From 05eae929c52f418fbd4e4fd8f27e332e64868d03 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Tue, 9 May 2023 16:30:29 -0700
Subject: [PATCH] Add SbatLevel_Variable.txt to document the various
 revocations

This serves to document the SbatLevel Boot Services variable so that
other boot services code, such as bootmgr can update the revocation
level.

Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
---
 SbatLevel_Variable.txt | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 SbatLevel_Variable.txt

diff --git a/SbatLevel_Variable.txt b/SbatLevel_Variable.txt
new file mode 100644
index 000000000..8696304de
--- /dev/null
+++ b/SbatLevel_Variable.txt
@@ -0,0 +1,42 @@
+In order to apply SBAT based revocations on systems that will never
+run shim, code running in boot services context needs to set the
+following variable:
+
+Name: SbatLevel
+Attributes: (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
+Namespace Guid: 605dab50-e046-4300-abb6-3dd810dd8b23
+
+Variable content:
+
+Initialized, no revocations:
+
+sbat,1,2021030218
+
+To Revoke GRUB binaries impacted by
+
+* CVE-2021-3695
+* CVE-2021-3696
+* CVE-2021-3697
+* CVE-2022-28733
+* CVE-2022-28734
+* CVE-2022-28735
+* CVE-2022-28736
+* CVE-2022-28737
+
+sbat,1,2022052400
+grub,2
+
+To revoke the above and also grub binaries impacted by
+
+* CVE-2022-2601
+* CVE-2022-3775
+
+sbat,1,2022111500
+grub,3
+
+An additonal bug was fixed in shim that was not considered exploitable
+and can be revoked by setting:
+
+sbat,1,2022111500
+shim,2
+grub,3