puzzleos / stubby

UEFI bootloader stub
GNU Lesser General Public License v2.1

SBAT section handling incorrect? #5

Open hallyn opened 3 years ago

hallyn commented 3 years ago

Hi,

In https://github.com/rhboot/shim-review/issues/182#issuecomment-877298866 it's mentioned that stubby's SBAT handling is "likely incorrect". This issue is to track either (a) verification that it is correct or (b) fixing it.

The only reference I'm aware of with respect to SBAT is https://github.com/rhboot/shim/blob/main/SBAT.md . Is there any other?

pcmoore commented 3 years ago

There are two things relating to SBAT handling that should be verified/addressed:

The SBAT value is going to need to be a combination of the stubby and the bundled Linux Kernel. The base stubby value should be something like this:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
stubby.puzzleos,1,PuzzleOS,stubby,2.0.0,https://github.com/puzzleos/stubby

... with the Linux Kernel CSV entry appended to the end.
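
Added example, not part of the thread and not code from stubby or shim: a build-time check that combines the base stubby SBAT entries quoted above with a kernel's entries and validates the six-field CSV layout described in SBAT.md. The kernel entry (`linux.example`, `example.invalid`) is a constructed placeholder, and the function names are hypothetical.

```python
import csv
import io

# Base entries quoted in the comment above.
STUBBY_BASE = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "stubby.puzzleos,1,PuzzleOS,stubby,2.0.0,https://github.com/puzzleos/stubby\n"
)
# Constructed placeholder: the thread does not give the kernel's real entry.
KERNEL_ENTRY = "linux.example,1,Example Vendor,linux,0.0.0,https://example.invalid/linux\n"


def parse_sbat(text):
    """Return the 6-field rows of an SBAT CSV, rejecting malformed lines."""
    rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        row = [field.strip() for field in row]
        if len(row) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(row)}")
        name, generation = row[0], row[1]
        if not name:
            raise ValueError(f"line {lineno}: empty component name")
        if not (generation.isascii() and generation.isdigit()) or int(generation) < 1:
            raise ValueError(f"line {lineno}: generation must be a positive integer")
        rows.append(row)
    return rows


def combine_sbat(base_text, kernel_text):
    """Append the kernel's entries to the stub's, keeping one 'sbat' header."""
    base, kernel = parse_sbat(base_text), parse_sbat(kernel_text)
    if not base or base[0][0] != "sbat":
        raise ValueError("base must start with the 'sbat' version entry")
    seen = {row[0] for row in base}
    combined = list(base)
    for row in kernel:
        if row[0] == "sbat":
            continue  # the kernel's own header line is not repeated
        if row[0] in seen:
            raise ValueError(f"duplicate component name {row[0]!r}")
        seen.add(row[0])
        combined.append(row)
    if len(combined) == len(base):
        raise ValueError("kernel SBAT contributed no entries")
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(combined)
    return out.getvalue()
```
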

hallyn commented 3 years ago

Thank you.