Re: SBAT revocation. Do we need a 12.6.1 release? (Was: Heads-up: Verifying shim SBAT data failed: Security Policy Violation)
On Wed, Jul 03, 2024 at 10:45:10PM +0200, Cyril Brulebois wrote:
>Steve McIntyre <steve@einval.com> (2024-07-03):
>> There are other alternative on your test systems:
>
>ACK, ta.
>
>> 1. disable secure boot while testing (which of course is *not* the
>> right answer long-term!)
>
>That's BIOS-based tests for me.
>
>> 2. use mokutil --set-sbat-policy from a running system to go back to
>> a previous SBAT minimum level, or delete the policy altogether
>>
>> 3. if you're testing in a qemu VM, you can also use "virt-fw-vars"
>> from the "python3-virt-firmware" package to modify the SBAT (and
>> other) firmware settings from outside the VM. This is *incredibly*
>> useful when doing development and CI with shim.
>
>ACK. At least at my level I *really* don't want to be diverging from
>what end users are going to face: I really want to know about such
>things, and not to publish if we know that's going to explode anyway.
Nod. Apologies for the surprise this time. I was hoping to minimise
the pain with quick uploads and migration, but... :-(
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"The problem with defending the purity of the English language is that
English is about as pure as a cribhouse whore. We don't just borrow words; on
occasion, English has pursued other languages down alleyways to beat them
unconscious and rifle their pockets for new vocabulary." -- James D. Nicoll
Reply to: