boot: use separate SBAT project names for stub and boot

The implementations are not 100% overlapping, so use different identifiers, so
that revocations can be done independently. e.g.: a bug that affects only
sd-boot won't necessarily cause old UKIs to be revoked.

diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index 83cdd87afc15ee05efad255250973fe19f97f1b0..a870348f2736bbf6af7e5c0c737ffd69ac59463b 100644 (file)
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -17,6 +17,7 @@
 #include "proto/device-path.h"
 #include "proto/simple-text-io.h"
 #include "random-seed.h"
+#include "sbat.h"
 #include "secure-boot.h"
 #include "shim.h"
 #include "ticks.h"
@@ -34,6 +35,8 @@ _used_ _section_(".osrel") static const char osrel[] =
         "VERSION=\"" GIT_VERSION "\"\n"
         "NAME=\"systemd-boot " GIT_VERSION "\"\n";
 
+DECLARE_SBAT(SBAT_BOOT_SECTION_TEXT);
+
 typedef enum LoaderType {
         LOADER_UNDEFINED,
         LOADER_AUTO,

diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
index 3a80712fe0631af15792b3f883972021c591e4a8..f6776af917825b274142a40f268a6d2537419564 100644 (file)
--- a/src/boot/efi/secure-boot.c
+++ b/src/boot/efi/secure-boot.c
@@ -2,7 +2,6 @@
 
 #include "console.h"
 #include "proto/security-arch.h"
-#include "sbat.h"
 #include "secure-boot.h"
 #include "util.h"
 #include "vmm.h"
@@ -33,10 +32,6 @@ SecureBootMode secure_boot_mode(void) {
         return decode_secure_boot_mode(secure, audit, deployed, setup);
 }
 
-#ifdef SBAT_DISTRO
-static const char sbat[] _used_ _section_(".sbat") = SBAT_SECTION_TEXT;
-#endif
-
 EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool force) {
         assert(root_dir);
         assert(path);

diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index e34fc77faa563ca0af437bed4ecb269215a91dae..6cd5ccb5d4470ae88cbd8b8cce33835ba3987bcb 100644 (file)
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -10,6 +10,7 @@
 #include "pe.h"
 #include "proto/shell-parameters.h"
 #include "random-seed.h"
+#include "sbat.h"
 #include "secure-boot.h"
 #include "shim.h"
 #include "splash.h"
@@ -22,6 +23,8 @@
 /* magic string to find in the binary image */
 _used_ _section_(".sdmagic") static const char magic[] = "#### LoaderInfo: systemd-stub " GIT_VERSION " ####";
 
+DECLARE_SBAT(SBAT_STUB_SECTION_TEXT);
+
 static EFI_STATUS combine_initrd(
                 EFI_PHYSICAL_ADDRESS initrd_base, size_t initrd_size,
                 const void * const extra_initrds[], const size_t extra_initrd_sizes[], size_t n_extra_initrds,

diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 1d49765fce910a06f3bab8e9806607364f53f1cd..7367bcb4117696a52e5d73aba3e7aa274e2bb2fe 100644 (file)
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -395,3 +395,10 @@ static inline size_t ALIGN_TO(size_t l, size_t ali) {
                 dummy_t __empty__ ## name;             \
                 type name[];                           \
         }
+
+#ifdef SBAT_DISTRO
+        #define DECLARE_SBAT(text) \
+                static const char sbat[] _used_ _section_(".sbat") = (text)
+#else
+        #define DECLARE_SBAT(text)
+#endif

diff --git a/src/fundamental/sbat.h b/src/fundamental/sbat.h
index e3198287ba7438b7f14bf7e57a94cfcbcd380539..9288e058125e7124846774838194961aabe74151 100644 (file)
--- a/src/fundamental/sbat.h
+++ b/src/fundamental/sbat.h
@@ -2,8 +2,13 @@
 
 #ifdef SBAT_DISTRO
 #  include "version.h"
-#  define SBAT_SECTION_TEXT \
-        "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n" \
-        SBAT_PROJECT ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
-        SBAT_PROJECT "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
+#  define SBAT_MAGIC "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
+#  define SBAT_BOOT_SECTION_TEXT \
+        SBAT_MAGIC \
+        SBAT_PROJECT "-boot" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
+        SBAT_PROJECT "-boot" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
+#  define SBAT_STUB_SECTION_TEXT \
+        SBAT_MAGIC \
+        SBAT_PROJECT "-stub" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
+        SBAT_PROJECT "-stub" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
 #endif

diff --git a/src/test/test-sbat.c b/src/test/test-sbat.c
index 1a905418d1daad248e6f85a00dc9e01d2dee0b27..0c4310015be7311f534860de31eeeb649bde7064 100644 (file)
--- a/src/test/test-sbat.c
+++ b/src/test/test-sbat.c
@@ -10,10 +10,12 @@
 
 TEST(sbat_section_text) {
         log_info("---SBAT-----------&<----------------------------------------\n"
+                 "%s"
                  "%s"
                  "------------------>&-----------------------------------------",
 #ifdef SBAT_DISTRO
-                 SBAT_SECTION_TEXT
+                 SBAT_BOOT_SECTION_TEXT,
+                 SBAT_STUB_SECTION_TEXT
 #else
                  "(not defined)"
 #endif