SBAT entries and revocation in case of multiple variants of same component

Sherif Nagy sherif at rockylinux.org
Mon Nov 20 14:48:55 GMT 2023


Hello,

I was thinking about a specific scenario, where distros / vendors might
provide multiple variants of the same EFI component, for example:

* Kernel-lts, kernel-mainline and kernel-stable where all will have
SBAT or UKI
* grub-next and grub-stable, where both will have SBAT entries

Let's talk about the SBAT entries: are those going to be identical in
each package, or will we need to change the component name in the SBAT
entry?

If we keep the same SBAT entries on both packages, won't this break the
revocation based on global generation number / version, so that the only way
to revoke a bad EFI binary is by blocking its hash in DBX or blocking the cert
for its package?

What would be the best practices in this case? I assume, of course, using a
separate cert for each component, in the sense that grub-next has its own
cert and grub2-stable is signed with another cert.

My thoughts are:
* Different cert for each component
* Different SBAT entry for each component

I think we can brainstorm about this and come up with best practices
that we can push into the shim-review readme for clarification.

Any thoughts?

Regards,
Sherif
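To make the revocation concern in the post concrete, here is an added example (not from the post, the shim project, or any distro) that parses constructed SBAT CSV entries and applies a shim-style generation check: a binary is rejected when a component named in the revocation policy appears in its .sbat section with a generation below the required minimum. The component names (grub.example, grub.example.stable, grub.example.next), the vendor strings and the policy are all constructed for illustration.

```python
import csv
from io import StringIO

# Constructed .sbat header and upstream entry, in the standard SBAT CSV layout:
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
UPSTREAM = "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/"


def parse_sbat(text):
    """Parse SBAT CSV text into {component_name: generation}."""
    entries = {}
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        entries[row[0].strip()] = int(row[1])
    return entries


def sbat_allows(image_sbat, policy):
    """Shim-style check: reject if any component listed in the policy is present
    in the image with a generation below the policy's minimum. Components the
    policy does not mention are not judged at all."""
    image, required = parse_sbat(image_sbat), parse_sbat(policy)
    return all(image.get(name, min_gen) >= min_gen for name, min_gen in required.items())


def distro_sbat(component, generation):
    """Constructed .sbat contents for a hypothetical distro grub build."""
    distro = f"{component},{generation},Example Distro,grub2,2.06-1,https://distro.invalid"
    return "\n".join([SBAT_HEADER, UPSTREAM, distro]) + "\n"


def revocation_outcome(stable_component, next_component, revoked_component, min_gen):
    """Build grub-stable and grub-next images (both at generation 1), publish a
    policy raising the minimum generation for `revoked_component`, and return
    (stable_allowed, next_allowed)."""
    policy = f"sbat,1,2024010100\n{revoked_component},{min_gen}\n"  # constructed SbatLevel-style list
    stable = distro_sbat(stable_component, 1)
    nxt = distro_sbat(next_component, 1)
    return sbat_allows(stable, policy), sbat_allows(nxt, policy)


if __name__ == "__main__":
    # Shared component name: revoking the grub-next flaw also revokes grub-stable.
    print(revocation_outcome("grub.example", "grub.example", "grub.example", 2))
    # Distinct component names: only grub-next is revoked, grub-stable keeps booting.
    print(revocation_outcome("grub.example.stable", "grub.example.next", "grub.example.next", 2))
```

With a shared name the policy cannot distinguish the two variants and both fall to the hash-in-DBX fallback the post describes; with distinct names the generation bump lands only on the variant that needs it.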