sbat: Also bump latest for grub,4 (and to today's date)
Back in January we decided to bump the SBAT level for the shim
CVE without bumping the grub level for the previous NTFS issues
- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing
the ntfs module.

Catch up on this revocation to ensure it doesn't get lost. Doing
so also allows us to remove the grub.debian,4 revocation as this
happened before grub,4 and hence is obsolete.

Also bump the date of the sbat variable to today's. Don't copy
the April 5 one to a previous selection, as it wasn't shipped
to anyone.

Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
julian-klode authored and vathpela committed Apr 9, 2024
1 parent 63edf92 commit 3e1394e
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions include/sbat_var_defs.h
Expand Up @@ -58,10 +58,13 @@
SBAT_VAR_AUTOMATIC_REVOCATIONS

/*
* Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
* Revocations for:
* - January 2024 shim CVEs
* - October 2023 grub CVEs
* - Debian/Ubuntu (peimage) CVE-2024-2312
*/
#define SBAT_VAR_LATEST_DATE "2024040500"
#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
#define SBAT_VAR_LATEST_DATE "2024040900"
#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,4\ngrub.peimage,2\n"
#define SBAT_VAR_LATEST \
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
SBAT_VAR_LATEST_REVOCATIONS
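
Review bot: In the rewritten comment block above SBAT_VAR_LATEST_REVOCATIONS, nothing records why grub.debian,4 was dropped from the string, so a later reader comparing this level against the previous one may take the removal for an oversight and re-add it. The commit message gives the reason (that revocation happened before grub,4 and is obsolete once grub,4 is listed); a one-line remark in the comment saying so would keep the rationale next to the define. The "October 2023 grub CVEs" bullet could also name CVE-2023-4692 and CVE-2023-4693, the way the peimage bullet names CVE-2024-2312.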