efi bins: add an easy way for vendors to add .sbat data

In cases where we accept vendor shim binaries with additional patches,
it may become necessary to identify those builds with additional SBAT
data.  When we consider such patches, we should be proactive in asking
vendors to include that data in the .sbat sections of their trusted EFI
binaries.

This patch adds any data in data/sbat.*.csv (after a quick sanitizing
pass) after data/sbat.csv in the .sbat section, so that no changes to
the upstream data/sbat.csv are ever required.

Signed-off-by: Peter Jones <pjones@redhat.com>

.gitignore

@@ -27,3 +27,4 @@ shim_cert.h
 version.c
 cov-int/
 scan-results/
+/sbat.*.csv

BUILDING

@@ -60,4 +60,10 @@ Variables you could set to customize the build:
   This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
   By default this is the same value as EFIDIR .
 
+Vendor SBAT data:
+It will sometimes be requested by reviewers that a build includes extra
+.sbat data.  The mechanism to do so is to add a CSV file in data/ with the
+name sbat.FOO.csv, where foo is your EFI subdirectory name.  The build
+system will automatically include any such files.
+
 # vim:filetype=mail:tw=74

Make.defaults

@@ -2,6 +2,8 @@ COMPILER	?= gcc
 CC		= $(CROSS_COMPILE)$(COMPILER)
 LD		= $(CROSS_COMPILE)ld
 OBJCOPY		= $(CROSS_COMPILE)objcopy
+DOS2UNIX	?= dos2unix
+D2UFLAGS	?= -r -l -F -f -n
 OPENSSL		?= openssl
 HEXDUMP		?= hexdump
 INSTALL		?= install
@@ -22,7 +24,6 @@ DEBUGSOURCE	?= $(prefix)/src/debug/
 OSLABEL		?= $(EFIDIR)
 DEFAULT_LOADER	?= \\\\grub$(ARCH_SUFFIX).efi
 DASHJ		?= -j$(shell echo $$(($$(grep -c "^model name" /proc/cpuinfo) + 1)))
-SBATPATH	?= data/sbat.csv
 
 ARCH		?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
 OBJCOPY_GTE224	= $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)

Make.rules

@@ -1,3 +1,8 @@
 define get-config
 $(shell git config --local --get "shim.$(1)")
 endef
+
+define add-vendor-sbat
+$(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
+
+endef

Makefile

@@ -40,6 +40,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat.o
 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
 FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat.o
 ORIG_FALLBACK_SRCS = fallback.c
+SBATPATH = data/sbat.csv
 
 ifneq ($(origin ENABLE_HTTPBOOT), undefined)
 	OBJS += httpboot.o
@@ -84,9 +85,17 @@ shim.o: $(wildcard $(TOPDIR)/*.h)
 cert.o : $(TOPDIR)/cert.S
 	$(CC) $(CFLAGS) -c -o $@ $<
 
+sbat.%.csv : data/sbat.%.csv
+	$(DOS2UNIX) $(D2UFLAGS) $< $@
+	tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat.o : | $(SBATPATH) $(VENDOR_SBATS)
 sbat.o : $(TOPDIR)/sbat.c
 	$(CC) $(CFLAGS) -c -o $@ $<
 	$(OBJCOPY) --add-section .sbat=$(SBATPATH) $@
+	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
 
 $(SHIMNAME) : $(SHIMSONAME)
 $(MMNAME) : $(MMSONAME)

elf_aarch64_efi.lds

@@ -62,6 +62,7 @@ SECTIONS
   {
     _sbat = .;
     *(.sbat)
+    *(.sbat.*)
     _esbat = .;
   }
   . = ALIGN(4096);

elf_arm_efi.lds

@@ -60,6 +60,7 @@ SECTIONS
   {
     _sbat = .;
     *(.sbat)
+    *(.sbat.*)
     _esbat = .;
   }
   . = ALIGN(4096);

elf_ia32_efi.lds

@@ -58,6 +58,7 @@ SECTIONS
   {
     _sbat = .;
     *(.sbat)
+    *(.sbat.*)
     _esbat = .;
   }
   . = ALIGN(4096);

elf_ia64_efi.lds

@@ -60,6 +60,7 @@ SECTIONS
   {
     _sbat = .;
     *(.sbat)
+    *(.sbat.*)
     _esbat = .;
   }
   . = ALIGN(4096);

elf_x86_64_efi.lds

@@ -63,6 +63,7 @@ SECTIONS
   {
     _sbat = .;
     *(.sbat)
+    *(.sbat.*)
     _esbat = .;
   }
   . = ALIGN(4096);