boot: add optional EFI SBAT support

Add SBAT support, when -Dsbat-distro value is specified. One can use
-Dsbat-distro=auto for autodetection of all sbat options. Many meson configure
options added to customize SBAT CSV values, but sensible defaults are auto
detected by default. SBAT support is required if shim v15+ is used to load
systemd-boot binary or kernel.efi (Type II BootLoaderSpec).

Fixes #19247

diff --git a/meson_options.txt b/meson_options.txt
index ad7174cf69eff19bb87bbd68ea3a8e2ce7079ab6..b7f30ce16bf54907bf65441bcc3dad8fcee49b15 100644 (file)
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -370,6 +370,18 @@ option('efi-includedir', type : 'string', value : '/usr/include/efi',
        description : 'path to the EFI header directory')
 option('tpm-pcrindex', type : 'integer', value : 8,
        description : 'TPM PCR register number to use')
+option('sbat-distro', type : 'string',
+       description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
+option('sbat-distro-generation', type : 'integer', value : 1,
+       description : 'SBAT distribution generation')
+option('sbat-distro-summary', type : 'string',
+       description : 'SBAT distribution summary, e.g. Fedora')
+option('sbat-distro-pkgname', type : 'string',
+       description : 'SBAT distribution package name, e.g. systemd')
+option('sbat-distro-version', type : 'string',
+       description : 'SBAT distribution package version, e.g. 248-7.fc34')
+option('sbat-distro-url', type : 'string',
+       description : 'SBAT distribution URL, e.g. https://src.fedoraproject.org/rpms/systemd')
 
 option('bashcompletiondir', type : 'string',
        description : 'directory for bash completion scripts ["no" disables]')

diff --git a/src/basic/macro.h b/src/basic/macro.h
index f1d5e0894e3a077e9b302e19de263f89af129956..072fed4378931256fc9e3bc83cd2797652b0bc39 100644 (file)
--- a/src/basic/macro.h
+++ b/src/basic/macro.h
@@ -18,8 +18,6 @@
 #  define _alloc_(...) __attribute__((__alloc_size__(__VA_ARGS__)))
 #endif
 #define _sentinel_ __attribute__((__sentinel__))
-#define _section_(x) __attribute__((__section__(x)))
-#define _used_ __attribute__((__used__))
 #define _destructor_ __attribute__((__destructor__))
 #define _deprecated_ __attribute__((__deprecated__))
 #define _packed_ __attribute__((__packed__))
@@ -30,7 +28,6 @@
 #define _public_ __attribute__((__visibility__("default")))
 #define _hidden_ __attribute__((__visibility__("hidden")))
 #define _weakref_(x) __attribute__((__weakref__(#x)))
-#define _align_(x) __attribute__((__aligned__(x)))
 #define _alignas_(x) __attribute__((__aligned__(__alignof(x))))
 #define _alignptr_ __attribute__((__aligned__(sizeof(void*))))
 #if __GNUC__ >= 7
@@ -138,9 +135,6 @@
 /* automake test harness */
 #define EXIT_TEST_SKIP 77
 
-#define XSTRINGIFY(x) #x
-#define STRINGIFY(x) XSTRINGIFY(x)
-
 /* builtins */
 #if __SIZEOF_INT__ == 4
 #define BUILTIN_FFS_U32(x) __builtin_ffs(x);

diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
index 47768931082f049818d57eb4aa85653b011106ee..ab5530bec17ab6a112dca818a6fd02131a36939a 100644 (file)
--- a/src/boot/efi/meson.build
+++ b/src/boot/efi/meson.build
@@ -102,6 +102,42 @@ if have_gnu_efi
         efi_conf.set10('ENABLE_TPM', get_option('tpm'))
         efi_conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
 
+        if get_option('sbat-distro') != ''
+                efi_conf.set_quoted('SBAT_PROJECT', meson.project_name())
+                efi_conf.set_quoted('PROJECT_VERSION', substs.get('PROJECT_VERSION'))
+                efi_conf.set_quoted('PROJECT_URL', substs.get('PROJECT_URL'))
+                if get_option('sbat-distro-generation') < 1
+                       error('SBAT Distro Generation must be a positive integer')
+                endif
+                efi_conf.set('SBAT_DISTRO_GENERATION', get_option('sbat-distro-generation'))
+                sbatvars = [['sbat-distro', 'ID'],
+                            ['sbat-distro-summary', 'NAME'],
+                            ['sbat-distro-url', 'BUG_REPORT_URL']]
+                foreach sbatvar : sbatvars
+                        value = get_option(sbatvar[0])
+                        if value == '' or value == 'auto'
+                                value = run_command('sh', '-c', 'if [ -e /etc/os-release ]; then . /etc/os-release; else . /usr/lib/os-release; fi; echo $' + sbatvar[1]).stdout().strip()
+                        endif
+                        if value == ''
+                                error('Required @0@ option not set and autodetection failed'.format(sbatvar[0]))
+                        endif
+                        efi_conf.set_quoted(sbatvar[0].underscorify().to_upper(), value)
+                endforeach
+
+                pkgname = get_option('sbat-distro-pkgname')
+                if pkgname == ''
+                        pkgname = meson.project_name()
+                endif
+                efi_conf.set_quoted('SBAT_DISTRO_PKGNAME', pkgname)
+
+                pkgver = get_option('sbat-distro-version')
+                if pkgver == ''
+                        efi_conf.set('SBAT_DISTRO_VERSION', 'GIT_VERSION')
+                else
+                        efi_conf.set_quoted('SBAT_DISTRO_VERSION', pkgver)
+                endif
+        endif
+
         efi_config_h = configure_file(
                 output : 'efi_config.h',
                 configuration : efi_conf)
@@ -244,6 +280,7 @@ if have_gnu_efi
                         command : [objcopy,
                                    '-j', '.text',
                                    '-j', '.sdata',
+                                   '-j', '.sbat',
                                    '-j', '.data',
                                    '-j', '.dynamic',
                                    '-j', '.dynsym',

diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
index cacf3b6a7b834dd72986505341ea18520a1c95ec..c1dfcfc5cb0beb1c12a02962ee1c366a30528614 100644 (file)
--- a/src/boot/efi/secure-boot.c
+++ b/src/boot/efi/secure-boot.c
@@ -11,3 +11,10 @@ BOOLEAN secure_boot_enabled(void) {
 
         return !EFI_ERROR(err) && secure;
 }
+
+#ifdef SBAT_DISTRO
+static const char sbat[] _used_ _section_ (".sbat") _align_ (512) =
+        "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
+        SBAT_PROJECT ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n"
+        SBAT_PROJECT "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n";
+#endif

diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 790920eb23bac05753bb06a0a8c79bfb31df2c54..6ff8372f3cdd856e123b21935cb934f317d20d4e 100644 (file)
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -7,11 +7,17 @@
 
 #include "type.h"
 
+#define _align_(x) __attribute__((__aligned__(x)))
 #define _const_ __attribute__((__const__))
 #define _pure_ __attribute__((__pure__))
+#define _section_(x) __attribute__((__section__(x)))
+#define _used_ __attribute__((__used__))
 #define _unused_ __attribute__((__unused__))
 #define _cleanup_(x) __attribute__((__cleanup__(x)))
 
+#define XSTRINGIFY(x) #x
+#define STRINGIFY(x) XSTRINGIFY(x)
+
 #ifndef __COVERITY__
 #  define VOID_0 ((void)0)
 #else