From dd70785953590a0af629f7db85faba8019e85c6f Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Fri, 12 Feb 2021 12:41:41 -0500
Subject: efi bins: add an easy way for vendors to add .sbat data

In cases where we accept vendor shim binaries with additional patches, it may become necessary to identify those builds with additional SBAT data. When we consider such patches, we should be proactive in asking vendors to include that data in the .sbat sections of their trusted EFI binaries. This patch adds any data in data/sbat.*.csv (after a quick sanitizing pass) after data/sbat.csv in the .sbat section, so that no changes to the upstream data/sbat.csv are ever required.

Signed-off-by: Peter Jones
---
 .gitignore | 1 +
 BUILDING | 6 ++++++
 Make.defaults | 3 ++-
 Make.rules | 5 +++++
 Makefile | 9 +++++++++
 elf_aarch64_efi.lds | 1 +
 elf_arm_efi.lds | 1 +
 elf_ia32_efi.lds | 1 +
 elf_ia64_efi.lds | 1 +
 elf_x86_64_efi.lds | 1 +
 10 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 312a0e3a..f4618b84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ shim_cert.h
 version.c
 cov-int/
 scan-results/
+/sbat.*.csv
diff --git a/BUILDING b/BUILDING
index fb278217..4b582036 100644
--- a/BUILDING
+++ b/BUILDING
@@ -60,4 +60,10 @@ Variables you could set to customize the build:
 This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
 By default this is the same value as EFIDIR .
+Vendor SBAT data:
+It will sometimes be requested by reviewers that a build includes extra
+.sbat data. The mechanism to do so is to add a CSV file in data/ with the
+name sbat.FOO.csv, where foo is your EFI subdirectory name. The build
+system will automatically include any such files.
+
 # vim:filetype=mail:tw=74
diff --git a/Make.defaults b/Make.defaults
index 10e1ad52..8bfcf7e0 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -2,6 +2,8 @@ COMPILER ?= gcc
 CC = $(CROSS_COMPILE)$(COMPILER)
 LD = $(CROSS_COMPILE)ld
 OBJCOPY = $(CROSS_COMPILE)objcopy
+DOS2UNIX ?= dos2unix
+D2UFLAGS ?= -r -l -F -f -n
 OPENSSL ?= openssl
 HEXDUMP ?= hexdump
 INSTALL ?= install
@@ -22,7 +24,6 @@ DEBUGSOURCE ?= $(prefix)/src/debug/
 OSLABEL ?= $(EFIDIR)
 DEFAULT_LOADER ?= \\\\grub$(ARCH_SUFFIX).efi
 DASHJ ?= -j$(shell echo $$(($$(grep -c "^model name" /proc/cpuinfo) + 1)))
-SBATPATH ?= data/sbat.csv
 ARCH ?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
 OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)
diff --git a/Make.rules b/Make.rules
index 2f1d4a7b..e4e31ff4 100644
--- a/Make.rules
+++ b/Make.rules
@@ -1,3 +1,8 @@
 define get-config
 $(shell git config --local --get "shim.$(1)")
 endef
+
+define add-vendor-sbat
+$(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
+
+endef
diff --git a/Makefile b/Makefile
index 63867f92..45d57fcc 100644
--- a/Makefile
+++ b/Makefile
@@ -40,6 +40,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat.o
 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
 FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat.o
 ORIG_FALLBACK_SRCS = fallback.c
+SBATPATH = data/sbat.csv
 ifneq ($(origin ENABLE_HTTPBOOT), undefined)
 OBJS += httpboot.o
@@ -84,9 +85,17 @@ shim.o: $(wildcard $(TOPDIR)/*.h)
 cert.o : $(TOPDIR)/cert.S
 $(CC) $(CFLAGS) -c -o $@ $<
+sbat.%.csv : data/sbat.%.csv
+ $(DOS2UNIX) $(D2UFLAGS) $< $@
+ tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat.o : | $(SBATPATH) $(VENDOR_SBATS)
 sbat.o : $(TOPDIR)/sbat.c
 $(CC) $(CFLAGS) -c -o $@ $<
 $(OBJCOPY) --add-section .sbat=$(SBATPATH) $@
+ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
 $(SHIMNAME) : $(SHIMSONAME)
 $(MMNAME) : $(MMSONAME)
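Review bot: The `-l` in `D2UFLAGS ?= -r -l -F -f -n` is dos2unix's --newline option, which according to the dos2unix manual turns each DOS line break into two Unix line breaks rather than one, so a CRLF-formatted vendor CSV would come out with an empty line between every record. If the intent is only line-ending normalisation plus BOM removal, `D2UFLAGS ?= -r -F -f -n` looks like the right set; the trailing-newline fixup in the Makefile's sbat.%.csv rule already handles a missing final newline. Whether shim's .sbat parser tolerates blank records cannot be told from this diff, so that is worth confirming before relying on it.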
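Review bot: The empty line inside `define add-vendor-sbat` is load-bearing — the trailing newline it leaves in the macro is what makes each `$(call add-vendor-sbat,...)` produced by the Makefile's `$(foreach ...)` run as a separate recipe line instead of being glued onto one objcopy command line — and nothing says so, so a routine tidy-up is likely to delete it. A comment above the define such as `# Keep the blank line: the trailing newline makes each $(call ...) its own recipe line.` would protect it. The same comment could record that the section name is derived from the file name (`sbat.foo.csv` becomes `.sbat.foo`), which is the contract the `*(.sbat.*)` input pattern in the linker scripts depends on.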
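Review bot: `sbat.o : | $(SBATPATH) $(VENDOR_SBATS)` lists the CSV inputs as order-only prerequisites, so editing data/sbat.csv or a vendor data/sbat.*.csv after sbat.o exists does not rebuild it and the binary keeps the stale SBAT section; the sanitised sbat.foo.csv copy is refreshed by its pattern rule, but nothing re-runs the objcopy step that embeds it. Making them normal prerequisites listed after the C source keeps `$<` pointing at sbat.c: `sbat.o : $(TOPDIR)/sbat.c $(SBATPATH) $(VENDOR_SBATS)` in place of the two current `sbat.o :` lines. Separately, the trailing-newline fixup is applied only to the vendor copies and not to $(SBATPATH), so the first vendor record is appended on its own line only if data/sbat.csv itself ends with a newline, which this diff does not show. `$(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))` is simply `$(notdir $(wildcard data/sbat.*.csv))`.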
diff --git a/elf_aarch64_efi.lds b/elf_aarch64_efi.lds
index 48ba8ba2..dfa16e8f 100644
--- a/elf_aarch64_efi.lds
+++ b/elf_aarch64_efi.lds
@@ -62,6 +62,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_arm_efi.lds b/elf_arm_efi.lds
index 7d699483..55abd31a 100644
--- a/elf_arm_efi.lds
+++ b/elf_arm_efi.lds
@@ -60,6 +60,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
index 043a3583..54cd3fb9 100644
--- a/elf_ia32_efi.lds
+++ b/elf_ia32_efi.lds
@@ -58,6 +58,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_ia64_efi.lds b/elf_ia64_efi.lds
index ce2e34cb..ae10149d 100644
--- a/elf_ia64_efi.lds
+++ b/elf_ia64_efi.lds
@@ -60,6 +60,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds
index 3e1f1385..af3a0714 100644
--- a/elf_x86_64_efi.lds
+++ b/elf_x86_64_efi.lds
@@ -63,6 +63,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
--
cgit v1.2.3
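Review bot: The new `*(.sbat.*)` input-section pattern gives no hint of where those sections come from, so a reader of the linker script alone cannot tell that they are vendor CSV records which the Makefile's add-vendor-sbat macro injects as `.sbat.foo`, nor that they must stay after `*(.sbat)` so the vendor records follow the upstream data/sbat.csv ones. A one-line comment above it, `/* vendor .sbat.* records added by the Makefile; must follow *(.sbat) */`, would say so. The same applies to the identical hunks in elf_arm_efi.lds, elf_ia32_efi.lds, elf_ia64_efi.lds and elf_x86_64_efi.lds. The enclosing output-section description starts outside the hunk.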