| author | Peter Jones <pjones@redhat.com> | 2021-02-12 12:41:41 -0500 |
|---|---|---|
| committer | Javier Martinez Canillas <javier@dowhile0.org> | 2021-02-12 19:27:21 +0100 |
| commit | dd70785953590a0af629f7db85faba8019e85c6f (patch) | |
| tree | 11d80872789216f8aec025258fceeab3c57a3d0e | |
| parent | 6d13718c806680f78157483906b04486775f5252 (diff) | |
efi bins: add an easy way for vendors to add .sbat data
In cases where we accept vendor shim binaries with additional patches,
it may become necessary to identify those builds with additional SBAT
data. When we consider such patches, we should be proactive in asking
vendors to include that data in the .sbat sections of their trusted EFI
binaries.
This patch adds any data in data/sbat.*.csv (after a quick sanitizing
pass) after data/sbat.csv in the .sbat section, so that no changes to
the upstream data/sbat.csv are ever required.
Signed-off-by: Peter Jones <pjones@redhat.com>
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | BUILDING | 6 | ||||
| -rw-r--r-- | Make.defaults | 3 | ||||
| -rw-r--r-- | Make.rules | 5 | ||||
| -rw-r--r-- | Makefile | 9 | ||||
| -rw-r--r-- | elf_aarch64_efi.lds | 1 | ||||
| -rw-r--r-- | elf_arm_efi.lds | 1 | ||||
| -rw-r--r-- | elf_ia32_efi.lds | 1 | ||||
| -rw-r--r-- | elf_ia64_efi.lds | 1 | ||||
| -rw-r--r-- | elf_x86_64_efi.lds | 1 |
10 files changed, 28 insertions, 1 deletions
@@ -27,3 +27,4 @@ shim_cert.h version.c cov-int/ scan-results/ +/sbat.*.csv @@ -60,4 +60,10 @@ Variables you could set to customize the build: This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS. By default this is the same value as EFIDIR . +Vendor SBAT data: +It will sometimes be requested by reviewers that a build includes extra +.sbat data. The mechanism to do so is to add a CSV file in data/ with the +name sbat.FOO.csv, where foo is your EFI subdirectory name. The build +system will automatically include any such files. + # vim:filetype=mail:tw=74 diff --git a/Make.defaults b/Make.defaults index 10e1ad52..8bfcf7e0 100644 --- a/Make.defaults +++ b/Make.defaults @@ -2,6 +2,8 @@ COMPILER ?= gcc CC = $(CROSS_COMPILE)$(COMPILER) LD = $(CROSS_COMPILE)ld OBJCOPY = $(CROSS_COMPILE)objcopy +DOS2UNIX ?= dos2unix +D2UFLAGS ?= -r -l -F -f -n OPENSSL ?= openssl HEXDUMP ?= hexdump INSTALL ?= install @@ -22,7 +24,6 @@ DEBUGSOURCE ?= $(prefix)/src/debug/ OSLABEL ?= $(EFIDIR) DEFAULT_LOADER ?= \\\\grub$(ARCH_SUFFIX).efi DASHJ ?= -j$(shell echo $$(($$(grep -c "^model name" /proc/cpuinfo) + 1))) -SBATPATH ?= data/sbat.csv ARCH ?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24) @@ -1,3 +1,8 @@ define get-config $(shell git config --local --get "shim.$(1)") endef + +define add-vendor-sbat +$(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2) + +endef @@ -40,6 +40,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat.o ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h) FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat.o ORIG_FALLBACK_SRCS = fallback.c +SBATPATH = data/sbat.csv ifneq ($(origin ENABLE_HTTPBOOT), undefined) OBJS += httpboot.o 
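Review bot: `D2UFLAGS ?= -r -l -F -f -n` in the Make.defaults hunk includes `-l`, which in dos2unix adds an extra newline for every DOS line break it converts, so a CRLF vendor file ends up with an empty line after every record in the .sbat section instead of plain LF endings. If the flag was meant to guarantee a terminating newline, the `tail -c1 ... || echo >> $@` step in the Makefile's `sbat.%.csv` rule already does that, so `D2UFLAGS ?= -r -F -f -n` looks like the intent; worth confirming against how shim's SBAT parser treats blank lines, which this diff does not show. `-f` also forces conversion of files dos2unix would otherwise reject as binary, so a vendor CSV with embedded NULs is not stopped at this step. A comment recording why each flag is set, `# -r strip BOM, -F follow symlinks, -f convert even if dos2unix thinks the file is binary, -n write to a new file`, would make the choice reviewable later.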
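Review bot: `add-vendor-sbat` in the Make.rules hunk has no comment on its arguments or on the blank line before `endef`, and both are load-bearing: `$(1)` is the sanitised `sbat.FOO.csv` in the build directory and also the source of the section name `.sbat.FOO` via `patsubst`, `$(2)` is the object to modify, and the trailing newline in the body presumably makes each expansion from the Makefile's `$(foreach ...)` run as its own recipe line instead of being glued onto one command — confirm that is the reason. I would add above the define `# add-vendor-sbat FILE OBJ: objcopy FILE (sbat.FOO.csv, already dos2unix'd, in the build dir) into section .sbat.FOO of OBJ.` and `# The body ends with a newline on purpose: each $(call) from a $(foreach) in a recipe then runs as a separate command.` Because `$(1)` doubles as the path handed to objcopy, the macro only works for files in the current directory, which the Makefile's `sbat.%.csv` rule guarantees but nothing in Make.rules states.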
@@ -84,9 +85,17 @@ shim.o: $(wildcard $(TOPDIR)/*.h)
 cert.o : $(TOPDIR)/cert.S
 $(CC) $(CFLAGS) -c -o $@ $<
 
+sbat.%.csv : data/sbat.%.csv
+ $(DOS2UNIX) $(D2UFLAGS) $< $@
+ tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat.o : | $(SBATPATH) $(VENDOR_SBATS)
 sbat.o : $(TOPDIR)/sbat.c
 $(CC) $(CFLAGS) -c -o $@ $<
 $(OBJCOPY) --add-section .sbat=$(SBATPATH) $@
+ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
 
 $(SHIMNAME) : $(SHIMSONAME)
 $(MMNAME) : $(MMSONAME)
diff --git a/elf_aarch64_efi.lds b/elf_aarch64_efi.lds
index 48ba8ba2..dfa16e8f 100644
--- a/elf_aarch64_efi.lds
+++ b/elf_aarch64_efi.lds
@@ -62,6 +62,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_arm_efi.lds b/elf_arm_efi.lds
index 7d699483..55abd31a 100644
--- a/elf_arm_efi.lds
+++ b/elf_arm_efi.lds
@@ -60,6 +60,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
index 043a3583..54cd3fb9 100644
--- a/elf_ia32_efi.lds
+++ b/elf_ia32_efi.lds
@@ -58,6 +58,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_ia64_efi.lds b/elf_ia64_efi.lds
index ce2e34cb..ae10149d 100644
--- a/elf_ia64_efi.lds
+++ b/elf_ia64_efi.lds
@@ -60,6 +60,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds
index 3e1f1385..af3a0714 100644
--- a/elf_x86_64_efi.lds
+++ b/elf_x86_64_efi.lds
@@ -63,6 +63,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096); |
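Review bot: `sbat.o : | $(SBATPATH) $(VENDOR_SBATS)` lists the CSV inputs as order-only prerequisites, so editing data/sbat.csv or a vendor data/sbat.FOO.csv after sbat.o exists does not rebuild it and the previous SBAT data is linked into the signed binary. The recipe only uses `$<`, so the files can be ordinary prerequisites on the recipe rule, `sbat.o : $(TOPDIR)/sbat.c $(SBATPATH) $(VENDOR_SBATS)`, which keeps `$<` as sbat.c. The `sbat.%.csv` rule normalises line endings and the trailing newline but never looks at the content: a vendor file whose lines lack the component name and generation columns, or that reuses a component name already present in data/sbat.csv, is embedded verbatim and is only noticed when shim parses the section at boot (the parser is not in this diff); a build-time check such as `awk -F, 'NF < 2 { exit 1 }' $@` on the sanitised file would fail the build instead. `tail -c1 $@ | read -r _` also depends on the exit status of `read` at the end of a pipeline, which holds in sh and bash but deserves a comment saying so.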
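Review bot: `*(.sbat.*)` appends each vendor input section after `.sbat`, but the bytes between `_sbat` and `_esbat` are only one continuous CSV stream if data/sbat.csv itself ends with a newline and the linker inserts no padding between the input sections; the Makefile's `sbat.%.csv` rule guarantees a trailing newline only for the vendor files, and nothing in this diff pins the alignment of the objcopy-added sections. If `--add-section` yields an alignment above 1 on some binutils versions, zero bytes would land between records; I cannot confirm objcopy's default from here, so a check that `objdump -h sbat.o` reports alignment 2**0 for the `.sbat*` sections, or an explicit `--set-section-alignment` where the toolchain supports it, would settle it. A comment on the new line, `*(.sbat.*)  /* vendor sbat.FOO.csv data, placed after upstream .sbat */`, would record why the wildcard is there; the same applies to the other four linker scripts in this commit.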
