From: Luca Boccassi
Date: Sat, 16 Sep 2023 23:55:55 +0000 (+0100)
Subject: boot: use separate SBAT project names for stub and boot
X-Git-Tag: v255-rc1~497
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c9bebec872;p=thirdparty%2Fsystemd.git
boot: use separate SBAT project names for stub and boot
The implementations are not 100% overlapping, so use different identifiers, so that revocations can be done independently. e.g.: a bug that affects only sd-boot won't necessarily cause old UKIs to be revoked.
---
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index 83cdd87afc1..a870348f273 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -17,6 +17,7 @@
 #include "proto/device-path.h"
 #include "proto/simple-text-io.h"
 #include "random-seed.h"
+#include "sbat.h"
 #include "secure-boot.h"
 #include "shim.h"
 #include "ticks.h"
@@ -34,6 +35,8 @@ _used_ _section_(".osrel") static const char osrel[] =
 "VERSION=\"" GIT_VERSION "\"\n"
 "NAME=\"systemd-boot " GIT_VERSION "\"\n";
+DECLARE_SBAT(SBAT_BOOT_SECTION_TEXT);
+
 typedef enum LoaderType {
 LOADER_UNDEFINED,
 LOADER_AUTO,
diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
index 3a80712fe06..f6776af9178 100644
--- a/src/boot/efi/secure-boot.c
+++ b/src/boot/efi/secure-boot.c
@@ -2,7 +2,6 @@
 #include "console.h"
 #include "proto/security-arch.h"
-#include "sbat.h"
 #include "secure-boot.h"
 #include "util.h"
 #include "vmm.h"
@@ -33,10 +32,6 @@ SecureBootMode secure_boot_mode(void) {
 return decode_secure_boot_mode(secure, audit, deployed, setup);
 }
-#ifdef SBAT_DISTRO
-static const char sbat[] _used_ _section_(".sbat") = SBAT_SECTION_TEXT;
-#endif
-
 EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool force) {
 assert(root_dir);
 assert(path);
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index e34fc77faa5..6cd5ccb5d44 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -10,6 +10,7 @@
 #include "pe.h"
 #include "proto/shell-parameters.h"
 #include "random-seed.h"
+#include "sbat.h"
 #include "secure-boot.h"
 #include "shim.h"
 #include "splash.h"
@@ -22,6 +23,8 @@
 /* magic string to find in the binary image */
 _used_ _section_(".sdmagic") static const char magic[] = "#### LoaderInfo: systemd-stub " GIT_VERSION " ####";
+DECLARE_SBAT(SBAT_STUB_SECTION_TEXT);
+
 static EFI_STATUS combine_initrd(
 EFI_PHYSICAL_ADDRESS initrd_base, size_t initrd_size,
 const void * const extra_initrds[], const size_t extra_initrd_sizes[], size_t n_extra_initrds,
diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 1d49765fce9..7367bcb4117 100644
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -395,3 +395,10 @@ static inline size_t ALIGN_TO(size_t l, size_t ali) {
 dummy_t __empty__ ## name; \
 type name[]; \
 }
+
+#ifdef SBAT_DISTRO
+ #define DECLARE_SBAT(text) \
+ static const char sbat[] _used_ _section_(".sbat") = (text)
+#else
+ #define DECLARE_SBAT(text)
+#endif
diff --git a/src/fundamental/sbat.h b/src/fundamental/sbat.h
index e3198287ba7..9288e058125 100644
--- a/src/fundamental/sbat.h
+++ b/src/fundamental/sbat.h
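Review bot: In the `#else` branch of the macro-fundamental.h hunk `DECLARE_SBAT(text)` expands to nothing, so the call sites `DECLARE_SBAT(SBAT_BOOT_SECTION_TEXT);` and `DECLARE_SBAT(SBAT_STUB_SECTION_TEXT);` in boot.c and stub.c leave a bare `;` at file scope, which ISO C does not allow and pedantic builds warn about. An expansion that still consumes the semicolon avoids this, e.g. `#define DECLARE_SBAT(text) _Static_assert(1, "SBAT_DISTRO not set")`. The macro would also benefit from a comment saying that it fixes the array name `sbat`, so it can be used only once per translation unit, and that a build without SBAT_DISTRO emits no `.sbat` section at all; how shim treats such a binary under Secure Boot is not visible here and is worth stating for packagers.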
@@ -2,8 +2,13 @@
 #ifdef SBAT_DISTRO
 # include "version.h"
-# define SBAT_SECTION_TEXT \
- "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n" \
- SBAT_PROJECT ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
- SBAT_PROJECT "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
+# define SBAT_MAGIC "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
+# define SBAT_BOOT_SECTION_TEXT \
+ SBAT_MAGIC \
+ SBAT_PROJECT "-boot" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
+ SBAT_PROJECT "-boot" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
+# define SBAT_STUB_SECTION_TEXT \
+ SBAT_MAGIC \
+ SBAT_PROJECT "-stub" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
+ SBAT_PROJECT "-stub" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
 #endif
diff --git a/src/test/test-sbat.c b/src/test/test-sbat.c
index 1a905418d1d..0c4310015be 100644
--- a/src/test/test-sbat.c
+++ b/src/test/test-sbat.c
@@ -10,10 +10,12 @@
 TEST(sbat_section_text) {
 log_info("---SBAT-----------&<----------------------------------------\n"
+ "%s"
 "%s"
 "------------------>&-----------------------------------------",
 #ifdef SBAT_DISTRO
- SBAT_SECTION_TEXT
+ SBAT_BOOT_SECTION_TEXT,
+ SBAT_STUB_SECTION_TEXT
 #else
 "(not defined)"
 #endif
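Review bot: The two new macros in sbat.h are line-for-line copies that differ only in the `"-boot"` / `"-stub"` suffix, and the upstream generation is the literal `,1,` in each, so a later generation bump has to land in exactly the right copy with nothing in the header saying so. A short comment above them would help, for example `/* Generations for the -boot and -stub components are bumped independently; binaries built before this split carry the unsuffixed SBAT_PROJECT name. */`. The second half matters to whoever maintains revocation data: as far as this hunk shows, an entry keyed on the old component name does not match the new ones and vice versa, so both need tracking while older binaries are still trusted. The fourth field still reads plain `SBAT_PROJECT` in both macros; if that is intentional, the same comment is a good place to say so.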
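Review bot: With SBAT_DISTRO undefined the format string in test-sbat.c now has two `%s` conversions, but the unchanged `#else` branch still passes the single argument `"(not defined)"`, so log_info() reads a variadic argument that was never supplied; that is undefined behaviour and should trip -Wformat. The `#else` branch needs a second argument, e.g. `"(not defined)", ""`. The closing of the log_info() call lies outside the hunk.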