From 8e34030ba544b4583c87e070d1a1e0e6b9ff5d60 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas
Date: Wed, 17 Feb 2021 14:03:48 +0100
Subject: [PATCH] sbat: make shim to parse it's own .sbat section on init

This is needed for shim to verify itself when booting, to make sure that shim binaries can't be executed anymore after been revoked by SBAT.

Signed-off-by: Javier Martinez Canillas
---
 include/pe.h | 3 +++
 include/sbat.h | 2 ++
 pe.c | 2 +-
 shim.c | 15 +++++++++++++++
 4 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/include/pe.h b/include/pe.h
index 7f2236e..79bf440 100644
--- a/include/pe.h
+++ b/include/pe.h
@@ -14,6 +14,9 @@ EFI_STATUS
 read_header(void *data, unsigned int datasize,
 PE_COFF_LOADER_IMAGE_CONTEXT *context);
 
+EFI_STATUS
+handle_sbat(char *SBATBase, size_t SBATSize);
+
 EFI_STATUS
 handle_image (void *data, unsigned int datasize,
 EFI_LOADED_IMAGE *li,
diff --git a/include/sbat.h b/include/sbat.h
index 9230b58..ffde202 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -6,6 +6,8 @@
 #ifndef SBAT_H_
 #define SBAT_H_
 
+extern UINTN _sbat, _esbat;
+
 struct sbat_var {
 const CHAR8 *component_name;
 const CHAR8 *component_generation;
diff --git a/pe.c b/pe.c
index d9c65a6..d1c105e 100644
--- a/pe.c
+++ b/pe.c
@@ -823,7 +823,7 @@ read_header(void *data, unsigned int datasize,
 return EFI_SUCCESS;
 }
 
-static EFI_STATUS
+EFI_STATUS
 handle_sbat(char *SBATBase, size_t SBATSize)
 {
 unsigned int i;
diff --git a/shim.c b/shim.c
index 749b6ec..765c925 100644
--- a/shim.c
+++ b/shim.c
@@ -1858,12 +1858,14 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 L"import_mok_state() failed",
 L"shim_init() failed",
 L"import of SBAT data failed",
+ L"SBAT self-check failed",
 NULL
 };
 enum {
 IMPORT_MOK_STATE,
 SHIM_INIT,
 IMPORT_SBAT,
+ SBAT_SELF_CHECK,
 } msg = IMPORT_MOK_STATE;
 
 /*
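Review bot: The new `extern UINTN _sbat, _esbat;` declares what look like linker-provided boundary symbols for shim's own .sbat section, but nothing at the declaration says so and the names do not explain themselves; add a comment such as `/* Bounds of shim's own .sbat section (presumably defined by the linker script); only their addresses, &_sbat and &_esbat, are meaningful — never their values. */`. The declared type is arbitrary because shim.c only takes the address of each symbol, and a reader who dereferences `_sbat` as a UINTN is unlikely to get anything meaningful. File-scope identifiers starting with an underscore are reserved by the C standard; since the names are dictated by the linker script this is worth stating in the comment rather than renaming here.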
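Review bot: The new `L"SBAT self-check failed"` entry and the `SBAT_SELF_CHECK` enumerator extend two parallel lists that are kept in positional lock-step with nothing tying them together; a comment on the array, e.g. `/* Indexed by the enum below; keep both lists in the same order. */`, would stop the next addition from landing in one list but not the other. The `msg = IMPORT_MOK_STATE` initialiser suggests the enumerator is used as an index into this array, but that use is outside the hunk. efi_main begins before and continues after this hunk.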
@@ -1908,6 +1910,19 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 goto die;
 }
 
+ if (secure_mode ()) {
+ char *sbat_start = (char *)&_sbat;
+ char *sbat_end = (char *)&_esbat;
+
+ efi_status = handle_sbat(sbat_start, sbat_end - sbat_start);
+ if (EFI_ERROR(efi_status)) {
+ perror(L"Verifiying shim SBAT data failed: %r\n",
+ efi_status);
+ msg = SBAT_SELF_CHECK;;
+ goto die;
+ }
+ }
+
 init_openssl();
 
 /*
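Review bot: The length handed to handle_sbat() is `sbat_end - sbat_start` converted to size_t with no sanity check, so if `_esbat` ever resolved below `_sbat` the negative difference would become an enormous length and handle_sbat() could read far past the end of the image; I would guard it, `size_t sbat_size = sbat_end > sbat_start ? (size_t)(sbat_end - sbat_start) : 0;` and pass `sbat_size`, so an inverted or empty section fails the self-check instead (assuming handle_sbat rejects a zero-length buffer — its body is not in this hunk). Two cosmetic points in the same block: the perror text misspells "Verifying" (`L"Verifying shim SBAT data failed: %r\n"`) and `msg = SBAT_SELF_CHECK;;` carries a doubled semicolon. The check is skipped when secure_mode() is false, presumably because a revoked shim only matters when it is being trusted; a one-line comment saying so would save the next reader from wondering whether the gating was an oversight. efi_main continues outside the hunk.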