
[XEN PATCH v4] sbat: Add SBAT section to the Xen EFI binary



SBAT is a revocation scheme for UEFI SecureBoot, and is mandated by Microsoft
for signing.

The SBAT section provides a way for the binary to declare a generation
id for its upstream source and any vendor changes applied. A compatible
loader can then revoke vulnerable binaries by generation, using the
binary's declared generation id(s) to determine if it is safe to load.

More information about SBAT is available here:
https://github.com/rhboot/shim/blob/main/SBAT.md

Vendors should append a custom line onto sbat.csv(.in) with their vendor
specific sbat data.

Populate the SBAT section in the Xen binary by using the information
in xen/arch/x86/efi/sbat.sbat

Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>
Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
Tested-by: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>
---
Changed since v3:
 * Rebased patch onto 'staging' branch
 * Included an empty .note.GNU-stack section to sbat.o to fix linker warning
 * Discard .sbat section from ELF (non-EFI) build

Changed since v2:
 * Moved sbat files and rules to arch/x86/efi
 * Updated sbat rule to reuse existing objcopy command

Changed since v1:
 * Updated commit message to explain why SBAT is needed
 * Renamed sbat_data.o rule to sbat.o
 * Moved sbat.o rule into alphabetical order
 * Removed xen specific entry from sbat.csv (and rule for auto filling version)
   - The alternative of adding a "customise me" line would result in more
     overhead for anyone else building Xen, regardless of UEFI SecureBoot usage

diff --git a/xen/arch/x86/efi/Makefile b/xen/arch/x86/efi/Makefile
index c6678652fc98..530a76dc4f42 100644
--- a/xen/arch/x86/efi/Makefile
+++ b/xen/arch/x86/efi/Makefile
@@ -6,11 +6,19 @@ cmd_objcopy_o_ihex = $(OBJCOPY) -I ihex -O binary $< $@
 $(obj)/%.o: $(src)/%.ihex FORCE
        $(call if_changed,objcopy_o_ihex)
 
+$(obj)/sbat.o: OBJCOPYFLAGS := -I binary -O elf64-x86-64 \
+       --rename-section .data=.sbat,readonly,data,contents \
+       --add-section .note.GNU-stack=/dev/null
+$(obj)/sbat.o: $(src)/sbat.sbat FORCE
+       $(call if_changed,objcopy)
+
 $(obj)/boot.init.o: $(obj)/buildid.o
 
 $(call cc-option-add,cflags-stack-boundary,CC,-mpreferred-stack-boundary=4)
 $(addprefix $(obj)/,$(EFIOBJ-y) mbi2.init.o): CFLAGS_stack_boundary := 
$(cflags-stack-boundary)
 
+EFIOBJ-y += sbat.o
+
 obj-y := common-stub.o stub.o
 obj-$(XEN_BUILD_EFI) := $(filter-out %.init.o,$(EFIOBJ-y))
 obj-bin-$(XEN_BUILD_EFI) := $(filter %.init.o,$(EFIOBJ-y))
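Review bot: the new `$(obj)/sbat.o` rule takes its input only from the in-tree `$(src)/sbat.sbat`, so the "append a custom line" workflow from the commit message requires every vendor to patch a tracked source file rather than supplying an override (for example an optional file in the build directory or a make variable). If that is intended, the commit message should say so explicitly; otherwise consider a hook that lets the vendor line be provided without modifying the tree. The hardcoded `-O elf64-x86-64` is fine given the rule lives under arch/x86/efi, and recording `OBJCOPYFLAGS` as a target-specific variable means `if_changed` will correctly rebuild the object when those flags change.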
diff --git a/xen/arch/x86/efi/sbat.sbat b/xen/arch/x86/efi/sbat.sbat
new file mode 100644
index 000000000000..1f262b5f038b
--- /dev/null
+++ b/xen/arch/x86/efi/sbat.sbat
@@ -0,0 +1 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
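Review bot: the file added here is `sbat.sbat`, but the commit message tells vendors to append to "sbat.csv(.in)"; one of the two should be corrected so the instructions match the tree. Since this file carries only the SBAT header row and no `xen,...` component entry (the v1 changelog explains why), an unmodified build produces a `.sbat` section that declares no Xen generation at all, so nothing in it can be used to revoke a vulnerable Xen build until a vendor appends their line. That consequence is worth stating plainly in the commit message rather than leaving it implied.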
diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
index 53bafc98a536..a9240fa51a5e 100644
--- a/xen/arch/x86/xen.lds.S
+++ b/xen/arch/x86/xen.lds.S
@@ -343,6 +343,8 @@ SECTIONS
     *(.reloc)
     __base_relocs_end = .;
   }
+
+  .sbat (NOLOAD) : { *(.sbat) }
 #elif defined(XEN_BUILD_EFI)
   /*
    * Due to the way EFI support is currently implemented, these two symbols
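Review bot: `.sbat (NOLOAD) : { *(.sbat) }` deserves a short comment explaining the `NOLOAD` choice, since the neighbouring `.reloc` output section in the same branch is declared without it and the difference is not self-explanatory. The contents of this section must still be present in the PE file image for the loader to read and compare against its revocation list, so the comment should make clear that `NOLOAD` is only meant to keep the data out of the runtime mapping, not out of the file; a note in the commit message on how this was verified on the produced `xen.efi` would also help reviewers.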
diff --git a/xen/include/xen/xen.lds.h b/xen/include/xen/xen.lds.h
index 793d0e11450c..725ecae11893 100644
--- a/xen/include/xen/xen.lds.h
+++ b/xen/include/xen/xen.lds.h
@@ -99,7 +99,8 @@
        *(.comment.*) \
        *(.note.*)
 #else
-#define DISCARD_EFI_SECTIONS
+#define DISCARD_EFI_SECTIONS \
+       *(.sbat)
 #endif
 
 /* Sections to be discarded. */