SbatLevel_Variable.txt: clarify where and how revocation data is tracked
Comments to clarify that revocations should only be recorded
in SbatLevel_Variable.txt and not in any other header files.

Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
jsetje authored and vathpela committed Feb 5, 2025
1 parent 5ae408a commit e886fb3
Showing 1 changed file with 12 additions and 3 deletions.
15 changes: 12 additions & 3 deletions SbatLevel_Variable.txt
@@ -1,6 +1,15 @@
In order to apply SBAT based revocations on systems that will never
run shim, code running in boot services context needs to set the
following variable:
This file is the single source for SbatLevel revocations the format
follows the variable payload and should not have any leading or
trailing whitespace on the same line.

Short descriptions of the revocations as well as CVE assignments (when
available) should be provided when an entry is added.

On systems that run shim, shim will manage these revocations. Sytems
that never run shim, primarily Windows, but this applies to any OS
that supports UEFI Secure Boot under the UEFI CA without shim can
apply SBAT based revocations by setting the following variable
from code running in boot services context.

Name: SbatLevel
Attributes: (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
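Review bot: the added paragraphs carry a typo and a run-on that will be read by everyone maintaining this file, so they are worth fixing before merge: "Sytems that never run shim" should be "Systems that never run shim", and the first added sentence joins two statements without punctuation ("This file is the single source for SbatLevel revocations the format follows the variable payload ..."); splitting it as "This file is the single source for SbatLevel revocations. The format follows the variable payload and ..." reads cleanly. The whitespace rule ("should not have any leading or trailing whitespace on the same line") is also ambiguous about which lines it constrains; stating that it applies to the revocation entry lines, which are copied verbatim into the variable payload, would make the intent explicit. Finally, the sentence "Sytems that never run shim, primarily Windows, but this applies to any OS that supports UEFI Secure Boot under the UEFI CA without shim can apply SBAT based revocations ..." would be easier to parse if the parenthetical about Windows and other OSes were set off in parentheses or moved to its own sentence.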

0 comments on commit e886fb3