frozencemetery
commented
2 years ago I believe this is covered by an earlier paragraph:
The global and product-specific generation number name spaces are not tied to each other. The global number is managed externally, and the vast majority of products will never publish a minimum product-specific generation number for any of their components. Unspecified, more specific generation numbers are treated as 0.
However, it might be more clear if the acme examples included an upstream grub entry.
shaopeijie
Hello, Recently I have been learing the SBAT mechanism(SBAT.md), I found an ACME example in section Along comes bug 1 , and that confuses me. As I see, acme didn't add 'grub,1' in their .sbat before, so 'grub,2' in SBAT can not revoke it only if grub.acme,2 is added. so SBAT issued by UEFI CA should be: sbat,1 shim,1 grub,2 grub.acme,2
am I right or misunderstand?
part of SBAT.md bellow: We talk to Acme and they agree to do the latter, thus saving flash real estate to be developed on another day. Their binary now looks like:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,2,Free Software Foundation,grub,1.96,https://www.gnu.org/software/grub/ grub.acme,1,Acme Corporation,grub,1.96-8192,https://acme.arpa/packages/grub The UEFI CA issues an update which looks like:
sbat,1 shim,1 grub,2 grub.fedora,2