From c67d5a027d7a34ab19a12f7585dd7c143d82481d Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Sun, 21 May 2023 14:32:39 +0100 Subject: [PATCH] ukify: add default .sbat section for addons In order to ensure addons can always be revoked via SBAT, and it is not left out by mistake, have a default metadata entry if none is specified by the caller. https://github.com/rhboot/shim/blob/main/SBAT.md --- man/ukify.xml | 26 +++++++++++++++++++++++++- src/ukify/ukify.py | 14 +++++++++++++- 2 files changed, 38 insertions(+), 2 deletions(-) diff --git a/man/ukify.xml b/man/ukify.xml index 2e22b1f42e4..4531ac89b28 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -50,6 +50,7 @@ Splash=/, PCRPKey=/, Uname=/, + SBAT=/, and below. @@ -369,6 +370,27 @@ + + + [Addon:<replaceable>NAME</replaceable>] section + + Currently, these options only apply when building PE addons. + + + + SBAT=TEXT|@PATH + + + SBAT metadata associated with the addon. SBAT policies are useful to revoke whole + groups of addons with a single, static policy update that does not take space in DBX/MOKX. If not + specified manually, a default metadata entry consisting of + uki.addon.systemd,1,UKI Addon,uki.addon.systemd,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html + will be used, to ensure it is always possible to revoke addons. For more information on SBAT see + Shim's documentation. + + + + @@ -464,11 +486,13 @@ Phases=enter-initrd:leave-initrd --secureboot-private-key=sb.key \ --secureboot-certificate=sb.cert \ --cmdline='debug' \ + --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md + uki.addon.author,1,UKI Addon for System,uki.addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html' --output=debug.cmdline This creates a signed PE binary that contains the additional kernel command line parameter - debug. + debug with SBAT metadata referring to the owner of the addon. 
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 3a0c7af3625..66e176cd0ce 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -679,10 +679,12 @@ def make_uki(opts):
 call_systemd_measure(uki, linux, opts=opts)
- # UKI creation
+ # UKI or addon creation - addons don't use the stub so we add SBAT manually
 if linux is not None:
 uki.add_section(Section.create('.linux', linux, measure=True))
+ elif opts.sbat:
+ uki.add_section(Section.create('.sbat', opts.sbat, measure=False))
 if sign_args_present:
 unsigned = tempfile.NamedTemporaryFile(prefix='uki')
@@ -927,6 +929,16 @@ CONFIG_ITEMS = [
 config_key = 'UKI/Stub',
 ),
+ ConfigItem(
+ '--sbat',
+ metavar = 'TEXT|@PATH',
+ help = 'SBAT policy [.sbat section] for addons',
+ default = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+uki.addon,1,UKI Addon,uki.addon,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
+""",
+ config_key = 'Addon/SBAT',
+ ),
 ConfigItem(
 '--section',
 dest = 'sections',
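Review bot: The new `elif opts.sbat:` branch writes whatever text `--sbat` / `Addon/SBAT` supplied into the `.sbat` section with no format check, yet the component name in that text is the key shim matches when revoking, so a typo or a file lacking the `sbat,1,...` header row either makes the addon unparseable by shim or quietly drops it out of the revocation group the commit message says it wants to guarantee. A minimal sanity check before `Section.create` — a header entry on the first line and six comma-separated fields per entry, as the SBAT.md the patch links describes — would catch that at build time; the shape below assumes `opts.sbat` is plain text at this point (if the `@PATH` form is turned into a path earlier, as other `TEXT|@PATH` options in ukify appear to be, read the file before checking). Separately, when `linux is not None` the branch is skipped entirely, so an explicit `--sbat` passed while building a UKI is discarded without any message; a warning there would avoid surprises. `make_uki` begins before and continues after this hunk.
```python
def _check_sbat(text):
    """Reject SBAT metadata shim could not parse; a bad entry defeats revocation."""
    entries = [line for line in text.splitlines() if line.strip()]
    if not entries or not entries[0].startswith('sbat,'):
        raise ValueError('SBAT metadata must start with the "sbat,1,SBAT Version,..." header entry')
    for entry in entries:
        if len(entry.split(',')) < 6:
            raise ValueError(f'SBAT entry needs 6 comma-separated fields: {entry!r}')

# … unchanged: call_systemd_measure …
    if linux is not None:
        uki.add_section(Section.create('.linux', linux, measure=True))
    elif opts.sbat:
        _check_sbat(opts.sbat)
        uki.add_section(Section.create('.sbat', opts.sbat, measure=False))
```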
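Review bot: The default `.sbat` text in this `ConfigItem` names the component `uki.addon`, but the man page hunk of the same patch documents the default as `uki.addon.systemd` and omits the leading `sbat,1,SBAT Version,...` header row; since that component name is exactly the string a future revocation policy has to match, the two must agree or an operator who writes a policy from the documentation will revoke nothing. Either rename the entry here to `uki.addon.systemd,1,UKI Addon,uki.addon.systemd,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html` or fix the man page to quote the two-line text the code actually emits. A one-line comment above `default =` would also make the shared-key consequence explicit for anyone tuning the value: `# Shared default: revoking uki.addon generation 1 via SBAT revokes every addon built with it.` The `CONFIG_ITEMS` list starts before and continues after this hunk.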