SBAT is a mechanism which improves SecureBoot revocations of UEFI binaries by introducing a generation-based technique. Compromised or vulnerable UEFI binaries can be prevented from booting by bumping the minimal required generation for the specific component in the bootloader. More information on the SBAT can be obtained here: https://github.com/rhboot/shim/blob/main/SBAT.md Upstream Linux kernel does not currently participate in any way in SBAT as there's no existing policy on how the SBAT generation number should be defined. Keep the status quo and provide a mechanism for distro vendors and anyone else who signs their kernel for SecureBoot to include their own SBAT data. This leaves the decision on the policy to the vendor. Basically, each distro implementing SecureBoot today will have an option to inject their own SBAT data during kernel build and before it gets signed by their SecureBoot CA. Different distros do not need to agree on the common SBAT component names or generation numbers as each distro ships its own 'shim' with their own 'vendor_cert'/'vendor_db'. Implement support for embedding SBAT data for architectures using zboot (arm64, loongarch, riscv). Put '.sbat' section in between '.data' and '.text' as the former also covers '.bss' and thus must be the last one. Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
# SPDX-License-Identifier: GPL-2.0

# to be include'd by arch/$(ARCH)/boot/Makefile after setting
# EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET, EFI_ZBOOT_MACH_TYPE and
# EFI_ZBOOT_FORWARD_CFI
#
# Pipeline defined by this fragment (all outputs live in $(obj)):
#   $(EFI_ZBOOT_PAYLOAD) -> vmlinux.bin     copied and padded to in-memory size
#   vmlinux.bin          -> vmlinuz         compressed with $(zboot-method-y)
#   vmlinuz              -> vmlinuz.o       objcopy'd into a .gzdata section
#   vmlinuz.o + zboot-header.o + libstub lib.a -> vmlinuz.efi.elf   linked
#   vmlinuz.efi.elf      -> vmlinuz.efi     flat PE image via objcopy -O binary
# Every rule lists FORCE and runs through kbuild's if_changed, so a step is
# redone when its inputs or its command line differ from the recorded ones.

# Copy the payload, then resize the copy to the value of the 4-byte field at
# byte offset 16 of the payload (hexdump: skip 16, read 4, print unsigned).
# "$$" passes a literal "$" to the shell for the command substitution. The
# size is taken from the payload header as-is; a corrupt header produces a
# wrongly sized image here rather than a build error.
quiet_cmd_copy_and_pad = PAD $@
      cmd_copy_and_pad = cp $< $@; \
			 truncate -s $$(hexdump -s16 -n4 -e '"%u"' $<) $@

# Pad the file to the size of the uncompressed image in memory, including BSS
$(obj)/vmlinux.bin: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
	$(call if_changed,copy_and_pad)

# in GZIP, the appended le32 carrying the uncompressed size is part of the
# format, but in other cases, we just append it at the end for convenience,
# causing the original tools to complain when checking image integrity.
#
# Defaults (gzip): the stream already ends with the size, so nothing extra is
# appended and the header is told a 0-byte size trailer.
comp-type-y := gzip
zboot-method-y := gzip
zboot-size-len-y := 0

# With CONFIG_KERNEL_ZSTD=y the "-$(CONFIG_KERNEL_ZSTD)" suffix becomes "-y"
# and these override the gzip defaults; zboot-size-len-y = 4 matches the
# size trailer that zstd22_with_size (going by its name) appends.
comp-type-$(CONFIG_KERNEL_ZSTD) := zstd
zboot-method-$(CONFIG_KERNEL_ZSTD) := zstd22_with_size
zboot-size-len-$(CONFIG_KERNEL_ZSTD) := 4

$(obj)/vmlinuz: $(obj)/vmlinux.bin FORCE
	$(call if_changed,$(zboot-method-y))

# avoid eager evaluation to prevent references to non-existent build artifacts
# (recursive "=" is deliberate). Wraps the compressed blob in an object whose
# contents sit in a read-only, allocated .gzdata section instead of .data.
OBJCOPYFLAGS_vmlinuz.o = -I binary -O $(EFI_ZBOOT_BFD_TARGET) $(EFI_ZBOOT_OBJCOPY_FLAGS) \
			 --rename-section .data=.gzdata,load,alloc,readonly,contents
$(obj)/vmlinuz.o: $(obj)/vmlinuz FORCE
	$(call if_changed,objcopy)

# Non-empty only when EFI_ZBOOT_FORWARD_CFI is "y"; the define is picked up
# below via $(aflags-zboot-header-y) and presumably consumed by the header
# source to set the PE DllCharacteristicsEx forward-CFI bit.
aflags-zboot-header-$(EFI_ZBOOT_FORWARD_CFI) := \
		-DPE_DLL_CHAR_EX=IMAGE_DLLCHARACTERISTICS_EX_FORWARD_CFI_COMPAT

# Assembler defines for the PE/COFF header: machine type, path of the linked
# ELF, length of the size trailer chosen above, compression name, and the
# optional forward-CFI flag.
# NOTE(review): $(realpath ...) of a file that does not exist yet expands to
# nothing, and zboot-header.o is assembled before vmlinuz.efi.elf is linked;
# confirm the header source tolerates an empty ZBOOT_EFI_PATH on a clean build.
AFLAGS_zboot-header.o += -DMACHINE_TYPE=IMAGE_FILE_MACHINE_$(EFI_ZBOOT_MACH_TYPE) \
			 -DZBOOT_EFI_PATH="\"$(realpath $(obj)/vmlinuz.efi.elf)\"" \
			 -DZBOOT_SIZE_LEN=$(zboot-size-len-y) \
			 -DCOMP_TYPE="\"$(comp-type-y)\"" \
			 $(aflags-zboot-header-y)

$(obj)/zboot-header.o: $(srctree)/drivers/firmware/efi/libstub/zboot-header.S FORCE
	$(call if_changed_rule,as_o_S)

# SBAT: when a vendor points CONFIG_EFI_SBAT_FILE at their SBAT data, make the
# header object depend on it so the embedded .sbat contents are regenerated
# whenever that file changes (the embedding itself presumably happens in the
# header source, not here). Nothing in this fragment validates the file's
# format; its content is vendor revocation policy.
# NOTE(review): kbuild usually exposes Kconfig string values with their
# surrounding quotes, and a relative path is resolved from make's working
# directory; confirm this prerequisite resolves to the real file, or use the
# $(CONFIG_EFI_SBAT_FILE:"%"=%) form if the quotes are present.
ifneq ($(CONFIG_EFI_SBAT_FILE),)
$(obj)/zboot-header.o: $(CONFIG_EFI_SBAT_FILE)
endif

# Everything vmlinuz.efi.elf needs besides the payload object.
ZBOOT_DEPS := $(obj)/zboot-header.o $(objtree)/drivers/firmware/efi/libstub/lib.a

# Link against the zboot linker script; section placement (including where
# .sbat ends up relative to .data and .text) is decided there, not here.
LDFLAGS_vmlinuz.efi.elf := -T $(srctree)/drivers/firmware/efi/libstub/zboot.lds
$(obj)/vmlinuz.efi.elf: $(obj)/vmlinuz.o $(ZBOOT_DEPS) FORCE
	$(call if_changed,ld)

# Flatten the ELF into the raw PE image that is handed to firmware (and to
# whoever signs it for SecureBoot).
OBJCOPYFLAGS_vmlinuz.efi := -O binary
$(obj)/vmlinuz.efi: $(obj)/vmlinuz.efi.elf FORCE
	$(call if_changed,objcopy)

# Register the intermediates with kbuild so their command files are tracked
# for if_changed and they are removed together with the rest of $(obj).
targets += zboot-header.o vmlinux.bin vmlinuz vmlinuz.o vmlinuz.efi.elf vmlinuz.efi