ukify: add default .sbat section for addons
authorLuca Boccassi <bluca@debian.org>
Sun, 21 May 2023 13:32:39 +0000 (14:32 +0100)
committerLuca Boccassi <bluca@debian.org>
Wed, 24 May 2023 10:09:03 +0000 (11:09 +0100)
In order to ensure that addons can always be revoked via SBAT, and that it is not
left out by mistake, add a default metadata entry when none is specified
by the caller.
https://github.com/rhboot/shim/blob/main/SBAT.md

man/ukify.xml
src/ukify/ukify.py

index 2e22b1f42e496009f7f586598c7e94bfaff26123..4531ac89b2877f53bc0724a7ddd392e06967d5af 100644 (file)
@@ -50,6 +50,7 @@
     <varname>Splash=</varname>/<option>--splash=</option>,
     <varname>PCRPKey=</varname>/<option>--pcrpkey=</option>,
     <varname>Uname=</varname>/<option>--uname=</option>,
+    <varname>SBAT=</varname>/<option>--sbat=</option>,
     and <option>--section=</option>
     below.</para>
 
         </varlistentry>
       </variablelist>
     </refsect2>
+
+    <refsect2>
+      <title>[Addon:<replaceable>NAME</replaceable>] section</title>
+
+      <para>Currently, these options only apply when building PE addons.</para>
+
+      <variablelist>
+        <varlistentry>
+          <term><varname>SBAT=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term>
+          <term><option>--sbat=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term>
+
+          <listitem><para>SBAT metadata associated with the addon. SBAT policies are useful to revoke whole
+          groups of addons with a single, static policy update that does not take space in DBX/MOKX. If not
+          specified manually, a default metadata entry consisting of
+          <literal>uki.addon.systemd,1,UKI Addon,uki.addon.systemd,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html</literal>
+          will be used, to ensure it is always possible to revoke addons. For more information on SBAT see
+          <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink></para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
   </refsect1>
 
   <refsect1>
@@ -464,11 +486,13 @@ Phases=enter-initrd:leave-initrd
       --secureboot-private-key=sb.key \
       --secureboot-certificate=sb.cert \
       --cmdline='debug' \
+      --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+      uki.addon.author,1,UKI Addon for System,uki.addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
       --output=debug.cmdline
       </programlisting>
 
       <para>This creates a signed PE binary that contains the additional kernel command line parameter
-      <literal>debug</literal>.</para>
+      <literal>debug</literal> with SBAT metadata referring to the owner of the addon.</para>
     </example>
   </refsect1>
 
index 3a0c7af36250281bfe8e0bfe9e9ec19708a9fbb6..66e176cd0ce44884dca1653bf7c0a8d74373c0db 100755 (executable)
@@ -679,10 +679,12 @@ def make_uki(opts):
 
     call_systemd_measure(uki, linux, opts=opts)
 
-    # UKI creation
+    # UKI or addon creation - addons don't use the stub so we add SBAT manually
 
     if linux is not None:
         uki.add_section(Section.create('.linux', linux, measure=True))
+    elif opts.sbat:
+        uki.add_section(Section.create('.sbat', opts.sbat, measure=False))
 
     if sign_args_present:
         unsigned = tempfile.NamedTemporaryFile(prefix='uki')
@@ -927,6 +929,16 @@ CONFIG_ITEMS = [
         config_key = 'UKI/Stub',
     ),
 
+    ConfigItem(
+        '--sbat',
+        metavar = 'TEXT|@PATH',
+        help = 'SBAT policy [.sbat section] for addons',
+        default = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+uki.addon,1,UKI Addon,uki.addon,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
+""",
+        config_key = 'Addon/SBAT',
+    ),
+
     ConfigItem(
         '--section',
         dest = 'sections',