Skip to content

SBAT Level update for February 2025 GRUB CVEs #736

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 18, 2025
Merged

SBAT Level update for February 2025 GRUB CVEs #736

merged 1 commit into from
Mar 18, 2025
Rate limit · GitHub

Access has been restricted

You have triggered a rate limit.

Please wait a few minutes before you try again;
in some cases this may take up to an hour.

Conversation

jsetje
Copy link
Collaborator

@jsetje jsetje commented Mar 18, 2025

@vathpela
Copy link
Contributor

vathpela commented Mar 18, 2025
edited
Loading

When I build this, in sbat_var.o I get:

sbat,1,2023012900
shim,2
grub,3
grub.debian,4

and

sbat,1,2025021800
shim,4
grub,5

i.e. in the intermediate the compiler sees it's:

  .Lsbat_var_automatic:
   .ascii "sbat," "1," "2023012900" "\n" "shim,2\ngrub,3\ngrub.debian,4\n"
   .byte 0
   .balign 1, 0
  .Lsbat_var_latest:
   .ascii "sbat," "1," "2025021800" "\n" "shim,4\ngrub,5\n"
   .byte 0
   .section .note.GNU-stack,"a"

Shouldn't we have grub,4 in sbat_var_automatic?

@jsetje
SBAT Level update for February 2025 GRUB CVEs
65ac479 
Moves the minimum GRUB SBAT Level to 5 in order to require fixes
for the following GRUB CVEs:

CVE-2024-45774
CVE-2024-45775
CVE-2024-45776
CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45781
CVE-2024-45782
CVE-2024-45783
CVE-2025-0622
CVE-2025-0624
CVE-2025-0677
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-0690
CVE-2025-1118
CVE-2025-1125

This also bumps the default SBAT_AUTOMATIC_DATE to 2024040900.

Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
@jsetje jsetje force-pushed the revocation-update branch from b750f84 to 65ac479 Compare March 18, 2025 17:33
@jsetje
Copy link
Collaborator Author

jsetje commented Mar 18, 2025

I bumped the default SBAT_AUTOMATIC_DATE to 2024040900 and that looks right, it also includes the grub.peimage,2 revocation.

I should probably move the default SBAT_AUTOMATIC_DATE into SbatLevel_Variable.txt, but that will be a separate PR for the next release.

@vathpela
Copy link
Contributor

I should probably move the default SBAT_AUTOMATIC_DATE into SbatLevel_Variable.txt, but that will be a separate PR for the next release.

So... after this release, we probably ought to look at making it so the automatic date is also something derived from the same place, rather than two different files.

vathpela
vathpela approved these changes Mar 18, 2025
View reviewed changes
Copy link
Contributor

@vathpela vathpela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me; for next time we probably want to think about how to unify these two bits of policy so they don't slip through halfway updated.

@vathpela vathpela merged commit 8932527 into rhboot:main Mar 18, 2025
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vathpela vathpela

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jsetje @vathpela