EFI: Add support for .sbat signature revocations

This patch adds a new section, ".sbat", which allows for the revocation of signed binaries given a numeric value representing the set of bugs which allow for arbitrary code execution, and therefore a Secure Boot breakout, in a given family of binaries. In this case, the class is defined as "memtest86+", and the current set of bugs is 1. This doesn't imply that we're aware of bugs currently, merely that when we change it to 2, any bugs that /have/ been discovered have been fixed. Documentation for how SBAT works can be found at the following URLs: https://github.com/rhboot/shim/blob/main/SBAT.md https://github.com/rhboot/shim/blob/main/SBAT.example.md Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-06 12:33:01 -06:00 · 2022-03-30 15:16:31 -04:00 · 2022-03-30 15:16:31 -04:00 · 04980dfda3
commit 04980dfda3
parent d1014365c1
6 changed files with 43 additions and 3 deletions
--- a/boot/header.S
+++ b/boot/header.S
@ -90,7 +90,7 @@ coff_header:
 #else
 	.word	IMAGE_FILE_MACHINE_I386		# Machine (i386)
 #endif
-	.word	2				# NumberOfSections
+	.word	3				# NumberOfSections
 	.long	0 				# TimeDateStamp
 	.long	0				# PointerToSymbolTable
 	.long	0				# NumberOfSymbols
@ -118,14 +118,14 @@ optional_header:
 	.byte	0x14				# MinorLinkerVersion

 	.long	_text_size			# SizeOfCode
-	.long	0				# SizeOfInitializedData
+	.long	_sbat_size			# SizeOfInitializedData
 	.long	0				# SizeOfUninitializedData

 	.long	BASE_OF_CODE + 0x1e0		# AddressOfEntryPoint

 	.long	BASE_OF_CODE			# BaseOfCode
 #ifndef __x86_64__
-	.long	0				# BaseOfData
+	.long	_sbat_start			# BaseOfData
 #endif

 extra_header_fields:
@ -210,6 +210,22 @@ section_table:
 		| IMAGE_SCN_ALIGN_4BYTES	\
 		| IMAGE_SCN_CNT_INITIALIZED_DATA	# Characteristics (section flags)

+	.ascii	".sbat"
+	.byte	0
+	.byte	0
+	.byte	0
+	.long	_sbat_size			# VirtualSize
+	.long	_sbat_start			# VirtualAddress
+	.long	_sbat_size			# SizeOfRawData
+	.long	_sbat_start			# PointerToRawData
+	.long	0				# PointerToRelocations
+	.long	0				# PointerToLineNumbers
+	.word	0				# NumberOfRelocations
+	.word	0				# NumberOfLineNumbers
+	.long	IMAGE_SCN_MEM_READ		\
+		| IMAGE_SCN_ALIGN_4096BYTES	\
+		| IMAGE_SCN_CNT_INITIALIZED_DATA	# Characteristics (section flags)
+
 # Emulate the Linux boot header, to allow loading by intermediate boot loaders.

 	.org	497
@ -235,3 +251,6 @@ end_of_headers:
 	.long	0					// Page RVA
 	.long	10					// Block Size (2*4+2)
 	.word	(IMAGE_REL_AMD64_ABSOLUTE<<12) + 0	// reloc 0 -> 0
+
+.section ".sbat", "a", @progbits
+.incbin "../boot/sbat.csv"
--- a/boot/sbat.csv
+++ b/boot/sbat.csv
@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+memtest86+,1,Memtest86+,6.0,https://github.com/memtest86plus
--- a/build32/Makefile
+++ b/build32/Makefile
@ -75,6 +75,7 @@ all: memtest.bin memtest.efi
 -include $(subst .o,.d,$(TST_OBJS))
 -include $(subst .o,.d,$(APP_OBJS))

+boot/header.o : | ../boot/sbat.csv

 boot/startup.o: ../boot/startup32.S ../boot/boot.h
 	@mkdir -p boot
--- a/build32/ldscripts/memtest_efi.lds
+++ b/build32/ldscripts/memtest_efi.lds
@ -23,6 +23,13 @@ SECTIONS {
 		*(.reloc)
 		_reloc_end = . ;
 	}
+	. = ALIGN(512);
+	.sbat : {
+		_sbat_start = . ;
+		*(.sbat)
+		. = ALIGN(512);
+		_sbat_end = . ;
+	}
 	. = ALIGN(4096);
 	_img_end = . ;
 	/DISCARD/ : { *(*) }
@ -30,6 +37,7 @@ SECTIONS {
 	_text_size = (_text_end  - _text_start);

 	_reloc_size = (_reloc_end - _reloc_start);
+	_sbat_size = (_sbat_end - _sbat_start);
 	_sys_size  = _text_size >> 4;
 	_init_size = _text_size + _bss_size;
 }
--- a/build64/Makefile
+++ b/build64/Makefile
@ -74,6 +74,8 @@ all: memtest.bin memtest.efi
 -include $(subst .o,.d,$(TST_OBJS))
 -include $(subst .o,.d,$(APP_OBJS))

+boot/header.o : | ../boot/sbat.csv
+
 boot/startup.o: ../boot/startup64.S ../boot/boot.h
 	@mkdir -p boot
 	$(CC) -x assembler-with-cpp -c -I../boot -o $@ $<
--- a/build64/ldscripts/memtest_efi.lds
+++ b/build64/ldscripts/memtest_efi.lds
@ -23,6 +23,13 @@ SECTIONS {
 		*(.reloc)
 		_reloc_end = . ;
 	}
+	. = ALIGN(512);
+	.sbat : {
+		_sbat_start = . ;
+		*(.sbat)
+		. = ALIGN(512);
+		_sbat_end = . ;
+	}
 	. = ALIGN(4096);
 	_img_end = . ;
 	/DISCARD/ : { *(*) }
@ -30,6 +37,7 @@ SECTIONS {
 	_text_size = (_text_end  - _text_start);

 	_reloc_size = (_reloc_end - _reloc_start);
+	_sbat_size = (_sbat_end - _sbat_start);
 	_sys_size  = _text_size >> 4;
 	_init_size = _text_size + _bss_size;
 }