diff --git a/.gitignore b/.gitignore
index 312a0e3..f4618b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ shim_cert.h
 version.c
 cov-int/
 scan-results/
+/sbat.*.csv
diff --git a/BUILDING b/BUILDING
index fb27821..4b58203 100644
--- a/BUILDING
+++ b/BUILDING
@@ -60,4 +60,10 @@ Variables you could set to customize the build:
 This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS. By default this is the same value as EFIDIR .
+Vendor SBAT data:
+It will sometimes be requested by reviewers that a build includes extra
+.sbat data. The mechanism to do so is to add a CSV file in data/ with the
+name sbat.FOO.csv, where foo is your EFI subdirectory name. The build
+system will automatically include any such files.
+
 # vim:filetype=mail:tw=74
diff --git a/Make.defaults b/Make.defaults
index 10e1ad5..8bfcf7e 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -2,6 +2,8 @@ COMPILER ?= gcc
 CC = $(CROSS_COMPILE)$(COMPILER)
 LD = $(CROSS_COMPILE)ld
 OBJCOPY = $(CROSS_COMPILE)objcopy
+DOS2UNIX ?= dos2unix
+D2UFLAGS ?= -r -l -F -f -n
 OPENSSL ?= openssl
 HEXDUMP ?= hexdump
 INSTALL ?= install
@@ -22,7 +24,6 @@ DEBUGSOURCE ?= $(prefix)/src/debug/
 OSLABEL ?= $(EFIDIR)
 DEFAULT_LOADER ?= \\\\grub$(ARCH_SUFFIX).efi
 DASHJ ?= -j$(shell echo $$(($$(grep -c "^model name" /proc/cpuinfo) + 1)))
-SBATPATH ?= data/sbat.csv
 ARCH ?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
 OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)
diff --git a/Make.rules b/Make.rules
index 2f1d4a7..e4e31ff 100644
--- a/Make.rules
+++ b/Make.rules
@@ -1,3 +1,8 @@
 define get-config
 $(shell git config --local --get "shim.$(1)")
 endef
+
+define add-vendor-sbat
+$(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
+
+endef
diff --git a/Makefile b/Makefile
index 63867f9..45d57fc 100644
--- a/Makefile
+++ b/Makefile
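Review bot: `D2UFLAGS ?= -r -l -F -f -n` includes `-l`, which as I read the dos2unix manual is --newline and converts each CRLF into two LFs, so a vendor CSV saved with DOS line endings would come out of the Makefile's sbat.%.csv rule with an empty line after every row. If that doubling is not intended, `D2UFLAGS ?= -r -F -f -n` is enough, and the trailing-newline step in that recipe still covers the missing-newline-at-EOF case. The other flags are undocumented here; a comment such as `# strip BOM, follow symlinks, force, new-file mode (in out)` above the line would spare the next reader a trip to the man page.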
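Review bot: `add-vendor-sbat` has no comment explaining its two arguments or why the define ends with a blank line, and both matter: `$(1)` is a vendor file name of the form sbat.FOO.csv that the patsubst turns into the section name `.sbat.FOO`, `$(2)` is the object to patch, and the trailing blank line appears to be what makes each expansion of the `$(foreach …)` in the Makefile's sbat.o recipe land on its own command line instead of being joined to the previous one. I'd add above the define `# $(1): vendor CSV sbat.FOO.csv, embedded as section .sbat.FOO of object $(2).` and `# Keep the trailing blank line: each $(call) in a recipe must be a separate command.` Since the section name and path are built from the file name unquoted by the shell, a vendor file whose name contains whitespace or shell metacharacters would break the command; the Makefile's wildcard is the only thing constraining those names, so a note on the expected naming would be useful.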
@@ -40,6 +40,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat.o
 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
 FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat.o
 ORIG_FALLBACK_SRCS = fallback.c
+SBATPATH = data/sbat.csv
 ifneq ($(origin ENABLE_HTTPBOOT), undefined)
 OBJS += httpboot.o
@@ -84,9 +85,17 @@ shim.o: $(wildcard $(TOPDIR)/*.h)
 cert.o : $(TOPDIR)/cert.S
 $(CC) $(CFLAGS) -c -o $@ $<
+sbat.%.csv : data/sbat.%.csv
+ $(DOS2UNIX) $(D2UFLAGS) $< $@
+ tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat.o : | $(SBATPATH) $(VENDOR_SBATS)
 sbat.o : $(TOPDIR)/sbat.c
 $(CC) $(CFLAGS) -c -o $@ $<
 $(OBJCOPY) --add-section .sbat=$(SBATPATH) $@
+ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
 $(SHIMNAME) : $(SHIMSONAME)
 $(MMNAME) : $(MMSONAME)
diff --git a/elf_aarch64_efi.lds b/elf_aarch64_efi.lds
index 48ba8ba..dfa16e8 100644
--- a/elf_aarch64_efi.lds
+++ b/elf_aarch64_efi.lds
@@ -62,6 +62,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_arm_efi.lds b/elf_arm_efi.lds
index 7d69948..55abd31 100644
--- a/elf_arm_efi.lds
+++ b/elf_arm_efi.lds
@@ -60,6 +60,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
index 043a358..54cd3fb 100644
--- a/elf_ia32_efi.lds
+++ b/elf_ia32_efi.lds
@@ -58,6 +58,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_ia64_efi.lds b/elf_ia64_efi.lds
index ce2e34c..ae10149 100644
--- a/elf_ia64_efi.lds
+++ b/elf_ia64_efi.lds
@@ -60,6 +60,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds
index 3e1f138..af3a071 100644
--- a/elf_x86_64_efi.lds
+++ b/elf_x86_64_efi.lds
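Review bot: `SBATPATH = data/sbat.csv` replaces the `SBATPATH ?= data/sbat.csv` that this commit removes from Make.defaults, and the flavour change is a behaviour change: `?=` honoured an exported SBATPATH in the environment, whereas a plain `=` in the Makefile overrides the environment, so a packager who sets it that way now silently builds with the in-tree file (a command-line `make SBATPATH=…` still wins). If shutting out environment overrides is the intent, a one-line comment saying so would help; otherwise `SBATPATH ?= data/sbat.csv` keeps the old contract.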
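Review bot: `sbat.o : | $(SBATPATH) $(VENDOR_SBATS)` lists the CSVs as order-only prerequisites, so editing data/sbat.csv or a vendor CSV after the first build never rebuilds sbat.o and the image keeps the stale .sbat payload, which for revocation metadata is exactly the kind of drift worth catching at build time. Listing them on the real rule keeps `$<` pointing at the C file and restores the dependency: `sbat.o : $(TOPDIR)/sbat.c $(SBATPATH) $(VENDOR_SBATS)`. Separately, only the vendor files go through the dos2unix pass and the trailing-newline check, while $(SBATPATH) is attached raw by the `--add-section .sbat=$(SBATPATH)` line; if data/sbat.csv ends without a newline, the first vendor row will presumably be glued onto its last line once the linker scripts place `.sbat.*` directly after `.sbat`. Routing SBATPATH through the same normalisation, or at least noting the requirement in a comment on that line, would close the gap.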
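Review bot: The new `*(.sbat.*)` input-section line carries no comment, yet it changes what lies between `_sbat` and `_esbat`: vendor CSV sections are now concatenated directly after the main `.sbat` data, so the region is presumably only a well-formed CSV if every input section ends in a newline (the Makefile's sbat.%.csv rule enforces that for vendor files, but not for data/sbat.csv itself). I'd add `/* vendor SBAT rows (.sbat.FOO from data/sbat.FOO.csv) follow the main CSV; each must end in a newline */` above the line. The same hunk appears in elf_arm_efi.lds, elf_ia32_efi.lds, elf_ia64_efi.lds and elf_x86_64_efi.lds.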
@@ -63,6 +63,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);