Modify sbat.md to help with readability. #398
Conversation
I'll request more review from @jsetje
Thanks for taking a look, here are some quick comments.
SBAT.md (Outdated)
> assigned names. Examples of components are shim, GRUB, kernel, hypervisors, etc.
>
> Below is an example of a product and vendor, both in the same `sbat.csv` file. SBAT
> is a vendor, as it is a link in the UEFI Secure Boot chain of trust.
I think you meant to say SBAT acts like a component rather than a vendor. And yes, the sbat version basically does.
A disclosure in this context is the event/date where a CVE and fixes for it are made public. It could be worth describing that in a bit more detail; the document was generally written with an audience of system security folks in mind, but the group of folks that have to deal with shim and how it works is actually broader than that. I can try to draft something.
fe1ed4b to 406f519
Hey! I put up some changes in response to your feedback 20 days ago. Is there anything else I need to do to push this forward?
Thanks for the ping, this had fallen off my radar. Also, thank you for the edits; other than the one item I flagged this looks good.
SBAT.md (Outdated)
> assigned names. Examples of components are shim, GRUB, kernel, hypervisors, etc.
>
> Below is an example of a product and component, both in the same `sbat.csv` file. `sbat`
> is a component, as it is a link in the UEFI Secure Boot chain of trust.
I see in my email you left a comment requesting that I switch this to "'sbat' defines the version of the format of the revocation metadata itself"; however, I don't see that comment here. (Was it deleted? I also see in your LGTM comment you wanted me to address something you flagged.)
Does that comment still apply?
I had my specific wording originally because the word "component" seems to be used in a specific way in this document, as you mentioned, and I wanted it to be clear what the word "component" referred to. But I do get that components is an overloaded word. It's entirely possible I didn't understand what you meant by "component" in this document. Is sbat a component as defined above? Or is it just "the version of the format of the revocation metadata itself"? If that is true, should I use a different example to illustrate what a "component" is?
Here's a guess as to what I could switch it to, to clarify the concern you had with the word being overloaded:
**Component** as defined here refers to a component that is committed to a UEFI boot services variable, as opposed to a component loaded from a file in a filesystem. They are used as a link in the UEFI Secure Boot chain of trust and are assigned names...
I'm more than happy to rewrite it in the way you prefer, I just want to make sure that is still what you want, as that comment seems to be gone.
Yes, I tried to turn it back into a review and deleted the comment, same content though.
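The distinction the thread is circling (a component row for an upstream project, a product row for one vendor's build of it, and a leading `sbat` row whose generation is only the version of the metadata format) is easiest to see by running the check that consumes these rows. The following is an added example written for this page; it is not shim's code and is not taken from SBAT.md. The six-column row layout is the SBAT CSV format; the `name,min_generation` revocation layout is assumed to mirror shim's SbatLevel variable; the vendor name, package version and `.invalid` URL in the sample section, and the generation numbers in the sample revocation lists, are constructed values.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    """One row of an image's .sbat section: either a component row (an
    upstream project such as shim or GRUB) or a product row (one vendor's
    build of that component).  Field order follows the SBAT CSV layout."""
    component_name: str
    component_generation: int
    vendor_name: str
    vendor_package_name: str
    vendor_version: str
    vendor_url: str


def parse_sbat_section(text: str) -> list[SbatEntry]:
    """Parse the CSV embedded in a PE image's .sbat section.

    The first row must be the 'sbat' row.  It names no code; its generation
    is the version of the SBAT metadata format itself."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)}: {fields}")
        name, generation, *vendor_fields = fields
        rows.append(SbatEntry(name, int(generation), *vendor_fields))
    if not rows or rows[0].component_name != "sbat":
        raise ValueError("first row must be the 'sbat' format-version row")
    return rows


def parse_revocation_list(text: str) -> dict[str, int]:
    """Parse 'name,min_generation' rows into a name -> minimum map.

    Assumption for this example: this mirrors shim's SbatLevel variable.
    The 'sbat' row carries an extra date field used to order successive
    revocation lists; the generation check does not need it, so it is
    ignored here."""
    minimums: dict[str, int] = {}
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"malformed revocation row: {fields}")
        name, min_generation = fields[0], int(fields[1])
        minimums[name] = max(min_generation, minimums.get(name, 0))
    return minimums


def revocation_reasons(section: list[SbatEntry], minimums: dict[str, int]) -> list[str]:
    """Return why an image would be refused, or [] if it may boot.

    A row is revoked when its name appears in the list with a minimum
    generation higher than the row's own.  Component and product rows are
    matched by name independently, which is why one sbat.csv carries both:
    a disclosure in one vendor's build can revoke that product without
    touching every other vendor's build of the same component."""
    reasons = []
    for entry in section:
        required = minimums.get(entry.component_name)
        if required is not None and entry.component_generation < required:
            reasons.append(
                f"{entry.component_name}: generation {entry.component_generation} "
                f"is below revoked minimum {required}"
            )
    return reasons


# Constructed sample section: the format-version row, a component row for
# upstream shim, and a product row for a hypothetical vendor's build of it.
SAMPLE_SECTION = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.exampledistro,1,Example Distro,shim,15.6-1,https://shim.example.invalid
"""

# Constructed revocation lists (sample generations).  The first refuses any
# shim component below generation 2; the second adds a product-level row
# that only reaches Example Distro's build.
REVOCATIONS_COMPONENT = "sbat,1,2022052400\nshim,2\ngrub,2\n"
REVOCATIONS_PRODUCT = REVOCATIONS_COMPONENT + "shim.exampledistro,2\n"


def evaluate(section_text: str, revocation_text: str) -> list[str]:
    """Parse both inputs and return the refusal reasons (empty means it boots)."""
    return revocation_reasons(parse_sbat_section(section_text),
                              parse_revocation_list(revocation_text))


if __name__ == "__main__":
    for label, revs in (("component-level", REVOCATIONS_COMPONENT),
                        ("product-level", REVOCATIONS_PRODUCT)):
        print(f"{label}: {evaluate(SAMPLE_SECTION, revs) or 'allowed'}")
```

With the component-level list the sample image boots, because its upstream `shim` row is at generation 2. Adding the `shim.exampledistro,2` row refuses only images whose product row is below 2, so the same upstream shim shipped by another vendor under a different product name is unaffected. The `sbat` row takes part in the same comparison, but only to require a minimum metadata format version, not to identify any code.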
Signed-off-by: Esther Shimanovich eshimanovich@google.com
406f519 to b82414a
Signed-off-by: Esther Shimanovich eshimanovich@google.com
I've had a bit of trouble understanding SBAT.md, so I thought I might open up a PR with a few additions that might help with readability, and some questions. Hopefully this might be helpful to other people as well.
I highlighted some of the words that were defined in this doc, and I also added an example earlier on, as that would have been helpful for me to visualize some of the new concepts as I read it. I didn't want to make any structural changes so I avoided those. If you respond to my questions above, I am happy to add them to the doc in this PR!
Thanks a bunch!
Esther