uefi-sbat: Add a new plugin that can apply revocations to SbatLevelRT #7328

Open
wants to merge 2 commits into base: main
Conversation

hughsie (Member) commented Jun 6, 2024


hughsie (Member, Author) commented Jun 6, 2024

@superm1 no plugin code yet, I wanted a sanity check from @vathpela before writing a demo.

Review comments on plugins/uefi-sbat/README.md (resolved).
@hughsie hughsie force-pushed the hughsie/uefi-sbat branch 3 times, most recently from 871debe to 51439c1 Compare June 13, 2024 11:25

hughsie (Member, Author) commented Jun 13, 2024

Okay, now this works for me. For testing I've been using:

# ./src/fwupdtool --plugins uefi-sbat  -vv install-blob revocations.efi.signed
# ./src/fwupdtool --plugins uefi-sbat  -vv reboot-cleanup

The former loads revocations.efi onto the ESP in the same directory as the currently booted shim.efi (mounting the ESP as required). On the next reboot it removes the revocations.efi file.

To test that we refuse to deploy the new SBAT policy if any of the detected shim binaries is too old, you can do:

# fwupdtool firmware-build ../plugins/uefi-sbat/revocation.builder.xml revocation.efi
# fwupdtool --plugins uefi-sbat  -vv install-blob revocation.efi
SBAT level is too old on /boot/efi/EFI/fedora/grubx64.efi: ESP file /boot/efi/EFI/fedora/shimx64.efi has SBAT entry sbat v1, but revocation has v2

@hughsie hughsie requested review from jsetje and vathpela June 13, 2024 11:34
@hughsie hughsie marked this pull request as ready for review June 13, 2024 16:00
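The refusal above applies the SBAT comparison rule: the revocation (SbatLevel data) is CSV with one `component,generation` line per entry, the binary carries its own CSV in a `.sbat` PE section, and a binary is rejected when any component the revocation names has a lower generation in the binary; the PR's message is exactly that comparison for the `sbat` component line. Here is a stand-alone Python check of that rule, added as an illustration (it is not code from fwupd or the uefi-sbat plugin). It walks the PE section table to pull out `.sbat`, parses both CSVs, and reports every component that is too old. The minimal PE image, the sample shim `.sbat` text and the two revocation strings are constructed here for the example, and the function names are assumptions.

```python
"""Compare a PE binary's .sbat section against an SbatLevel revocation.

Added example, not code from fwupd or the uefi-sbat plugin.
"""
import struct

def parse_sbat_csv(text):
    """Parse SBAT CSV into {component_name: generation}.

    Both the binary's .sbat section and the revocation data are CSV whose
    first two fields are the component name and its generation number;
    .sbat sections may be NUL padded, so trailing NULs are stripped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip("\x00").strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError("malformed SBAT line: %r" % raw)
        entries[fields[0]] = int(fields[1])
    return entries

def read_pe_section(image, wanted):
    """Return the raw bytes of the named section from a PE/COFF image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", image, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]    # SizeOfOptionalHeader
    sect = coff + 20 + opt_size                                 # first section header
    for i in range(nsect):
        off = sect + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        if name == wanted:
            # SizeOfRawData is file-aligned; VirtualSize is the real payload length.
            size = min(vsize, rawsize) if vsize else rawsize
            return image[rawptr:rawptr + size]
    raise KeyError("section %s not found" % wanted)

def sbat_too_old(binary_sbat, revocation_sbat):
    """Return (component, binary_gen, revocation_gen) for every component the
    revocation names whose generation in the binary is lower. Components the
    binary does not carry are not constrained. An empty list means the
    revocation can be applied without revoking this binary."""
    problems = []
    for name, rev_gen in revocation_sbat.items():
        bin_gen = binary_sbat.get(name)
        if bin_gen is not None and bin_gen < rev_gen:
            problems.append((name, bin_gen, rev_gen))
    return problems

def check_esp_binary(image, revocation_text):
    """Full check for one ESP binary against one revocation CSV."""
    binary_sbat = parse_sbat_csv(read_pe_section(image, ".sbat").decode("ascii"))
    return sbat_too_old(binary_sbat, parse_sbat_csv(revocation_text))

def build_pe_with_sbat(sbat_text):
    """Construct a minimal x86-64 PE image whose only section is .sbat.
    Constructed test input, not a bootable binary."""
    payload = sbat_text.encode("ascii")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: none), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0002)
    hdr_end = 0x40 + 4 + 20 + 40
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                        # 512-byte file alignment
    sect = struct.pack("<8sIIIIIIHHI", b".sbat", len(payload), 0x1000,
                       len(payload), raw_ptr, 0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\0\0" + coff + sect
    image += b"\0" * (raw_ptr - len(image)) + payload
    return bytes(image)

# Constructed sample data. The first line is the standard SBAT version line;
# the shim generation numbers and revocation dates are made up for the example.
SHIM_V1_SBAT = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
                "shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n")
REVOCATION_V2 = "sbat,2,2024010900\nshim,4\ngrub,3\n"   # would reject the shim above
REVOCATION_V1 = "sbat,1,2024010900\nshim,3\n"           # compatible with it

if __name__ == "__main__":
    image = build_pe_with_sbat(SHIM_V1_SBAT)
    for component, have, want in check_esp_binary(image, REVOCATION_V2):
        print("SBAT level is too old: binary has %s v%d, but revocation has v%d"
              % (component, have, want))
```

Against the constructed shim the v2 revocation reports both the `sbat` line (1 < 2) and `shim` (3 < 4) and ignores `grub`, which the binary does not carry; the v1 revocation reports nothing. On a real ESP the same `check_esp_binary` call can be run over each shim and bootloader the tool discovers before the revocation file is copied in.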

jsetje commented Jun 21, 2024

Looking at the rest of the new code, I'm a bit confused what the "firmware" is in this context? I assume it would be a revocations.efi blob that has an automatic payload? Edit: I'm happy to expand that implementation a bit if that's helpful. I think I've been convinced that being able to deliver separate SbatLevel and SkuSi binaries so that combinations can be selected to be applied on a single reboot is useful.
