git.ipfire.org Git - thirdparty/ipxe.git/commit
[efi] Support versions of shim that perform SBAT verification
author Michael Brown <mcb30@ipxe.org>
Tue, 23 May 2023 13:55:08 +0000 (14:55 +0100)
committer Michael Brown <mcb30@ipxe.org>
Tue, 23 May 2023 14:27:20 +0000 (15:27 +0100)
commit 5b4318143648272b36736c1d1d5d1acbda9a5876
tree 5dfe1ca8d04a858620bae4c91a4a9d23aca0538f
parent d2e1601cf4c8a0df21c08b9c8acf22e9cb631c5c
[efi] Support versions of shim that perform SBAT verification

The UEFI shim implements a fairly nicely designed revocation mechanism
designed around the concept of security generations.  Unfortunately
nobody in the shim community has thus far added the relevant metadata
to the Linux kernel, with the result that current versions of shim are
incapable of booting current versions of the Linux kernel.

Experience shows that there is unfortunately no point in trying to get
a fix for this upstreamed into shim.  We therefore default to working
around this undesirable behaviour by patching data read from the
"SbatLevel" variable used to hold SBAT configuration.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/hci/commands/shim_cmd.c
src/include/ipxe/efi/efi_shim.h
src/include/usr/shimmgmt.h
src/interface/efi/efi_shim.c
src/usr/shimmgmt.c