rhboot / shim

UEFI shim loader

How actually should developer set sbat policy on RHEL8? #552

Open Roo4L opened 1 year ago

Roo4L commented 1 year ago

Hi!

I've been looking through the secure boot process on el8 and found out that the current shim version shipped with el8 (15.6) is using the SBAT_PREVIOUS policy by default. Thus, the SbatLevel variable is not updated and the system still stays vulnerable.

  1. As I see, on other distros, like SUSE, there is the ability to update the sbat policy using mokutil, but on el8 mokutil is too old and doesn't support the sbat variable update. How should I change the sbat policy then?
  2. Why is the sbat policy set to SBAT_PREVIOUS by default? It doesn't make much sense to me. I thought that SBAT_PREVIOUS should exist as a backup option in case there are some issues with the latest one, but instead it appears to be the main one.
julian-klode commented 1 year ago

You are completely right about why SBAT_PREVIOUS exists.

Let's see how you get back to the previous shim:

  1. If SBAT_LATEST were the default, you would need to disable secure boot
  2. Boot a rescue image with the old shim
  3. Reinstall the old shim into the installed system
  4. If SBAT_LATEST were the default, switch the policy to previous
  5. If SBAT_LATEST were the default, re-enable secure boot

That's a horrible workflow.

Roo4L commented 1 year ago

Okay, I see. At least it starts to make sense now. But as a drawback, end users must update SBAT_POLICY themselves somehow if they really wish to be protected. And as I see, there is no word about it in any security release done by distribution vendors... How come?
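The thread is about whether the SbatLevel variable on a given machine has actually been raised. The following script is an added example (not code from the shim project or from anyone in this thread) that reads that variable through efivarfs and reports which component generations the firmware will now refuse to boot. It assumes the Linux efivarfs layout (a 4-byte attribute header in front of the variable data) and shim's SHIM_LOCK GUID in the variable file name; the SbatLevel payload used when no live variable is present is a constructed sample, not data taken from a real system.

```shell
#!/bin/sh
# Added example: inspect the SbatLevel UEFI variable that shim maintains and
# decide whether a component at a given SBAT generation would be revoked.
# Assumptions: efivarfs is mounted at the usual path, every efivarfs file
# starts with a 4-byte attribute header, and the variable lives under
# shim's SHIM_LOCK GUID (605dab50-e046-4300-abb6-3dd810dd8b23).

SBATLEVEL_VAR=/sys/firmware/efi/efivars/SbatLevel-605dab50-e046-4300-abb6-3dd810dd8b23

# Create a constructed SbatLevel file so the script runs offline.
# Header bytes 07 00 00 00 = NV|BS|RT attributes; payload is the CSV
# "component,generation" format shim writes (first line carries the date).
make_sample_sbatlevel() {
    f=$(mktemp)
    printf '\007\000\000\000sbat,1,2022052400\ngrub,2\n' > "$f"
    echo "$f"
}

# Print the SbatLevel payload as "component,generation[,date]" lines,
# with the efivarfs attribute header and blank lines removed.
sbat_level_entries() {
    # $1: path to an efivarfs file (or a constructed copy of one)
    tail -c +5 "$1" | tr -d '\r' | grep -v '^$'
}

# Print the minimum generation required for a component, or nothing
# if the component is not listed in SbatLevel at all.
sbat_required_generation() {
    # $1: efivarfs file, $2: component name as it appears in .sbat (e.g. grub)
    sbat_level_entries "$1" | awk -F, -v c="$2" '$1 == c { print $2; exit }'
}

# Return 0 (true) if a binary whose .sbat section declares $2 at generation $3
# would be rejected under this SbatLevel, 1 otherwise.
sbat_is_revoked() {
    # $1: efivarfs file, $2: component, $3: generation declared by the binary
    req=$(sbat_required_generation "$1" "$2")
    if [ -n "$req" ] && [ "$3" -lt "$req" ]; then
        return 0
    fi
    return 1
}

# Stand-alone run: prefer the live variable, fall back to the constructed sample.
if [ -r "$SBATLEVEL_VAR" ]; then
    src=$SBATLEVEL_VAR
else
    src=$(make_sample_sbatlevel)
fi
echo "SbatLevel entries read from $src:"
sbat_level_entries "$src"
# Example check: a grub build that declares generation 1 under the sample level.
if sbat_is_revoked "$src" grub 1; then
    echo "grub generation 1 is revoked by this SbatLevel"
else
    echo "grub generation 1 is still accepted by this SbatLevel"
fi
```

On a system where the policy was never switched away from SBAT_PREVIOUS, the live variable will show the older generations, which is what the first post in this thread is observing. The script only reads the variable; raising the level is done by setting the policy (on distributions with a current mokutil, via its `--set-sbat-policy` option), which is the step the thread is asking about for el8.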