*/
#define PRODUCT_SETTING_URI "https://ipxe.org/cfg/%s"
+/*
+ * Product security name suffix
+ *
+ * Vendors creating signed iPXE binaries must set this to a non-empty
+ * value (e.g. "2pint").
+ */
+#define PRODUCT_SBAT_NAME ""
+
+/*
+ * Product security generation
+ *
+ * Vendors creating signed iPXE binaries must set this to a non-zero
+ * value, and must increment the value whenever a Secure Boot exploit
+ * is fixed (unless the upstream IPXE_SBAT_GENERATION has already been
+ * incremented as part of that fix).
+ */
+#define PRODUCT_SBAT_GENERATION 0
+
#include <config/local/branding.h>
#endif /* CONFIG_BRANDING_H */
#include <wchar.h>
#include <ipxe/features.h>
#include <ipxe/version.h>
+#include <ipxe/sbat.h>
#include <config/general.h>
#include <config/branding.h>
/** Copy of build name string within ".prefix" */
const char build_name_prefix[] __attribute__ (( section ( ".prefix.name" ) ))
= BUILD_NAME;
+
+/** SBAT upstream iPXE line
+ *
+ * This line represents the security generation of the upstream
+ * codebase from which this build is derived.
+ */
+#define SBAT_IPXE \
+ SBAT_LINE ( "ipxe", IPXE_SBAT_GENERATION, \
+ "iPXE", BUILD_NAME, VERSION, "https://ipxe.org" )
+
+/** SBAT local build line
+ *
+ * This line states the security generation of the local build, which
+ * may include non-default features or non-upstreamed modifications.
+ */
+#if PRODUCT_SBAT_GENERATION
+#define SBAT_PRODUCT \
+ SBAT_LINE ( "ipxe." PRODUCT_SBAT_NAME, PRODUCT_SBAT_GENERATION, \
+ PRODUCT_SHORT_NAME, BUILD_NAME, VERSION, \
+ PRODUCT_URI )
+#else
+#define SBAT_PRODUCT ""
+#endif
+
+/** SBAT data */
+#define SBAT_DATA SBAT_HEADER "" SBAT_IPXE "" SBAT_PRODUCT
+
+/** SBAT data (without any NUL terminator) */
+const char sbat[ sizeof ( SBAT_DATA ) - 1 ] __sbat = SBAT_DATA;
--- /dev/null
+#ifndef _IPXE_SBAT_H
+#define _IPXE_SBAT_H
+
+/** @file
+ *
+ * Secure Boot Advanced Targeting (SBAT)
+ *
+ * SBAT defines an encoding for security generation numbers stored as
+ * a CSV file within a special ".sbat" section in the signed binary.
+ * If a Secure Boot exploit is discovered then the generation number
+ * will be incremented alongside the corresponding fix.
+ *
+ * Platforms may then record the minimum generation number required
+ * for any given product. This allows for an efficient revocation
+ * mechanism that consumes minimal flash storage space (in contrast to
+ * the DBX mechanism, which allows for only a single-digit number of
+ * revocation events to ever take place across all possible signed
+ * binaries).
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+/**
+ * A single line within an SBAT CSV file
+ *
+ * @v name Machine-readable component name
+ * @v generation Security generation number
+ * @v vendor Human-readable vendor name
+ * @v package Human-readable package name
+ * @v version Human-readable package version
+ * @v uri Contact URI
+ * @ret line CSV line
+ */
+#define SBAT_LINE( name, generation, vendor, package, version, uri ) \
+ name "," _S2 ( generation ) "," vendor "," package "," \
+ version "," uri "\n"
+
+/** SBAT format generation */
+#define SBAT_GENERATION 1
+
+/** Upstream security generation
+ *
+ * This represents the security generation of the upstream codebase.
+ * It will be incremented whenever a Secure Boot exploit is fixed in
+ * the upstream codebase.
+ *
+ * If you do not have commit access to the upstream iPXE repository,
+ * then you may not modify this value under any circumstances.
+ */
+#define IPXE_SBAT_GENERATION 1
+
+/* Seriously, do not modify this value */
+#if IPXE_SBAT_GENERATION != 1
+#error "You may not modify IPXE_SBAT_GENERATION"
+#endif
+
+/** SBAT header line */
+#define SBAT_HEADER \
+ SBAT_LINE ( "sbat", SBAT_GENERATION, "SBAT Version", "sbat", \
+ _S2 ( SBAT_GENERATION ), \
+ "https://github.com/rhboot/shim/blob/main/SBAT.md" )
+
+/** Mark variable as being in the ".sbat" section */
+#define __sbat __attribute__ (( section ( ".sbat" ), aligned ( 512 ) ))
+
+extern const char sbat[] __sbat;
+
+#endif /* _IPXE_SBAT_H */
projects / thirdparty / ipxe.git / commitdiff
