sbat: make shim to parse it's own .sbat section on init

This is needed for shim to verify itself when booting, to make sure that shim binaries can't be executed anymore after been revoked by SBAT. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2025-08-03 15:27:15 +00:00 · 2021-02-17 14:03:48 +01:00 · 2021-02-17 14:03:48 +01:00 · 8e34030ba5
commit 8e34030ba5
parent 1919b566b0
4 changed files with 21 additions and 1 deletions
--- a/include/pe.h
+++ b/include/pe.h
@ -14,6 +14,9 @@ EFI_STATUS
 read_header(void *data, unsigned int datasize,
 	    PE_COFF_LOADER_IMAGE_CONTEXT *context);

+EFI_STATUS
+handle_sbat(char *SBATBase, size_t SBATSize);
+
 EFI_STATUS
 handle_image (void *data, unsigned int datasize,
 	      EFI_LOADED_IMAGE *li,
--- a/include/sbat.h
+++ b/include/sbat.h
@ -6,6 +6,8 @@
 #ifndef SBAT_H_
 #define SBAT_H_

+extern UINTN _sbat, _esbat;
+
 struct sbat_var {
 	const CHAR8 *component_name;
 	const CHAR8 *component_generation;
--- a/pe.c
+++ b/pe.c
@ -823,7 +823,7 @@ read_header(void *data, unsigned int datasize,
 	return EFI_SUCCESS;
 }

-static EFI_STATUS
+EFI_STATUS
 handle_sbat(char *SBATBase, size_t SBATSize)
 {
 	unsigned int i;
--- a/shim.c
+++ b/shim.c
@ -1858,12 +1858,14 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 		L"import_mok_state() failed",
 		L"shim_init() failed",
 		L"import of SBAT data failed",
+		L"SBAT self-check failed",
 		NULL
 	};
 	enum {
 		IMPORT_MOK_STATE,
 		SHIM_INIT,
 		IMPORT_SBAT,
+		SBAT_SELF_CHECK,
 	} msg = IMPORT_MOK_STATE;

 	/*
@ -1908,6 +1910,19 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 		goto die;
 	}

+	if (secure_mode ()) {
+		char *sbat_start = (char *)&_sbat;
+		char *sbat_end = (char *)&_esbat;
+
+		efi_status = handle_sbat(sbat_start, sbat_end - sbat_start);
+		if (EFI_ERROR(efi_status)) {
+			perror(L"Verifiying shim SBAT data failed: %r\n",
+			       efi_status);
+			msg = SBAT_SELF_CHECK;;
+			goto die;
+		}
+	}
+
 	init_openssl();

 	/*