Re: [XEN PATCH v2] sbat: Add SBAT section to the Xen EFI binary
On Thu, May 1, 2025 at 1:23 PM Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx> wrote: > > SBAT is a revocation scheme for UEFI SecureBoot, and is mandated by Microsoft > for signing. > > The SBAT section provides a way for the binary to declare a generation > id for its upstream source and any vendor changes applied. A compatible > loader can then revoke vulnerable binaries by generation, using the > binary's declared generation id(s) to determine if it is safe to load. > > More information about SBAT is available here: > https://github.com/rhboot/shim/blob/main/SBAT.md > > Vendors should append a custom line onto sbat.csv(.in) with their vendor > specific sbat data. > > Populate the SBAT section in the Xen binary by using the information > in xen/arch/x86/sbat.csv > > Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx> > Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> > Tested-by: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx> > --- > Changed since v1: > * Updated commit message to explain why SBAT is needed > * Renamed sbat_data.o rule to sbat.o > * Moved sbat.o rule into alphabetical order > * Removed xen specific entry from sbat.csv (and rule for auto filling > version) > - The alternative of adding a "customise me" line would result in more > overhead for anyone else building Xen, regardless of UEFI SecureBoot > usage > > diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile > index d902fb7accd9..8fc5c69111d5 100644 > --- a/xen/arch/x86/Makefile > +++ b/xen/arch/x86/Makefile > @@ -58,6 +58,7 @@ obj-y += percpu.o > obj-y += physdev.o > obj-$(CONFIG_COMPAT) += x86_64/physdev.o > obj-y += psr.o > +obj-y += sbat.o > obj-y += setup.o > obj-y += shutdown.o > obj-y += smp.o 
> @@ -277,6 +278,9 @@ $(obj)/efi.lds: AFLAGS-y += -DEFI > $(obj)/xen.lds $(obj)/efi.lds: $(src)/xen.lds.S FORCE > $(call if_changed_dep,cpp_lds_S) > > +$(obj)/sbat.o: $(src)/sbat.csv > + $(OBJCOPY) -I binary -O elf64-x86-64 --rename-section > .data=.sbat,readonly,data,contents $< $@ > + > clean-files := \ > include/asm/asm-macros.* \ > $(objtree)/.xen-syms.[0-9]* \ > diff --git a/xen/arch/x86/sbat.csv b/xen/arch/x86/sbat.csv > new file mode 100644 > index 000000000000..1f262b5f038b > --- /dev/null > +++ b/xen/arch/x86/sbat.csv > @@ -0,0 +1 @@ > +sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md > diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S > index 9a1dfe1b340a..e6405941e1b7 100644 > --- a/xen/arch/x86/xen.lds.S > +++ b/xen/arch/x86/xen.lds.S > @@ -343,6 +343,8 @@ SECTIONS > *(.reloc) > __base_relocs_end = .; > } > + > + .sbat (NOLOAD) : { *(.sbat) } > #elif defined(XEN_BUILD_EFI) > /* > * Due to the way EFI support is currently implemented, these two symbols > diff --git a/xen/include/xen/xen.lds.h b/xen/include/xen/xen.lds.h > index a17810bb286f..756f97d48183 100644 > --- a/xen/include/xen/xen.lds.h > +++ b/xen/include/xen/xen.lds.h > @@ -92,7 +92,8 @@ > *(.comment.*) \ > *(.note.*) > #else > -#define DISCARD_EFI_SECTIONS > +#define DISCARD_EFI_SECTIONS \ > + *(.sbat) > #endif > > /* Sections to be discarded. */ Reviewed-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> Frediano
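Review bot: the `obj-y += sbat.o` line in the first Makefile hunk builds the SBAT blob for every configuration, including ELF-only builds that never produce xen.efi, only for the linker script to discard it again via DISCARD_EFI_SECTIONS. That is harmless but wasteful and slightly misleading to a reader; if the x86 Makefile has an EFI-only object list, sbat.o belongs there, otherwise a one-line comment next to `obj-y += sbat.o` saying the section is consumed only by the xen.efi link would avoid the question in future.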
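Review bot: the `$(obj)/sbat.o: $(src)/sbat.csv` rule in the second Makefile hunk bypasses the `if_changed` machinery used by the rule directly above it (`$(call if_changed_dep,cpp_lds_S)`), so a change to `$(OBJCOPY)` or to the `--rename-section .data=.sbat,readonly,data,contents` flags will not cause sbat.o to be regenerated on an incremental build. Please define a `cmd_sbat` and write the rule as `$(obj)/sbat.o: $(src)/sbat.csv FORCE` followed by `$(call if_changed,sbat)` like its neighbours. Hard-coding `-O elf64-x86-64` is fine under arch/x86, but it is worth stating in the commit message that the rule is intentionally x86-only.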
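Review bot: the new xen/arch/x86/sbat.csv carries only the generic `sbat,1,SBAT Version,sbat,1,...` header, so as shipped the .sbat section names no Xen component at all: a loader applying a revocation list can refuse the binary only through the global `sbat` generation, never by a Xen-specific generation, until a vendor appends their own line. The v2 changelog explains why the auto-filled Xen line was dropped, but the obligation to append a `<vendor>,<generation>,...` line before signing is recorded nowhere a packager will see it (the CSV has no room for a comment), so please add it to the build documentation next to the other EFI signing notes; a distro that signs the stock output otherwise gets an SBAT section that cannot express a Xen revocation.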
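Review bot: the `.sbat (NOLOAD) : { *(.sbat) }` output section added to xen.lds.S needs its contents to reach the PE file, since the whole value of the section is the CSV bytes a loader reads, and NOLOAD normally tells ld not to allocate file contents for a section. Please confirm on the resulting xen.efi that `.sbat` is listed by `objdump -h` with CONTENTS and a non-zero size and that dumping it yields the CSV, and state the check in the commit message; a short comment in the linker script explaining why the section is kept only in this branch and not under `#elif defined(XEN_BUILD_EFI)` would also help.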
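Review bot: adding `*(.sbat)` to DISCARD_EFI_SECTIONS in xen.lds.h is the right place to keep the blob out of the ELF xen-syms link, but the macro now consists of a single continuation line with no hint of why this section is EFI-only; a brief comment above the `#else` noting that .sbat is a PE/COFF convention read by the UEFI loader and has no meaning in the ELF image would save the next person from wondering whether it was lost from the EFI branch by mistake.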
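As an added illustration of the generation-based revocation the commit message describes (this is example code written here, not code from the patch, from Xen, or from shim): the check parses `component,generation,...` lines from a binary's .sbat data and compares them against a revocation list in the same format, rejecting the binary if any component it declares has a generation below the one the list requires. The header line is the one from the patch's sbat.csv; the `xen,1,...` vendor line and both revocation lists are constructed for the example and hypothetical. Shim's own implementation (SBAT.md) is the reference; this is a simplified model of the rule, and it also shows why a header-only .sbat can only ever be revoked through the global `sbat` generation.

```c
/* Simplified SBAT revocation check, written as an illustration of the
 * scheme described in the patch's commit message. Not Xen or shim code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SBAT_MAX_ENTRIES 32
#define SBAT_NAME_LEN 64

struct sbat_entry {
    char component[SBAT_NAME_LEN];
    unsigned long generation;
};

/* Parse "component,generation[,...]" lines into out[]; lines that do not
 * start with a name and a decimal generation are skipped. */
static size_t sbat_parse(const char *csv, struct sbat_entry *out, size_t max)
{
    size_t n = 0;
    const char *p = csv;

    while (*p && n < max) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *c1 = memchr(p, ',', len);

        if (c1 && c1 > p && (size_t)(c1 - p) < SBAT_NAME_LEN) {
            char *end;
            unsigned long gen = strtoul(c1 + 1, &end, 10);

            if (end != c1 + 1 && (*end == ',' || *end == '\n' || *end == '\0')) {
                memcpy(out[n].component, p, c1 - p);
                out[n].component[c1 - p] = '\0';
                out[n].generation = gen;
                n++;
            }
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return n;
}

static size_t sbat_count(const char *csv)
{
    struct sbat_entry tmp[SBAT_MAX_ENTRIES];
    return sbat_parse(csv, tmp, SBAT_MAX_ENTRIES);
}

/* Return 1 if the binary may be loaded, 0 if it is revoked. A component the
 * binary does not declare is never checked, which is why a vendor line
 * matters; a binary with no parseable entries is rejected here by choice. */
static int sbat_check(const char *binary_csv, const char *revoked_csv,
                      char *reason, size_t reason_len)
{
    struct sbat_entry bin[SBAT_MAX_ENTRIES], rev[SBAT_MAX_ENTRIES];
    size_t nb = sbat_parse(binary_csv, bin, SBAT_MAX_ENTRIES);
    size_t nr = sbat_parse(revoked_csv, rev, SBAT_MAX_ENTRIES);

    if (nb == 0) {
        snprintf(reason, reason_len, "no .sbat entries");
        return 0;
    }
    for (size_t i = 0; i < nr; i++)
        for (size_t j = 0; j < nb; j++)
            if (strcmp(rev[i].component, bin[j].component) == 0 &&
                bin[j].generation < rev[i].generation) {
                snprintf(reason, reason_len, "%s generation %lu < required %lu",
                         bin[j].component, bin[j].generation, rev[i].generation);
                return 0;
            }
    snprintf(reason, reason_len, "ok");
    return 1;
}

static int sbat_allowed(const char *binary_csv, const char *revoked_csv)
{
    char why[128];
    return sbat_check(binary_csv, revoked_csv, why, sizeof(why));
}

/* Constructed sample data: the header line from the patch's sbat.csv plus a
 * hypothetical xen vendor line that is NOT in the patch. */
static const char xen_sbat[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "xen,1,Xen Project,xen,4.20,https://xenproject.org/\n";
static const char header_only_sbat[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n";
/* Constructed, hypothetical revocation lists in the same CSV shape. */
static const char revoke_none[] = "sbat,1,2025010100\n";
static const char revoke_xen2[] = "sbat,1,2025010100\nxen,2\n";
static const char revoke_sbat2[] = "sbat,2,2025010100\n";

int main(void)
{
    char why[128];
    const char *names[] = { "xen vs none", "xen vs xen>=2",
                            "header-only vs xen>=2", "header-only vs sbat>=2" };
    const char *bins[] = { xen_sbat, xen_sbat, header_only_sbat, header_only_sbat };
    const char *revs[] = { revoke_none, revoke_xen2, revoke_xen2, revoke_sbat2 };

    for (size_t i = 0; i < 4; i++) {
        int ok = sbat_check(bins[i], revs[i], why, sizeof(why));
        printf("%-24s -> %s (%s)\n", names[i], ok ? "load" : "REJECT", why);
    }
    return 0;
}
```

The third case is the one the reviewer of sbat.csv should keep in mind: a binary that carries only the header line is unaffected by an `xen,2` revocation because it never claims to be Xen at all, and can only be refused once the global `sbat` generation is raised, which revokes every SBAT-bearing binary at that level, not just Xen.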