Re: [XEN PATCH v2] sbat: Add SBAT section to the Xen EFI binary

2025-05-06 Thread Andrew Cooper
On 02/05/2025 8:01 am, Jan Beulich wrote: > On 01.05.2025 14:23, Gerald Elder-Vass wrote: >> --- a/xen/arch/x86/Makefile >> +++ b/xen/arch/x86/Makefile >> @@ -58,6 +58,7 @@ obj-y += percpu.o >> obj-y += physdev.o >> obj-$(CONFIG_COMPAT) += x86_64/physdev.o >> obj-y += psr.o >> +obj-y += sbat.o >

Re: [XEN PATCH v2] sbat: Add SBAT section to the Xen EFI binary

2025-05-02 Thread Jan Beulich
On 01.05.2025 14:23, Gerald Elder-Vass wrote: > --- a/xen/arch/x86/Makefile > +++ b/xen/arch/x86/Makefile > @@ -58,6 +58,7 @@ obj-y += percpu.o > obj-y += physdev.o > obj-$(CONFIG_COMPAT) += x86_64/physdev.o > obj-y += psr.o > +obj-y += sbat.o > obj-y += setup.o > obj-y += shutdown.o > obj-y
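Review bot: `+obj-y += sbat.o` in xen/arch/x86/Makefile adds the object unconditionally to every x86 build, while the subject line scopes the change to the Xen EFI binary. If sbat.o only carries the SBAT section for the EFI image, consider building it only when the EFI binary is produced, or state in the commit message why it has to be linked into non-EFI builds as well; the visible part of the message does not cover this.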

Re: [XEN PATCH v2] sbat: Add SBAT section to the Xen EFI binary

2025-05-01 Thread Frediano Ziglio
On Thu, May 1, 2025 at 1:23 PM Gerald Elder-Vass wrote: > > SBAT is a revocation scheme for UEFI SecureBoot, and is mandated by Microsoft > for signing. > > The SBAT section provides a way for the binary to declare a generation > id for its upstream source and any vendor changes applied. A compati

[XEN PATCH v2] sbat: Add SBAT section to the Xen EFI binary

2025-05-01 Thread Gerald Elder-Vass
SBAT is a revocation scheme for UEFI SecureBoot, and is mandated by Microsoft for signing. The SBAT section provides a way for the binary to declare a generation id for its upstream source and any vendor changes applied. A compatible loader can then revoke vulnerable binaries by generation, using