lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0

SBAT revocation update support #52

Closed jsetje closed 2 years ago

jsetje commented 2 years ago

Control how shim will apply SBAT revocations:

mokutil --set-sbat-policy latest

applies the latest SBAT revocations
(default behavior)

mokutil --set-sbat-policy previous

applies previous SBAT revocations to
allow falling back to an older release

In both of the above cases shim will only apply SBAT revocations that are newer than the ones currently installed.

mokutil --set-sbat-policy delete

resets SBAT revocations only if Secure
Boot is disabled. This setting does not
persist.

Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>

jsetje commented 2 years ago

This goes along with https://github.com/rhboot/shim/pull/467. This was developed to account for supporting SBAT revocations as a non-authenticated boot services variable.

lcp commented 2 years ago

Thanks for the patch!
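
The policy rules from the PR description, modeled as an added Python example (not code from mokutil or shim). The function names, the sample payloads, the `sbat,<version>,<datestamp>` first line used to order revocations, and representing a reset as an empty state are assumptions made here.

```python
# Constructed sample payloads: first line carries the datestamp (assumed format).
PREVIOUS = "sbat,1,2022010100\ngrub,1\n"
LATEST = "sbat,1,2023010100\ngrub,2\n"


def sbat_datestamp(payload):
    """Return the datestamp from the leading 'sbat,<version>,<datestamp>' line."""
    lines = payload.strip().splitlines()
    fields = lines[0].split(",") if lines else []
    if len(fields) != 3 or fields[0] != "sbat" or not fields[2].isdigit():
        raise ValueError("payload lacks an 'sbat,<version>,<datestamp>' line")
    return int(fields[2])


def apply_policy(policy, secure_boot, installed, latest=LATEST, previous=PREVIOUS):
    """Model one boot: return (installed revocations, policy for the next boot)."""
    if policy == "delete":
        # Reset only with Secure Boot disabled. The request is one-shot; this
        # model assumes it reverts to the default ("latest") in both cases.
        return (installed if secure_boot else None), "latest"
    if policy not in ("latest", "previous"):
        raise ValueError(f"unknown SBAT policy: {policy!r}")
    candidate = latest if policy == "latest" else previous
    # Only strictly newer revocations are applied, so neither policy rolls back.
    if installed is None or sbat_datestamp(candidate) > sbat_datestamp(installed):
        return candidate, policy
    return installed, policy


if __name__ == "__main__":
    state, policy = LATEST, "previous"      # admin ran --set-sbat-policy previous
    state, policy = apply_policy(policy, True, state)
    print("previous with newer data installed:", sbat_datestamp(state))
    state, policy = apply_policy("delete", False, state)   # Secure Boot disabled
    print("after delete:", state, "| next policy:", policy)
    state, policy = apply_policy("previous", True, state)
    print("previous after reset:", sbat_datestamp(state))
```

Under this model, `previous` on its own leaves newer installed revocations in place; falling back to the older set requires a `delete` with Secure Boot disabled first.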