forked from rhboot/shim
SbatLevel_Variable.txt
In order to apply SBAT based revocations on systems that will never
run shim, code running in boot services context needs to set the
following variable:
Name: SbatLevel
Attributes: (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
Namespace Guid: 605dab50-e046-4300-abb6-3dd810dd8b23
Variable content:
Initialized, no revocations:
sbat,1,2021030218
To Revoke GRUB2 binaries impacted by
* CVE-2021-3695
* CVE-2021-3696
* CVE-2021-3697
* CVE-2022-28733
* CVE-2022-28734
* CVE-2022-28735
* CVE-2022-28736
sbat,1,2022052400
grub,2
and shim binaries impacted by
* CVE-2022-28737
sbat,1,2022052400
shim,2
grub,2
Shim delivered both versions of these revocations with
the same 2022052400 date stamp, once as an opt-in latest
revocation with shim,2 and then as an automatic revocation without
shim,2
To revoke GRUB2 binaries impacted by
* CVE-2022-2601
* CVE-2022-3775
sbat,1,2022111500
shim,2
grub,3
To revoke Debian's grub.3 which missed
the patches:
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
An additional bug, not considered exploitable, was fixed in shim; the
affected shim binaries can be revoked by setting:
sbat,1,2023012950
shim,3
grub,3
grub.debian,4
shim did not deliver this payload at the time.
To Revoke GRUB2 binaries impacted by:
* CVE-2023-4692
* CVE-2023-4693
These CVEs are in the ntfs module and vendors that do and do not
ship this module as part of their signed binary are split.
sbat,1,2023091900
shim,2
grub,4
Since not everyone has shipped updated GRUB packages, shim did not
deliver this revocation at the time.
To Revoke shim binaries impacted by:
* CVE-2023-40547
* CVE-2023-40546
* CVE-2023-40548
* CVE-2023-40549
* CVE-2023-40550
* CVE-2023-40551
sbat,1,2024010900
shim,4
grub,3
grub.debian,4
Since the HTTP boot shim CVE is considerably more serious than the GRUB
ntfs CVEs, shim is delivering the shim revocation, without the updated
GRUB revocation, as a latest payload.
To revoke both the impacted shim and impacted GRUB binaries:
sbat,1,2024<date TBD>
shim,4
grub,4
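The following is an added example, not code from the shim project: it parses an SbatLevel payload in the format shown above, orders payloads by the datestamp in the leading "sbat" line, and reports which components of a binary's .sbat section fall below the policy. The two binary .sbat sections are constructed for this page and are not real signed builds.

```python
# Added example (not shim's own code): evaluate SbatLevel revocation
# payloads from this page against the .sbat CSV carried by a binary.
from typing import Dict, List, Tuple

# Variable metadata from the page; attribute bit values are from the UEFI spec.
SBATLEVEL_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
SBATLEVEL_ATTRIBUTES = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS

# Two payloads quoted in the text above.
POLICY_2023 = "sbat,1,2023091900\nshim,2\ngrub,4\n"
POLICY_2024 = "sbat,1,2024010900\nshim,4\ngrub,3\ngrub.debian,4\n"

# Constructed .sbat sections (hypothetical builds, not real artifacts).
SHIM_SBAT = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
             "shim,3,UEFI shim,shim,15.7,https://github.com/rhboot/shim\n")
GRUB_SBAT = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
             "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n")

def parse_sbat(text: str) -> List[Tuple[str, int]]:
    """Return (component, generation) pairs; extra CSV fields are ignored."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split(",")
            entries.append((fields[0], int(fields[1])))
    return entries

def policy_datestamp(policy: str) -> int:
    """Third field of the leading 'sbat' line; used to order payloads."""
    first = policy.splitlines()[0].split(",")
    if first[0] != "sbat":
        raise ValueError("SbatLevel payload must start with an sbat line")
    return int(first[2])

def newer_policy(current: str, candidate: str) -> str:
    """Only accept a candidate payload with a strictly newer datestamp."""
    return candidate if policy_datestamp(candidate) > policy_datestamp(current) else current

def revoked_by(policy: str, binary_sbat: str) -> List[str]:
    """List components whose generation in the binary is below the policy."""
    binary: Dict[str, int] = dict(parse_sbat(binary_sbat))
    hits = []
    for comp, required in parse_sbat(policy):
        have = binary.get(comp)
        if have is not None and have < required:
            hits.append(f"{comp}: has {have}, policy requires {required}")
    return hits
```

Running revoked_by with both payloads shows the split described above: the 2024010900 payload rejects the shim,3 build but not grub,3, while the 2023091900 payload does the reverse.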