Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use Sbat_Level_Variable.txt from shim repo #12

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Use Sbat_Level_Variable.txt from shim repo #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
0a6749b
Create revocations.efi to deliver new sbat level requirements
jsetje Nov 8, 2022
cb08cf5
SkuSiPolicy payload - at the moment this is only for testing
jsetje Jun 9, 2023
7b0068f
Update previous (automatic) SbatLevel to 2022111500
jsetje Sep 21, 2023
1109790
2023 shim and GRUB revocations
jsetje Sep 21, 2023
dea7500
Rename "previous" revocations to "automatic"
jsetje Dec 15, 2023
a7546a7
use SbatLevel_Variable.txt in shim repo as source for revocations
jsetje Dec 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,7 @@
# editor backup/tmp files
*~
*.sw?

# generated revocation payload
data/sbat_level_automatic.csv
data/sbat_level_latest.csv
3 changes: 3 additions & 0 deletions .gitmodules
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,6 @@
path = gnu-efi
url = https://github.com/rhboot/gnu-efi
branch = shim-15.6
[submodule "shim"]
path = shim
url = https://github.com/rhboot/shim
60 changes: 55 additions & 5 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,10 +51,19 @@ endef

define add-vendor-sbat
$(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
endef

define add-skusi
$(OBJCOPY) --add-section ".$(patsubst %.bin,%,$(1))=$(1)" $(2)
endef

SBATPATH = $(TOPDIR)/data/sbat.csv
SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv
SBATLEVELAUTOMATICPATH = $(TOPDIR)/data/sbat_level_automatic.csv
SSPVLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_Version_latest.bin
SSPSLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_latest.bin
SSPVAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_Version_automatic.bin
SSPSAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_automatic.bin
VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x))))

OBJFLAGS =
Expand Down Expand Up @@ -84,16 +93,38 @@ ifeq ($(ARCH),arm)
BUILDFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
endif

all : certwrapper.efi
all : certwrapper.efi revocations.efi

certwrapper.so : sbat_data.o certwrapper.o
certwrapper.so : revocation_data.o certwrapper.o
certwrapper.so : SOLIBS=
certwrapper.so : SOFLAGS=
certwrapper.so : BUILDFLAGS+=-DVENDOR_DB
certwrapper.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<)
certwrapper.efi : SECTIONS=.text .reloc .db .sbat
certwrapper.efi : VENDOR_DB_FILE?=db.esl

revocations.so : revocation_data.o revocations.o
revocations.so : SOLIBS=
revocations.so : SOFLAGS=
revocations.efi : OBJFLAGS = --strip-unneeded
revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbata .sspva .sspsa .sspvl .sspsl

revocations.o : certwrapper.o
cp certwrapper.o revocations.o

SBAT_LATEST_DATE ?= 2023012950
SBAT_AUTOMATIC_DATE ?= 2023012900

$(SBATLEVELLATESTPATH) :
awk '/^sbat,1,$(SBAT_LATEST_DATE)/ { print $$0 }' \
FS=\"\n\" RS=\\n\\n shim/SbatLevel_Variable.txt \
> $@

$(SBATLEVELAUTOMATICPATH) :
awk '/^sbat,1,$(SBAT_AUTOMATIC_DATE)/ { print $$0 }' \
FS=\"\n\" RS=\\n\\n shim/SbatLevel_Variable.txt \
> $@

%.efi : %.so
ifneq ($(OBJCOPY_GTE224),1)
$(error objcopy >= 2.24 is required)
Expand All @@ -103,12 +134,31 @@ endif
$(OBJFLAGS) \
$(FORMAT) $^ $@

sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
sbat_data.o : /dev/null
revocation_data.o : $(SBATLEVELLATESTPATH) $(SBATLEVELAUTOMATICPATH)
revocation_data.o : | $(SBATPATH) $(VENDOR_SBATS)
revocation_data.o : /dev/null
$(CC) $(BUILDFLAGS) -x c -c -o $@ $<
$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
--set-section-flags .sbat=contents,alloc,load,readonly,data \
$@
$(OBJCOPY) --add-section .sbatl=$(SBATLEVELLATESTPATH) \
--set-section-flags .sbatl=contents,alloc,load,readonly,data \
$@
$(OBJCOPY) --add-section .sbata=$(SBATLEVELAUTOMATICPATH) \
--set-section-flags .sbata=contents,alloc,load,readonly,data \
$@
$(OBJCOPY) --add-section .sspvl=$(SSPVLATESTPATH) \
--set-section-flags .sspvl=contents,alloc,load,readonly,data \
$@
$(OBJCOPY) --add-section .sspsl=$(SSPSLATESTPATH) \
--set-section-flags .sspsl=contents,alloc,load,readonly,data \
$@
$(OBJCOPY) --add-section .sspva=$(SSPVAUTOMATICPATH) \
--set-section-flags .sspva=contents,alloc,load,readonly,data \
$@
$(OBJCOPY) --add-section .sspsa=$(SSPSAUTOMATICPATH) \
--set-section-flags .sspsa=contents,alloc,load,readonly,data \
$@
$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))

%.so : %.o
Expand All @@ -120,7 +170,7 @@ sbat_data.o : /dev/null
$(CC) $(BUILDFLAGS) -c -o $@ $^

clean :
@rm -vf *.o *.so *.efi
@rm -vf *.o *.so *.efi $(SBATLEVELLATESTPATH) $(SBATLEVELAUTOMATICPATH)

update :
git submodule update --init --recursive
Expand Down
Binary file added data/SkuSiPolicy_Version_automatic.bin
View file
Open in desktop
Binary file not shown.
Binary file added data/SkuSiPolicy_Version_latest.bin
View file
Open in desktop
Binary file not shown.
Binary file added data/SkuSiPolicy_automatic.bin
View file
Open in desktop
Binary file not shown.
Binary file added data/SkuSiPolicy_latest.bin
View file
Open in desktop
Binary file not shown.
1 change: 1 addition & 0 deletions shim
Open in desktop
Submodule shim added at 314aec