diff --git a/.gitignore b/.gitignore
index 5a703bd..2a4ed69 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,7 @@
 # editor backup/tmp files
 *~
 *.sw?
+
+# generated revocation payload
+data/sbat_level_automatic.csv
+data/sbat_level_latest.csv
diff --git a/.gitmodules b/.gitmodules
index 4e5d47a..e228fa3 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,3 +2,6 @@
 	path = gnu-efi
 	url = https://github.com/rhboot/gnu-efi
 	branch = shim-15.6
+[submodule "shim"]
+	path = shim
+	url = https://github.com/rhboot/shim
diff --git a/Makefile b/Makefile
index ecb7e49..02a36a7 100644
--- a/Makefile
+++ b/Makefile
@@ -51,10 +51,19 @@ endef
 
 define add-vendor-sbat
 $(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
+endef
+define add-skusi
+$(OBJCOPY) --add-section ".$(patsubst %.bin,%,$(1))=$(1)" $(2)
 endef
 
 
 SBATPATH = $(TOPDIR)/data/sbat.csv
+SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv
+SBATLEVELAUTOMATICPATH = $(TOPDIR)/data/sbat_level_automatic.csv
+SSPVLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_Version_latest.bin
+SSPSLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_latest.bin
+SSPVAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_Version_automatic.bin
+SSPSAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_automatic.bin
 VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x))))
 
 OBJFLAGS =
@@ -84,9 +93,9 @@ ifeq ($(ARCH),arm)
 BUILDFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
 endif
 
-all : certwrapper.efi
+all : certwrapper.efi revocations.efi
 
-certwrapper.so : sbat_data.o certwrapper.o
+certwrapper.so : revocation_data.o certwrapper.o
 certwrapper.so : SOLIBS=
 certwrapper.so : SOFLAGS=
 certwrapper.so : BUILDFLAGS+=-DVENDOR_DB
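Review bot: `add-skusi` is defined in the first Makefile hunk but nothing in the change calls it — the new sections are added to `revocation_data.o` with spelled-out objcopy lines in a later hunk — and as written it derives the section name from the file name via `$(patsubst %.bin,%,$(1))`, which cannot produce the `.sspvl`/`.sspsa` names the rest of the patch uses, so in its current form it is dead code. Either drop it or give it the section name explicitly, `define add-skusi` / `$(OBJCOPY) --add-section $(1)=$(2) --set-section-flags $(1)=contents,alloc,load,readonly,data $(3)` / `endef`, and call it from the `revocation_data.o` recipe so the seven near-identical invocations collapse to one `$(foreach)`. The four `SSP*PATH` variables point at binary blobs this commit checks in with nothing saying where they were obtained or how to refresh them; a comment above those lines such as `# SkuSiPolicy payloads: exported from <source and date — fill in>` would let a reviewer of revocations.efi verify what is being embedded.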
@@ -94,6 +103,28 @@ certwrapper.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<)
 certwrapper.efi : SECTIONS=.text .reloc .db .sbat
 certwrapper.efi : VENDOR_DB_FILE?=db.esl
 
+revocations.so : revocation_data.o revocations.o
+revocations.so : SOLIBS=
+revocations.so : SOFLAGS=
+revocations.efi : OBJFLAGS = --strip-unneeded
+revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbata .sspva .sspsa .sspvl .sspsl
+
+revocations.o : certwrapper.o
+	cp certwrapper.o revocations.o
+
+SBAT_LATEST_DATE ?= 2023012950
+SBAT_AUTOMATIC_DATE ?= 2023012900
+
+$(SBATLEVELLATESTPATH) :
+	awk '/^sbat,1,$(SBAT_LATEST_DATE)/ { print $$0 }' \
+	FS=\"\n\" RS=\\n\\n shim/SbatLevel_Variable.txt \
+	> $@
+
+$(SBATLEVELAUTOMATICPATH) :
+	awk '/^sbat,1,$(SBAT_AUTOMATIC_DATE)/ { print $$0 }' \
+	FS=\"\n\" RS=\\n\\n shim/SbatLevel_Variable.txt \
+	> $@
+
 %.efi : %.so
 ifneq ($(OBJCOPY_GTE224),1)
 	$(error objcopy >= 2.24 is required)
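Review bot: The `$(SBATLEVELLATESTPATH)` and `$(SBATLEVELAUTOMATICPATH)` rules have no prerequisites, so once the CSV exists it is never regenerated: bumping the `shim` submodule (new entries in `shim/SbatLevel_Variable.txt`) does not reach `revocations.efi` until someone runs `make clean`, which is the wrong failure mode for a revocation payload. A date that matches nothing also succeeds — awk prints nothing, `> $@` creates an empty file, and an empty `.sbatl`/`.sbata` section is embedded without complaint. Naming the input as a prerequisite, writing to a temporary name and rejecting an empty result fixes both (a changed `SBAT_LATEST_DATE` on the command line still needs a `clean`, or a stamp file, to take effect); the two rules differ only in the variable and could share one `define`. Separately, `revocations.o : certwrapper.o` / `cp certwrapper.o revocations.o` copies an object whose flags depend on which goal built it first: `certwrapper.so` sets `BUILDFLAGS+=-DVENDOR_DB` as a target-specific variable that also applies to its prerequisite `certwrapper.o`, so if certwrapper.c reacts to `VENDOR_DB`, `make revocations.efi` and `make all` yield different `revocations.o` contents; compiling it from the source with its own flags would make the artifact deterministic.
```make
$(SBATLEVELLATESTPATH) : shim/SbatLevel_Variable.txt
	awk '/^sbat,1,$(SBAT_LATEST_DATE)/ { print $$0 }' \
	FS=\"\n\" RS=\\n\\n $< > $@.tmp
	test -s $@.tmp && mv -f $@.tmp $@

# … $(SBATLEVELAUTOMATICPATH) rule: same three recipe lines with $(SBAT_AUTOMATIC_DATE) …
```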
@@ -103,12 +134,31 @@ endif
 	$(OBJFLAGS) \
 	$(FORMAT) $^ $@
 
-sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
-sbat_data.o : /dev/null
+revocation_data.o : $(SBATLEVELLATESTPATH) $(SBATLEVELAUTOMATICPATH)
+revocation_data.o : | $(SBATPATH) $(VENDOR_SBATS)
+revocation_data.o : /dev/null
 	$(CC) $(BUILDFLAGS) -x c -c -o $@ $<
 	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
 		--set-section-flags .sbat=contents,alloc,load,readonly,data \
 		$@
+	$(OBJCOPY) --add-section .sbatl=$(SBATLEVELLATESTPATH) \
+		--set-section-flags .sbatl=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sbata=$(SBATLEVELAUTOMATICPATH) \
+		--set-section-flags .sbata=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sspvl=$(SSPVLATESTPATH) \
+		--set-section-flags .sspvl=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sspsl=$(SSPSLATESTPATH) \
+		--set-section-flags .sspsl=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sspva=$(SSPVAUTOMATICPATH) \
+		--set-section-flags .sspva=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sspsa=$(SSPSAUTOMATICPATH) \
+		--set-section-flags .sspsa=contents,alloc,load,readonly,data \
+		$@
 	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
 
 %.so : %.o
@@ -120,7 +170,7 @@ sbat_data.o : /dev/null
 	$(CC) $(BUILDFLAGS) -c -o $@ $^
 
 clean :
-	@rm -vf *.o *.so *.efi
+	@rm -vf *.o *.so *.efi $(SBATLEVELLATESTPATH) $(SBATLEVELAUTOMATICPATH)
 
 update :
 	git submodule update --init --recursive
diff --git a/data/SkuSiPolicy_Version_automatic.bin b/data/SkuSiPolicy_Version_automatic.bin
new file mode 100644
index 0000000..412ee87
Binary files /dev/null and b/data/SkuSiPolicy_Version_automatic.bin differ
diff --git a/data/SkuSiPolicy_Version_latest.bin b/data/SkuSiPolicy_Version_latest.bin
new file mode 100644
index 0000000..329e937
Binary files /dev/null and b/data/SkuSiPolicy_Version_latest.bin differ
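Review bot: `revocation_data.o` still compiles `$<` as C, but the new first rule line puts `$(SBATLEVELLATESTPATH)` and `$(SBATLEVELAUTOMATICPATH)` ahead of `/dev/null` in the target's merged prerequisite list, and as far as I can tell GNU make takes `$<` from that merged list in file order, so `$(CC) -x c` would now be handed the CSV; listing them after `/dev/null` on the same line keeps `$<` as it was. The six SkuSiPolicy blobs read by objcopy (`$(SSPVLATESTPATH)` through `$(SSPSAUTOMATICPATH)`) are not prerequisites at all, so replacing one never rebuilds the object and a missing one only fails mid-recipe. Every objcopy call rewrites `$@` in place, so a failure on any of the seven leaves a partially populated `revocation_data.o` that is newer than its inputs and is treated as up to date on the next run; `.DELETE_ON_ERROR:` near the top of the Makefile fixes that, and the pre-existing `.sbat` call shares the issue. Dropping the first added prerequisite line and changing the `/dev/null` line to `revocation_data.o : /dev/null $(SBATLEVELLATESTPATH) $(SBATLEVELAUTOMATICPATH) $(SSPVLATESTPATH) $(SSPSLATESTPATH) $(SSPVAUTOMATICPATH) $(SSPSAUTOMATICPATH)` covers the first two points.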
diff --git a/data/SkuSiPolicy_automatic.bin b/data/SkuSiPolicy_automatic.bin
new file mode 100644
index 0000000..0296877
Binary files /dev/null and b/data/SkuSiPolicy_automatic.bin differ
diff --git a/data/SkuSiPolicy_latest.bin b/data/SkuSiPolicy_latest.bin
new file mode 100644
index 0000000..0296877
Binary files /dev/null and b/data/SkuSiPolicy_latest.bin differ
diff --git a/shim b/shim
new file mode 160000
index 0000000..314aecf
--- /dev/null
+++ b/shim
@@ -0,0 +1 @@
+Subproject commit 314aecf89318d31697a3fabf14cf49a0dc359331