UEFI SBAT (Secure Boot Advanced Targeting)
SBAT is used to revoke insecure UEFI executables in a way that won’t eat up the limited storage space available in the UEFI environment.
There are two important sources of data:
- The SBAT metadata associated with each image describes the components in that image.
- The SBAT revocation data stored in a UEFI variable provides a list of component versions that are no longer allowed to boot.
Each entry in the revocation list contains component name and version fields. (The first entry, which is the sbat version, also has a date field. That date field acts as a version for the whole revocation list.) When validating an image, each component in the image is checked against the revocation entries. If the name matches, and if the component’s version is less than the version in the corresponding revocation entry, the component is considered revoked and the image will not pass validation.
The details and exact validation rules are described further in the SBAT.md and SBAT.example.md files in the shim repo.
§API
This `no_std` library handles parsing both sources of SBAT data (`ImageSbat` and `RevocationSbat` data), as well as performing the revocation comparison. The parsing starts with raw bytes containing the CSV; the library doesn't handle directly reading PE binaries or UEFI variables. Consider using the `object` crate to extract the `.sbat` section from a PE binary.
If the `alloc` feature is enabled, the `ImageSbatOwned` and `RevocationSbatOwned` types can be used. These types own the CSV string data rather than taking a reference to it. They deref to `ImageSbat` and `RevocationSbat` respectively.
§Examples
```rust
use sbat::{ImageSbat, ParseError, RevocationSbat, ValidationResult};

fn main() -> Result<(), ParseError> {
    let image_sbat_a1 = b"sbat,1\nCompA,1";
    let image_sbat_a2 = b"sbat,1\nCompA,2";
    let revocation_sbat = b"sbat,1,2021030218\nCompA,2";

    // Parse the image and revocation SBAT.
    let image_sbat = ImageSbat::parse(image_sbat_a1)?;
    let revocations = RevocationSbat::parse(revocation_sbat)?;

    // Check that the image is revoked.
    assert_eq!(
        revocations.validate_image(image_sbat),
        ValidationResult::Revoked(image_sbat.entries().last().unwrap()),
    );

    // Change the image's CompA generation to 2 and verify that it is no
    // longer revoked.
    let image_sbat = ImageSbat::parse(image_sbat_a2)?;
    assert_eq!(
        revocations.validate_image(image_sbat),
        ValidationResult::Allowed,
    );

    Ok(())
}
```
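To make the comparison rule from the description concrete, here is an added stand-alone implementation (example code, not part of the sbat crate) that pulls the machine-readable name and generation fields out of the CSV bytes and applies the rule: same name and a lower generation than the revocation entry means revoked. The `Comp`, `parse_components` and `validate` names are this example's own, and the sample data is constructed to mirror the crate's example.

```rust
/// Machine-readable part of one SBAT entry (the name and generation fields).
#[derive(Clone, Debug, PartialEq)]
pub struct Comp<'a> {
    pub name: &'a str,
    pub generation: u32,
}

/// Parse every non-empty line of an SBAT CSV as `name,generation[,...]`,
/// keeping only the fields used for the comparison. Malformed lines give
/// an error rather than being skipped: an unparseable image must not be
/// silently treated as unrevoked.
pub fn parse_components<'a>(csv: &'a [u8]) -> Result<Vec<Comp<'a>>, String> {
    let text = std::str::from_utf8(csv).map_err(|e| e.to_string())?;
    text.lines()
        .filter(|line| !line.trim().is_empty())
        .map(|line| -> Result<Comp<'a>, String> {
            let mut fields = line.split(',');
            let name = fields
                .next()
                .filter(|n| !n.is_empty())
                .ok_or_else(|| format!("missing component name: {line:?}"))?;
            let generation = fields
                .next()
                .ok_or_else(|| format!("missing generation: {line:?}"))?
                .parse::<u32>()
                .map_err(|_| format!("generation is not a number: {line:?}"))?;
            Ok(Comp { name, generation })
        })
        .collect()
}

/// Apply the revocation rule: an image component is revoked when a
/// revocation entry has the same name and a higher generation. Returns the
/// first revoked component, or `None` if the image may boot.
pub fn validate<'a>(image: &[Comp<'a>], revocations: &[Comp<'_>]) -> Option<Comp<'a>> {
    image
        .iter()
        .find(|c| revocations.iter().any(|r| r.name == c.name && c.generation < r.generation))
        .cloned()
}

fn main() {
    // Constructed sample data mirroring the crate's own example above.
    let revocations = parse_components(b"sbat,1,2021030218\nCompA,2").unwrap();
    let image = parse_components(b"sbat,1\nCompA,1,Example Vendor,https://example.invalid").unwrap();
    println!("{:?}", validate(&image, &revocations)); // Some(Comp { name: "CompA", generation: 1 })
}
```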
Structs§
- `Component` - SBAT component. This is the machine-readable portion of SBAT that is actually used for revocation (other fields are human-readable and not used for comparisons).
- `Entries` - Iterator over entries in `ImageSbat`.
- `Entry` - Entry in image SBAT metadata. This contains a `Component`, which is what gets used for revocation comparisons, as well as `Vendor` data, which is extra data that serves as a human-readable comment.
- `Generation` - SBAT component generation.
- `ImageSbat` - Image SBAT metadata.
- `ImageSbatOwned` (requires the `alloc` feature) - Owned image SBAT metadata.
- `RevocationSbat` - Revocation SBAT data.
- `RevocationSbatOwned` (requires the `alloc` feature) - Owned revocation SBAT data.
- `RevocationSection` - Revocation data embedded in the `.sbatlevel` section of a shim executable.
- `RevokedComponents` - Iterator over revoked components in `RevocationSbat`.
- `Vendor` - Vendor data. This is optional human-readable data that is not used for SBAT comparison.
Enums§
- `ParseError` - SBAT parse error.
- `RevocationSectionError` - Error returned by `RevocationSection::parse`.
- `ValidationResult` - Whether an image is allowed or revoked.
Constants§
- `ALLOWED_SPECIAL_CHARS` - ASCII characters that this library allows in SBAT fields (in addition to alphanumeric characters).
- `REVOCATION_SECTION_NAME` - Name of the revocation section embedded in shim executables.
- `SBAT_SECTION_NAME` - Standard PE section name for SBAT metadata.