git.ipfire.org Git - thirdparty/ipxe.git/commit

author	Michael Brown <mcb30@ipxe.org>
	Thu, 13 Jan 2022 14:10:03 +0000 (14:10 +0000)
committer	Michael Brown <mcb30@ipxe.org>
	Thu, 13 Jan 2022 14:12:44 +0000 (14:12 +0000)
commit	f4f9adf618cd85d330a896e1f721f3aa78d2409d
tree	92cf1a5ad3ac644c8ebfc66213f42ecba973047b	tree \| snapshot
parent	fbbdc39260cf37aa749e897e773f59807d1b8362	commit \| diff

[efi] Include Secure Boot Advanced Targeting (SBAT) metadata

SBAT defines an encoding for security generation numbers stored as a
CSV file within a special ".sbat" section in the signed binary. If a
Secure Boot exploit is discovered then the generation number will be
incremented alongside the corresponding fix.

Platforms may then record the minimum generation number required for
any given product. This allows for an efficient revocation mechanism
that consumes minimal flash storage space (in contrast to the DBX
mechanism, which allows for only a single-digit number of revocation
events to ever take place across all possible signed binaries).

Add SBAT metadata to iPXE EFI binaries to support this mechanism.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/arch/i386/scripts/i386-kir.lds		diff \| blob \| blame \| history
src/arch/i386/scripts/linux.lds		diff \| blob \| blame \| history
src/arch/x86/scripts/pcbios.lds		diff \| blob \| blame \| history
src/arch/x86/scripts/prefixonly.lds		diff \| blob \| blame \| history
src/arch/x86_64/scripts/linux.lds		diff \| blob \| blame \| history
src/config/branding.h		diff \| blob \| blame \| history
src/core/version.c		diff \| blob \| blame \| history
src/include/ipxe/sbat.h	[new file with mode: 0644]	blob
src/scripts/efi.lds		diff \| blob \| blame \| history