| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | Makefile | 6 | ||||
| -rw-r--r-- | generate_sbat_var_defs.c | 156 |
3 files changed, 163 insertions, 0 deletions
@@ -38,6 +38,7 @@ Make.local /crash-* /fuzz-* !/fuzz-*.c +/generate_sbat_var_defs /leak-* /post-process-pe /random.bin @@ -38,6 +38,8 @@ CFLAGS += -DENABLE_SHIM_CERT else TARGETS += $(MMNAME) $(FBNAME) endif +# This is temporary and will go away soon +TARGETS += generate_sbat_var_defs OBJS = shim.o globals.o mok.o netboot.o cert.o dp.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o sbat_var.o pe.o pe-relocate.o httpboot.o csv.o load-options.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer ORIG_SOURCES = shim.c globals.c mok.c netboot.c dp.c replacements.c tpm.c errlog.c sbat.c pe.c pe-relocate.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S sbat_var.S @@ -188,6 +190,9 @@ lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch]) post-process-pe : $(TOPDIR)/post-process-pe.c $(HOSTCC) -std=gnu11 -Og -g3 -Wall -Wextra -Wno-missing-field-initializers -Werror -o $@ $< +generate_sbat_var_defs: $(TOPDIR)/generate_sbat_var_defs.c + $(HOSTCC) -std=gnu11 -Og -g3 -Wall -Wextra -Wno-missing-field-initializers -Werror -o $@ $< + buildid : $(TOPDIR)/buildid.c $(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf @@ -356,6 +361,7 @@ clean-lib-objs: clean-shim-objs: @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME) @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid post-process-pe compile_commands.json + @rm -vf generate_sbat_var_defs @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa] @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi diff --git a/generate_sbat_var_defs.c b/generate_sbat_var_defs.c new file mode 100644 index 00000000..e29fcbd7 --- /dev/null +++ b/generate_sbat_var_defs.c 
@@ -0,0 +1,156 @@
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+
+/*
+ * This generates the header files that produce the actual revocation
+ * string payload. On the one hand this grabs the defintions from the
+ * human readable SbatLevel_Variable.txt file which is nice. On the other
+ * hand it's one off c code.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+typedef struct sbat_revocation sbat_revocation;
+
+struct sbat_revocation {
+	int date;
+	char *revocations;
+	sbat_revocation *next;
+};
+
+static sbat_revocation *revlisthead;
+
+int
+readfile(char *SbatLevel_Variable)
+{
+	FILE *varfilep;
+	char line[1024];
+	int date;
+
+	int revocationsp = 0;
+
+	sbat_revocation *revlistlast = NULL;
+	sbat_revocation *revlistentry = NULL;
+
+	revlisthead = NULL;
+
+	varfilep = fopen(SbatLevel_Variable, "r");
+	if (varfilep == NULL)
+		return -1;
+
+	while (fgets(line, sizeof(line), varfilep) != NULL) {
+		if (sscanf(line, "sbat,1,%d\n", &date) && strlen(line) == 18) {
+			revlistentry =
+				(sbat_revocation *)malloc(sizeof(sbat_revocation));
+			if (revlistentry == NULL)
+				return -1;
+			if (revlisthead == NULL)
+				revlisthead = revlistentry;
+			else
+				revlistlast->next = revlistentry;
+
+			revlistlast = revlistentry;
+
+			revlistentry->date = date;
+			while (line[0] != '\n' &&
+			       fgets(line, sizeof(line), varfilep) != NULL) {
+				revlistentry->revocations =
+					(char *)realloc(revlistentry->revocations,
+							revocationsp +
+							strlen(line) + 1);
+				if (revlistentry->revocations == NULL)
+					return -1;
+				if (strlen(line) > 1) {
+					line[strlen(line) -1] = 0;
+					sprintf(revlistentry->revocations +
+						revocationsp, "%s\\n", line);
+					revocationsp = revocationsp + strlen(line) + 2;
+				}
+			}
+			revocationsp = 0;
+
+		}
+	}
+
+	return 1;
+}
+
+int
+writefile()
+{
+	int epochfound = 0;
+	int epochdate = 2021030218;
+	int latestdate = 0;
+
+	sbat_revocation *revlistentry;
+	sbat_revocation *latest_revlistentry = NULL;
+
+	revlistentry = revlisthead;
+
+	while (revlistentry != NULL) {
+		if (revlistentry->date == epochdate) {
+			printf("#ifndef GEN_SBAT_VAR_DEFS_H_\n"
+			       "#define GEN_SBAT_VAR_DEFS_H_\n"
+			       "#ifndef ENABLE_SHIM_DEVEL\n\n"
+			       "#ifndef SBAT_AUTOMATIC_DATE\n"
+			       "#define SBAT_AUTOMATIC_DATE 2023012900\n"
+			       "#endif /* SBAT_AUTOMATIC_DATE */\n"
+			       "#if SBAT_AUTOMATIC_DATE == %d\n"
+			       "#define SBAT_VAR_AUTOMATIC_REVOCATIONS\n",
+			       revlistentry->date);
+			epochfound = 1;
+		} else if (epochfound == 1) {
+			printf("#elif SBAT_AUTOMATIC_DATE == %d\n"
+			       "#define SBAT_VAR_AUTOMATIC_REVOCATIONS \"%s\"\n",
+			       revlistentry->date,
+			       revlistentry->revocations);
+		}
+		if (revlistentry->date > latestdate) {
+			latest_revlistentry = revlistentry;
+			latestdate = revlistentry->date;
+		}
+		revlistentry = revlistentry->next;
+	}
+
+	if (epochfound == 0 || !latest_revlistentry)
+		return -1;
+
+	printf("#else\n"
+	       "#error \"Unknown SBAT_AUTOMATIC_DATE\"\n"
+	       "#endif /* SBAT_AUTOMATIC_DATE == */\n\n"
+	       "#define SBAT_VAR_AUTOMATIC_DATE QUOTEVAL(SBAT_AUTOMATIC_DATE)\n"
+	       "#define SBAT_VAR_AUTOMATIC \\\n"
+	       " SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE \"\\n\" \\\n"
+	       " SBAT_VAR_AUTOMATIC_REVOCATIONS\n\n");
+
+	printf("#define SBAT_VAR_LATEST_DATE \"%d\"\n"
+	       "#define SBAT_VAR_LATEST_REVOCATIONS \"%s\"\n",
+	       latest_revlistentry->date,
+	       latest_revlistentry->revocations);
+
+	printf("#define SBAT_VAR_LATEST \\\n"
+	       " SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE \"\\n\" \\\n"
+	       " SBAT_VAR_LATEST_REVOCATIONS\n\n"
+	       "#endif /* !ENABLE_SHIM_DEVEL */\n"
+	       "#endif /* !GEN_SBAT_VAR_DEFS_H_ */\n");
+
+	return 0;
+}
+
+
+int
+main(int argc, char *argv[])
+{
+	char SbatLevel_Variable[2048];
+
+	if (argc == 2)
+		snprintf(SbatLevel_Variable, 2048, "%s/SbatLevel_Variable.txt", argv[1]);
+	else
+		snprintf(SbatLevel_Variable, 2048, "SbatLevel_Variable.txt");
+
+	if (readfile(SbatLevel_Variable))
+		return writefile();
+	else
+		return -1;
+}
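Review bot: The realloc in readfile's inner loop is sized one byte short: the size is taken from strlen(line) while line still carries its trailing newline, the newline is then stripped, and sprintf writes strlen(line) + 2 characters plus a NUL, so the terminator lands one past the end of the allocation on every appended revocation line. Sizing for what is written rather than what was read fixes it, e.g. `revocationsp + strlen(line) + 2` in the realloc call (the `"%s\\n"` form is two bytes longer than the stripped line, plus the NUL). The list node itself comes from a bare malloc, so `revocations` is indeterminate when realloc first reads it and `next` of the last node is indeterminate when writefile walks the list; `revlistentry = calloc(1, sizeof(*revlistentry));` makes the first call a well-defined realloc(NULL, n) and terminates the list. Because this tool emits the SBAT revocation payload that shim enforces, silent heap corruption here is more likely to yield a subtly wrong generated header than a crash, so it is worth fixing before the output is trusted. Separately, main's `if (readfile(SbatLevel_Variable))` treats the -1 returned when the input file cannot be opened as success; it only behaves because writefile then fails on the empty list, so the check should be `if (readfile(SbatLevel_Variable) > 0)`.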
