digital signature and so it cannot be tampered with. Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Gary Lin <glin@suse.com>