From 04980dfda346fd0f7e6cb51d8e5b1ea88327b9c4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 30 Mar 2022 15:16:31 -0400
Subject: [PATCH] EFI: Add support for .sbat signature revocations

This patch adds a new section, ".sbat", which allows for the revocation
of signed binaries given a numeric value representing the set of bugs
which allow for arbitrary code execution, and therefore a Secure Boot
breakout, in a given family of binaries.

In this case, the class is defined as "memtest86+", and the current set
of bugs is 1.  This doesn't imply that we're aware of bugs currently,
merely that when we change it to 2, any bugs that /have/ been discovered
have been fixed.

Documentation for how SBAT works can be found at the following URLs:

  https://github.com/rhboot/shim/blob/main/SBAT.md
  https://github.com/rhboot/shim/blob/main/SBAT.example.md

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 boot/header.S                     | 25 ++++++++++++++++++++++---
 boot/sbat.csv                     |  2 ++
 build32/Makefile                  |  1 +
 build32/ldscripts/memtest_efi.lds |  8 ++++++++
 build64/Makefile                  |  2 ++
 build64/ldscripts/memtest_efi.lds |  8 ++++++++
 6 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 boot/sbat.csv

diff --git a/boot/header.S b/boot/header.S
index c922a44..673bc67 100644
--- a/boot/header.S
+++ b/boot/header.S
@@ -90,7 +90,7 @@ coff_header:
 #else
 	.word	IMAGE_FILE_MACHINE_I386		# Machine (i386)
 #endif
-	.word	2				# NumberOfSections
+	.word	3				# NumberOfSections
 	.long	0 				# TimeDateStamp
 	.long	0				# PointerToSymbolTable
 	.long	0				# NumberOfSymbols
@@ -118,14 +118,14 @@ optional_header:
 	.byte	0x14				# MinorLinkerVersion
 
 	.long	_text_size			# SizeOfCode
-	.long	0				# SizeOfInitializedData
+	.long	_sbat_size			# SizeOfInitializedData
 	.long	0				# SizeOfUninitializedData
 
 	.long	BASE_OF_CODE + 0x1e0		# AddressOfEntryPoint
 
 	.long	BASE_OF_CODE			# BaseOfCode
 #ifndef __x86_64__
-	.long	0				# BaseOfData
+	.long	_sbat_start			# BaseOfData
 #endif
 
 extra_header_fields:
@@ -210,6 +210,22 @@ section_table:
 		| IMAGE_SCN_ALIGN_4BYTES	\
 		| IMAGE_SCN_CNT_INITIALIZED_DATA	# Characteristics (section flags)
 
+	.ascii	".sbat"
+	.byte	0
+	.byte	0
+	.byte	0
+	.long	_sbat_size			# VirtualSize
+	.long	_sbat_start			# VirtualAddress
+	.long	_sbat_size			# SizeOfRawData
+	.long	_sbat_start			# PointerToRawData
+	.long	0				# PointerToRelocations
+	.long	0				# PointerToLineNumbers
+	.word	0				# NumberOfRelocations
+	.word	0				# NumberOfLineNumbers
+	.long	IMAGE_SCN_MEM_READ		\
+		| IMAGE_SCN_ALIGN_4096BYTES	\
+		| IMAGE_SCN_CNT_INITIALIZED_DATA	# Characteristics (section flags)
+
 # Emulate the Linux boot header, to allow loading by intermediate boot loaders.
 
 	.org	497
@@ -235,3 +251,6 @@ end_of_headers:
 	.long	0					// Page RVA
 	.long	10					// Block Size (2*4+2)
 	.word	(IMAGE_REL_AMD64_ABSOLUTE<<12) + 0	// reloc 0 -> 0
+
+.section ".sbat", "a", @progbits
+.incbin "../boot/sbat.csv"
diff --git a/boot/sbat.csv b/boot/sbat.csv
new file mode 100644
index 0000000..a32b1cc
--- /dev/null
+++ b/boot/sbat.csv
@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+memtest86+,1,Memtest86+,6.0,https://github.com/memtest86plus
diff --git a/build32/Makefile b/build32/Makefile
index b38aa50..a6b933d 100644
--- a/build32/Makefile
+++ b/build32/Makefile
@@ -75,6 +75,7 @@ all: memtest.bin memtest.efi
 -include $(subst .o,.d,$(TST_OBJS))
 -include $(subst .o,.d,$(APP_OBJS))
 
+boot/header.o : | ../boot/sbat.csv
 
 boot/startup.o: ../boot/startup32.S ../boot/boot.h
 	@mkdir -p boot
diff --git a/build32/ldscripts/memtest_efi.lds b/build32/ldscripts/memtest_efi.lds
index 69dd6ae..6c09fdb 100644
--- a/build32/ldscripts/memtest_efi.lds
+++ b/build32/ldscripts/memtest_efi.lds
@@ -23,6 +23,13 @@ SECTIONS {
 		*(.reloc)
 		_reloc_end = . ;
 	}
+	. = ALIGN(512);
+	.sbat : {
+		_sbat_start = . ;
+		*(.sbat)
+		. = ALIGN(512);
+		_sbat_end = . ;
+	}
 	. = ALIGN(4096);
 	_img_end = . ;
 	/DISCARD/ : { *(*) }
@@ -30,6 +37,7 @@ SECTIONS {
 	_text_size = (_text_end  - _text_start);
 
 	_reloc_size = (_reloc_end - _reloc_start);
+	_sbat_size = (_sbat_end - _sbat_start);
 	_sys_size  = _text_size >> 4;
 	_init_size = _text_size + _bss_size;
 }
diff --git a/build64/Makefile b/build64/Makefile
index 3539906..b1b6ec4 100644
--- a/build64/Makefile
+++ b/build64/Makefile
@@ -74,6 +74,8 @@ all: memtest.bin memtest.efi
 -include $(subst .o,.d,$(TST_OBJS))
 -include $(subst .o,.d,$(APP_OBJS))
 
+boot/header.o : | ../boot/sbat.csv
+
 boot/startup.o: ../boot/startup64.S ../boot/boot.h
 	@mkdir -p boot
 	$(CC) -x assembler-with-cpp -c -I../boot -o $@ $<
diff --git a/build64/ldscripts/memtest_efi.lds b/build64/ldscripts/memtest_efi.lds
index 408336a..ec27bbf 100644
--- a/build64/ldscripts/memtest_efi.lds
+++ b/build64/ldscripts/memtest_efi.lds
@@ -23,6 +23,13 @@ SECTIONS {
 		*(.reloc)
 		_reloc_end = . ;
 	}
+	. = ALIGN(512);
+	.sbat : {
+		_sbat_start = . ;
+		*(.sbat)
+		. = ALIGN(512);
+		_sbat_end = . ;
+	}
 	. = ALIGN(4096);
 	_img_end = . ;
 	/DISCARD/ : { *(*) }
@@ -30,6 +37,7 @@ SECTIONS {
 	_text_size = (_text_end  - _text_start);
 
 	_reloc_size = (_reloc_end - _reloc_start);
+	_sbat_size = (_sbat_end - _sbat_start);
 	_sys_size  = _text_size >> 4;
 	_init_size = _text_size + _bss_size;
 }