[dbx] update SBAT/SVN to latest and improve reporting

* Explicitly report the SVN/SBAT number comparison in the log.
* Also don't perform revocation checks on unsigned bootloaders.
* Also add provision for CRLF handling when parsing our remote SBAT.

Author: pbatard

src/db.h

@@ -150,8 +150,8 @@ static const char db_sb_revoked_txt[] =
  * Use as fallback when https://rufus.ie/sbat_level.txt cannot be accessed.
  */
 static const char db_sbat_level_txt[] =
-	"sbat,1,2024010900\n"
+	"sbat,1,2025051000\n"
 	"shim,4\n"
-	"grub,3\n"
-	"grub.debian,4\n"
-	"BOOTMGRSECURITYVERSIONNUMBER,0x30000";
+	"grub,5\n"
+	"grub.proxmox,2\n"
+	"BOOTMGRSECURITYVERSIONNUMBER,0x70000";

src/hash.c

@@ -2198,8 +2198,11 @@ static BOOL IsRevokedBySbat(uint8_t* buf, uint32_t len)
 		if (entry.version == 0)
 			continue;
 		for (j = 0; sbat_entries[j].product != NULL; j++) {
-			if (strcmp(entry.product, sbat_entries[j].product) == 0 && entry.version < sbat_entries[j].version)
+			if (strcmp(entry.product, sbat_entries[j].product) == 0 && entry.version < sbat_entries[j].version) {
+				uprintf("  SBAT version for '%s' (%d) is lower than required minimum SBAT version (%d)!",
+					entry.product, entry.version, sbat_entries[j].version);
 				return TRUE;
+			}
 		}
 	}
 
@@ -2306,8 +2309,11 @@ static BOOL IsRevokedBySvn(uint8_t* buf, uint32_t len)
 				svn_ver = (uint32_t*)RvaToPhysical(buf, rsrc_rva);
 				if (svn_ver != NULL) {
 					uuprintf("  SVN version: %d.%d", *svn_ver >> 16, *svn_ver & 0xffff);
-					if (*svn_ver < sbat_entries[i].version)
+					if (*svn_ver < sbat_entries[i].version) {
+						uprintf("  SVN version %d.%d is lower than required minimum SVN version %d.%d!",
+							*svn_ver >> 16, *svn_ver & 0xffff, sbat_entries[i].version >> 16, sbat_entries[i].version & 0xffff);
 						return TRUE;
+					}
 				}
 			} else {
 				uprintf("  Warning: Unexpected Secure Version Number size");
@@ -2394,42 +2400,43 @@ int IsBootloaderRevoked(uint8_t* buf, uint32_t len)
 	// Get the signer/issuer info
 	cert = GetPeSignatureData(buf);
 	r = GetIssuerCertificateInfo(cert, &info);
-	if (r == 0)
+	if (r == 0) {
 		uprintf("  (Unsigned Bootloader)");
-	else if (r > 0)
+	} else if (r > 0) {
 		uprintf("  Signed by '%s'", info.name);
-
-	if (!PE256Buffer(buf, len, hash))
-		return -1;
-	// Check for UEFI DBX revocation
-	if (IsRevokedByDbx(hash, buf, len))
-		revoked = 1;
-	// Check for Microsoft SSP revocation
-	for (i = 0; revoked == 0 && i < pe256ssp_size * SHA256_HASHSIZE; i += SHA256_HASHSIZE)
-		if (memcmp(hash, &pe256ssp[i], SHA256_HASHSIZE) == 0)
-			revoked = 2;
-	// Check for Linux SBAT revocation
-	if (revoked == 0 && IsRevokedBySbat(buf, len))
-		revoked =  3;
-	// Check for Microsoft SVN revocation
-	if (revoked == 0 && IsRevokedBySvn(buf, len))
-		revoked = 4;
-	// Check for UEFI DBX certificate revocation
-	if (revoked == 0 && IsRevokedByCert(&info))
-		revoked = 5;
-
-	// If signed and not revoked, print the various Secure Boot "gotchas"
-	if (r > 0 && revoked == 0) {
-		if (strcmp(info.name, "Microsoft Windows Production PCA 2011") == 0) {
-			uprintf("  Note: This bootloader may fail Secure Boot validation on systems that");
-			uprintf("  have been updated to use the 'Windows UEFI CA 2023' certificate.");
-		} else if (strcmp(info.name, "Windows UEFI CA 2023") == 0) {
-			uprintf("  Note: This bootloader will fail Secure Boot validation on systems that");
-			uprintf("  have not been updated to use the latest Secure Boot certificates");
-		} else if (strcmp(info.name, "Microsoft Corporation UEFI CA 2011") == 0 ||
-			strcmp(info.name, "Microsoft UEFI CA 2023") == 0) {
-			uprintf("  Note: This bootloader may fail Secure Boot validation on *some* systems,");
-			uprintf("  unless you enable \"Microsoft 3rd-party UEFI CA\" in your 'BIOS'.");
+		// Only perform revocation checks on signed bootloaders
+		if (!PE256Buffer(buf, len, hash))
+			return -1;
+		// Check for UEFI DBX revocation
+		if (IsRevokedByDbx(hash, buf, len))
+			revoked = 1;
+		// Check for Microsoft SSP revocation
+		for (i = 0; revoked == 0 && i < pe256ssp_size * SHA256_HASHSIZE; i += SHA256_HASHSIZE)
+			if (memcmp(hash, &pe256ssp[i], SHA256_HASHSIZE) == 0)
+				revoked = 2;
+		// Check for Linux SBAT revocation
+		if (revoked == 0 && IsRevokedBySbat(buf, len))
+			revoked = 3;
+		// Check for Microsoft SVN revocation
+		if (revoked == 0 && IsRevokedBySvn(buf, len))
+			revoked = 4;
+		// Check for UEFI DBX certificate revocation
+		if (revoked == 0 && IsRevokedByCert(&info))
+			revoked = 5;
+
+		// If signed and not revoked, print the various Secure Boot "gotchas"
+		if (revoked == 0) {
+			if (strcmp(info.name, "Microsoft Windows Production PCA 2011") == 0) {
+				uprintf("  Note: This bootloader may fail Secure Boot validation on systems that");
+				uprintf("  have been updated to use the 'Windows UEFI CA 2023' certificate.");
+			} else if (strcmp(info.name, "Windows UEFI CA 2023") == 0) {
+				uprintf("  Note: This bootloader will fail Secure Boot validation on systems that");
+				uprintf("  have not been updated to use the latest Secure Boot certificates");
+			} else if (strcmp(info.name, "Microsoft Corporation UEFI CA 2011") == 0 ||
+				strcmp(info.name, "Microsoft UEFI CA 2023") == 0) {
+				uprintf("  Note: This bootloader may fail Secure Boot validation on *some* systems,");
+				uprintf("  unless you enable \"Microsoft 3rd-party UEFI CA\" in your 'BIOS'.");
+			}
 		}
 	}
 

src/parser.c

@@ -1588,9 +1588,12 @@ sbat_entry_t* GetSbatEntries(char* sbatlevel)
 		return NULL;
 
 	num_entries = 1;
-	for (i = 0; sbatlevel[i] != '\0'; i++)
+	for (i = 0; sbatlevel[i] != '\0'; i++) {
 		if (sbatlevel[i] == '\n')
 			num_entries++;
+		if (sbatlevel[i] == '\r')
+			sbatlevel[i] = '\n';
+	}
 
 	sbat_list = calloc(num_entries + 1, sizeof(sbat_entry_t));
 	if (sbat_list == NULL)

src/rufus.rc

@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.11.2283"
+CAPTION "Rufus 4.11.2284"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
     LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -408,8 +408,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,11,2283,0
- PRODUCTVERSION 4,11,2283,0
+ FILEVERSION 4,11,2284,0
+ PRODUCTVERSION 4,11,2284,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -427,13 +427,13 @@ BEGIN
             VALUE "Comments", "https://rufus.ie"
             VALUE "CompanyName", "Akeo Consulting"
             VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.11.2283"
+            VALUE "FileVersion", "4.11.2284"
             VALUE "InternalName", "Rufus"
             VALUE "LegalCopyright", "� 2011-2025 Pete Batard (GPL v3)"
             VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
             VALUE "OriginalFilename", "rufus-4.11.exe"
             VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.11.2283"
+            VALUE "ProductVersion", "4.11.2284"
         END
     END
     BLOCK "VarFileInfo"