revocations.efi to deliver new sbat level requirements as well as updated bootmgr SkuSiPolicy

Makefile

@@ -51,10 +51,19 @@ endef
 
 define add-vendor-sbat
 $(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
+endef
 
+define add-skusi
+$(OBJCOPY) --add-section ".$(patsubst %.bin,%,$(1))=$(1)" $(2)
 endef
 
 SBATPATH = $(TOPDIR)/data/sbat.csv
+SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv
+SBATLEVELAUTOMATICPATH = $(TOPDIR)/data/sbat_level_automatic.csv
+SSPVLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_Version_latest.bin
+SSPSLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_latest.bin
+SSPVAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_Version_automatic.bin
+SSPSAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_automatic.bin
 VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x))))
 
 OBJFLAGS =
@@ -84,16 +93,25 @@ ifeq ($(ARCH),arm)
 	BUILDFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
 endif
 
-all : certwrapper.efi
+all : certmule.efi revocations.efi
 
-certwrapper.so : sbat_data.o certwrapper.o
+certwrapper.so : revocation_data.o certwrapper.o
 certwrapper.so : SOLIBS=
 certwrapper.so : SOFLAGS=
 certwrapper.so : BUILDFLAGS+=-DVENDOR_DB
 certwrapper.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<)
 certwrapper.efi : SECTIONS=.text .reloc .db .sbat
 certwrapper.efi : VENDOR_DB_FILE?=db.esl
 
+revocations.so : revocation_data.o revocations.o
+revocations.so : SOLIBS=
+revocations.so : SOFLAGS=
+revocations.efi : OBJFLAGS = --strip-unneeded
+revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbata .sspva .sspsa .sspvl .sspsl
+
+revocations.o : certmule.o
+	cp certmule.o revocations.o
+
 %.efi : %.so
 ifneq ($(OBJCOPY_GTE224),1)
 	$(error objcopy >= 2.24 is required)
@@ -103,12 +121,30 @@ endif
 		   $(OBJFLAGS) \
 		   $(FORMAT) $^ $@
 
-sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
-sbat_data.o : /dev/null
+revocation_data.o : | $(SBATPATH) $(VENDOR_SBATS)
+revocation_data.o : /dev/null
 	$(CC) $(BUILDFLAGS) -x c -c -o $@ $<
 	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
 		--set-section-flags .sbat=contents,alloc,load,readonly,data \
 		$@
+	$(OBJCOPY) --add-section .sbatl=$(SBATLEVELLATESTPATH) \
+		--set-section-flags .sbatl=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sbata=$(SBATLEVELAUTOMATICPATH) \
+		--set-section-flags .sbata=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sspvl=$(SSPVLATESTPATH) \
+		--set-section-flags .sspvl=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sspsl=$(SSPSLATESTPATH) \
+		--set-section-flags .sspsl=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sspva=$(SSPVAUTOMATICPATH) \
+		--set-section-flags .sspva=contents,alloc,load,readonly,data \
+		$@
+	$(OBJCOPY) --add-section .sspsa=$(SSPSAUTOMATICPATH) \
+		--set-section-flags .sspsa=contents,alloc,load,readonly,data \
+		$@
 	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
 
 %.so : %.o

data/sbat_level_automatic.csv

@@ -0,0 +1,4 @@
+sbat,1,2022111500
+shim,2
+grub,3
+grub.debian,4

data/sbat_level_latest.csv

@@ -0,0 +1,3 @@
+sbat,1,2023100300
+shim,4
+grub,4