From patchwork Thu Apr 24 08:09:49 2025
X-Patchwork-Submitter: Vitaly Kuznetsov
X-Patchwork-Id: 885100
From: Vitaly Kuznetsov
To: x86@kernel.org, linux-efi@vger.kernel.org
Cc: Thomas Gleixner, Ingo Molnar, Dave Hansen, "H. Peter Anvin", Ard Biesheuvel, Peter Jones, Daniel Berrange, Emanuele Giuseppe Esposito, Gerd Hoffmann, Greg KH, Luca Boccassi, Peter Zijlstra, Matthew Garrett, James Bottomley, Eric Snowberg, Paolo Bonzini, Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] efi/libstub: zboot specific mechanism for embedding SBAT section
Date: Thu, 24 Apr 2025 12:09:49 +0400
Message-ID: <20250424080950.289864-2-vkuznets@redhat.com>
In-Reply-To: <20250424080950.289864-1-vkuznets@redhat.com>
References: <20250424080950.289864-1-vkuznets@redhat.com>
X-Mailing-List: linux-efi@vger.kernel.org

SBAT is a mechanism which improves SecureBoot revocations of UEFI binaries by introducing a generation-based technique. Compromised or vulnerable UEFI binaries can be prevented from booting by bumping the minimal required generation for the specific component in the bootloader. More information on SBAT can be obtained here:

https://github.com/rhboot/shim/blob/main/SBAT.md

Upstream Linux kernel does not currently participate in any way in SBAT as there's no existing policy on how the SBAT generation number should be defined. Keep the status quo and provide a mechanism for distro vendors and anyone else who signs their kernel for SecureBoot to include their own SBAT data. This leaves the decision on the policy to the vendor. Basically, each distro implementing SecureBoot today will have an option to inject their own SBAT data during the kernel build and before it gets signed by their SecureBoot CA. Different distros do not need to agree on common SBAT component names or generation numbers, as each distro ships its own 'shim' with its own 'vendor_cert'/'vendor_db'.

Implement support for embedding SBAT data for architectures using zboot (arm64, loongarch, riscv). Build the '.sbat' section along with libstub so it can be reused by the x86 implementation later.

Signed-off-by: Vitaly Kuznetsov
---
 drivers/firmware/efi/Kconfig                | 25 +++++++++++++++++++++
 drivers/firmware/efi/libstub/Makefile       |  7 ++++++
 drivers/firmware/efi/libstub/Makefile.zboot |  3 ++-
 drivers/firmware/efi/libstub/sbat.S         |  7 ++++++
 drivers/firmware/efi/libstub/zboot-header.S | 14 ++++++++++++
 drivers/firmware/efi/libstub/zboot.lds      | 17 ++++++++++++++
 6 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 drivers/firmware/efi/libstub/sbat.S

diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig
index 5fe61b9ab5f9..2edb0167ba49 100644
--- a/drivers/firmware/efi/Kconfig
+++ b/drivers/firmware/efi/Kconfig
@@ -281,6 +281,31 @@ config EFI_EMBEDDED_FIRMWARE bool select CRYPTO_LIB_SHA256 +config EFI_SBAT + bool "Embed SBAT section in the kernel" + depends on EFI_ZBOOT + help + SBAT section provides a way to improve SecureBoot revocations of UEFI + binaries by introducing a generation-based mechanism. With SBAT, older + UEFI binaries can be prevented from booting by bumping the minimal + required generation for the specific component in the bootloader. + + Note: SBAT information is distribution specific, i.e. the owner of the + signing SecureBoot certificate must define the SBAT policy. Linux + kernel upstream does not define SBAT components and their generations. + + See https://github.com/rhboot/shim/blob/main/SBAT.md for the additional + details. + + If unsure, say N. + +config EFI_SBAT_FILE + string "Embedded SBAT section file path" + depends on EFI_SBAT + help + Specify a file with SBAT data which is going to be embedded as '.sbat' + section into the kernel. + endmenu config UEFI_CPER diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index d23a1b9fed75..5113cbdadf9a 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile @@ -105,6 +105,13 @@ lib-$(CONFIG_UNACCEPTED_MEMORY) += unaccepted_memory.o bitmap.o find.o extra-y := $(lib-y) lib-y := $(patsubst %.o,%.stub.o,$(lib-y)) +extra-$(CONFIG_EFI_SBAT) += sbat.o +$(obj)/sbat.o: $(obj)/sbat.bin +targets += sbat.bin +filechk_sbat.bin = cat $(or $(real-prereqs), /dev/null) +$(obj)/sbat.bin: $(CONFIG_EFI_SBAT_FILE) FORCE + $(call filechk,sbat.bin) + # Even when -mbranch-protection=none is set, Clang will generate a # .note.gnu.property for code-less object files (like lib/ctype.c), # so work around this by explicitly removing the unwanted section. diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot index 48842b5c106b..3d2d0b326f7c 100644 --- a/drivers/firmware/efi/libstub/Makefile.zboot 
+++ b/drivers/firmware/efi/libstub/Makefile.zboot @@ -44,7 +44,8 @@ AFLAGS_zboot-header.o += -DMACHINE_TYPE=IMAGE_FILE_MACHINE_$(EFI_ZBOOT_MACH_TYPE $(obj)/zboot-header.o: $(srctree)/drivers/firmware/efi/libstub/zboot-header.S FORCE $(call if_changed_rule,as_o_S) -ZBOOT_DEPS := $(obj)/zboot-header.o $(objtree)/drivers/firmware/efi/libstub/lib.a +ZBOOT_DEPS := $(obj)/zboot-header.o $(objtree)/drivers/firmware/efi/libstub/lib.a \ + $(if $(CONFIG_EFI_SBAT),$(objtree)/drivers/firmware/efi/libstub/sbat.o) LDFLAGS_vmlinuz.efi.elf := -T $(srctree)/drivers/firmware/efi/libstub/zboot.lds $(obj)/vmlinuz.efi.elf: $(obj)/vmlinuz.o $(ZBOOT_DEPS) FORCE diff --git a/drivers/firmware/efi/libstub/sbat.S b/drivers/firmware/efi/libstub/sbat.S new file mode 100644 index 000000000000..4e99a1bac794 --- /dev/null +++ b/drivers/firmware/efi/libstub/sbat.S @@ -0,0 +1,7 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Embed SBAT data in the kernel. + */ + .pushsection ".sbat","a",@progbits + .incbin "drivers/firmware/efi/libstub/sbat.bin" + .popsection diff --git a/drivers/firmware/efi/libstub/zboot-header.S b/drivers/firmware/efi/libstub/zboot-header.S index fb676ded47fa..f2df24504fc5 100644 --- a/drivers/firmware/efi/libstub/zboot-header.S +++ b/drivers/firmware/efi/libstub/zboot-header.S @@ -135,6 +135,20 @@ __efistub_efi_zboot_header: IMAGE_SCN_MEM_READ | \ IMAGE_SCN_MEM_WRITE +#ifdef CONFIG_EFI_SBAT + .ascii ".sbat\0\0\0" + .long __sbat_size + .long _edata - .Ldoshdr + .long __sbat_size + .long _edata - .Ldoshdr + + .long 0, 0 + .short 0, 0 + .long IMAGE_SCN_CNT_INITIALIZED_DATA | \ + IMAGE_SCN_MEM_READ | \ + IMAGE_SCN_MEM_DISCARDABLE +#endif + .set .Lsection_count, (. - .Lsection_table) / 40 #ifdef PE_DLL_CHAR_EX diff --git a/drivers/firmware/efi/libstub/zboot.lds b/drivers/firmware/efi/libstub/zboot.lds index 9ecc57ff5b45..2cd5015c70ce 100644 --- a/drivers/firmware/efi/libstub/zboot.lds +++ b/drivers/firmware/efi/libstub/zboot.lds 
@@ -31,10 +31,24 @@ SECTIONS .data : ALIGN(4096) { *(.data* .init.data*) +#ifndef CONFIG_EFI_SBAT _edata = ALIGN(512); +#else + /* Avoid gap between '.data' and '.sbat' */ + _edata = ALIGN(4096); +#endif . = _edata; } +#ifdef CONFIG_EFI_SBAT + .sbat : ALIGN(4096) { + _sbat = . ; + *(.sbat) + _esbat = ALIGN(512); + . = _esbat; + } +#endif + .bss : { *(.bss* .init.bss*) _end = ALIGN(512); 
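Review bot: on the drivers/firmware/efi/Kconfig hunk, EFI_SBAT_FILE's help text leaves two things undocumented that anyone wiring this into a signing pipeline will need: what the file must contain (the build embeds it byte-for-byte through .incbin with no validation, so it has to already be in the CSV form described in the linked SBAT.md) and whether the path is resolved relative to the source tree, the object tree or the directory make is invoked from. Suggest spelling both out in the help, e.g. "The file is embedded verbatim and is not validated; it must be valid SBAT CSV as described in SBAT.md."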
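Review bot: on the drivers/firmware/efi/libstub/Makefile hunk, `filechk_sbat.bin = cat $(or $(real-prereqs), /dev/null)` lets an empty CONFIG_EFI_SBAT_FILE succeed silently: `$(obj)/sbat.bin` becomes empty, sbat.o is still built and linked, and the image ends up carrying a zero-length '.sbat' section, which is almost certainly not what someone who turned on EFI_SBAT wanted. A nonexistent path already fails with make's "No rule to make target", so only the empty-string case slips through; suggest an explicit `$(error CONFIG_EFI_SBAT requires CONFIG_EFI_SBAT_FILE)` under `ifdef CONFIG_EFI_SBAT` when the variable is empty and dropping the /dev/null fallback. Please also double-check that the Kconfig string's surrounding double quotes do not end up as part of the prerequisite path in `$(obj)/sbat.bin: $(CONFIG_EFI_SBAT_FILE) FORCE`.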
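Review bot: on the drivers/firmware/efi/libstub/zboot-header.S hunk, the '.sbat' entry derives both VirtualAddress and PointerToRawData from `_edata - .Ldoshdr` rather than from the section's own start symbol, so the PE header is only right while zboot.lds keeps `_sbat` exactly at `_edata` (which is what the ALIGN(4096) there exists to guarantee). The linker script already defines `_sbat`; suggest `.long _sbat - .Ldoshdr` for both fields, the same way the size field already takes `__sbat_size` from the script, so a later change to the section layout cannot silently desynchronise the header from the bytes it describes.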
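Review bot: the comment "Avoid gap between '.data' and '.sbat'" in this zboot.lds hunk reads as cosmetic, but with zboot-header.S computing the '.sbat' file offset and virtual address from `_edata`, `_sbat == _edata` is a correctness requirement: if anything ever separates the two, the PE section header points at the wrong bytes and nothing in the build notices. Suggest saying that in the comment and adding `ASSERT(_sbat == _edata, "'.sbat' must immediately follow '.data'")` inside the #ifdef so the build fails instead. The `_esbat = ALIGN(512)` tail is also counted in `__sbat_size`, so the section can carry up to 511 bytes of zero padding after the SBAT text; fine for a discardable data section, but worth a one-line comment.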
@@ -52,3 +66,6 @@ PROVIDE(__efistub__gzdata_size = PROVIDE(__data_rawsize = ABSOLUTE(_edata - _etext)); PROVIDE(__data_size = ABSOLUTE(_end - _etext)); +#ifdef CONFIG_EFI_SBAT +PROVIDE(__sbat_size = ABSOLUTE(_esbat - _sbat)); +#endif
From patchwork Thu Apr 24 08:09:50 2025
X-Patchwork-Submitter: Vitaly Kuznetsov
X-Patchwork-Id: 884081
From: Vitaly Kuznetsov
To: x86@kernel.org, linux-efi@vger.kernel.org
Cc: Thomas Gleixner, Ingo Molnar, Dave Hansen, "H. Peter Anvin", Ard Biesheuvel, Peter Jones, Daniel Berrange, Emanuele Giuseppe Esposito, Gerd Hoffmann, Greg KH, Luca Boccassi, Peter Zijlstra, Matthew Garrett, James Bottomley, Eric Snowberg, Paolo Bonzini, Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] x86/efi: Implement support for embedding SBAT data for x86
Date: Thu, 24 Apr 2025 12:09:50 +0400
Message-ID: <20250424080950.289864-3-vkuznets@redhat.com>
In-Reply-To: <20250424080950.289864-1-vkuznets@redhat.com>
References: <20250424080950.289864-1-vkuznets@redhat.com>
X-Mailing-List: linux-efi@vger.kernel.org

Similar to zboot architectures, implement support for embedding SBAT data for x86. Put the '.sbat' section at the very end of the binary.

Note, the obsolete CRC-32 checksum (see commit 9c54baab4401 ("x86/boot: Drop CRC-32 checksum and the build tool that generates it")) is gone, and while it would've been possible to reserve the last 4 bytes in the '.sbat' section too (like it's done today in '.data'), it seems to be a pointless exercise: SBAT makes zero sense without a signature on the EFI binary, so '.sbat' won't be at the very end of the file anyway. Any tool which uses the last 4 bytes of the file as a checksum is broken with signed EFI binaries already.

Signed-off-by: Vitaly Kuznetsov
---
 arch/x86/boot/Makefile                 |  2 +-
 arch/x86/boot/compressed/Makefile      |  2 ++
 arch/x86/boot/compressed/vmlinux.lds.S | 13 +++++++++++++
 arch/x86/boot/header.S                 | 13 +++++++++++++
 drivers/firmware/efi/Kconfig           |  2 +-
 5 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
index 81f55da81967..5f7b52f0e7f5 100644
--- a/arch/x86/boot/Makefile +++ b/arch/x86/boot/Makefile @@ -71,7 +71,7 @@ $(obj)/vmlinux.bin: $(obj)/compressed/vmlinux FORCE SETUP_OBJS = $(addprefix $(obj)/,$(setup-y)) -sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|z_.*\)$$/\#define ZO_\2 0x\1/p' +sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|_e\?sbat\|z_.*\)$$/\#define ZO_\2 0x\1/p' quiet_cmd_zoffset = ZOFFSET $@ cmd_zoffset = $(NM) $< | sed -n $(sed-zoffset) > $@ diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile index fdbce022db55..b9b80eccdc02 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile @@ -107,6 +107,8 @@ vmlinux-objs-$(CONFIG_UNACCEPTED_MEMORY) += $(obj)/mem.o vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o vmlinux-libs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a +vmlinux-objs-$(CONFIG_EFI_SBAT) += $(objtree)/drivers/firmware/efi/libstub/sbat.o + $(obj)/vmlinux: $(vmlinux-objs-y) $(vmlinux-libs-y) FORCE $(call if_changed,ld) diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S index 3b2bc61c9408..d0a27905de90 100644 --- a/arch/x86/boot/compressed/vmlinux.lds.S +++ b/arch/x86/boot/compressed/vmlinux.lds.S @@ -49,9 +49,22 @@ SECTIONS *(.data.*) /* Add 4 bytes of extra space for the obsolete CRC-32 checksum */ +#ifndef CONFIG_EFI_SBAT . = ALIGN(. + 4, 0x200); +#else + /* Avoid gap between '.data' and '.sbat' */ + . = ALIGN(. + 4, 0x1000); +#endif _edata = . ; } +#ifdef CONFIG_EFI_SBAT + .sbat : ALIGN(0x1000) { + _sbat = . ; + *(.sbat) + _esbat = ALIGN(0x200); + . = _esbat; + } +#endif . = ALIGN(L1_CACHE_BYTES); .bss : { _bss = . ; diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S index b5c79f43359b..ab851490ef74 100644 
--- a/arch/x86/boot/header.S +++ b/arch/x86/boot/header.S @@ -207,6 +207,19 @@ pecompat_fstart: IMAGE_SCN_MEM_READ | \ IMAGE_SCN_MEM_WRITE # Characteristics +#ifdef CONFIG_EFI_SBAT + .ascii ".sbat\0\0\0" + .long ZO__esbat - ZO__sbat # VirtualSize + .long setup_size + ZO__sbat # VirtualAddress + .long ZO__esbat - ZO__sbat # SizeOfRawData + .long setup_size + ZO__sbat # PointerToRawData + + .long 0, 0, 0 + .long IMAGE_SCN_CNT_INITIALIZED_DATA | \ + IMAGE_SCN_MEM_READ | \ + IMAGE_SCN_MEM_DISCARDABLE # Characteristics +#endif + .set section_count, (. - section_table) / 40 #endif /* CONFIG_EFI_STUB */ diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig index 2edb0167ba49..5022a378fec1 100644 --- a/drivers/firmware/efi/Kconfig +++ b/drivers/firmware/efi/Kconfig @@ -283,7 +283,7 @@ config EFI_EMBEDDED_FIRMWARE config EFI_SBAT bool "Embed SBAT section in the kernel" - depends on EFI_ZBOOT + depends on EFI_ZBOOT || (EFI_STUB && X86) help SBAT section provides a way to improve SecureBoot revocations of UEFI binaries by introducing a generation-based mechanism. With SBAT, older
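Review bot: in the arch/x86/boot/compressed/vmlinux.lds.S hunk the comment "Avoid gap between '.data' and '.sbat'" says what but not why. Because header.S fills in both VirtualAddress and PointerToRawData of '.sbat' as `setup_size + ZO__sbat`, the section's file offset and its load address are tied together, so the 0x1000 chosen here has to match the alignment the PE header promises for sections; a later cleanup that "tidies" it back to the 0x200 used for `_esbat` would yield an image whose header and layout disagree. Suggest stating that in the comment and mirroring the zboot side with an ASSERT on the alignment of `_sbat`.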
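Review bot: nit on the arch/x86/boot/header.S hunk: the zboot-header.S entry in patch 1 writes the four reserved fields as `.long 0, 0` followed by `.short 0, 0` (PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers), while this hunk collapses them to `.long 0, 0, 0`. Same 12 bytes, but the field-wise form is easier to check against the section header layout and keeps the two hand-written headers looking alike; consider matching, and adding the per-field `#` comments the hunk already uses for the other fields.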