On 12.06.2025 15:15, Tu Dinh wrote:
> On 12/06/2025 02:03, Andrew Cooper wrote:
>> +Secure Boot Advanced Targeting
>> +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> +
>> +SBAT is a recovation scheme for Secure Boot enabled components, using a
>> +generation based scheme. See `Shim SBAT.md
>> +<https://github.com/rhboot/shim/blob/main/SBAT.md>`_ for full details.
>> +
>> +Upstream Xen provides the infrastructure to embed SBAT metadata in
>> +``xen.efi``, but does not maintain a generation number itself. Downstreams
>> +are expected to maintain their own generation numbers.
>> +
>
> Why would Xen not maintain its own SBAT generation? An upstream SBAT
> incremented for every Secure Boot bypass XSA would make it far easier to
> block vulnerable variants and help downstreams coordinate fixes.
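Review bot: typo in the first added paragraph, "recovation" should read "revocation". The second paragraph states that upstream does not maintain a generation number but gives no reason; one clause saying why (for instance that the generation id is declared per vendor alongside the upstream source, which is what the referenced SBAT.md describes) would pre-empt the obvious question and make the downstream expectation easier to follow.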
Quoting from the SBAT patch that was submitted a little while ago: "The SBAT section provides a way for the binary to declare a generation id for its upstream source and any vendor changes applied." That is, the generation ID is per-vendor. Upstream incrementing whatever ID would be meaningless to downstreams then. Hence we can as well not do so in the first place.

Jan
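To make the generation scheme being argued about concrete, here is an added illustration (not code from the Xen series, shim or this thread) that evaluates a binary's ``.sbat`` records against a revocation policy in the CSV shape shim's SBAT.md describes. The ``xen.exampledistro`` entry, the distro name and the policy timestamps are constructed values for a hypothetical downstream build; the point shown is that a per-vendor entry can be revoked independently of the upstream ``xen`` entry.

```python
"""Evaluate SBAT metadata against a generation-based revocation policy."""
from typing import Dict, List


def parse_sbat(text: str) -> Dict[str, int]:
    """Map component_name -> generation from CSV records.

    Binary records look like
      component_name,component_generation,vendor_name,vendor_package_name,...
    and policy records like
      component_name,minimum_generation
    In both, the leading 'sbat,1,...' record describes the format itself.
    Only the first two fields matter for the revocation decision.
    """
    gens: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT record: {line!r}")
        gens[fields[0]] = int(fields[1])
    return gens


def revoked_components(binary: Dict[str, int], policy: Dict[str, int]) -> List[str]:
    """Names whose generation in the binary is below the policy minimum.

    Components the policy does not name are left alone, so a distro can bump
    (and revoke) its own entry without touching the upstream 'xen' entry, and
    vice versa: exactly the per-vendor split discussed in the thread.
    """
    return sorted(name for name, minimum in policy.items()
                  if name in binary and binary[name] < minimum)


# Constructed .sbat section of a hypothetical downstream xen.efi build.
XEN_EFI_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
xen,1,Xen Project,xen,4.21,https://xenproject.org/
xen.exampledistro,2,Example Distro,xen,4.21-1,https://example.invalid/sbat
"""

# Constructed policy: the distro raised its own minimum to 3 after a fix.
POLICY_DISTRO_BUMP = "sbat,1,2025010100\nxen.exampledistro,3\n"
# Constructed policy that only names the upstream entry at its current level.
POLICY_UPSTREAM_ONLY = "sbat,1,2025010100\nxen,1\n"


def blocked_by(policy_text: str) -> List[str]:
    """Convenience wrapper: which components of XEN_EFI_SBAT a policy revokes."""
    return revoked_components(parse_sbat(XEN_EFI_SBAT), parse_sbat(policy_text))
```

Running ``blocked_by(POLICY_DISTRO_BUMP)`` flags only the distro entry, while ``blocked_by(POLICY_UPSTREAM_ONLY)`` flags nothing, since the binary's upstream generation meets the minimum.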