Add SbatLevel_Variable.txt to document the various revocations
This serves to document the SbatLevel Boot Services variable so that
other boot services code, such as bootmgr, can update the revocation
level.
jsetje committed May 9, 2023
1 parent 0601f44 commit 8b05c44
Showing 1 changed file with 42 additions and 0 deletions.
42 changes: 42 additions & 0 deletions SbatLevel_Variable.txt
@@ -0,0 +1,42 @@
In order to apply SBAT based revocations on systems that will never
run shim, code running in boot services context needs to set the
following variable:

Name: SbatLevel
Attributes: (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
Namespace Guid: 605dab50-e046-4300-abb6-3dd810dd8b23

Variable content:

Initialized, no revocations:

sbat,1,2021030218

To Revoke GRUB binaries impacted by

* CVE-2021-3695
* CVE-2021-3696
* CVE-2021-3697
* CVE-2022-28733
* CVE-2022-28734
* CVE-2022-28735
* CVE-2022-28736
* CVE-2022-28737

sbat,1,2022052400
grub,2

To revoke the above and also grub binaries impacted by

* CVE-2022-2601
* CVE-2022-3775

sbat,1,2022111500
grub,3

Ad additonal bug was fixed in shim that was not considered exploitable
and can be revoked by setting:

sbat,1,2022111500
shim,2
grub,3

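Review bot: the byte-level format of the variable payload is never stated in the "Variable content:" section (the lines from "sbat,1,2021030218" through the final "grub,3"): whether entries are plain ASCII records separated by "\n", whether a trailing newline or NUL terminator is expected or tolerated, and whether the "sbat,1,<date>" line must always come first. Since the stated purpose is to let code that is not shim (bootmgr, per the commit message) write a payload that shim will later parse, an exact example such as "sbat,1,2022111500\ngrub,3\n" with the separator and terminator spelled out would prevent interoperability mistakes. It would also help to say how a component with no entry in the list is treated, and to state that the attributes intentionally omit EFI_VARIABLE_RUNTIME_ACCESS so the variable cannot be read or rewritten from the OS after ExitBootServices. Minor: "Ad additonal" should read "An additional".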