nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0474-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Peter Jones <pjones@redhat.com>
9723a8
Date: Mon, 15 Feb 2021 17:07:00 +0100
9723a8
Subject: [PATCH] util/mkimage: Add an option to import SBAT metadata into a
9723a8
 .sbat section
9723a8
9723a8
Add a --sbat option to the grub-mkimage tool which allows us to import
9723a8
an SBAT metadata formatted as a CSV file into a .sbat section of the
9723a8
EFI binary.
9723a8
9723a8
Signed-off-by: Peter Jones <pjones@redhat.com>
9723a8
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
3efed6
 util/grub-install-common.c  |  2 +-
9723a8
 util/grub-mkimage.c         | 15 ++++++++++++++-
9723a8
 util/mkimage.c              | 43 ++++++++++++++++++++++++++++++++++++-------
9723a8
 include/grub/util/install.h |  3 ++-
9723a8
 include/grub/util/mkimage.h |  1 +
3efed6
 docs/grub.texi              | 19 +++++++++++++++++++
3efed6
 6 files changed, 73 insertions(+), 10 deletions(-)
9723a8
9723a8
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
3efed6
index fa6b65347ea..fde4ca7fc8c 100644
9723a8
--- a/util/grub-install-common.c
9723a8
+++ b/util/grub-install-common.c
3efed6
@@ -537,7 +537,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
3efed6
 			       pubkeys, npubkeys,
3efed6
 			       x509keys, nx509keys,
3efed6
 			       config_path, tgt,
3efed6
-			       note, appsig_size, compression, dtb);
3efed6
+			       note, appsig_size, compression, dtb, NULL);
9723a8
   while (dc--)
9723a8
     grub_install_pop_module ();
9723a8
 }
9723a8
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
3efed6
index 394d2dc5fc9..17a86261ffc 100644
9723a8
--- a/util/grub-mkimage.c
9723a8
+++ b/util/grub-mkimage.c
3efed6
@@ -82,6 +82,7 @@ static struct argp_option options[] = {
9723a8
   {"output",  'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
9723a8
   {"format",  'O', N_("FORMAT"), 0, 0, 0},
9723a8
   {"compression",  'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0},
9723a8
+  {"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0},
9723a8
   {"verbose",     'v', 0,      0, N_("print verbose messages."), 0},
3efed6
   {"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
9723a8
   { 0, 0, 0, 0, 0, 0 }
3efed6
@@ -127,6 +128,7 @@ struct arguments
3efed6
   size_t nx509keys;
9723a8
   char *font;
9723a8
   char *config;
9723a8
+  char *sbat;
9723a8
   int note;
3efed6
   size_t appsig_size;
9723a8
   const struct grub_install_image_target_desc *image_target;
3efed6
@@ -244,6 +246,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
9723a8
       arguments->prefix = xstrdup (arg);
9723a8
       break;
9723a8
 
9723a8
+    case 's':
9723a8
+      if (arguments->sbat)
9723a8
+	free (arguments->sbat);
9723a8
+
9723a8
+      arguments->sbat = xstrdup (arg);
9723a8
+      break;
9723a8
+
9723a8
     case 'v':
9723a8
       verbosity++;
9723a8
       break;
3efed6
@@ -331,7 +340,8 @@ main (int argc, char *argv[])
3efed6
 			       arguments.nx509keys, arguments.config,
9723a8
 			       arguments.image_target, arguments.note,
3efed6
 			       arguments.appsig_size,
9723a8
-			       arguments.comp, arguments.dtb);
9723a8
+			       arguments.comp, arguments.dtb,
3efed6
+			       arguments.sbat);
9723a8
 
9723a8
   grub_util_file_sync  (fp);
9723a8
   fclose (fp);
3efed6
@@ -346,5 +356,8 @@ main (int argc, char *argv[])
9723a8
   if (arguments.output)
9723a8
     free (arguments.output);
9723a8
 
9723a8
+  if (arguments.sbat)
9723a8
+    free (arguments.sbat);
9723a8
+
9723a8
   return 0;
9723a8
 }
9723a8
diff --git a/util/mkimage.c b/util/mkimage.c
3efed6
index 0f5ae2a76f2..16418e245d3 100644
9723a8
--- a/util/mkimage.c
9723a8
+++ b/util/mkimage.c
3efed6
@@ -826,12 +826,13 @@ grub_install_generate_image (const char *dir, const char *prefix,
3efed6
 			     char **x509key_paths, size_t nx509keys,
3efed6
 			     char *config_path,
9723a8
 			     const struct grub_install_image_target_desc *image_target,
3efed6
-			     int note, size_t appsig_size, grub_compression_t comp, const char *dtb_path)
3efed6
+			     int note, size_t appsig_size, grub_compression_t comp,
3efed6
+			     const char *dtb_path, const char *sbat_path)
9723a8
 {
9723a8
   char *kernel_img, *core_img;
9723a8
   size_t total_module_size, core_size;
9723a8
   size_t memdisk_size = 0, config_size = 0;
9723a8
-  size_t prefix_size = 0, dtb_size = 0;
9723a8
+  size_t prefix_size = 0, dtb_size = 0, sbat_size = 0;
9723a8
   char *kernel_path;
9723a8
   size_t offset;
9723a8
   struct grub_util_path_list *path_list, *p;
3efed6
@@ -895,6 +896,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
9723a8
       total_module_size += dtb_size + sizeof (struct grub_module_header);
9723a8
     }
9723a8
 
9723a8
+  if (sbat_path != NULL && image_target->id != IMAGE_EFI)
9723a8
+    grub_util_error (_(".sbat section can be embedded into EFI images only"));
9723a8
+
9723a8
   if (config_path)
9723a8
     {
9723a8
       config_size = ALIGN_ADDR (grub_util_get_image_size (config_path) + 1);
3efed6
@@ -1277,8 +1281,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
9723a8
       break;
9723a8
     case IMAGE_EFI:
9723a8
       {
9723a8
-	char *pe_img, *header;
9723a8
+	char *pe_img, *pe_sbat, *header;
9723a8
 	struct grub_pe32_section_table *section;
9723a8
+	size_t n_sections = 4;
9723a8
 	size_t scn_size;
9723a8
 	grub_uint32_t vma, raw_data;
9723a8
 	size_t pe_size, header_size;
3efed6
@@ -1293,8 +1298,15 @@ grub_install_generate_image (const char *dir, const char *prefix,
9723a8
 	  header_size = EFI64_HEADER_SIZE;
9723a8
 
9723a8
 	vma = raw_data = header_size;
9723a8
+
9723a8
+	if (sbat_path != NULL)
9723a8
+	  {
9723a8
+	    sbat_size = ALIGN_ADDR (grub_util_get_image_size (sbat_path));
9723a8
+	    sbat_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT);
9723a8
+	  }
9723a8
+
9723a8
 	pe_size = ALIGN_UP (header_size + core_size, GRUB_PE32_FILE_ALIGNMENT) +
9723a8
-          ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT);
9723a8
+          ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT) + sbat_size;
9723a8
 	header = pe_img = xcalloc (1, pe_size);
9723a8
 
9723a8
 	memcpy (pe_img + raw_data, core_img, core_size);
3efed6
@@ -1309,7 +1321,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
9723a8
 					      + GRUB_PE32_SIGNATURE_SIZE);
9723a8
 	c->machine = grub_host_to_target16 (image_target->pe_target);
9723a8
 
9723a8
-	c->num_sections = grub_host_to_target16 (4);
9723a8
+	if (sbat_path != NULL)
9723a8
+	  n_sections++;
9723a8
+
9723a8
+	c->num_sections = grub_host_to_target16 (n_sections);
9723a8
 	c->time = grub_host_to_target32 (STABLE_EMBEDDING_TIMESTAMP);
9723a8
 	c->characteristics = grub_host_to_target16 (GRUB_PE32_EXECUTABLE_IMAGE
9723a8
 						    | GRUB_PE32_LINE_NUMS_STRIPPED
3efed6
@@ -1371,7 +1386,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
9723a8
 				   GRUB_PE32_SCN_MEM_READ);
9723a8
 
9723a8
 	scn_size = ALIGN_UP (layout.kernel_size - layout.exec_size, GRUB_PE32_FILE_ALIGNMENT);
9723a8
-	PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size +
9723a8
+	/* ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT) is done earlier. */
9723a8
+	PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + sbat_size +
9723a8
 							       ALIGN_UP (total_module_size,
9723a8
 									 GRUB_PE32_FILE_ALIGNMENT));
9723a8
 
3efed6
@@ -1382,7 +1398,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
9723a8
 				   GRUB_PE32_SCN_MEM_READ |
9723a8
 				   GRUB_PE32_SCN_MEM_WRITE);
9723a8
 
9723a8
-	scn_size = pe_size - layout.reloc_size - raw_data;
9723a8
+	scn_size = pe_size - layout.reloc_size - sbat_size - raw_data;
9723a8
 	section = init_pe_section (image_target, section, "mods",
9723a8
 				   &vma, scn_size, image_target->section_align,
9723a8
 				   &raw_data, scn_size,
3efed6
@@ -1390,6 +1406,19 @@ grub_install_generate_image (const char *dir, const char *prefix,
9723a8
 				   GRUB_PE32_SCN_MEM_READ |
9723a8
 				   GRUB_PE32_SCN_MEM_WRITE);
9723a8
 
9723a8
+	if (sbat_path != NULL)
9723a8
+	  {
9723a8
+	    pe_sbat = pe_img + raw_data;
9723a8
+	    grub_util_load_image (sbat_path, pe_sbat);
9723a8
+
9723a8
+	    section = init_pe_section (image_target, section, ".sbat",
9723a8
+				       &vma, sbat_size,
9723a8
+				       image_target->section_align,
9723a8
+				       &raw_data, sbat_size,
9723a8
+				       GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
9723a8
+				       GRUB_PE32_SCN_MEM_READ);
9723a8
+	  }
9723a8
+
9723a8
 	scn_size = layout.reloc_size;
9723a8
 	PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma);
9723a8
 	PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size);
9723a8
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
3efed6
index 95059285bd4..dad17561c4f 100644
9723a8
--- a/include/grub/util/install.h
9723a8
+++ b/include/grub/util/install.h
3efed6
@@ -187,7 +187,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
9723a8
 			     char *config_path,
9723a8
 			     const struct grub_install_image_target_desc *image_target,
3efed6
 			     int note, size_t appsig_size,
9723a8
-			     grub_compression_t comp, const char *dtb_file);
9723a8
+			     grub_compression_t comp, const char *dtb_file,
9723a8
+			     const char *sbat_path);
9723a8
 
9723a8
 const struct grub_install_image_target_desc *
9723a8
 grub_install_get_image_target (const char *arg);
9723a8
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
3efed6
index cef7fffa7ae..f48d544c28a 100644
9723a8
--- a/include/grub/util/mkimage.h
9723a8
+++ b/include/grub/util/mkimage.h
9723a8
@@ -24,6 +24,7 @@ struct grub_mkimage_layout
9723a8
   size_t exec_size;
9723a8
   size_t kernel_size;
9723a8
   size_t bss_size;
9723a8
+  size_t sbat_size;
9723a8
   grub_uint64_t start_address;
9723a8
   void *reloc_section;
9723a8
   size_t reloc_size;
9723a8
diff --git a/docs/grub.texi b/docs/grub.texi
3efed6
index 314bbeb8471..52e6e5763b8 100644
9723a8
--- a/docs/grub.texi
9723a8
+++ b/docs/grub.texi
3efed6
@@ -5719,6 +5719,7 @@ environment variables and commands are listed in the same order.
3efed6
 * Using GPG-style digital signatures:: Booting digitally signed code
3efed6
 * Using appended signatures::          An alternative approach to booting digitally signed code
3efed6
 * Signing GRUB itself::                Ensuring the integrity of the GRUB core image
9723a8
+* Secure Boot Advanced Targeting::   Embedded information for generation number based revocation
9723a8
 * Lockdown::                           Lockdown when booting on a secure setup
9723a8
 @end menu
9723a8
 
3efed6
@@ -6010,6 +6011,24 @@ As with UEFI secure boot, it is necessary to build in the required modules,
3efed6
 or sign them separately.
3efed6
 
3efed6
 
9723a8
+@node Secure Boot Advanced Targeting
9723a8
+@section Embedded information for generation number based revocation
9723a8
+
9723a8
+The Secure Boot Advanced Targeting (SBAT) is a mechanism to allow the revocation
9723a8
+of components in the boot path by using generation numbers embedded into the EFI
9723a8
+binaries. The SBAT metadata is located in an .sbat data section that has set of
9723a8
+UTF-8 strings as comma-separated values (CSV). See
9723a8
+@uref{https://github.com/rhboot/shim/blob/main/SBAT.md} for more details.
9723a8
+
9723a8
+To add a data section containing the SBAT information into the binary, the
9723a8
+@option{--sbat} option of @command{grub-mkimage} command should be used. The content
9723a8
+of a CSV file, encoded with UTF-8, is copied as is to the .sbat data section into
9723a8
+the generated EFI binary. The CSV file can be stored anywhere on the file system.
9723a8
+
9723a8
+@example
9723a8
+grub-mkimage -O x86_64-efi -o grubx64.efi -p '(tftp)/grub' --sbat sbat.csv efinet tftp
9723a8
+@end example
9723a8
+
9723a8
 @node Lockdown
9723a8
 @section Lockdown when booting on a secure setup
9723a8