
revocations.efi to deliver new sbat level requirements as well as updated bootmgr SkuSiPolicy #6

Open

wants to merge 5 commits into base: main

Conversation

@jsetje jsetje commented Nov 10, 2022

This covers delivering updates to SBAT_LEVEL without the need
to create and sign a new shim

Signed-off-by: Jan Setje-Eilers [email protected]

jsetje commented Nov 29, 2022

While this works, I should admit that this is a bit of a strange binary and I wouldn't be surprised if there was a better way.

I did run into the fact that the PE parsing in shim does not handle longer section names. Since that could be an attack surface, it probably makes sense to keep that code as simple as it can be.

@jsetje jsetje changed the title from "Create sbat_level.efi to deliver new sbat level requirements" to "revocations.efi to deliver new sbat level requirements as well as updated bootmgr SkuSiPolicy" on Jun 9, 2023
@jsetje jsetje force-pushed the main branch 2 times, most recently from a8e9f89 to 03d0f36 Compare June 12, 2023 23:15
jsetje commented Jun 12, 2023

This contains a dangerous latest SkuSiPolicy version. While this is handy for testing, we may or may not want to ship this here. Comments are welcome.

This covers delivering updates to SBAT_LEVEL without the need
to create and sign a new shim

Signed-off-by: Jan Setje-Eilers <[email protected]>

This is also included in shim's built-in latest revocation, but it
revokes shim binaries impacted by:

* CVE-2023-40547
* CVE-2023-40546
* CVE-2023-40548
* CVE-2023-40549
* CVE-2023-40550
* CVE-2023-40551

And also revokes GRUB binaries impacted by:

* CVE-2023-4692
* CVE-2023-4693

When the term previous was introduced for revocations to be
automatically applied, there was a hope that every time a new
revocation was built into shim, the previous revocation could
be applied automatically. Further experience has shown the
real world to be more complex than that. The automatic payload
will realistically contain a set of revocations governed by
both the cadence at which a distro's customer base updates
as well as the severity of the issue being revoked.

This is not a functional change.

Signed-off-by: Jan Setje-Eilers <[email protected]>
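The commit messages above describe two tiers of SBAT_LEVEL payload ("previous" and "latest") that revoke shim and GRUB builds below a given generation. The following is an added example, not code from the shim project, that models how such a payload is evaluated against a binary's .sbat section; every generation number, datestamp and .sbat entry in it is constructed, since the page gives no real values for the CVEs it lists, and the datestamp ordering check mirrors the no-downgrade rule shim applies to SBAT_LEVEL updates.

```python
"""SBAT_LEVEL-style revocation checks.  Added example, not shim project code.
All generation numbers, dates and .sbat entries below are constructed; the page
gives no real values for the CVEs it lists."""
from typing import Dict, Tuple

def parse_levels(text: str) -> Dict[str, int]:
    """Parse 'component,generation[,...]' lines (policy payload or .sbat CSV).
    Only the first two fields take part in the comparison."""
    levels = {}
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) < 2 or not fields[0]:
            if line.strip():
                raise ValueError(f"malformed SBAT line: {line!r}")
            continue
        levels[fields[0]] = int(fields[1])
    return levels

def policy_datestamp(payload: str) -> int:
    """The 'sbat,1,<YYYYMMDDNN>' header carries the policy's datestamp; a new
    payload is only applied when its datestamp is newer than the installed one."""
    fields = payload.splitlines()[0].split(",")
    if fields[0] != "sbat" or len(fields) < 3:
        raise ValueError("payload must start with an 'sbat,1,<datestamp>' line")
    return int(fields[2])

def revoked_components(policy: Dict[str, int], binary: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Entries the policy rejects: component -> (binary has, policy requires).
    Components the policy does not mention are ignored."""
    return {c: (g, policy[c]) for c, g in binary.items() if c in policy and g < policy[c]}

def would_be_rejected(policy_text: str, sbat_text: str) -> bool:
    return bool(revoked_components(parse_levels(policy_text), parse_levels(sbat_text)))

# Constructed "previous" (conservative) and "latest" (aggressive) payloads, the two
# tiers the commit message describes.  Values are illustrative only.
PREVIOUS = "sbat,1,2023011900\nshim,2\ngrub,3\n"
LATEST = "sbat,1,2023060900\nshim,3\ngrub,4\n"

# Constructed .sbat section of an older GRUB build.
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
)

if __name__ == "__main__":
    for name, policy in (("previous", PREVIOUS), ("latest", LATEST)):
        print(name, revoked_components(parse_levels(policy), parse_levels(OLD_GRUB_SBAT)))
    print("latest newer than previous:", policy_datestamp(LATEST) > policy_datestamp(PREVIOUS))
```

Running it shows the same GRUB build accepted under the "previous" tier and rejected under "latest", which is the trade-off between update cadence and severity that the last commit message describes.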