path: root/data
Age | Commit message | Author
2024-01-17 | Updated Revocations for January 2024 CVEs | Jan Setje-Eilers
Since shim is inherently updated by shipping a new shim, the latest built in revocations can include the most recent shim revocations. Since CVE-2023-40547 is high impact, this revocation should be available to everyone as soon as possible.

GRUB2 CVE-2023-4692 and CVE-2023-4693 are in the ntfs module that only some vendors ship. Since some vendors did not ship an updated GRUB2 for these issues, the revocation for these CVEs is not included in the payload at this time.

Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
2022-11-16 | Update shim's .sbat to sbat,3 | Peter Jones
Though we don't need to bump SBAT_LEVEL for this, we've decided to change the level to 3 here in case 53509eaf2253e23bfb552e9386fd0877abe592b4 turns out to be worse than we think it is, so we can fix that easily later.

Signed-off-by: Peter Jones <pjones@redhat.com>
2022-05-24 | Update advertised sbat generation number for shim | Jan Setje-Eilers
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
2021-02-25 | Fix two errant 'shim,0' outdated sbat cases. | Peter Jones
Two places we missed still have 0 for an sbat version - one doc and one in our data csv. This fixes those.

Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-12 | Add a .sbat section to EFI binaries | Javier Martinez Canillas
The Secure Boot Advanced Targeting (SBAT) [0] is a Generation Number Based Revocation mechanism that is meant to replace the DBX revocation file list.

Binaries must contain a .sbat data section that has a set of entries, each of them consisting of UTF-8 strings as comma separated values. Allow to embed this information into the fwupd EFI binary at build time.

The SBAT metadata must contain at least two entries. One that defines the SBAT version used and another one that defines the component generation. This patch adds a sbat.csv that contains these two entries and downstream users can override if additional entries are needed due to changes that make them diverge from upstream code and potentially add other vulnerabilities.

The same SBAT metadata is added to the fallback and MOK manager binaries because these are built from the same shim source. These need to have SBAT metadata as well to be booted if a .sbat section is mandatory.

[0]: https://github.com/rhboot/shim/blob/sbat/SBAT.md

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>