system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-08 20:15:55 +00:00
Code Issues Projects Releases Wiki Activity

boot: add optional EFI SBAT support

Browse Source 
Add SBAT support, when -Dsbat-distro value is specified. One can use
-Dsbat-distro=auto for autodetection of all sbat options. Many meson configure
options added to customize SBAT CSV values, but sensible defaults are auto
detected by default. SBAT support is required if shim v15+ is used to load
systemd-boot binary or kernel.efi (Type II BootLoaderSpec).

Fixes #19247
This commit is contained in:
Dimitri John Ledkov 2021-04-27 16:53:53 +01:00
parent ac2c088939
commit 9137c03c04
No known key found for this signature in database
GPG Key ID: 9B8EC849D5EF70ED
5 changed files with 62 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
meson_options.txt
View File

@ -370,6 +370,18 @@ option('efi-includedir', type : 'string', value : '/usr/include/efi',
description : 'path to the EFI header directory')
option('tpm-pcrindex', type : 'integer', value : 8,
description : 'TPM PCR register number to use')
option('sbat-distro', type : 'string',
description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
option('sbat-distro-generation', type : 'integer', value : 1,
description : 'SBAT distribution generation')
option('sbat-distro-summary', type : 'string',
description : 'SBAT distribution summary, e.g. Fedora')
option('sbat-distro-pkgname', type : 'string',
description : 'SBAT distribution package name, e.g. systemd')
option('sbat-distro-version', type : 'string',
description : 'SBAT distribution package version, e.g. 248-7.fc34')
option('sbat-distro-url', type : 'string',
description : 'SBAT distribution URL, e.g. https://src.fedoraproject.org/rpms/systemd')
option('bashcompletiondir', type : 'string',
description : 'directory for bash completion scripts ["no" disables]')

6
src/basic/macro.h
View File

@ -18,8 +18,6 @@
# define _alloc_(...) __attribute__((__alloc_size__(__VA_ARGS__)))
#endif
#define _sentinel_ __attribute__((__sentinel__))
#define _section_(x) __attribute__((__section__(x)))
#define _used_ __attribute__((__used__))
#define _destructor_ __attribute__((__destructor__))
#define _deprecated_ __attribute__((__deprecated__))
#define _packed_ __attribute__((__packed__))
@ -30,7 +28,6 @@
#define _public_ __attribute__((__visibility__("default")))
#define _hidden_ __attribute__((__visibility__("hidden")))
#define _weakref_(x) __attribute__((__weakref__(#x)))
#define _align_(x) __attribute__((__aligned__(x)))
#define _alignas_(x) __attribute__((__aligned__(__alignof(x))))
#define _alignptr_ __attribute__((__aligned__(sizeof(void*))))
#if __GNUC__ >= 7
@ -138,9 +135,6 @@
/* automake test harness */
#define EXIT_TEST_SKIP 77
#define XSTRINGIFY(x) #x
#define STRINGIFY(x) XSTRINGIFY(x)
/* builtins */
#if __SIZEOF_INT__ == 4
#define BUILTIN_FFS_U32(x) __builtin_ffs(x);

37
src/boot/efi/meson.build
View File

@ -102,6 +102,42 @@ if have_gnu_efi
efi_conf.set10('ENABLE_TPM', get_option('tpm'))
efi_conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
if get_option('sbat-distro') != ''
efi_conf.set_quoted('SBAT_PROJECT', meson.project_name())
efi_conf.set_quoted('PROJECT_VERSION', substs.get('PROJECT_VERSION'))
efi_conf.set_quoted('PROJECT_URL', substs.get('PROJECT_URL'))
if get_option('sbat-distro-generation') < 1
error('SBAT Distro Generation must be a positive integer')
endif
efi_conf.set('SBAT_DISTRO_GENERATION', get_option('sbat-distro-generation'))
sbatvars = [['sbat-distro', 'ID'],
['sbat-distro-summary', 'NAME'],
['sbat-distro-url', 'BUG_REPORT_URL']]
foreach sbatvar : sbatvars
value = get_option(sbatvar[0])
if value == '' or value == 'auto'
value = run_command('sh', '-c', 'if [ -e /etc/os-release ]; then . /etc/os-release; else . /usr/lib/os-release; fi; echo $' + sbatvar[1]).stdout().strip()
endif
if value == ''
error('Required @0@ option not set and autodetection failed'.format(sbatvar[0]))
endif
efi_conf.set_quoted(sbatvar[0].underscorify().to_upper(), value)
endforeach
pkgname = get_option('sbat-distro-pkgname')
if pkgname == ''
pkgname = meson.project_name()
endif
efi_conf.set_quoted('SBAT_DISTRO_PKGNAME', pkgname)
pkgver = get_option('sbat-distro-version')
if pkgver == ''
efi_conf.set('SBAT_DISTRO_VERSION', 'GIT_VERSION')
else
efi_conf.set_quoted('SBAT_DISTRO_VERSION', pkgver)
endif
endif
efi_config_h = configure_file(
output : 'efi_config.h',
configuration : efi_conf)
@ -244,6 +280,7 @@ if have_gnu_efi
command : [objcopy,
'-j', '.text',
'-j', '.sdata',
'-j', '.sbat',
'-j', '.data',
'-j', '.dynamic',
'-j', '.dynsym',

7
src/boot/efi/secure-boot.c
View File

@ -11,3 +11,10 @@ BOOLEAN secure_boot_enabled(void) {
return !EFI_ERROR(err) && secure;
}
#ifdef SBAT_DISTRO
static const char sbat[] _used_ _section_ (".sbat") _align_ (512) =
"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
SBAT_PROJECT ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n"
SBAT_PROJECT "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n";
#endif

6
src/fundamental/macro-fundamental.h
View File

@ -7,11 +7,17 @@
#include "type.h"
#define _align_(x) __attribute__((__aligned__(x)))
#define _const_ __attribute__((__const__))
#define _pure_ __attribute__((__pure__))
#define _section_(x) __attribute__((__section__(x)))
#define _used_ __attribute__((__used__))
#define _unused_ __attribute__((__unused__))
#define _cleanup_(x) __attribute__((__cleanup__(x)))
#define XSTRINGIFY(x) #x
#define STRINGIFY(x) XSTRINGIFY(x)
#ifndef __COVERITY__
# define VOID_0 ((void)0)
#else