Create revocations.efi to deliver new sbat level requirements

This covers delivering updates to SBAT_LEVEL without the need to create and sign a new shim Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
rhboot · Mar 31, 2023 · d02add2 · d02add2
1 parent e1e8bd5
commit d02add2
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -55,6 +55,8 @@ $(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
 endef
 
 SBATPATH = $(TOPDIR)/data/sbat.csv
+SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv
+SBATLEVELPREVIOUSPATH = $(TOPDIR)/data/sbat_level_previous.csv
 VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x))))
 
 OBJFLAGS =
@@ -84,7 +86,7 @@ ifeq ($(ARCH),arm)
 	BUILDFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
 endif
 
-all : certmule.efi
+all : certmule.efi revocations.efi
 
 certmule.so : sbat_data.o certmule.o
 certmule.so : SOLIBS=
@@ -94,6 +96,15 @@ certmule.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<)
 certmule.efi : SECTIONS=.text .reloc .db .sbat
 certmule.efi : VENDOR_DB_FILE?=db.esl
 
+revocations.so : sbat_data.o revocations.o
+revocations.so : SOLIBS=
+revocations.so : SOFLAGS=
+revocations.efi : OBJFLAGS = --strip-unneeded 
+revocations.efi : SECTIONS=.text .reloc .sbat .sbatlevellatest .sbatlevelprevious
+
+revocations.o : certmule.o
+	cp certmule.o revocations.o
+
 %.efi : %.so
 ifneq ($(OBJCOPY_GTE224),1)
 	$(error objcopy >= 2.24 is required)
@@ -109,6 +120,12 @@ sbat_data.o : /dev/null
 	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
 		--set-section-flags .sbat=contents,alloc,load,readonly,data \
 		$@
+	$(OBJCOPY) --add-section .sbatlevellatest=$(SBATLEVELLATESTPATH) \
+		--set-section-flags .sbatlevellatest=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sbatlevelprevious=$(SBATLEVELPREVIOUSPATH) \
+		--set-section-flags .sbatlevelprevious=contents,alloc,load,readonly,data \
+		$@
 	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
 
 %.so : %.o

diff --git a/data/sbat_level_latest.csv b/data/sbat_level_latest.csv
@@ -0,0 +1,3 @@
+sbat,1,2022111500
+shim,2
+grub,3
diff --git a/data/sbat_level_previous.csv b/data/sbat_level_previous.csv
@@ -0,0 +1,2 @@
+sbat,1,2022052400
+grub,2