SBAT component versions

Steve McIntyre steve at einval.com
Tue May 25 15:46:55 BST 2021


Hi Jeff,

On Tue, May 25, 2021 at 02:35:06PM +0000, Jeff Hewett (jhewett) wrote:
>I recently started doing some testing with SBAT in the 15.4 shim and would like
>to confirm my understanding of how version entries work. I started with an SBAT
>entry for the GRUB version of 2.04, then 2.06, then 2.02. I was expecting the
>2.02 version to fail with secure boot however it booted successfully. It
>appears from the shim code that the version is tracked via a UEFI variable to
>ensure a lower version won’t boot. Maybe I’ve misunderstood the intended
>behavior(??)

You're looking at the software version of the GRUB component. SBAT
versioning cares about the component *generation*, not the
software version ("vendor_version"). Looking at an example I have to
hand, one of Debian's grub binaries has the following SBAT data:

  sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
  grub.debian,1,Debian,grub2,2.02+dfsg1-20+deb10u4,https://tracker.debian.org/pkg/grub2

The generation is field #2 (i.e. "1" in all cases here). See the
"Generation-Based Revocation Metadata" section in the SBAT doc [1]:

| field                | meaning                                     |
|----------------------|---------------------------------------------|
| component_name       | the name we're comparing                    |
| component_generation | the generation number for the comparison    |
| vendor_name          | human readable vendor name                  |
| vendor_package_name  | human readable package name                 |
| vendor_version       | human readable package version (maybe       |
|                      | machine parseable too, not specified here)  |
| vendor_url           | url to look stuff up, contact, whatever.    |

Does that help to explain?

[1] https://github.com/rhboot/shim/blob/main/SBAT.md

-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
"Arguing that you don't care about the right to privacy because you have
 nothing to hide is no different than saying you don't care about free
 speech because you have nothing to say."
   -- Edward Snowden
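As an added illustration (not from this thread or from the shim project's own code), a small Python check of the rule above: it compares only the component_generation field and carries vendor_version along purely as a label, so a 2.02 and a 2.06 grub build with the same generation are treated alike. The revocation-policy format and its values are constructed for the example and are not the shim's real SbatLevel data.

```python
"""Check an image's SBAT section against a generation-based revocation policy.

Mirrors the rule described above: only component_generation is compared;
vendor_version (2.02, 2.06, ...) is informational and never ordered.
"""
import csv
from io import StringIO

# Constructed SBAT sections (same shape as the Debian example above).
# Both grub builds carry generation 1; only the vendor_version differs.
GRUB_202 = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
grub.debian,1,Debian,grub2,2.02+dfsg1-20+deb10u4,https://tracker.debian.org/pkg/grub2
"""
GRUB_206 = GRUB_202.replace(",2.02,", ",2.06,")

# Constructed revocation policies: "component_name,minimum_generation".
# (Hypothetical lists; the real policy format and values live in the shim.)
POLICY_GEN1 = "sbat,1\ngrub,1\n"
POLICY_GEN2 = "sbat,1\ngrub,2\n"


def parse_sbat(text):
    """Return {component_name: (component_generation, vendor_version)}."""
    entries = {}
    for row in csv.reader(StringIO(text)):
        if row:
            entries[row[0]] = (int(row[1]), row[4] if len(row) > 4 else "")
    return entries


def parse_policy(text):
    """Return {component_name: minimum_generation}."""
    return {row[0]: int(row[1]) for row in csv.reader(StringIO(text)) if row}


def sbat_verify(image_sbat, policy_text):
    """Return (allowed, reason). An image is refused when any policy component
    appears in it with a generation lower than the policy minimum."""
    image = parse_sbat(image_sbat)
    for name, minimum in parse_policy(policy_text).items():
        if name in image and image[name][0] < minimum:
            gen, version = image[name]
            return False, f"{name}: generation {gen} < {minimum} (vendor_version {version})"
    return True, "all listed components meet the required generation"


if __name__ == "__main__":
    for label, img in (("grub 2.02", GRUB_202), ("grub 2.06", GRUB_206)):
        for pol_name, pol in (("gen>=1", POLICY_GEN1), ("gen>=2", POLICY_GEN2)):
            print(label, pol_name, sbat_verify(img, pol))
```

Under the gen>=2 policy both builds are refused despite 2.06 being the newer software version; raising a build's component_generation, not its vendor_version, is what makes it pass.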