Loading drivers/firmware/efi/Kconfig +24 −0 Original line number Diff line number Diff line Loading @@ -281,6 +281,30 @@ config EFI_EMBEDDED_FIRMWARE bool select CRYPTO_LIB_SHA256 config EFI_SBAT def_bool y if EFI_SBAT_FILE!="" config EFI_SBAT_FILE string "Embedded SBAT section file path" depends on EFI_ZBOOT help SBAT section provides a way to improve SecureBoot revocations of UEFI binaries by introducing a generation-based mechanism. With SBAT, older UEFI binaries can be prevented from booting by bumping the minimal required generation for the specific component in the bootloader. Note: SBAT information is distribution specific, i.e. the owner of the signing SecureBoot certificate must define the SBAT policy. Linux kernel upstream does not define SBAT components and their generations. See https://github.com/rhboot/shim/blob/main/SBAT.md for the additional details. Specify a file with SBAT data which is going to be embedded as '.sbat' section into the kernel. If unsure, leave blank. endmenu config UEFI_CPER Loading drivers/firmware/efi/libstub/Makefile.zboot +4 −0 Original line number Diff line number Diff line Loading @@ -44,6 +44,10 @@ AFLAGS_zboot-header.o += -DMACHINE_TYPE=IMAGE_FILE_MACHINE_$(EFI_ZBOOT_MACH_TYPE $(obj)/zboot-header.o: $(srctree)/drivers/firmware/efi/libstub/zboot-header.S FORCE $(call if_changed_rule,as_o_S) ifneq ($(CONFIG_EFI_SBAT_FILE),) $(obj)/zboot-header.o: $(CONFIG_EFI_SBAT_FILE) endif ZBOOT_DEPS := $(obj)/zboot-header.o $(objtree)/drivers/firmware/efi/libstub/lib.a LDFLAGS_vmlinuz.efi.elf := -T $(srctree)/drivers/firmware/efi/libstub/zboot.lds Loading drivers/firmware/efi/libstub/zboot-header.S +20 −2 Original line number Diff line number Diff line Loading 
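Review bot: The EFI_SBAT_FILE help text does not say what the file must contain or how its path is resolved, although the value is used verbatim both as a make prerequisite (Makefile.zboot hunk) and as the `.incbin` operand in zboot-header.S. As far as the visible build logic goes the file is embedded byte-for-byte with no check, so a malformed or empty SBAT CSV is only noticed when shim parses the `.sbat` section at boot; the help should state that the file is the plain-text SBAT CSV described in the linked SBAT.md and is not validated at build time. It should also say whether a relative path is resolved against the directory make is run from (the output tree in an `O=` build) or recommend an absolute path — I have not verified the `.incbin` search path, so confirm before wording it. A two-sentence addition after "embedded as '.sbat' section into the kernel." would cover both points.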
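Review bot: The new prerequisite uses `$(CONFIG_EFI_SBAT_FILE)` unmodified, but Kconfig string values reach make with their surrounding double quotes (auto.conf stores `CONFIG_X="…"`, and a blank string option appears as `""`), so as far as I can tell the `ifneq` guard is also true when the option is left blank and the prerequisite is the literal name including the quotes, for which make has no rule. Keying the guard on the derived bool and stripping the quotes mirrors the `#ifdef CONFIG_EFI_SBAT` used in zboot-header.S: `ifdef CONFIG_EFI_SBAT` / `$(obj)/zboot-header.o: $(CONFIG_EFI_SBAT_FILE:"%"=%)` / `endif`. Please confirm against a build with the option blank and one with it set; if this tree post-processes auto.conf to drop the quotes, the guard change alone is still the clearer form.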
@@ -123,11 +123,29 @@ __efistub_efi_zboot_header: IMAGE_SCN_MEM_READ | \ IMAGE_SCN_MEM_EXECUTE #ifdef CONFIG_EFI_SBAT .ascii ".sbat\0\0\0" .long __sbat_size .long _sbat - .Ldoshdr .long __sbat_size .long _sbat - .Ldoshdr .long 0, 0 .short 0, 0 .long IMAGE_SCN_CNT_INITIALIZED_DATA | \ IMAGE_SCN_MEM_READ | \ IMAGE_SCN_MEM_DISCARDABLE .pushsection ".sbat", "a", @progbits .incbin CONFIG_EFI_SBAT_FILE .popsection #endif .ascii ".data\0\0\0" .long __data_size .long _etext - .Ldoshdr .long _data - .Ldoshdr .long __data_rawsize .long _etext - .Ldoshdr .long _data - .Ldoshdr .long 0, 0 .short 0, 0 Loading drivers/firmware/efi/libstub/zboot.lds +11 −0 Original line number Diff line number Diff line Loading @@ -29,7 +29,17 @@ SECTIONS . = _etext; } #ifdef CONFIG_EFI_SBAT .sbat : ALIGN(4096) { _sbat = .; *(.sbat) _esbat = ALIGN(4096); . = _esbat; } #endif .data : ALIGN(4096) { _data = .; *(.data* .init.data*) _edata = ALIGN(512); . = _edata; Loading @@ -52,3 +62,4 @@ PROVIDE(__efistub__gzdata_size = PROVIDE(__data_rawsize = ABSOLUTE(_edata - _etext)); PROVIDE(__data_size = ABSOLUTE(_end - _etext)); PROVIDE(__sbat_size = ABSOLUTE(_esbat - _sbat)); Loading
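Review bot: The two replaced lines move the `.data` section header's VirtualAddress and PointerToRawData from `_etext` to `_data`, but the sizes in the same entry, `__data_size` and `__data_rawsize`, are still defined in zboot.lds as `_end - _etext` and `_edata - _etext` (unchanged context in that file's second hunk). Without SBAT `_data` and `_etext` coincide and nothing changes; with CONFIG_EFI_SBAT the page-aligned `.sbat` span sits between them, so both sizes overshoot the real `.data` extent by that span and the header describes raw data past `_edata` and a VirtualSize past `_end`, which a PE loader or signing tool may reject. The linker-script definitions should be rebased together with the header: `PROVIDE(__data_rawsize = ABSOLUTE(_edata - _data));` and `PROVIDE(__data_size = ABSOLUTE(_end - _data));`. The COFF NumberOfSections field is outside this hunk; if it is a literal rather than derived from the section table length it also needs bumping for the new `.sbat` entry.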
drivers/firmware/efi/Kconfig +24 −0 Original line number Diff line number Diff line Loading @@ -281,6 +281,30 @@ config EFI_EMBEDDED_FIRMWARE bool select CRYPTO_LIB_SHA256 config EFI_SBAT def_bool y if EFI_SBAT_FILE!="" config EFI_SBAT_FILE string "Embedded SBAT section file path" depends on EFI_ZBOOT help SBAT section provides a way to improve SecureBoot revocations of UEFI binaries by introducing a generation-based mechanism. With SBAT, older UEFI binaries can be prevented from booting by bumping the minimal required generation for the specific component in the bootloader. Note: SBAT information is distribution specific, i.e. the owner of the signing SecureBoot certificate must define the SBAT policy. Linux kernel upstream does not define SBAT components and their generations. See https://github.com/rhboot/shim/blob/main/SBAT.md for the additional details. Specify a file with SBAT data which is going to be embedded as '.sbat' section into the kernel. If unsure, leave blank. endmenu config UEFI_CPER Loading
drivers/firmware/efi/libstub/Makefile.zboot +4 −0 Original line number Diff line number Diff line Loading @@ -44,6 +44,10 @@ AFLAGS_zboot-header.o += -DMACHINE_TYPE=IMAGE_FILE_MACHINE_$(EFI_ZBOOT_MACH_TYPE $(obj)/zboot-header.o: $(srctree)/drivers/firmware/efi/libstub/zboot-header.S FORCE $(call if_changed_rule,as_o_S) ifneq ($(CONFIG_EFI_SBAT_FILE),) $(obj)/zboot-header.o: $(CONFIG_EFI_SBAT_FILE) endif ZBOOT_DEPS := $(obj)/zboot-header.o $(objtree)/drivers/firmware/efi/libstub/lib.a LDFLAGS_vmlinuz.efi.elf := -T $(srctree)/drivers/firmware/efi/libstub/zboot.lds Loading
drivers/firmware/efi/libstub/zboot-header.S +20 −2 Original line number Diff line number Diff line Loading @@ -123,11 +123,29 @@ __efistub_efi_zboot_header: IMAGE_SCN_MEM_READ | \ IMAGE_SCN_MEM_EXECUTE #ifdef CONFIG_EFI_SBAT .ascii ".sbat\0\0\0" .long __sbat_size .long _sbat - .Ldoshdr .long __sbat_size .long _sbat - .Ldoshdr .long 0, 0 .short 0, 0 .long IMAGE_SCN_CNT_INITIALIZED_DATA | \ IMAGE_SCN_MEM_READ | \ IMAGE_SCN_MEM_DISCARDABLE .pushsection ".sbat", "a", @progbits .incbin CONFIG_EFI_SBAT_FILE .popsection #endif .ascii ".data\0\0\0" .long __data_size .long _etext - .Ldoshdr .long _data - .Ldoshdr .long __data_rawsize .long _etext - .Ldoshdr .long _data - .Ldoshdr .long 0, 0 .short 0, 0 Loading
drivers/firmware/efi/libstub/zboot.lds +11 −0 Original line number Diff line number Diff line Loading @@ -29,7 +29,17 @@ SECTIONS . = _etext; } #ifdef CONFIG_EFI_SBAT .sbat : ALIGN(4096) { _sbat = .; *(.sbat) _esbat = ALIGN(4096); . = _esbat; } #endif .data : ALIGN(4096) { _data = .; *(.data* .init.data*) _edata = ALIGN(512); . = _edata; Loading @@ -52,3 +62,4 @@ PROVIDE(__efistub__gzdata_size = PROVIDE(__data_rawsize = ABSOLUTE(_edata - _etext)); PROVIDE(__data_size = ABSOLUTE(_end - _etext)); PROVIDE(__sbat_size = ABSOLUTE(_esbat - _sbat));