diff '--color=auto' -ruN linux-6.12.1-gentoo/arch/x86/boot/Makefile linux-6.12.1-gentoo.sbat/arch/x86/boot/Makefile
--- linux-6.12.1-gentoo/arch/x86/boot/Makefile 2024-11-22 22:47:28.288743052 +0100
+++ linux-6.12.1-gentoo.sbat/arch/x86/boot/Makefile 2024-11-23 13:39:34.930313632 +0100
@@ -63,9 +63,9 @@
quiet_cmd_image = BUILD $@ silent_redirect_image = >/dev/null cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \
- $(obj)/zoffset.h $@ $($(quiet)redirect_image)
+ $(obj)/zoffset.h $(obj)/sbat.csv $@ $($(quiet)redirect_image)
-$(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE
+$(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/sbat.csv $(obj)/tools/build FORCE $(call if_changed,image) @$(kecho) 'Kernel: $@ is ready' ' (#'$(or $(KBUILD_BUILD_VERSION),`cat .version`)')'
@@ -75,6 +75,16 @@
SETUP_OBJS = $(addprefix $(obj)/,$(setup-y))
+
+quiet_cmd_sbat = SBAT $@
+ cmd_sbat = sed s@%KERNELVERSION%@$(KERNELVERSION)@ $(srctree)/$@ > $@
+
+
+targets += sbat.csv
+$(obj)/sbat.csv: $(srctree)/$@ FORCE
+ $(call if_changed,sbat)
+
+ sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|z_.*\)$$/\#define ZO_\2 0x\1/p' quiet_cmd_zoffset = ZOFFSET $@
diff '--color=auto' -ruN linux-6.12.1-gentoo/arch/x86/boot/header.S linux-6.12.1-gentoo.sbat/arch/x86/boot/header.S
--- linux-6.12.1-gentoo/arch/x86/boot/header.S 2024-11-22 22:47:28.291743064 +0100
+++ linux-6.12.1-gentoo.sbat/arch/x86/boot/header.S 2024-11-30 15:33:33.427367030 +0100
@@ -83,9 +83,9 @@
.long ZO__end - ZO__data # SizeOfInitializedData .long 0 # SizeOfUninitializedData
- .long setup_size + ZO_efi_pe_entry # AddressOfEntryPoint
+ .long setup_size + salign + ZO_efi_pe_entry # AddressOfEntryPoint
- .long setup_size # BaseOfCode
+ .long setup_size + salign # BaseOfCode #ifdef CONFIG_X86_32 .long 0 # data #endif 
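Review bot: In the new rule `$(obj)/sbat.csv: $(srctree)/$@ FORCE` the automatic variable `$@` is empty when the prerequisite list is read (it is only bound inside recipes unless secondary expansion is enabled, which kbuild does not appear to use), so the only real prerequisite is the directory `$(srctree)/`, and an edit to sbat.csv will not regenerate the output unless KERNELVERSION happened to change the command line that if_changed compares. Name the source file explicitly and reference it from the recipe: `$(obj)/sbat.csv: $(src)/sbat.csv FORCE` and `cmd_sbat = sed s@%KERNELVERSION%@$(KERNELVERSION)@ $< > $@` (use whatever source-directory spelling this tree's kbuild expects for out-of-tree builds). The sed expression also uses `@` as its delimiter while the replacement text comes from $(KERNELVERSION), so a version string containing `@` or `&` would corrupt the substitution; a comment such as `# KERNELVERSION must not contain the sed delimiter '@' or an '&'` would document that assumption.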
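Review bot: Every PE field here gains `+ salign` to make room for the SBAT section, while build.c (hunks @@ -43 and @@ -226) writes a fixed `SBAT_SIZE` of 4096 bytes; nothing ties the two values together, and `salign` itself is set outside these hunks, so a change to either side leaves the section table describing bytes that are not on disk, which is exactly the data shim reads to enforce SBAT. The same coupling applies to the @@ -106, @@ -179 and @@ -198 hunks of header.S. At minimum document it on both sides, e.g. `# the .sbat section is exactly one salign; keep in sync with SBAT_SIZE in tools/build.c`, and consider having build.c compare the `.sbat` SizeOfRawData it can find in the setup.bin section table against SBAT_SIZE before writing. The PE header this hunk edits begins and ends outside the hunk.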
@@ -106,7 +106,7 @@
.word 0 # MinorSubsystemVersion .long 0 # Win32VersionValue
- .long setup_size + ZO__end # SizeOfImage
+ .long setup_size + salign + ZO__end # SizeOfImage .long salign # SizeOfHeaders .long 0 # CheckSum
@@ -179,15 +179,25 @@
#else .set pecompat_fstart, setup_size #endif
+
+ .ascii ".sbat\0\0\0"
+ .long salign # SizeOfRawData
+ .long setup_size # VirtualAddress
+ .long salign # SizeOfRawData
+ .long setup_size # PointerToRawData
+
+ .long 0, 0, 0
+ .long IMAGE_SCN_ALIGN_512BYTES
+ .ascii ".text" .byte 0 .byte 0 .byte 0 .long ZO__data
- .long setup_size
+ .long setup_size + salign .long ZO__data # Size of initialized data # on disk
- .long setup_size
+ .long setup_size + salign .long 0 # PointerToRelocations .long 0 # PointerToLineNumbers .word 0 # NumberOfRelocations
@@ -198,9 +208,9 @@
.ascii ".data\0\0\0" .long ZO__end - ZO__data # VirtualSize
- .long setup_size + ZO__data # VirtualAddress
+ .long setup_size + salign + ZO__data # VirtualAddress .long ZO__edata - ZO__data # SizeOfRawData
- .long setup_size + ZO__data # PointerToRawData
+ .long setup_size + salign + ZO__data # PointerToRawData .long 0, 0, 0 .long IMAGE_SCN_CNT_INITIALIZED_DATA | \
diff '--color=auto' -ruN linux-6.12.1-gentoo/arch/x86/boot/sbat.csv linux-6.12.1-gentoo.sbat/arch/x86/boot/sbat.csv
--- linux-6.12.1-gentoo/arch/x86/boot/sbat.csv 1970-01-01 01:00:00.000000000 +0100
+++ linux-6.12.1-gentoo.sbat/arch/x86/boot/sbat.csv 2024-11-23 13:39:34.930313632 +0100
@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+kernel,1,Gentoo Linux,gentoo-sources,%KERNELVERSION%,https://www.gentoo.org
diff '--color=auto' -ruN linux-6.12.1-gentoo/arch/x86/boot/tools/build.c linux-6.12.1-gentoo.sbat/arch/x86/boot/tools/build.c
--- linux-6.12.1-gentoo/arch/x86/boot/tools/build.c 2024-11-22 22:47:28.292743068 +0100
+++ linux-6.12.1-gentoo.sbat/arch/x86/boot/tools/build.c 2024-11-30 15:27:50.721048086 +0100 
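Review bot: In the new `.sbat` section entry the first `.long salign` after the name is the VirtualSize field, but its comment says `# SizeOfRawData` (the real SizeOfRawData is the third field, already commented as such); change it to `.long salign # VirtualSize` so the table is not misread. The entry's characteristics are only `IMAGE_SCN_ALIGN_512BYTES`, whereas the `.data` entry in the @@ -198 hunk carries `IMAGE_SCN_CNT_INITIALIZED_DATA`; a loader that honours characteristics gets no content or access flags for this section, so `.long IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_ALIGN_512BYTES` looks more appropriate — please confirm against what shim expects. If NumberOfSections in the COFF header is not derived from the size of the section table it needs incrementing as well; that field is outside this hunk.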
@@ -6,11 +6,15 @@
*/ /*
- * This file builds a disk-image from three different files:
+ * This file builds a disk-image from 4 different files: * * - setup: 8086 machine code, sets up system parm * - system: 80386 code for actual system * - zoffset.h: header with ZO_* defines
+ * - sbat.csv: policy specification for Secure Boot Advanced Targeting
+ * only needed when CONFIG_EFI_STUB is selected,
+ * and secure boot is enabled, but does no harm
+ * to include SBAT in either case * * It does some checking that all files are of the correct type, and writes * the result to the specified destination, removing headers and padding to
@@ -43,6 +47,7 @@
/* Minimal number of setup sectors */ #define SETUP_SECT_MIN 5 #define SETUP_SECT_MAX 64
+#define SBAT_SIZE 4096 /* This must be large enough to hold the entire setup */ u8 buf[SETUP_SECT_MAX*512];
@@ -130,7 +135,7 @@
static void usage(void) {
- die("Usage: build setup system zoffset.h image");
+ die("Usage: build setup system zoffset.h sbat.csv image"); } /*
@@ -179,13 +184,13 @@
void *kernel; u32 crc = 0xffffffffUL;
- if (argc != 5)
+ if (argc != 6) usage(); parse_zoffset(argv[3]);
- dest = fopen(argv[4], "w");
+ dest = fopen(argv[5], "w"); if (!dest)
- die("Unable to write `%s': %m", argv[4]);
+ die("Unable to write `%s': %m", argv[5]); /* Copy the setup code */ file = fopen(argv[1], "r");
@@ -215,8 +220,7 @@
if (fstat(fd, &sb)) die("Unable to stat `%s': %m", argv[2]); if (_edata != sb.st_size)
- die("Unexpected file size `%s': %u != %u", argv[2], _edata,
- sb.st_size);
+ die("Unexpected file size `%s': %u != %u", argv[2], _edata, sb.st_size); sz = _edata - 4; kernel = mmap(NULL, sz, PROT_READ, MAP_SHARED, fd, 0); if (kernel == MAP_FAILED) 
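Review bot: The re-wrapping of the `die("Unexpected file size ...")` call onto a single line in the @@ -215 hunk is unrelated to the SBAT feature and only makes the line longer than the kernel's preferred width; keep the original two-line form so the patch contains nothing but the functional change. The surrounding function continues outside the hunk.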
@@ -226,6 +230,22 @@
if (fwrite(buf, 1, i, dest) != i) die("Writing setup failed");
+ /* Copy CSV for Secure Boot Advanced Targeting (SBAT) */
+ file = fopen(argv[4], "r");
+ if (!file)
+ die("Unable to open `%s': %m", argv[4]);
+ c = fread(buf, 1, sizeof(buf), file);
+ if (ferror(file))
+ die("read-error on SBAT");
+ fclose(file);
+ if (c > SBAT_SIZE)
+ die("SBAT must be at most %u bytes", SBAT_SIZE);
+ if (c < SBAT_SIZE)
+ memset(buf+c, 0, SBAT_SIZE-c);
+ crc = partial_crc32(buf, SBAT_SIZE, crc);
+ if (fwrite(buf, 1, SBAT_SIZE, dest) != SBAT_SIZE)
+ die("Writing SBAT failed");
+ /* Copy the kernel code */ crc = partial_crc32(kernel, sz, crc); if (fwrite(kernel, 1, sz, dest) != sz)
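Review bot: The 4096-byte SBAT block is written between the setup sectors and the protected-mode kernel, but only the PE/COFF view in header.S is shifted to match: the x86 boot protocol has non-EFI loaders (BIOS boot loaders, kexec) locate the protected-mode kernel at `(setup_sects + 1) * 512` from the start of the image, and nothing in this patch shows setup_sects or the setup padding being enlarged to cover the inserted block, so those loaders would appear to read the CSV text as the start of the kernel. That contradicts the "does no harm to include SBAT in either case" claim added to the header comment in the @@ -6 hunk; please either explain how the real-mode header accounts for the extra bytes or keep the SBAT data inside the region setup_sects already covers. Separately, `c = fread(buf, 1, sizeof(buf), file)` pulls up to the whole 32 KiB buffer only to reject anything above SBAT_SIZE; `c = fread(buf, 1, SBAT_SIZE + 1, file);` makes the limit explicit and stops relying on `buf` being larger than the section. main() starts and ends outside this hunk.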