diff options
| author | Jan Setje-Eilers <jan.setjeeilers@oracle.com> | 2023-12-13 20:32:10 -0800 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2024-01-22 14:17:20 -0500 |
| commit | 6f395c23466a2bc08a28bbc216d6665ade0b117d (patch) | |
| tree | ef42ee4cb2d65d86b2a2fa6359e14c2b0089f222 | |
| parent | 30a4f3751a8da09ab0853f1a384b80096828cc34 (diff) | |
| download | efi-boot-shim-6f395c23466a2bc08a28bbc216d6665ade0b117d.tar.gz efi-boot-shim-6f395c23466a2bc08a28bbc216d6665ade0b117d.zip | |
Build time selectable automatic SBATLevel revocations
The ability to automatically apply SBATLevel revocations varies
from distro to distro. This allows distros that are able to
automatically apply SBATLevel revocations when shim is updated to
select a level by supplying SBAT_AUTOMATIC_DATE=<datestamp> on the
make command line. Currently the following options are available:
2021030218 no revocations - useful for distros that need to rely on
an externally delivered revocations.efi
2022052400 grub,2
2022111500 shim,2
grub,3
2023012900 shim,2
grub,3
grub.debian,4
If no datestamp is specified the build will default to the
most recent 2023012900.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
| -rw-r--r-- | Make.defaults | 3 | ||||
| -rw-r--r-- | include/sbat_var_defs.h | 33 |
2 files changed, 31 insertions, 5 deletions
diff --git a/Make.defaults b/Make.defaults index 9af89f4e..e75cd3cd 100644 --- a/Make.defaults +++ b/Make.defaults @@ -188,6 +188,9 @@ endif ifneq ($(origin VENDOR_DBX_FILE), undefined) DEFINES += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" endif +ifneq ($(origin SBAT_AUTOMATIC_DATE), undefined) +DEFINES += -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE) +endif LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h index bd54cf5d..f8cba029 100644 --- a/include/sbat_var_defs.h +++ b/include/sbat_var_defs.h @@ -3,6 +3,9 @@ #ifndef SBAT_VAR_DEFS_H_ #define SBAT_VAR_DEFS_H_ +#define QUOTEVAL(s) QUOTE(s) +#define QUOTE(s) #s + /* * This is the entry for the sbat data format */ @@ -23,14 +26,34 @@ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \ SBAT_VAR_LATEST_REVOCATIONS #else /* !ENABLE_SHIM_DEVEL */ + /* - * At this point we do not want shim to automatically apply a - * revocation unless it is delivered by a separately installed - * signed revocations binary. + * Some distros may want to apply revocations from 2022052400 + * or 2022111500 automatically. They can be selected by setting + * SBAT_AUTOMATIC_DATE=<datestamp> at build time. Otherwise the + * default is to apply the second to most recent revocations + * automatically. Distros that need to manage automatic updates + * externally from shim can choose the epoch 2021030218 emtpy + * revocations. */ -#define SBAT_VAR_AUTOMATIC_DATE "2021030218" +#ifndef SBAT_AUTOMATIC_DATE +#define SBAT_AUTOMATIC_DATE 2023012900 +#endif /* SBAT_AUTOMATIC_DATE */ +#if SBAT_AUTOMATIC_DATE == 2021030218 +#define SBAT_VAR_AUTOMATIC_REVOCATIONS +#elif SBAT_AUTOMATIC_DATE == 2022052400 +#define SBAT_VAR_AUTOMATIC_REVOCATIONS "grub,2\n" +#elif SBAT_AUTOMATIC_DATE == 2022111500 +#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n" +#elif SBAT_AUTOMATIC_DATE == 2023012900 +#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n" +#else +#error "Unknown SBAT_AUTOMATIC_DATE" +#endif /* SBAT_AUTOMATIC_DATE == */ +#define SBAT_VAR_AUTOMATIC_DATE QUOTEVAL(SBAT_AUTOMATIC_DATE) #define SBAT_VAR_AUTOMATIC \ - SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n" + SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n" \ + SBAT_VAR_AUTOMATIC_REVOCATIONS /* * Revocations for January 2024 shim CVEs |