blob: d3e506042b5f1920f93e4ac2f63e8acc5d14109f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
When new sbat based revocations become public they are added to
https://github.com/rhboot/shim/blob/main/SbatLevel_Variable.txt They
are identified by their year, month, day, counter YYYYMMDDCC field in
the header.
If secure boot is disabled, shim will always clear the applied
revocations.
shim binaries will include the opt-in latest revocation payload
available at the time that they are built. This can be applied by
running mokutil --set-sbat-policy latest and rebooting with the new
shim binary in place. A shim build can also specify a
-DSBAT_AUTOMATIC_DATE=YYYYMMDDCC on the command line which will
include and automatically apply that revocation. shim will never
downgrade a revocation. The only way to roll back is to disable secure
boot, load shim to clear the revocations and then re-apply the desired
level.
In addition to building revocation levels into shim, they can also be
delivered via a revocations_sbat.efi binary. These binaries can be
created from the https://github.com/rhboot/certwrapper
repository. This repository uses the same
https://github.com/rhboot/shim/blob/main/SbatLevel_Variable.txt file
as the source of the revocation metadata. Both
SBAT_LATEST_DATE=YYYYMMDDCC and SBAT_AUTOMATIC_DATE=YYYYMMDDCC can be
specified there. These files need to be signed with a certificate that
your shim trusts. These files can be created without the need to
deliver a new shim and can be set to have shim automatically apply a
new revocations whey they are delivered into the system partition.
|
