Bug 954009 - sys-boot/grub-2.12-r6 sbat version
Summary: sys-boot/grub-2.12-r6 sbat version
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Mike Gilbert
Reported: 2025-04-18 23:18 UTC by Mark Liman
Modified: 2025-04-20 01:44 UTC

Description Mark Liman 2025-04-18 23:18:34 UTC
I build my shim from source, rather than using the Fedora one, as I am using my own keys for secure boot. The latest shim, 16.0, has bumped the minimal version for grub in the sbat.csv file; therefore the current sbat provided with the package doesn't work and results in a verification error every time. Realistically this isn't a relevant bug, as it will only be a problem in the future when sys-boot/shim gets bumped to 16.0 in the main Gentoo repo.

Updating the sbat.csv to the example below leads to a successful verification.

sbat,1,2024040900,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.gentoo,1,Gentoo,grub,2.12,https://bugs.gentoo.org/

I don't fully understand the way the sbat works, so I am unsure about whether the sbat version should be bumped, because as far as I understand it's related to the CVEs found in grub.

https://github.com/rhboot/shim/blob/main/SbatLevel_Variable.txt 

Reproducible: Always

Steps to Reproduce:
1. Build or get shim 16.0 from somewhere
2. Sign grub with your keys
3. Try to boot

Actual Results:
Shim Verification Error

Expected Results:
The system boots
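
Added example (not part of the original report, and not shim's or Gentoo's code): a simplified model of the SBAT generation comparison behind the verification error described above, where an image is rejected if any of its components has a generation below the minimum listed for that component name. The minimum list `SBAT_LEVEL` and the `OLDER` metadata are constructed for illustration; the real minimums are in the SbatLevel_Variable.txt file linked in the report.

```python
import csv
import io

# Constructed minimum-generation list in the SbatLevel layout (component,generation).
# The grub value is an assumption chosen to match the report; it is not copied from shim.
SBAT_LEVEL = """sbat,1,2024040900
grub,4
"""

# The metadata proposed in the report.
PROPOSED = """sbat,1,2024040900,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.gentoo,1,Gentoo,grub,2.12,https://bugs.gentoo.org/
"""

# Constructed "before" metadata: the same entries with a lower grub generation.
OLDER = PROPOSED.replace("grub,4,", "grub,3,")


def parse_generations(text):
    """Map component name -> generation from SBAT-style CSV text."""
    out = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue  # skip blank or malformed lines
        out[row[0].strip()] = int(row[1])
    return out


def revoked_components(image_sbat, sbat_level):
    """Return [(component, image_generation, minimum)] for entries below the minimum."""
    image = parse_generations(image_sbat)
    minimum = parse_generations(sbat_level)
    # Components with no entry in the level (here grub.gentoo) are not compared.
    return sorted(
        (name, gen, minimum[name])
        for name, gen in image.items()
        if name in minimum and gen < minimum[name]
    )


if __name__ == "__main__":
    for label, text in (("older", OLDER), ("proposed", PROPOSED)):
        bad = revoked_components(text, SBAT_LEVEL)
        print(label, "REJECT" if bad else "OK", bad)
```

The same comparison can be run against the `.sbat` section dumped from a signed binary (for example with `objcopy -O binary --only-section=.sbat`) to check it before rebooting.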