sd-boot: pad .sbat section to 1k bytes

Fedora's kernels now ship with a .sbat section:
  kernel,1,Red Hat,kernel-core,6.17.0-0.rc1.250814g0cc53520e68b.20.fc44.x86_64,mailto:secalert@redhat.com
  kernel.fedora,1,Red Hat,kernel-core,6.17.0-0.rc1.250814g0cc53520e68b.20.fc44.x86_64,mailto:secalert@redhat.com
This pushes the combined .sbat section just over its pre-allocated size of 512 bytes:
  File "/usr/bin/ukify", line 1048, in pe_add_sections
    raise PEError(f'Not enough space in existing section {section.name} to append new data')
  PEError: Not enough space in existing section .sbat to append new data

PE sections need to align to 512 bytes, so to make it all fit we pad the .sbat
section with zeros to 1k. Various tools already should strip trailing zeros when
using sbat sections, since ukify always inserts a trailing NUL.

The defines are moved to sbat.h, they are used only in sd-stub and sd-boot.

diff --git a/src/boot/stub.c b/src/boot/stub.c
index 77678bc79673ea428c3356a8df769684ce135ddc..575b4a982c6dbe2f208ca2d8b58d3651077f2a67 100644 (file)
--- a/src/boot/stub.c
+++ b/src/boot/stub.c
@@ -51,7 +51,7 @@ enum {
 /* magic string to find in the binary image */
 DECLARE_NOALLOC_SECTION(".sdmagic", "#### LoaderInfo: systemd-stub " GIT_VERSION " ####");
 
-DECLARE_SBAT(SBAT_STUB_SECTION_TEXT);
+DECLARE_SBAT_PADDED(SBAT_STUB_SECTION_TEXT);
 
 static char16_t* pe_section_to_str16(
                 EFI_LOADED_IMAGE_PROTOCOL *loaded_image,

diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index a322a4587cf00896e890c645c414eda2359a8743..2f2b3df277afd58ec926294d432767b72675175c 100644 (file)
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -436,17 +436,22 @@ assert_cc(sizeof(dummy_t) == 0);
         }
 #endif
 
-/* Declares an ELF read-only string section that does not occupy memory at runtime. */
-#define DECLARE_NOALLOC_SECTION(name, text)   \
-        asm(".pushsection " name ",\"S\"\n\t" \
-            ".ascii " STRINGIFY(text) "\n\t"  \
+/* Declare an ELF read-only string section that does not occupy memory at runtime. */
+#define DECLARE_NOALLOC_SECTION(name, text)           \
+        asm(".pushsection " name ",\"S\"\n\t"         \
+            ".ascii " STRINGIFY(text) "\n\t"          \
             ".popsection\n")
 
-#ifdef SBAT_DISTRO
-#  define DECLARE_SBAT(text) DECLARE_NOALLOC_SECTION(".sbat", text)
-#else
-#  define DECLARE_SBAT(text)
-#endif
+/* Similar to DECLARE_NOALLOC_SECTION, but pad the section with extra 512 bytes. After taking alignment into
+ * account, the section has up to 1024 bytes minus the size of the original content of padding, and this
+ * extra space can be used to extend the contents. This is intended for the .sbat section. */
+#define DECLARE_NOALLOC_SECTION_PADDED(name, text)    \
+        assert_cc(STRLEN(text) <= 512);               \
+        asm(".pushsection " name ",\"S\"\n\t"         \
+            ".ascii " STRINGIFY(text) "\n\t"          \
+            ".balign 512\n\t"                         \
+            ".fill 512, 1, 0\n\t"                     \
+            ".popsection\n")
 
 #define typeof_field(struct_type, member) typeof(((struct_type *) 0)->member)
 #define sizeof_field(struct_type, member) sizeof(((struct_type *) 0)->member)

diff --git a/src/fundamental/sbat.h b/src/fundamental/sbat.h
index 9288e058125e7124846774838194961aabe74151..1a6e678b3550e5b876812d320ae8c89853357e5f 100644 (file)
--- a/src/fundamental/sbat.h
+++ b/src/fundamental/sbat.h
@@ -12,3 +12,11 @@
         SBAT_PROJECT "-stub" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
         SBAT_PROJECT "-stub" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
 #endif
+
+#ifdef SBAT_DISTRO
+#  define DECLARE_SBAT(text) DECLARE_NOALLOC_SECTION(".sbat", text)
+#  define DECLARE_SBAT_PADDED(text) DECLARE_NOALLOC_SECTION_PADDED(".sbat", text)
+#else
+#  define DECLARE_SBAT(text)
+#  define DECLARE_SBAT_PADDED(text)
+#endif