SBAT patch for fwupdate

Steve McIntyre steve at einval.com
Thu Mar 4 15:24:13 GMT 2021


Hey folks,

One of the changes that's come out of the latest set of GRUB updates
and attendant Secure Boot revocations is SBAT (Secure Boot Advanced
Targeting - see https://github.com/rhboot/shim/blob/main/SBAT.md).
This necessitates all signed binaries to now include an extra lump of
metadata so that generation-based revocation can work.

Shim, GRUB and fwupd all have support for this now, which is good. For
older distros still shipping fwupdate as a separate signed package,
there's not been an upstream fix for this as the project is now dead
and merged into fwupd. So I've added a simple patch for this for the
sake of Debian, and AIUI Javier has reviewed it and is expecting to
adopt it for RHEL7.

Here's the link in case anybody else is interested:

  https://github.com/steve-mcintyre/fwupdate/commit/be48c87244643bd6da4e2badfc9f85c33c97a376

-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
'There is some grim amusement in watching Pence try to run the typical
 "politician in the middle of a natural disaster" playbook, however
 incompetently, while Trump scribbles all over it in crayon and eats some
 of the pages.'   -- Russ Allbery



