UEFI SBAT (Secure Boot Advanced Targeting)
SBAT is used to revoke insecure UEFI executables in a way that won’t eat up the limited storage space available in the UEFI environment.
There are two important sources of data:
- The SBAT metadata associated with each image describes the components in that image.
- The SBAT revocation data stored in a UEFI variable provides a list of component versions that are no longer allowed to boot.
Each entry in the revocation list has a component name field and a version (generation) field. The first entry, for the sbat component itself, also carries a date field; that date serves as the version of the whole revocation list. When validating an image, each component in the image is checked against the revocation entries: if a revocation entry has the same name and the image component's version is less than the revocation entry's version, that component is revoked and the image fails validation. Components that appear only in the revocation list and not in the image do not affect the result.
The details and exact validation rules are described further in the SBAT.md and SBAT.example.md files in the shim repo.
§API
This no_std library handles parsing both sources of SBAT data (ImageSbat and RevocationSbat), as well as performing the revocation comparison. Parsing starts from raw bytes containing the CSV; the library does not itself read PE binaries or UEFI variables. Consider using the object crate to extract the .sbat section from a PE binary.
If the alloc feature is enabled, the ImageSbatOwned and RevocationSbatOwned types can be used. These types own the CSV string data rather than borrowing it. They deref to ImageSbat and RevocationSbat respectively.
§Examples
```rust
use sbat::{ImageSbat, ParseError, RevocationSbat, ValidationResult};

fn main() -> Result<(), ParseError> {
    let image_sbat_a1 = b"sbat,1\nCompA,1";
    let image_sbat_a2 = b"sbat,1\nCompA,2";
    let revocation_sbat = b"sbat,1,2021030218\nCompA,2";

    // Parse the image and revocation SBAT.
    let image_sbat = ImageSbat::parse(image_sbat_a1)?;
    let revocations = RevocationSbat::parse(revocation_sbat)?;

    // Check that the image is revoked.
    assert_eq!(
        revocations.validate_image(image_sbat),
        ValidationResult::Revoked(image_sbat.entries().last().unwrap()),
    );

    // Change the image's CompA generation to 2 and verify that it is no
    // longer revoked.
    let image_sbat = ImageSbat::parse(image_sbat_a2)?;
    assert_eq!(
        revocations.validate_image(image_sbat),
        ValidationResult::Allowed,
    );
    Ok(())
}
```
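The comparison rule described above, as a dependency-free re-implementation added here for illustration. This is not the sbat crate's code: the names parse_sbat, validate_image, Verdict and check, and the sample CSV in main, are constructed for this example, and it deliberately skips the field character-set validation the library performs. It goes slightly beyond the crate's example by showing full vendor-field lines as shim writes them, a revoked component that is absent from the image, and malformed input.

```rust
// Added example (not the sbat crate's own code): a dependency-free
// re-implementation of the SBAT revocation comparison. Assumptions are
// marked in comments.

/// One machine-readable SBAT entry: component name and generation number.
#[derive(Debug, Clone, PartialEq, Eq)]
struct Entry {
    name: String,
    generation: u32,
}

/// Parse SBAT CSV into entries. Only the first two fields of each line are
/// used; the remaining fields are human-readable vendor data (or, in the
/// revocation list's `sbat` entry, a date) and are never compared.
/// Assumption: field character sets are not validated here, unlike the library.
fn parse_sbat(csv: &[u8]) -> Result<Vec<Entry>, String> {
    let text = std::str::from_utf8(csv).map_err(|e| format!("not UTF-8: {}", e))?;
    let mut entries = Vec::new();
    for (idx, line) in text.lines().enumerate() {
        if line.is_empty() {
            continue; // tolerate a trailing newline (assumption)
        }
        let lineno = idx + 1;
        let mut fields = line.split(',');
        let name = match fields.next() {
            Some(n) if !n.is_empty() => n,
            _ => return Err(format!("line {}: missing component name", lineno)),
        };
        let gen_field = fields
            .next()
            .ok_or_else(|| format!("line {}: missing generation", lineno))?;
        let generation = gen_field
            .parse::<u32>()
            .map_err(|_| format!("line {}: bad generation {:?}", lineno, gen_field))?;
        entries.push(Entry { name: name.to_string(), generation });
    }
    // Both image and revocation data must start with the `sbat` version entry.
    let first_is_sbat = entries.first().map_or(false, |e| e.name == "sbat");
    if !first_is_sbat {
        return Err("first entry must be the `sbat` version entry".to_string());
    }
    Ok(entries)
}

/// Outcome of checking an image against the revocation list.
#[derive(Debug, PartialEq, Eq)]
enum Verdict {
    Allowed,
    /// The image entry that triggered revocation and the minimum generation
    /// the revocation list requires for that component.
    Revoked { image_entry: Entry, required: u32 },
}

/// The rule from the description: an image entry is revoked when a revocation
/// entry has the same name and a strictly greater generation. Components that
/// are only in the revocation list are not checked; image components with no
/// revocation entry are allowed. The `sbat` entry itself is compared too.
fn validate_image(image: &[Entry], revocations: &[Entry]) -> Verdict {
    for img in image {
        for rev in revocations {
            if rev.name == img.name && img.generation < rev.generation {
                return Verdict::Revoked { image_entry: img.clone(), required: rev.generation };
            }
        }
    }
    Verdict::Allowed
}

/// Parse both CSVs and validate the image against the revocation list.
fn check(image_csv: &[u8], revocation_csv: &[u8]) -> Result<Verdict, String> {
    let image = parse_sbat(image_csv)?;
    let revocations = parse_sbat(revocation_csv)?;
    Ok(validate_image(&image, &revocations))
}

fn main() {
    // Constructed sample data in the shape shim writes; not real revocation data.
    let image: &[u8] = b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n\
        shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim\n\
        example.loader,3,Example Vendor,loader,1.0,https://example.invalid\n";
    // grub is revoked but absent from the image, so this list allows the image.
    let revocations_ok: &[u8] = b"sbat,1,2021030218\nshim,2\ngrub,3\n";
    // example.loader generation 3 is below the required 4, so this list revokes it.
    let revocations_revoke: &[u8] = b"sbat,1,2021030218\nshim,2\nexample.loader,4\n";
    println!("{:?}", check(image, revocations_ok));
    println!("{:?}", check(image, revocations_revoke));
}
```

Note that a bump of the sbat entry's own generation in the revocation list (for example sbat,2) revokes every image that still carries sbat,1, which is how the whole SBAT scheme can be rolled forward at once.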
Re-exports§
Structs§
- SBAT component. This is the machine-readable portion of SBAT that is actually used for revocation (other fields are human-readable and not used for comparisons).
- Iterator over entries in ImageSbat.
- SBAT component generation.
- ImageSbat: Image SBAT metadata.
- ImageSbatOwned (alloc): Owned image SBAT metadata.
- RevocationSbat: Revocation SBAT data.
- RevocationSbatOwned (alloc): Owned revocation SBAT data.
- RevocationSection: Revocation data embedded in the .sbatlevel section of a shim executable.
- Iterator over revoked components in RevocationSbat.
- Vendor data. This is optional human-readable data that is not used for SBAT comparison.
Enums§
- ParseError: SBAT parse error.
- Error returned by RevocationSection::parse.
- ValidationResult: Whether an image is allowed or revoked.
Constants§
- ASCII characters that this library allows in SBAT fields (in addition to alphanumeric characters).
- Name of the revocation section embedded in shim executables (.sbatlevel).
- Standard PE section name for SBAT metadata (.sbat).