-
Notifications
You must be signed in to change notification settings - Fork 300
/
Copy pathSbatLevel_Variable.txt
129 lines (90 loc) · 2.57 KB
/
SbatLevel_Variable.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
This file is the single source for SbatLevel revocations the format
follows the variable payload and should not have any leading or
trailing whitespace on the same line.
Short descriptions of the revocations as well as CVE assignments (when
available) should be provided when an entry is added.
On systems that run shim, shim will manage these revocations. Sytems
that never run shim, primarily Windows, but this applies to any OS
that supports UEFI Secure Boot under the UEFI CA without shim can
apply SBAT based revocations by setting the following variable
from code running in boot services context.
Name: SbatLevel
Attributes: (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
Namespace Guid: 605dab50-e046-4300-abb6-3dd810dd8b23
Variable content:
Initialized, no revocations:
sbat,1,2021030218
To Revoke GRUB2 binaries impacted by
* CVE-2021-3695
* CVE-2021-3696
* CVE-2021-3697
* CVE-2022-28733
* CVE-2022-28734
* CVE-2022-28735
* CVE-2022-28736
sbat,1,2022052400
grub,2
and shim binaries impacted by
* CVE-2022-28737
sbat,1,2022052400
shim,2
grub,2
Shim delivered both versions of these revocations with
the same 2022052400 date stamp, once as an opt-in latest
revocation with shim,2 and then as an automatic revocation without
shim,2
To revoke GRUB2 grub binaries impacted by
* CVE-2022-2601
* CVE-2022-3775
sbat,1,2022111500
shim,2
grub,3
To revoke Debian's grub.3 which missed
the patches:
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
An additonal bug was fixed in shim that was not considered exploitable,
can be revoked by setting:
sbat,1,2023012950
shim,3
grub,3
grub.debian,4
shim did not deliver this payload at the time
To Revoke GRUB2 binaries impacted by:
* CVE-2023-4692
* CVE-2023-4693
These CVEs are in the ntfs module and vendors that do and do not
ship this module as part of their signed binary are split.
sbat,1,2023091900
shim,2
grub,4
Since not everyone has shipped updated GRUB packages, shim did not
deliver this revocation at the time.
To Revoke shim binaries impacted by:
* CVE-2023-40547
* CVE-2023-40546
* CVE-2023-40548
* CVE-2023-40549
* CVE-2023-40550
* CVE-2023-40551
sbat,1,2024010900
shim,4
grub,3
grub.debian,4
Revocations for:
- January 2024 shim CVEs
- October 2023 grub CVEs
- Debian/Ubuntu (peimage) CVE-2024-2312
sbat,1,2024040900
shim,4
grub,4
grub.peimage,2
Since http boot shim CVE is considerably more serious than then GRUB
ntfs CVEs shim is delivering the shim revocation without the updated
GRUB revocation as a latest payload.
To revoke both the impacted shim and impacted GRUB binaries:
sbat,1,2024<date TBD>
shim,4
grub,4