Merge pull request #19436 from xnox/sbat

boot: add optional EFI SBAT support

meson_options.txt

@@ -370,6 +370,18 @@ option('efi-includedir', type : 'string', value : '/usr/include/efi',
        description : 'path to the EFI header directory')
 option('tpm-pcrindex', type : 'integer', value : 8,
        description : 'TPM PCR register number to use')
+option('sbat-distro', type : 'string',
+       description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
+option('sbat-distro-generation', type : 'integer', value : 1,
+       description : 'SBAT distribution generation')
+option('sbat-distro-summary', type : 'string',
+       description : 'SBAT distribution summary, e.g. Fedora')
+option('sbat-distro-pkgname', type : 'string',
+       description : 'SBAT distribution package name, e.g. systemd')
+option('sbat-distro-version', type : 'string',
+       description : 'SBAT distribution package version, e.g. 248-7.fc34')
+option('sbat-distro-url', type : 'string',
+       description : 'SBAT distribution URL, e.g. https://src.fedoraproject.org/rpms/systemd')
 
 option('bashcompletiondir', type : 'string',
        description : 'directory for bash completion scripts ["no" disables]')

src/basic/macro.h

@@ -18,8 +18,6 @@
 #  define _alloc_(...) __attribute__((__alloc_size__(__VA_ARGS__)))
 #endif
 #define _sentinel_ __attribute__((__sentinel__))
-#define _section_(x) __attribute__((__section__(x)))
-#define _used_ __attribute__((__used__))
 #define _destructor_ __attribute__((__destructor__))
 #define _deprecated_ __attribute__((__deprecated__))
 #define _packed_ __attribute__((__packed__))
@@ -30,7 +28,6 @@
 #define _public_ __attribute__((__visibility__("default")))
 #define _hidden_ __attribute__((__visibility__("hidden")))
 #define _weakref_(x) __attribute__((__weakref__(#x)))
-#define _align_(x) __attribute__((__aligned__(x)))
 #define _alignas_(x) __attribute__((__aligned__(__alignof(x))))
 #define _alignptr_ __attribute__((__aligned__(sizeof(void*))))
 #if __GNUC__ >= 7
@@ -138,9 +135,6 @@
 /* automake test harness */
 #define EXIT_TEST_SKIP 77
 
-#define XSTRINGIFY(x) #x
-#define STRINGIFY(x) XSTRINGIFY(x)
-
 /* builtins */
 #if __SIZEOF_INT__ == 4
 #define BUILTIN_FFS_U32(x) __builtin_ffs(x);

src/boot/efi/meson.build

@@ -102,6 +102,42 @@ if have_gnu_efi
         efi_conf.set10('ENABLE_TPM', get_option('tpm'))
         efi_conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
 
+        if get_option('sbat-distro') != ''
+                efi_conf.set_quoted('SBAT_PROJECT', meson.project_name())
+                efi_conf.set_quoted('PROJECT_VERSION', substs.get('PROJECT_VERSION'))
+                efi_conf.set_quoted('PROJECT_URL', substs.get('PROJECT_URL'))
+                if get_option('sbat-distro-generation') < 1
+                       error('SBAT Distro Generation must be a positive integer')
+                endif
+                efi_conf.set('SBAT_DISTRO_GENERATION', get_option('sbat-distro-generation'))
+                sbatvars = [['sbat-distro', 'ID'],
+                            ['sbat-distro-summary', 'NAME'],
+                            ['sbat-distro-url', 'BUG_REPORT_URL']]
+                foreach sbatvar : sbatvars
+                        value = get_option(sbatvar[0])
+                        if value == '' or value == 'auto'
+                                value = run_command('sh', '-c', 'if [ -e /etc/os-release ]; then . /etc/os-release; else . /usr/lib/os-release; fi; echo $' + sbatvar[1]).stdout().strip()
+                        endif
+                        if value == ''
+                                error('Required @0@ option not set and autodetection failed'.format(sbatvar[0]))
+                        endif
+                        efi_conf.set_quoted(sbatvar[0].underscorify().to_upper(), value)
+                endforeach
+
+                pkgname = get_option('sbat-distro-pkgname')
+                if pkgname == ''
+                        pkgname = meson.project_name()
+                endif
+                efi_conf.set_quoted('SBAT_DISTRO_PKGNAME', pkgname)
+
+                pkgver = get_option('sbat-distro-version')
+                if pkgver == ''
+                        efi_conf.set('SBAT_DISTRO_VERSION', 'GIT_VERSION')
+                else
+                        efi_conf.set_quoted('SBAT_DISTRO_VERSION', pkgver)
+                endif
+        endif
+
         efi_config_h = configure_file(
                 output : 'efi_config.h',
                 configuration : efi_conf)
@@ -244,6 +280,7 @@ if have_gnu_efi
                         command : [objcopy,
                                    '-j', '.text',
                                    '-j', '.sdata',
+                                   '-j', '.sbat',
                                    '-j', '.data',
                                    '-j', '.dynamic',
                                    '-j', '.dynsym',

src/boot/efi/secure-boot.c

@@ -11,3 +11,10 @@ BOOLEAN secure_boot_enabled(void) {
 
         return !EFI_ERROR(err) && secure;
 }
+
+#ifdef SBAT_DISTRO
+static const char sbat[] _used_ _section_ (".sbat") _align_ (512) =
+        "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
+        SBAT_PROJECT ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n"
+        SBAT_PROJECT "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n";
+#endif

src/fundamental/macro-fundamental.h

@@ -7,11 +7,17 @@
 
 #include "type.h"
 
+#define _align_(x) __attribute__((__aligned__(x)))
 #define _const_ __attribute__((__const__))
 #define _pure_ __attribute__((__pure__))
+#define _section_(x) __attribute__((__section__(x)))
+#define _used_ __attribute__((__used__))
 #define _unused_ __attribute__((__unused__))
 #define _cleanup_(x) __attribute__((__cleanup__(x)))
 
+#define XSTRINGIFY(x) #x
+#define STRINGIFY(x) XSTRINGIFY(x)
+
 #ifndef __COVERITY__
 #  define VOID_0 ((void)0)
 #else