boot: use separate SBAT project names for stub and boot

The implementations are not 100% overlapping, so use different identifiers, so that revocations can be done independently. e.g.: a bug that affects only sd-boot won't necessarily cause old UKIs to be revoked.
2025-03-14 04:58:28 +03:00 · 2023-09-17 00:55:55 +01:00 · 2023-09-17 00:55:55 +01:00 · c9bebec872
commit c9bebec872
parent 33ec8d7610
6 changed files with 25 additions and 10 deletions
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@ -17,6 +17,7 @@
 #include "proto/device-path.h"
 #include "proto/simple-text-io.h"
 #include "random-seed.h"
+#include "sbat.h"
 #include "secure-boot.h"
 #include "shim.h"
 #include "ticks.h"
@ -34,6 +35,8 @@ _used_ _section_(".osrel") static const char osrel[] =
        "VERSION=\"" GIT_VERSION "\"\n"
        "NAME=\"systemd-boot " GIT_VERSION "\"\n";

+DECLARE_SBAT(SBAT_BOOT_SECTION_TEXT);
+
 typedef enum LoaderType {
        LOADER_UNDEFINED,
        LOADER_AUTO,
--- a/src/boot/efi/secure-boot.c
+++ b/src/boot/efi/secure-boot.c
@ -2,7 +2,6 @@

 #include "console.h"
 #include "proto/security-arch.h"
-#include "sbat.h"
 #include "secure-boot.h"
 #include "util.h"
 #include "vmm.h"
@ -33,10 +32,6 @@ SecureBootMode secure_boot_mode(void) {
        return decode_secure_boot_mode(secure, audit, deployed, setup);
 }

-#ifdef SBAT_DISTRO
-static const char sbat[] _used_ _section_(".sbat") = SBAT_SECTION_TEXT;
-#endif
-
 EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool force) {
        assert(root_dir);
        assert(path);
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@ -10,6 +10,7 @@
 #include "pe.h"
 #include "proto/shell-parameters.h"
 #include "random-seed.h"
+#include "sbat.h"
 #include "secure-boot.h"
 #include "shim.h"
 #include "splash.h"
@ -22,6 +23,8 @@
 /* magic string to find in the binary image */
 _used_ _section_(".sdmagic") static const char magic[] = "#### LoaderInfo: systemd-stub " GIT_VERSION " ####";

+DECLARE_SBAT(SBAT_STUB_SECTION_TEXT);
+
 static EFI_STATUS combine_initrd(
                EFI_PHYSICAL_ADDRESS initrd_base, size_t initrd_size,
                const void * const extra_initrds[], const size_t extra_initrd_sizes[], size_t n_extra_initrds,
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@ -395,3 +395,10 @@ static inline size_t ALIGN_TO(size_t l, size_t ali) {
                dummy_t __empty__ ## name;             \
                type name[];                           \
        }
+
+#ifdef SBAT_DISTRO
+        #define DECLARE_SBAT(text) \
+                static const char sbat[] _used_ _section_(".sbat") = (text)
+#else
+        #define DECLARE_SBAT(text)
+#endif
--- a/src/fundamental/sbat.h
+++ b/src/fundamental/sbat.h
@ -2,8 +2,13 @@

 #ifdef SBAT_DISTRO
 #  include "version.h"
-#  define SBAT_SECTION_TEXT \
-        "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n" \
-        SBAT_PROJECT ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
-        SBAT_PROJECT "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
+#  define SBAT_MAGIC "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
+#  define SBAT_BOOT_SECTION_TEXT \
+        SBAT_MAGIC \
+        SBAT_PROJECT "-boot" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
+        SBAT_PROJECT "-boot" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
+#  define SBAT_STUB_SECTION_TEXT \
+        SBAT_MAGIC \
+        SBAT_PROJECT "-stub" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
+        SBAT_PROJECT "-stub" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
 #endif
--- a/src/test/test-sbat.c
+++ b/src/test/test-sbat.c
@ -10,10 +10,12 @@

 TEST(sbat_section_text) {
        log_info("---SBAT-----------&<----------------------------------------\n"
+                 "%s"
                 "%s"
                 "------------------>&-----------------------------------------",
 #ifdef SBAT_DISTRO
-                 SBAT_SECTION_TEXT
+                 SBAT_BOOT_SECTION_TEXT,
+                 SBAT_STUB_SECTION_TEXT
 #else
                 "(not defined)"
 #endif