lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0

Add support for SSPPolicy, deprecate --set-sbat-policy delete #65

Closed jsetje closed 5 months ago

jsetje commented 1 year ago

This unlocks the ability to control bootmgr revocation policy in a similar manner to what we did with sbat levels. There are some subtle differences since we want to be more aggressive with our own policy than with one that could be managed by an external OS. That choice may evolve over time.

Thank you for any and all comments, including any naming discussion.

lcp commented 1 year ago

The commit mentions that --set-sbat-policy delete is deprecated, but it still sets the delete policy for SBAT. If you plan to keep it for the time being and remove the option in the future, I would like to see the commit message address that.

On the other hand, the help messages for --set-fallback-verbosity and --set-fallback-noreboot have been changed. Those are irrelevant to SSPPolicy and should be in a separate commit.

jsetje commented 1 year ago

Thank you for looking at this!!

I split out the tab spacing fix and added a note that I will delete the actual delete implementation at a future date. If someone is stuck with a newer mokutil and an older shim for some reason, they will really need the delete, so I don't want to take it away suddenly.

lcp commented 5 months ago

Those patches look good in general except for a couple of minor flaws. I'll fix them and merge this PR.

lcp commented 5 months ago

Merged.