
uefi-sbat: Add a new plugin that can apply revocations to SbatLevelRT #7328

Merged
merged 2 commits into from
Jul 24, 2024

Conversation

@hughsie (Member) commented Jun 6, 2024

Type of pull request:

@hughsie (Member, Author) commented Jun 6, 2024

@superm1 no plugin code yet, I wanted a sanity check from @vathpela before writing a demo.

Review threads on plugins/uefi-sbat/README.md (3, all resolved)
@hughsie hughsie force-pushed the hughsie/uefi-sbat branch 3 times, most recently from 871debe to 51439c1 Compare June 13, 2024 11:25
@hughsie (Member, Author) commented Jun 13, 2024

Okay, now this works for me. For testing I've been using:

# ./src/fwupdtool --plugins uefi-sbat  -vv install-blob revocations.efi.signed
# ./src/fwupdtool --plugins uefi-sbat  -vv reboot-cleanup

The former loads revocations.efi onto the ESP in the same directory as the currently booted shim.efi (mounting the ESP as required). On the next reboot it removes the revocations.efi file.

To test we're refusing to deploy the new SBAT policy if any of the detected shim binaries are too old, you can do:

# fwupdtool firmware-build ../plugins/uefi-sbat/revocation.builder.xml revocation.efi
# fwupdtool --plugins uefi-sbat  -vv install-blob revocation.efi
SBAT level is too old on /boot/efi/EFI/fedora/grubx64.efi: ESP file /boot/efi/EFI/fedora/shimx64.efi has SBAT entry sbat v1, but revocation has v2
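The refusal shown above (shim declares `sbat` generation 1, the revocation demands 2) comes down to comparing per-component generation numbers in two CSV blobs. The following is an added example, not fwupd's own plugin code; it assumes the usual SBAT section layout (`component,generation,vendor,...`) and a SbatLevel-style payload (`component,minimum generation` per line), both constructed inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample of a shim's .sbat section: component,generation,vendor,... per line. */
static const char *shim_sbat =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n";
/* Constructed sample revocation payload: the sbat line carries the level and its date,
 * every later line is "component,minimum generation". */
static const char *revocation = "sbat,2,2024010900\nshim,4\ngrub,3\n";
static char reason[128]; /* filled with the offending entry when a check fails */

/* Generation recorded for `component` in a CSV blob, or -1 when it has no entry. */
static long sbat_generation(const char *csv, const char *component)
{
    size_t clen = strlen(component);
    const char *line = csv, *eol;
    for (; *line; line = eol ? eol + 1 : line + strlen(line)) {
        eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > clen && memcmp(line, component, clen) == 0 && line[clen] == ',')
            return strtol(line + clen + 1, NULL, 10);
    }
    return -1;
}

/* 1 if the binary declares a component below the generation the revocation demands (the
 * binary itself would be revoked once the level is applied), 0 if it stays bootable,
 * -1 on a malformed revocation line. Components the binary lacks (here grub) are ignored. */
static int sbat_too_old(const char *binary_sbat, const char *revocation_csv)
{
    const char *line = revocation_csv, *eol;
    for (; *line; line = eol ? eol + 1 : line + strlen(line)) {
        char component[64];
        eol = strchr(line, '\n');
        const char *comma = strchr(line, ',');
        if (comma == NULL || (eol != NULL && comma > eol))
            return -1;
        snprintf(component, sizeof(component), "%.*s", (int)(comma - line), line);
        long required = strtol(comma + 1, NULL, 10);
        long have = sbat_generation(binary_sbat, component);
        if (have >= 0 && have < required) {
            snprintf(reason, sizeof(reason), "has SBAT entry %s v%ld, but revocation has v%ld",
                     component, have, required);
            return 1;
        }
    }
    return 0;
}
```

Run against the constructed inputs, `sbat_too_old` returns 1 with `reason` reading "has SBAT entry sbat v1, but revocation has v2"; a shim already at `sbat` generation 2 passes, as does a payload that only bumps a component the shim does not declare.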

@hughsie hughsie requested review from jsetje and vathpela June 13, 2024 11:34
@hughsie hughsie marked this pull request as ready for review June 13, 2024 16:00
@jsetje commented Jun 21, 2024

Looking at the rest of the new code, I'm a bit confused about what the "firmware" is in this context. I assume it would be a revocations.efi blob that has an automatic payload? Edit: I'm happy to expand that implementation a bit if that's helpful. I think I've been convinced that being able to deliver separate SbatLevel and SkuSi binaries, so that combinations can be selected to be applied on a single reboot, is useful.

@vathpela (Collaborator) left a review comment

lgtm, but I can't really review things like "is it correct with your plugin architecture". So I'm assuming, since you've tested it, that on that level it's correct.

@hughsie hughsie merged commit ef7d29b into main Jul 24, 2024
21 checks passed
@hughsie hughsie deleted the hughsie/uefi-sbat branch July 24, 2024 11:14