mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-18 06:03:42 +03:00
boot: add optional EFI SBAT support
Add SBAT support, when -Dsbat-distro value is specified. One can use -Dsbat-distro=auto for autodetection of all sbat options. Many meson configure options added to customize SBAT CSV values, but sensible defaults are auto detected by default. SBAT support is required if shim v15+ is used to load systemd-boot binary or kernel.efi (Type II BootLoaderSpec). Fixes #19247
This commit is contained in:
parent
ac2c088939
commit
9137c03c04
@ -370,6 +370,18 @@ option('efi-includedir', type : 'string', value : '/usr/include/efi',
|
||||
description : 'path to the EFI header directory')
|
||||
option('tpm-pcrindex', type : 'integer', value : 8,
|
||||
description : 'TPM PCR register number to use')
|
||||
option('sbat-distro', type : 'string',
|
||||
description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
|
||||
option('sbat-distro-generation', type : 'integer', value : 1,
|
||||
description : 'SBAT distribution generation')
|
||||
option('sbat-distro-summary', type : 'string',
|
||||
description : 'SBAT distribution summary, e.g. Fedora')
|
||||
option('sbat-distro-pkgname', type : 'string',
|
||||
description : 'SBAT distribution package name, e.g. systemd')
|
||||
option('sbat-distro-version', type : 'string',
|
||||
description : 'SBAT distribution package version, e.g. 248-7.fc34')
|
||||
option('sbat-distro-url', type : 'string',
|
||||
description : 'SBAT distribution URL, e.g. https://src.fedoraproject.org/rpms/systemd')
|
||||
|
||||
option('bashcompletiondir', type : 'string',
|
||||
description : 'directory for bash completion scripts ["no" disables]')
|
||||
|
@ -18,8 +18,6 @@
|
||||
# define _alloc_(...) __attribute__((__alloc_size__(__VA_ARGS__)))
|
||||
#endif
|
||||
#define _sentinel_ __attribute__((__sentinel__))
|
||||
#define _section_(x) __attribute__((__section__(x)))
|
||||
#define _used_ __attribute__((__used__))
|
||||
#define _destructor_ __attribute__((__destructor__))
|
||||
#define _deprecated_ __attribute__((__deprecated__))
|
||||
#define _packed_ __attribute__((__packed__))
|
||||
@ -30,7 +28,6 @@
|
||||
#define _public_ __attribute__((__visibility__("default")))
|
||||
#define _hidden_ __attribute__((__visibility__("hidden")))
|
||||
#define _weakref_(x) __attribute__((__weakref__(#x)))
|
||||
#define _align_(x) __attribute__((__aligned__(x)))
|
||||
#define _alignas_(x) __attribute__((__aligned__(__alignof(x))))
|
||||
#define _alignptr_ __attribute__((__aligned__(sizeof(void*))))
|
||||
#if __GNUC__ >= 7
|
||||
@ -138,9 +135,6 @@
|
||||
/* automake test harness */
|
||||
#define EXIT_TEST_SKIP 77
|
||||
|
||||
#define XSTRINGIFY(x) #x
|
||||
#define STRINGIFY(x) XSTRINGIFY(x)
|
||||
|
||||
/* builtins */
|
||||
#if __SIZEOF_INT__ == 4
|
||||
#define BUILTIN_FFS_U32(x) __builtin_ffs(x);
|
||||
|
@ -102,6 +102,42 @@ if have_gnu_efi
|
||||
efi_conf.set10('ENABLE_TPM', get_option('tpm'))
|
||||
efi_conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
|
||||
|
||||
if get_option('sbat-distro') != ''
|
||||
efi_conf.set_quoted('SBAT_PROJECT', meson.project_name())
|
||||
efi_conf.set_quoted('PROJECT_VERSION', substs.get('PROJECT_VERSION'))
|
||||
efi_conf.set_quoted('PROJECT_URL', substs.get('PROJECT_URL'))
|
||||
if get_option('sbat-distro-generation') < 1
|
||||
error('SBAT Distro Generation must be a positive integer')
|
||||
endif
|
||||
efi_conf.set('SBAT_DISTRO_GENERATION', get_option('sbat-distro-generation'))
|
||||
sbatvars = [['sbat-distro', 'ID'],
|
||||
['sbat-distro-summary', 'NAME'],
|
||||
['sbat-distro-url', 'BUG_REPORT_URL']]
|
||||
foreach sbatvar : sbatvars
|
||||
value = get_option(sbatvar[0])
|
||||
if value == '' or value == 'auto'
|
||||
value = run_command('sh', '-c', 'if [ -e /etc/os-release ]; then . /etc/os-release; else . /usr/lib/os-release; fi; echo $' + sbatvar[1]).stdout().strip()
|
||||
endif
|
||||
if value == ''
|
||||
error('Required @0@ option not set and autodetection failed'.format(sbatvar[0]))
|
||||
endif
|
||||
efi_conf.set_quoted(sbatvar[0].underscorify().to_upper(), value)
|
||||
endforeach
|
||||
|
||||
pkgname = get_option('sbat-distro-pkgname')
|
||||
if pkgname == ''
|
||||
pkgname = meson.project_name()
|
||||
endif
|
||||
efi_conf.set_quoted('SBAT_DISTRO_PKGNAME', pkgname)
|
||||
|
||||
pkgver = get_option('sbat-distro-version')
|
||||
if pkgver == ''
|
||||
efi_conf.set('SBAT_DISTRO_VERSION', 'GIT_VERSION')
|
||||
else
|
||||
efi_conf.set_quoted('SBAT_DISTRO_VERSION', pkgver)
|
||||
endif
|
||||
endif
|
||||
|
||||
efi_config_h = configure_file(
|
||||
output : 'efi_config.h',
|
||||
configuration : efi_conf)
|
||||
@ -244,6 +280,7 @@ if have_gnu_efi
|
||||
command : [objcopy,
|
||||
'-j', '.text',
|
||||
'-j', '.sdata',
|
||||
'-j', '.sbat',
|
||||
'-j', '.data',
|
||||
'-j', '.dynamic',
|
||||
'-j', '.dynsym',
|
||||
|
@ -11,3 +11,10 @@ BOOLEAN secure_boot_enabled(void) {
|
||||
|
||||
return !EFI_ERROR(err) && secure;
|
||||
}
|
||||
|
||||
#ifdef SBAT_DISTRO
|
||||
static const char sbat[] _used_ _section_ (".sbat") _align_ (512) =
|
||||
"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
|
||||
SBAT_PROJECT ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n"
|
||||
SBAT_PROJECT "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n";
|
||||
#endif
|
||||
|
@ -7,11 +7,17 @@
|
||||
|
||||
#include "type.h"
|
||||
|
||||
#define _align_(x) __attribute__((__aligned__(x)))
|
||||
#define _const_ __attribute__((__const__))
|
||||
#define _pure_ __attribute__((__pure__))
|
||||
#define _section_(x) __attribute__((__section__(x)))
|
||||
#define _used_ __attribute__((__used__))
|
||||
#define _unused_ __attribute__((__unused__))
|
||||
#define _cleanup_(x) __attribute__((__cleanup__(x)))
|
||||
|
||||
#define XSTRINGIFY(x) #x
|
||||
#define STRINGIFY(x) XSTRINGIFY(x)
|
||||
|
||||
#ifndef __COVERITY__
|
||||
# define VOID_0 ((void)0)
|
||||
#else
|
||||
|
Loading…
x
Reference in New Issue
Block a user