SBAT section handling incorrect?

[hallyn]

Hi,

in rhboot/shim-review#182 (comment) it's mentioned that stubby's SBAT handling is "likely incorrect". This issue is to track either (a) verification that it is correct or (b) fixing it.

The only reference I'm aware of with respect to SBAT is https://github.com/rhboot/shim/blob/main/SBAT.md . Is there any other?

[pcmoore]

There are two things relating to SBAT handling that should be verified/addressed:

• The proper creation of the SBAT section. This was the origin of the "likely incorrect" comment mentioned above and the linked comment provides some thoughts and examples on how to potentially resolve this issue.
• What to use for stubby's SBAT value.

The SBAT value is going to need to be a combination of the stubby and the bundled Linux Kernel. The base stubby value should be something like this:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
stubby.puzzleos,1,PuzzleOS,stubby,2.0.0,https://github.com/puzzleos/stubby

... with the Linux Kernel CSV entry appended to the end.

[hallyn]

Thank you.