Add new GRUB2 CVEs, SBAT level and clarifications

This also adds more details about the CVEs and unifies the spelling of GRUB2.
rhboot · Nov 6, 2023 · 15c328e · 15c328e
1 parent dc7aebd
commit 15c328e
Showing 1 changed file with 49 additions and 34 deletions.
diff --git a/README.md b/README.md
@@ -93,39 +93,52 @@ This matches https://github.com/rhboot/shim/releases/tag/15.7 and contains the a
 [your text here]
 
 *******************************************************************************
-### If shim is loading GRUB2 bootloader and your previously released shim booted a version of grub affected by any of the CVEs in the July 2020 grub2 CVE list, the March 2021 grub2 CVE list, the June 7th 2022 grub2 CVE list, or the November 15th 2022 list, have fixes for all these CVEs been applied?
-
-* CVE-2020-14372
-* CVE-2020-25632
-* CVE-2020-25647
-* CVE-2020-27749
-* CVE-2020-27779
-* CVE-2021-20225
-* CVE-2021-20233
-* CVE-2020-10713
-* CVE-2020-14308
-* CVE-2020-14309
-* CVE-2020-14310
-* CVE-2020-14311
-* CVE-2020-15705
-* CVE-2021-3418 (if you are shipping the shim_lock module)
-
-* CVE-2021-3695
-* CVE-2021-3696
-* CVE-2021-3697
-* CVE-2022-28733
-* CVE-2022-28734
-* CVE-2022-28735
-* CVE-2022-28736
-* CVE-2022-28737
-
-* CVE-2022-2601
-* CVE-2022-3775
+### If shim is loading GRUB2 bootloader and your previously released shim booted a version of GRUB2 affected by any of the CVEs in the July 2020, the March 2021, the June 7th 2022, the November 15th 2022, or 3rd of October 2023 GRUB2 CVE list, have fixes for all these CVEs been applied?
+
+* 2020 July - BootHole
+ * Details: https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
+ * CVE-2020-10713
+ * CVE-2020-14308
+ * CVE-2020-14309
+ * CVE-2020-14310
+ * CVE-2020-14311
+ * CVE-2020-15705
+ * CVE-2020-15706
+ * CVE-2020-15707
+* March 2021
+ * Details: https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
+ * CVE-2020-14372
+ * CVE-2020-25632
+ * CVE-2020-25647
+ * CVE-2020-27749
+ * CVE-2020-27779
+ * CVE-2021-3418 (if you are shipping the shim_lock module)
+ * CVE-2021-20225
+ * CVE-2021-20233
+* June 2022
+ * Details: https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html, SBAT increase to 2
+ * CVE-2021-3695
+ * CVE-2021-3696
+ * CVE-2021-3697
+ * CVE-2022-28733
+ * CVE-2022-28734
+ * CVE-2022-28735
+ * CVE-2022-28736
+ * CVE-2022-28737
+* November 2022
+ * Details: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html, SBAT increase to 3
+ * CVE-2022-2601
+ * CVE-2022-3775
+* October 2023 - NTFS vulnerabilities
+ * Details: https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html, SBAT increase to 4
+ * CVE-2023-4693
+ * CVE-2023-4692
 *******************************************************************************
 [your text here]
 
 *******************************************************************************
-### If these fixes have been applied, have you set the global SBAT generation on your GRUB binary to 3?
+### If these fixes have been applied, is the upstream global SBAT generation in your GRUB2 binary set to 4?
+The entry should look similar to: `grub,4,Free Software Foundation,grub,GRUB_UPSTREAM_VERSION,https://www.gnu.org/software/grub/`
 *******************************************************************************
 [your text here]
 
@@ -199,19 +212,22 @@ This should include logs for creating the buildroots, applying patches, doing th
 [your text here]
 
 *******************************************************************************
-### Do you add a vendor-specific SBAT entry to the SBAT section in each binary that supports SBAT metadata ( grub2, fwupd, fwupdate, shim + all child shim binaries )?
+### Do you add a vendor-specific SBAT entry to the SBAT section in each binary that supports SBAT metadata ( GRUB2, fwupd, fwupdate, shim + all child shim binaries )?
 ### Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim.
 ### Where your code is only slightly modified from an upstream vendor's, please also preserve their SBAT entries to simplify revocation.
+If you are using a downstream implementation of GRUB2 (e.g. from Fedora or Debian), please
+preserve the SBAT entry from those distributions and only append your own.
+More information on how SBAT works can be found [here](https://github.com/rhboot/shim/blob/main/SBAT.md).
 *******************************************************************************
 [your text here]
 
 *******************************************************************************
-### Which modules are built into your signed grub image?
+### Which modules are built into your signed GRUB2 image?
 *******************************************************************************
 [your text here]
 
 *******************************************************************************
-### What is the origin and full version number of your bootloader (GRUB or other)?
+### What is the origin and full version number of your bootloader (GRUB2 or other)?
 *******************************************************************************
 [your text here]
 
@@ -231,10 +247,9 @@ This should include logs for creating the buildroots, applying patches, doing th
 [your text here]
 
 *******************************************************************************
-### Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
+### Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB2)?
 *******************************************************************************
 [your text here]
-
 *******************************************************************************
 ### What kernel are you using? Which patches does it includes to enforce Secure Boot?
 *******************************************************************************