Moklist'ed hashes incorrectly follow strict sbat validation rules
ValdikSS opened this issue · comments
ValdikSS commented
Shim 15.6 fails to load unsigned efi files without .sbat section when enrolled by the hash using MokManager, ending in an endless loop of security violation screens.
The documentation mentions that it should work for db
entries, but does not mention moklist hashes:
If a binary is enrolled in db by its hash rather than by certificate, the validation result is logged only, not enforced
This seems like a bug to me.