From dd70785953590a0af629f7db85faba8019e85c6f Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 12 Feb 2021 12:41:41 -0500 Subject: [PATCH] efi bins: add an easy way for vendors to add .sbat data In cases where we accept vendor shim binaries with additional patches, it may become necessary to identify those builds with additional SBAT data. When we consider such patches, we should be proactive in asking vendors to include that data in the .sbat sections of their trusted EFI binaries. This patch adds any data in data/sbat.*.csv (after a quick sanitizing pass) after data/sbat.csv in the .sbat section, so that no changes to the upstream data/sbat.csv are ever required. Signed-off-by: Peter Jones
---
 .gitignore | 1 +
 BUILDING | 6 ++++++
 Make.defaults | 3 ++-
 Make.rules | 5 +++++
 Makefile | 9 +++++++++
 elf_aarch64_efi.lds | 1 +
 elf_arm_efi.lds | 1 +
 elf_ia32_efi.lds | 1 +
 elf_ia64_efi.lds | 1 +
 elf_x86_64_efi.lds | 1 +
 10 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 312a0e3..f4618b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ shim_cert.h
 version.c
 cov-int/
 scan-results/
+/sbat.*.csv
diff --git a/BUILDING b/BUILDING
index fb27821..4b58203 100644
--- a/BUILDING
+++ b/BUILDING
@@ -60,4 +60,10 @@ Variables you could set to customize the build:
 This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
 By default this is the same value as EFIDIR .
+Vendor SBAT data:
+It will sometimes be requested by reviewers that a build includes extra
+.sbat data. The mechanism to do so is to add a CSV file in data/ with the
+name sbat.FOO.csv, where foo is your EFI subdirectory name. The build
+system will automatically include any such files.
+
 # vim:filetype=mail:tw=74
diff --git a/Make.defaults b/Make.defaults
index 10e1ad5..8bfcf7e 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -2,6 +2,8 @@ COMPILER ?= gcc
 CC = $(CROSS_COMPILE)$(COMPILER)
 LD = $(CROSS_COMPILE)ld
 OBJCOPY = $(CROSS_COMPILE)objcopy
+DOS2UNIX ?= dos2unix
+D2UFLAGS ?= -r -l -F -f -n
 OPENSSL ?= openssl
 HEXDUMP ?= hexdump
 INSTALL ?= install
@@ -22,7 +24,6 @@ DEBUGSOURCE ?= $(prefix)/src/debug/
 OSLABEL ?= $(EFIDIR)
 DEFAULT_LOADER ?= \\\\grub$(ARCH_SUFFIX).efi
 DASHJ ?= -j$(shell echo $$(($$(grep -c "^model name" /proc/cpuinfo) + 1)))
-SBATPATH ?= data/sbat.csv
 ARCH ?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
 OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)
diff --git a/Make.rules b/Make.rules
index 2f1d4a7..e4e31ff 100644
--- a/Make.rules
+++ b/Make.rules
@@ -1,3 +1,8 @@
 define get-config
 $(shell git config --local --get "shim.$(1)")
 endef
+
+define add-vendor-sbat
+$(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
+
+endef
diff --git a/Makefile b/Makefile
index 63867f9..45d57fc 100644
--- a/Makefile
+++ b/Makefile
@@ -40,6 +40,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat.o
 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
 FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat.o
 ORIG_FALLBACK_SRCS = fallback.c
+SBATPATH = data/sbat.csv
 ifneq ($(origin ENABLE_HTTPBOOT), undefined)
 OBJS += httpboot.o
@@ -84,9 +85,17 @@ shim.o: $(wildcard $(TOPDIR)/*.h)
 cert.o : $(TOPDIR)/cert.S
 	$(CC) $(CFLAGS) -c -o $@ $<
+sbat.%.csv : data/sbat.%.csv
+	$(DOS2UNIX) $(D2UFLAGS) $< $@
+	tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat.o : | $(SBATPATH) $(VENDOR_SBATS)
 sbat.o : $(TOPDIR)/sbat.c
 	$(CC) $(CFLAGS) -c -o $@ $<
 	$(OBJCOPY) --add-section .sbat=$(SBATPATH) $@
+	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
 $(SHIMNAME) : $(SHIMSONAME)
 $(MMNAME) : $(MMSONAME)
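Review bot: `D2UFLAGS ?= -r -l -F -f -n` includes `-l`, which — if I read the dos2unix man page correctly (`--newline`, "add additional newline") — converts every CRLF into two LF rather than one, so a vendor CSV saved with DOS line endings would come out double-spaced with an empty record between SBAT rows. For a pass whose stated purpose is sanitising, the flag set probably wants to be `D2UFLAGS ?= -r -F -f -n`. Either way a short comment documenting the flags would help, since they rewrite security-relevant data: `# -r: drop BOM, -F: follow symlinks, -f: convert even if 'binary', -n: write $@ instead of editing in place`.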
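Review bot: The blank line between the `$(OBJCOPY)` line and `endef` in `add-vendor-sbat` looks deliberate — presumably so that each `$(call)` made from a `$(foreach)` in the sbat.o recipe ends with its own newline and runs as a separate command — but nothing says so, and it is exactly the kind of whitespace a later cleanup removes. I'd put a comment above the define: `# Add file $(1) to object $(2) as section .NAME, NAME being the file name minus .csv; the trailing blank line is intentional so chained $(call)s expand to separate recipe lines.` It is also worth stating there that the section name is derived purely from the file name, which is what the `*(.sbat.*)` input rule in the linker scripts relies on.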
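Review bot: `SBATPATH = data/sbat.csv` replaces the `SBATPATH ?=` default that this commit removes from Make.defaults, so an `SBATPATH` exported in the environment is now ignored (a command-line `make SBATPATH=…` still overrides). If pinning the SBAT source is intended — reasonable for something that ends up in a signed binary — say so in a one-line comment, e.g. `# deliberately not ?=: the .sbat payload of a build should not depend on the environment`; otherwise keep `?=`.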
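Review bot: `sbat.o : | $(SBATPATH) $(VENDOR_SBATS)` lists the CSV inputs as order-only prerequisites, so a later edit to data/sbat.csv or a vendor sbat.*.csv does not make sbat.o out of date and an incremental build ships the previous .sbat content — for SBAT that means a bumped generation number can silently fail to reach the binary. Making them normal prerequisites keeps `$<` pointing at sbat.c as long as sbat.c is listed first: `sbat.o : $(TOPDIR)/sbat.c $(SBATPATH) $(VENDOR_SBATS)`. Separately, the "sanitizing pass" in the `sbat.%.csv` rule is only line-ending normalisation plus a trailing newline; nothing checks that each vendor row is a well-formed SBAT record (expected comma-separated field count, no blank lines), so a malformed vendor file is embedded as-is. A small check in that recipe, or at least a comment stating that vendors are trusted to supply valid CSV, would make the trust boundary explicit.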
diff --git a/elf_aarch64_efi.lds b/elf_aarch64_efi.lds
index 48ba8ba..dfa16e8 100644
--- a/elf_aarch64_efi.lds
+++ b/elf_aarch64_efi.lds
@@ -62,6 +62,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_arm_efi.lds b/elf_arm_efi.lds
index 7d69948..55abd31 100644
--- a/elf_arm_efi.lds
+++ b/elf_arm_efi.lds
@@ -60,6 +60,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
index 043a358..54cd3fb 100644
--- a/elf_ia32_efi.lds
+++ b/elf_ia32_efi.lds
@@ -58,6 +58,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_ia64_efi.lds b/elf_ia64_efi.lds
index ce2e34c..ae10149 100644
--- a/elf_ia64_efi.lds
+++ b/elf_ia64_efi.lds
@@ -60,6 +60,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds
index 3e1f138..af3a071 100644
--- a/elf_x86_64_efi.lds
+++ b/elf_x86_64_efi.lds
@@ -63,6 +63,7 @@ SECTIONS
 {
 _sbat = .;
 *(.sbat)
+ *(.sbat.*)
 _esbat = .;
 }
 . = ALIGN(4096);
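Review bot: With `*(.sbat.*)` placed directly after `*(.sbat)`, the linker concatenates the input sections byte for byte with no separator, so the first vendor row only starts on its own line if data/sbat.csv itself ends in a newline; the trailing-newline fix in the Makefile (`tail -c1 … || echo >> $@`) runs only on the vendor copies, not on `$(SBATPATH)`. Either apply the same guarantee to the upstream file or document the requirement next to this rule: `/* vendor .sbat.* data is appended with no separator; sbat.csv must end in a newline */`. The order of the vendor sections inside the output section appears to follow the order objcopy added them, i.e. the `$(wildcard data/sbat.*.csv)` order — if byte-for-byte reproducibility of the signed image matters, wrapping that list in `$(sort …)` is cheap insurance. This applies identically to all five linker scripts in the commit.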