Open Roo4L opened 1 year ago
You are completely right about why SBAT_PREVIOUS exists.
Let's see how you get back to the previous shim:
That's a horrible workflow.
Okay, I see. At least it starts to make sense right now. But as a drawback, end users must update SBAT_POLICY themselves somehow if they really wish to be protected. And as far as I can see, there is no word about it in any security release done by distribution vendors... How come?
Hi!
I've been looking through the secure boot process on el8 and found out that the current shim version shipped with el8 (15.6) is using the SBAT_PREVIOUS policy by default. Thus, the SbatLevel variable is not updated and the system still stays vulnerable.