Rename "previous" revocations to "automatic"
When the term previous was introduced for revocations to be
automatically applied there was a hope that every time a new
revocation was built into shim, the previous revocation could
be applied automatically. Further experience has shown the
real world to be more complex than that. The automatic payload
will realistically contain a set of revocations governed by
both the cadence at which a distro's customer base updates
as well as the severity of the issue being revoked.

In order to not break compatibility with existing scripts,
the term "previous" will continue to be accepted.

This is not a functional change.

Signed-off-by: Jan Setje-Eilers <[email protected]>
jsetje authored and lcp committed Feb 7, 2024
1 parent 48e3d2a commit c361087
Showing 2 changed files with 13 additions and 11 deletions.
10 changes: 5 additions & 5 deletions man/mokutil.1
@@ -77,7 +77,7 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--list-sbat-revocations]
.br
\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIautomatic\fR | \fIdelete\fR)]
.br
\fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR]
.br
@@ -189,14 +189,14 @@ List the keys in the secure boot blacklist signature store (dbx)
\fB--list-sbat-revocations\fR
List the entries in the Secure Boot Advanced Targeting store (SBAT)
.TP
\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR)\fR
\fB--set-sbat-policy (\fIlatest\fR | \fIautomatic\fR)\fR
Set the SbatPolicy UEFI Variable to have shim apply either the latest
or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
or the automatic SBAT revocations. If UEFI Secure Boot is disabled, then
shim will automatically delete SBAT revocations
.TP
\fB--set-ssp-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
\fB--set-ssp-policy (\fIlatest\fR | \fIautomatic\fR | \fIdelete\fR)\fR
Set the SspPolicy UEFI Variable to have shim apply either the latest
or the previous Windows SkuSiPolicy to manage bootmgr revocations. Since
or the automatic Windows SkuSiPolicy to manage bootmgr revocations. Since
these are non-native revocations, shim will not automatically delete
them. If this is needed, spp-policy can be set to delete when Secure
Boot is disabled. The delete policy is non-persistent.
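Review bot: the `--set-sbat-policy` description still lists only `(\fIlatest\fR | \fIautomatic\fR)` while the synopsis above and the option parser in src/mokutil.c also accept `delete` (policy = 3); add `| \fIdelete\fR` here so it matches the `--set-ssp-policy` entry. Since this commit keeps `previous` as an accepted spelling for compatibility, the man page should say so in one sentence (e.g. "\fIprevious\fR is accepted as a deprecated alias for \fIautomatic\fR"); otherwise a reader of the man page has no way to know why old scripts still work. In the touched context, "spp-policy" in the `--set-ssp-policy` paragraph should read "ssp-policy".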
14 changes: 8 additions & 6 deletions src/mokutil.c
@@ -139,10 +139,10 @@ print_help ()
"\tPrevent fallback from automatically rebooting\n");
printf (" --trust-mok\t\t\t\tTrust MOK keys within the kernel keyring\n");
printf (" --untrust-mok\t\t\t\tDo not trust MOK keys\n");
printf (" --set-sbat-policy <latest/previous>"
"\tApply Latest or Previous SBAT revocations\n");
printf (" --set-ssp-policy <latest/previous/delete>\n"
"\t\t\t\t\tApply Latest, Previous, or delete SkuSiPolicy\n");
printf (" --set-sbat-policy <latest/automatic>"
"\tApply Latest or Automatic SBAT revocations\n");
printf (" --set-ssp-policy <latest/automatic/delete>\n"
"\t\t\t\t\tApply Latest, Automatic, or delete SkuSiPolicy\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
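Review bot: the `--set-sbat-policy <latest/automatic>` help string omits `delete`, which the option parser later in this file accepts (`policy = 3`), while the `--set-ssp-policy` line directly below does list it; change it to `<latest/automatic/delete>` with "Apply Latest, Automatic, or delete SBAT revocations" so the two help lines and the man page synopsis agree.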
@@ -1956,7 +1956,8 @@ main (int argc, char *argv[])
command |= SET_SBAT;
if (strcmp (optarg, "latest") == 0)
policy = 1;
else if (strcmp (optarg, "previous") == 0)
else if ((strcmp (optarg, "previous") == 0) ||
(strcmp (optarg, "automatic") == 0))
policy = 2;
else if (strcmp (optarg, "delete") == 0)
policy = 3;
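Review bot: `previous` is accepted as a synonym for `automatic` with nothing telling the caller that it is the compatibility spelling; consider printing a one-line deprecation notice to stderr when the `previous` branch is taken (leaving the `automatic` branch quiet) so script owners learn to migrate before the alias is ever dropped. If the alias is meant to stay indefinitely, record that in a comment at the `else if`, since the commit message is currently the only place the intent is written down.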
@@ -1966,7 +1967,8 @@ main (int argc, char *argv[])
command |= SET_SSP;
if (strcmp (optarg, "latest") == 0)
policy = 1;
else if (strcmp (optarg, "previous") == 0)
else if ((strcmp (optarg, "previous") == 0) ||
(strcmp (optarg, "automatic") == 0))
policy = 2;
else if (strcmp (optarg, "delete") == 0)
policy = 3;
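Review bot: this block is now a line-for-line copy of the SET_SBAT branch above (same three strcmp checks, same 1/2/3 policy values, same `previous`/`automatic` alias); factor the string-to-policy mapping into a small static helper, e.g. `static int parse_policy (const char *arg)` returning 1, 2, 3 or -1 for an unrecognised value, and call it from both branches so the next rename or alias is added in one place rather than two.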
