All signed bootloader executables must contain SBAT (Secure Boot Advanced Targeting) metadata for revocation purposes. The inclusion of SBAT is not yet listed as one of Microsoft‘s UEFI Signing Requirements, but we expect they will want us to include SBAT data so that revocations can occur without using up more dbx
space. See shim’s SBAT.md
for more background on why it's needed and details of the format.
There are two fields in the bootloader component that we expect to change over time: the generation number and the version number.
For example, here is the original crdyboot SBAT data:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md crdyboot,1,Google,crdyboot,1.0.0,https://chromium.googlesource.com/chromiumos/platform/crdyboot
The second line contains the bootloader component. The second field (1
) is the generation number and the fifth field (1.0.0
) is the version number. Note that only the first two fields of each record are machine-readable, everything after that is just for human consumption.
The generation number must be bumped any time a security fix necessitates revoking older versions. In more detail:
Note that the canonical source of revocation data is in sbat_var_defs.h
in the shim repo. Revocations should be submitted there as well as applied to crdyshim's revocations.csv
.
* Exactly what constitutes a “sufficiently complete” rollout is not fully defined yet. We will need to consider scenarios such as OS rollbacks, switching from the dev channel to the stable channel, livebooting a newer installer, etc, and decide what the appropriate balance is between preventing bootloader rollback attacks and avoiding unexpected boot failures on end-user devices.
Each bootloader has its own CSV file that provides the metadata:
The metadata file is copied verbatim into a .sbat
section of the final executable. This is done via macro invocation that looks like this:
embed_section!(SBAT, ".sbat", "../sbat.csv");
The macro is defined in libcrdy/src/util.rs
. It creates a static variable and uses the link_section
attribute to place it in the appropriate section.