From 743f3fa0e40c3971b3ea9c5eb7724cbf2a91c282 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Fri, 20 Dec 2024 18:49:17 -0800 Subject: Add generate_sbat_var_defs utility program This adds the utility program generate_sbat_var_defs, which can be used to generate the sbar_var_defs.h header file from the human readable SbatLevel_Variable.txt file. Signed-off-by: Jan Setje-Eilers --- generate_sbat_var_defs.c | 156 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 generate_sbat_var_defs.c (limited to 'generate_sbat_var_defs.c') diff --git a/generate_sbat_var_defs.c b/generate_sbat_var_defs.c new file mode 100644 index 00000000..e29fcbd7 --- /dev/null +++ b/generate_sbat_var_defs.c 
@@ -0,0 +1,156 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + +/* + * This generates the header files that produce the actual revocation + * string payload. On the one hand this grabs the defintions from the + * human readable SbatLevel_Variable.txt file which is nice. On the other + * hand it's one off c code. + */ + +#include +#include +#include + +typedef struct sbat_revocation sbat_revocation; + +struct sbat_revocation { + int date; + char *revocations; + sbat_revocation *next; +}; + +static sbat_revocation *revlisthead; + +int +readfile(char *SbatLevel_Variable) +{ + FILE *varfilep; + char line[1024]; + int date; + + int revocationsp = 0; + + sbat_revocation *revlistlast = NULL; + sbat_revocation *revlistentry = NULL; + + revlisthead = NULL; + + varfilep = fopen(SbatLevel_Variable, "r"); + if (varfilep == NULL) + return -1; + + while (fgets(line, sizeof(line), varfilep) != NULL) { + if (sscanf(line, "sbat,1,%d\n", &date) && strlen(line) == 18) { + revlistentry = + (sbat_revocation *)malloc(sizeof(sbat_revocation)); + if (revlistentry == NULL) + return -1; + if (revlisthead == NULL) + revlisthead = revlistentry; + else + revlistlast->next = revlistentry; + + revlistlast = revlistentry; + + revlistentry->date = date; + while (line[0] != '\n' && + fgets(line, sizeof(line), varfilep) != NULL) { + revlistentry->revocations = + (char *)realloc(revlistentry->revocations, + revocationsp + + strlen(line) + 1); + if (revlistentry->revocations == NULL) + return -1; + if (strlen(line) > 1) { + line[strlen(line) -1] = 0; + sprintf(revlistentry->revocations + + revocationsp, "%s\\n", line); + revocationsp = revocationsp + strlen(line) + 2; + } + } + revocationsp = 0; + + } + } + + return 1; +} + +int +writefile() +{ + int epochfound = 0; + int epochdate = 2021030218; + int latestdate = 0; + + sbat_revocation *revlistentry; + sbat_revocation *latest_revlistentry = NULL; + + revlistentry = revlisthead; + + while (revlistentry != NULL) { + if (revlistentry->date == 
epochdate) { + printf("#ifndef GEN_SBAT_VAR_DEFS_H_\n" + "#define GEN_SBAT_VAR_DEFS_H_\n" + "#ifndef ENABLE_SHIM_DEVEL\n\n" + "#ifndef SBAT_AUTOMATIC_DATE\n" + "#define SBAT_AUTOMATIC_DATE 2023012900\n" + "#endif /* SBAT_AUTOMATIC_DATE */\n" + "#if SBAT_AUTOMATIC_DATE == %d\n" + "#define SBAT_VAR_AUTOMATIC_REVOCATIONS\n", + revlistentry->date); + epochfound = 1; + } else if (epochfound == 1) { + printf("#elif SBAT_AUTOMATIC_DATE == %d\n" + "#define SBAT_VAR_AUTOMATIC_REVOCATIONS \"%s\"\n", + revlistentry->date, + revlistentry->revocations); + } + if (revlistentry->date > latestdate) { + latest_revlistentry = revlistentry; + latestdate = revlistentry->date; + } + revlistentry = revlistentry->next; + } + + if (epochfound == 0 || !latest_revlistentry) + return -1; + + printf("#else\n" + "#error \"Unknown SBAT_AUTOMATIC_DATE\"\n" + "#endif /* SBAT_AUTOMATIC_DATE == */\n\n" + "#define SBAT_VAR_AUTOMATIC_DATE QUOTEVAL(SBAT_AUTOMATIC_DATE)\n" + "#define SBAT_VAR_AUTOMATIC \\\n" + " SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE \"\\n\" \\\n" + " SBAT_VAR_AUTOMATIC_REVOCATIONS\n\n"); + + printf("#define SBAT_VAR_LATEST_DATE \"%d\"\n" + "#define SBAT_VAR_LATEST_REVOCATIONS \"%s\"\n", + latest_revlistentry->date, + latest_revlistentry->revocations); + + printf("#define SBAT_VAR_LATEST \\\n" + " SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE \"\\n\" \\\n" + " SBAT_VAR_LATEST_REVOCATIONS\n\n" + "#endif /* !ENABLE_SHIM_DEVEL */\n" + "#endif /* !GEN_SBAT_VAR_DEFS_H_ */\n"); + + return 0; +} + + +int +main(int argc, char *argv[]) +{ + char SbatLevel_Variable[2048]; + + if (argc == 2) + snprintf(SbatLevel_Variable, 2048, "%s/SbatLevel_Variable.txt", argv[1]); + else + snprintf(SbatLevel_Variable, 2048, "SbatLevel_Variable.txt"); + + if (readfile(SbatLevel_Variable)) + return writefile(); + else + return -1; +} -- cgit v1.2.3 From 76fab7bd7e61e080ac8ae28450cae6f533159086 Mon Sep 17 00:00:00 2001 
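Review bot: The realloc size in readfile's inner loop is one byte short of what the sprintf below it writes: the buffer grows to `revocationsp + strlen(line) + 1` while `strlen(line)` still counts the trailing newline, but once that newline is chopped sprintf emits strlen(line)-1 characters, the two-character `\n` escape and a NUL — strlen(line)+2 bytes from `revocationsp` — so the terminator lands one past the allocation on every appended line. `revocationsp + strlen(line) + 2` fixes the size, and a bounded `snprintf` with the remaining capacity would make the invariant checkable; the same expression is carried unchanged through the clang-format hunk and the realloc-failure hunk in the next two commits, which keep the off-by-one. Separately, readfile returns -1 on failure and main tests `if (readfile(SbatLevel_Variable))`, so a missing input file still falls through to writefile and only fails there because the list is empty; `if (readfile(SbatLevel_Variable) > 0)` states the intent.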
From: Peter Jones Date: Wed, 12 Mar 2025 13:56:54 -0400 Subject: generate_sbat_var_defs: run clang-format on readfile() Signed-off-by: Peter Jones --- generate_sbat_var_defs.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'generate_sbat_var_defs.c') diff --git a/generate_sbat_var_defs.c b/generate_sbat_var_defs.c index e29fcbd7..3ae62eba 100644 --- a/generate_sbat_var_defs.c +++ b/generate_sbat_var_defs.c @@ -41,8 +41,8 @@ readfile(char *SbatLevel_Variable) while (fgets(line, sizeof(line), varfilep) != NULL) { if (sscanf(line, "sbat,1,%d\n", &date) && strlen(line) == 18) { - revlistentry = - (sbat_revocation *)malloc(sizeof(sbat_revocation)); + revlistentry = (sbat_revocation *)malloc( + sizeof(sbat_revocation)); if (revlistentry == NULL) return -1; if (revlisthead == NULL) @@ -55,21 +55,21 @@ readfile(char *SbatLevel_Variable) revlistentry->date = date; while (line[0] != '\n' && fgets(line, sizeof(line), varfilep) != NULL) { - revlistentry->revocations = - (char *)realloc(revlistentry->revocations, - revocationsp + - strlen(line) + 1); - if (revlistentry->revocations == NULL) - return -1; - if (strlen(line) > 1) { - line[strlen(line) -1] = 0; - sprintf(revlistentry->revocations - + revocationsp, "%s\\n", line); - revocationsp = revocationsp + strlen(line) + 2; - } + revlistentry->revocations = (char *)realloc( + revlistentry->revocations, + revocationsp + strlen(line) + 1); + if (revlistentry->revocations == NULL) + return -1; + if (strlen(line) > 1) { + line[strlen(line) - 1] = 0; + sprintf(revlistentry->revocations + + revocationsp, + "%s\\n", line); + revocationsp = + revocationsp + strlen(line) + 2; + } } revocationsp = 0; - } } -- cgit v1.2.3 From 6dadb70a2a522640db9025c77ef61d8949734c37 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 12 Mar 2025 13:58:51 -0400 Subject: generate_sbat_var_defs: Fix memory leak on realloc failure and fd leak. Resolves: Coverity CID 457502 
Signed-off-by: Peter Jones --- generate_sbat_var_defs.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) (limited to 'generate_sbat_var_defs.c') diff --git a/generate_sbat_var_defs.c b/generate_sbat_var_defs.c index 3ae62eba..2d8f76de 100644 --- a/generate_sbat_var_defs.c +++ b/generate_sbat_var_defs.c @@ -27,8 +27,9 @@ readfile(char *SbatLevel_Variable) FILE *varfilep; char line[1024]; int date; + int ret = -1; - int revocationsp = 0; + unsigned int revocationsp = 0; sbat_revocation *revlistlast = NULL; sbat_revocation *revlistentry = NULL; @@ -44,7 +45,7 @@ readfile(char *SbatLevel_Variable) revlistentry = (sbat_revocation *)malloc( sizeof(sbat_revocation)); if (revlistentry == NULL) - return -1; + goto err; if (revlisthead == NULL) revlisthead = revlistentry; else @@ -55,11 +56,14 @@ readfile(char *SbatLevel_Variable) revlistentry->date = date; while (line[0] != '\n' && fgets(line, sizeof(line), varfilep) != NULL) { - revlistentry->revocations = (char *)realloc( - revlistentry->revocations, - revocationsp + strlen(line) + 1); - if (revlistentry->revocations == NULL) - return -1; + char *new = NULL; + new = realloc(revlistentry->revocations, + revocationsp + strlen(line) + 1); + if (new == NULL) { + ret = -1; + goto err; + } + revlistentry->revocations = new; if (strlen(line) > 1) { line[strlen(line) - 1] = 0; sprintf(revlistentry->revocations + @@ -73,7 +77,21 @@ readfile(char *SbatLevel_Variable) } } - return 1; + ret = 1; +err: + if (ret < 0 && revlisthead) { + sbat_revocation *rle = revlisthead; + while (rle) { + sbat_revocation *next = rle->next; + if (rle->revocations) + free(rle->revocations); + free(rle); + rle = next; + } + revlisthead = NULL; + } + fclose(varfilep); + return ret; } int -- cgit v1.2.3 From f58c77e49ef9fe79b67c8e1d39524ff80c892ace Mon Sep 17 00:00:00 2001 
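Review bot: In the realloc-failure branch of the @@ -55 hunk, `ret = -1;` before `goto err` is redundant: `ret` is initialized to -1 in the @@ -27 hunk and nothing assigns it before the success path, so `if (new == NULL) goto err;` is enough. The `if (rle->revocations)` guard in the @@ -73 cleanup loop is equally redundant since free(NULL) is a no-op, and `char *new = NULL;` followed by an immediate assignment can be collapsed into `char *new = realloc(revlistentry->revocations, revocationsp + strlen(line) + 1);`. The fopen-failure early return is not in any hunk, so I am assuming it still returns before the `err:` label and fclose never sees a NULL stream.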
From: Peter Jones Date: Wed, 12 Mar 2025 14:03:40 -0400 Subject: generate_sbat_var_defs: Ensure revlistentry->revocations is initialized. Resolves: Coverity CID 457507 Signed-off-by: Peter Jones --- generate_sbat_var_defs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'generate_sbat_var_defs.c') diff --git a/generate_sbat_var_defs.c b/generate_sbat_var_defs.c index 2d8f76de..94540bb0 100644 --- a/generate_sbat_var_defs.c +++ b/generate_sbat_var_defs.c @@ -42,8 +42,7 @@ readfile(char *SbatLevel_Variable) while (fgets(line, sizeof(line), varfilep) != NULL) { if (sscanf(line, "sbat,1,%d\n", &date) && strlen(line) == 18) { - revlistentry = (sbat_revocation *)malloc( - sizeof(sbat_revocation)); + revlistentry = calloc(1, sizeof(sbat_revocation)); if (revlistentry == NULL) goto err; if (revlisthead == NULL) -- cgit v1.2.3 From 893252718ebd8e3777a5209e84f2819e1ae59108 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Mon, 17 Feb 2025 15:05:03 -0800 Subject: SBAT Level update for February 2025 GRUB CVEs Moves the minimum GRUB SBAT Level to 5 in order to require fixes for the following GRUB CVEs: CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125 This also bumps the default SBAT_AUTOMATIC_DATE to 2024040900. Signed-off-by: Jan Setje-Eilers --- SbatLevel_Variable.txt | 12 +++++------- generate_sbat_var_defs.c | 2 +- 2 files changed, 6 insertions(+), 8 deletions(-) (limited to 'generate_sbat_var_defs.c') diff --git a/SbatLevel_Variable.txt b/SbatLevel_Variable.txt index 407f1337..7afdcd0d 100644 --- a/SbatLevel_Variable.txt +++ b/SbatLevel_Variable.txt 
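Review bot: calloc makes the first realloc of `revocations` well-defined, but the pointer can still reach writefile's `%s` either NULL or pointing at unterminated bytes: when the `sbat,1,...` header is the last line of the file no realloc runs and `revocations` stays NULL, and when the header is followed directly by a blank line the realloc (outside this hunk) allocates two bytes that are never written, because the `strlen(line) > 1` branch is the only place the buffer is terminated. Guarding the realloc with the same `strlen(line) > 1` test, or writing `new[revocationsp] = 0;` right after a successful realloc, closes the gap; writefile should then also skip or reject an entry whose `revocations` is NULL before passing it to printf.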
@@ -118,12 +118,10 @@ grub,4 grub.peimage,2 -Since http boot shim CVE is considerably more serious than then GRUB -ntfs CVEs shim is delivering the shim revocation without the updated -GRUB revocation as a latest payload. - -To revoke both the impacted shim and impacted GRUB binaries: +Revocations for: + - Februady 2025 GRUB CVEs -sbat,1,2024 +sbat,1,2025021800 shim,4 -grub,4 +grub,5 + diff --git a/generate_sbat_var_defs.c b/generate_sbat_var_defs.c index 94540bb0..1258e1b2 100644 --- a/generate_sbat_var_defs.c +++ b/generate_sbat_var_defs.c @@ -111,7 +111,7 @@ writefile() "#define GEN_SBAT_VAR_DEFS_H_\n" "#ifndef ENABLE_SHIM_DEVEL\n\n" "#ifndef SBAT_AUTOMATIC_DATE\n" - "#define SBAT_AUTOMATIC_DATE 2023012900\n" + "#define SBAT_AUTOMATIC_DATE 2024040900\n" "#endif /* SBAT_AUTOMATIC_DATE */\n" "#if SBAT_AUTOMATIC_DATE == %d\n" "#define SBAT_VAR_AUTOMATIC_REVOCATIONS\n", -- cgit v1.2.3
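Review bot: The added comment line in SbatLevel_Variable.txt misspells the month: `+ - Februady 2025 GRUB CVEs` should read ` - February 2025 GRUB CVEs`. The typo is harmless to readfile, which only matches `sbat,1,%d` headers and collects the lines that follow, but this file is the human-readable source of record for the revocation, so it is worth fixing in the same change. The trailing added blank line matters if another entry is ever appended below: readfile keeps collecting revocation lines until it sees a line starting with a newline, so without it the next header would be folded into this entry's payload.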