Add support for SSPPolicy, deprecate --set-sbat-policy delete #65
The commit mentions that On the other hand, the help messages for
Thank you for looking at this!! I split out the tab spacing fix and added a note that I will delete the actual delete implementation at a future date. If someone is stuck with a newer mokutil and an older shim for some reason, they will really need the delete, so I don't want to take it away suddenly.
This only removed --set-sbat-policy delete from the documentation and help message. Since mokutil and shim may not be updated in lockstep, it makes sense to continue to allow it to be set for a while. I will remove it fully in a couple of months. Signed-off-by: Jan Setje-Eilers <[email protected]>
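The commit above keeps `delete` accepted while dropping it from the help text. The following is an added example (not mokutil's or shim's own code) of how a CLI can do that without the help text and the accept list drifting apart: one table drives both, undocumented entries are still parsed, and the caller is told when a deprecated value was used so it can warn. The numeric policy codes, the `--set-sbat-policy` wrapper and all function names here are placeholders chosen for this illustration and are not the real SbatPolicy encoding.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder policy codes for this example only; not mokutil's or shim's
 * real SbatPolicy encoding. */
enum sbat_policy {
	SBAT_POLICY_INVALID  = -1,
	SBAT_POLICY_LATEST   = 1,
	SBAT_POLICY_PREVIOUS = 2,
	SBAT_POLICY_DELETE   = 3,
};

struct policy_name {
	const char *name;
	enum sbat_policy value;
	int documented;	/* 0: accepted for compatibility only, hidden from --help */
};

/* Single source of truth for what is accepted and what is advertised. */
static const struct policy_name policy_table[] = {
	{ "latest",   SBAT_POLICY_LATEST,   1 },
	{ "previous", SBAT_POLICY_PREVIOUS, 1 },
	{ "delete",   SBAT_POLICY_DELETE,   0 },	/* deprecated, still honoured */
};

#define POLICY_COUNT (sizeof policy_table / sizeof policy_table[0])

/* Exact, case-sensitive match. Returns SBAT_POLICY_INVALID for unknown input.
 * *deprecated (if non-NULL) is set when the value is accepted but undocumented. */
enum sbat_policy parse_sbat_policy(const char *arg, int *deprecated)
{
	size_t i;

	if (deprecated)
		*deprecated = 0;
	if (!arg)
		return SBAT_POLICY_INVALID;
	for (i = 0; i < POLICY_COUNT; i++) {
		if (strcmp(arg, policy_table[i].name) == 0) {
			if (deprecated)
				*deprecated = !policy_table[i].documented;
			return policy_table[i].value;
		}
	}
	return SBAT_POLICY_INVALID;
}

/* Convenience wrapper: 1 if `arg` is accepted only for compatibility, else 0
 * (unknown values also return 0; check parse_sbat_policy for validity). */
int is_deprecated_policy(const char *arg)
{
	int deprecated = 0;

	parse_sbat_policy(arg, &deprecated);
	return deprecated;
}

/* Builds the "<a/b>" list shown in --help from documented entries only,
 * e.g. "latest/previous". Stops rather than overflowing if truncated. */
const char *documented_policy_values(void)
{
	static char out[64];
	size_t i, n = 0;

	out[0] = '\0';
	for (i = 0; i < POLICY_COUNT; i++) {
		int w;

		if (!policy_table[i].documented)
			continue;
		w = snprintf(out + n, sizeof out - n, "%s%s",
			     n ? "/" : "", policy_table[i].name);
		if (w < 0 || (size_t)w >= sizeof out - n)
			break;
		n += (size_t)w;
	}
	return out;
}

int main(int argc, char **argv)
{
	enum sbat_policy p;
	int deprecated;

	if (argc != 2) {
		fprintf(stderr, "usage: %s <%s>\n", argv[0],
			documented_policy_values());
		return 2;
	}
	p = parse_sbat_policy(argv[1], &deprecated);
	if (p == SBAT_POLICY_INVALID) {
		fprintf(stderr, "unknown SBAT policy '%s'\n", argv[1]);
		return 1;
	}
	if (deprecated)
		fprintf(stderr, "warning: '%s' is deprecated and will be removed; "
			"it is still honoured for older shims\n", argv[1]);
	printf("would set SbatPolicy=%d\n", (int)p);
	return 0;
}
```

Because the help string is generated from the same table that the parser walks, removing an entry from `--help` later (or deleting it entirely, as the commit says will happen) is a one-line change to `policy_table` rather than two edits that can fall out of sync.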
…oot) Signed-off-by: Jan Setje-Eilers <[email protected]>
When the term previous was introduced for revocations to be automatically applied there was a hope that every time a new revocation was built into shim, the previous revocation could be applied automatically. Further experience has shown the real world to be more complex than that. The automatic payload will realistically contain a set of revocations governed by both the cadence at which a distro's customer base updates as well as the severity of the issue being revoked. In order to not break compatibility with existing scripts, the term "previous" will continue to be accepted. This is not a functional change. Signed-off-by: Jan Setje-Eilers <[email protected]>
src/mokutil.c
@@ -136,13 +137,16 @@ print_help () | |||
printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n"); | |||
printf (" --trust-mok\t\t\t\tTrust MOK keys within the kernel keyring\n"); | |||
printf (" --untrust-mok\t\t\t\tDo not trust MOK keys\n"); | |||
printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n"); | |||
printf (" --set-sbat-policy <latest/previous>" | |||
"\tApply Lates or Previous SBAT revocations\n"); |
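Review bot: the replacement help text still misspells "Latest" as "Lates", and it now advertises only <latest/previous> even though the commit message says `delete` remains accepted for a while for users on an older shim; since the value is deliberately hidden, consider a runtime deprecation warning when `delete` is passed (or a note in the man page) so that people who depend on it learn that it still works and when it will go away, rather than discovering it only from the source.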
typo: Lates -> Latest
@@ -1,4 +1,4 @@ | |||
/** | |||
/* |
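Review bot: the `/**` to `/*` edit at line 1 is an unrelated cosmetic change in a patch about SBAT policy handling; drop it, or move it to a separate commit, so the change set stays focused and reviewable.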
This change is not necessary.
Those patches look good in general except for a couple of minor flaws. I'll fix them and merge this PR.
Merged.
This unlocks the ability to control bootmgr revocation policy in a similar manner to what we did with sbat levels. There are some subtle differences since we want to be more aggressive with our own policy than with one that could be managed by an external OS. That choice may evolve over time.
Thank you for any and all comments, including any naming discussion.