Skip to content

Commit

Permalink
SBAT Policy latest should be a one-shot
Browse files Browse the repository at this point in the history
Since booting from removable media can be hard to detect,
setting a persistent latest SBAT policy is risky in a typical
client system. This changes latest to be a one-shot operation
that could be set at the time of an OS update if desired.

Signed-off-by: Jan Setje-Eilers <[email protected]>
  • Loading branch information
jsetje authored and vathpela committed May 24, 2022
1 parent c0bcd04 commit 77144e5
Showing 1 changed file with 13 additions and 8 deletions.
21 changes: 13 additions & 8 deletions sbat.c
Original file line number Diff line number Diff line change
Expand Up @@ -369,6 +369,16 @@ preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes,
return false;
}

static void
clear_sbat_policy()
{
EFI_STATUS efi_status = EFI_SUCCESS;

efi_status = del_variable(SBAT_POLICY, SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status))
console_error(L"Could not reset SBAT Policy", efi_status);
}

EFI_STATUS
set_sbat_uefi_variable(void)
{
Expand All @@ -394,6 +404,7 @@ set_sbat_uefi_variable(void)
case SBAT_POLICY_LATEST:
dprint("Custom sbat policy: latest\n");
sbat_var = SBAT_VAR_LATEST;
clear_sbat_policy();
break;
case SBAT_POLICY_PREVIOUS:
dprint("Custom sbat policy: previous\n");
Expand All @@ -408,19 +419,13 @@ set_sbat_uefi_variable(void)
reset_sbat = true;
sbat_var = SBAT_VAR_ORIGINAL;
}
efi_status = del_variable(SBAT_POLICY, SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status))
console_error(L"Could not reset SBAT Policy",
efi_status);
clear_sbat_policy();
break;
default:
console_error(L"SBAT policy state %llu is invalid",
EFI_INVALID_PARAMETER);
efi_status = del_variable(SBAT_POLICY, SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status))
console_error(L"Could not reset SBAT Policy",
efi_status);
sbat_var = SBAT_VAR_PREVIOUS;
clear_sbat_policy();
break;
}
}
Expand Down

0 comments on commit 77144e5

Please sign in to comment.