Age | Commit message | Author |
|
Moves the minimum GRUB SBAT Level to 5 in order to require fixes
for the following GRUB CVEs:
CVE-2024-45774
CVE-2024-45775
CVE-2024-45776
CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45781
CVE-2024-45782
CVE-2024-45783
CVE-2025-0622
CVE-2025-0624
CVE-2025-0677
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-0690
CVE-2025-1118
CVE-2025-1125
This also bumps the default SBAT_AUTOMATIC_DATE to 2024040900.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|
|
Comments to clarify that revocations should only be recorded
in SbatLevel_Variable.txt and not in any other header files.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|
|
Add revocations for
- January 2024 shim CVEs
- October 2023 grub CVEs
- Debian/Ubuntu (peimage) CVE-2024-2312
to SbatLevel_Variable.txt. This was missed when they were committed
to include/sbat_var_defs.h
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|
|
Since shim is inherently updated by shipping a new shim, the
latest built-in revocations can include the most recent shim
revocations. Since CVE-2023-40547 is high impact, this revocation
should be available to everyone as soon as possible.
GRUB2 CVE-2023-4692 and CVE-2023-4693 are in the ntfs module that
only some vendors ship. Since some vendors did not ship an updated
GRUB2 for these issues, the revocation for these CVEs is not
included in the payload at this time.
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
|
This serves to document the SbatLevel Boot Services variable so that
other boot services code, such as bootmgr, can update the revocation
level.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|