Closed jsetje closed 9 months ago
The commit mentions that --set-sbat-policy delete
is deprecated but it still sets delete
policy for SBAT. If you plan to keep it for the time being and remove the option in the future, I would like to see the commit message to address that.
On the other hand, the help messages for --set-fallback-verbosity
and --set-fallback-noreboot
have been changed. Those are irrelevant to SSPPolicy and should be in a separate commit.
Thank you for looking at this!!
I split out the tab spacing fix and added a note that I will delete the actual delete implementation at a future date. If someone is stuck with a newer mokutil and an older shim for some reason, they will really need the delete, so I don't want to take it away suddenly.
Those patches look good in general except a couple of minor flaws. I'll fix them and merge this PR.
Merged.
This unlocks the ability to control bootmgr revocation polity in a similar manner to what we did with sbat levels. There are some subtle differences since we want to be more aggressive with our own policy than with one that could be managed by an external OS. That choice may evolve over time.
Thank you for any and all comments, including any naming discussion.