[efi] Include Secure Boot Advanced Targeting (SBAT) metadatasbat

SBAT defines an encoding for security generation numbers stored as a CSV file within a special ".sbat" section in the signed binary. If a Secure Boot exploit is discovered then the generation number will be incremented alongside the corresponding fix. Platforms may then record the minimum generation number required for any given product. This allows for an efficient revocation mechanism that consumes minimal flash storage space (in contrast to the DBX mechanism, which allows for only a single-digit number of revocation events to ever take place across all possible signed binaries). Add SBAT metadata to iPXE EFI binaries to support this mechanism. Signed-off-by: Michael Brown <mcb30@ipxe.org>
author: Michael Brown <mcb30@ipxe.org> 2022-01-13 14:10:03 +0000
committer: Michael Brown <mcb30@ipxe.org> 2022-01-13 14:12:44 +0000
commit: f4f9adf618cd85d330a896e1f721f3aa78d2409d (patch)
tree: 92cf1a5ad3ac644c8ebfc66213f42ecba973047b /src/arch
parent: fbbdc39260cf37aa749e897e773f59807d1b8362 (diff)
download: ipxe-f4f9adf618cd85d330a896e1f721f3aa78d2409d.zip
ipxe-f4f9adf618cd85d330a896e1f721f3aa78d2409d.tar.gz
ipxe-f4f9adf618cd85d330a896e1f721f3aa78d2409d.tar.bz2
5 files changed, 10 insertions, 0 deletions
diff --git a/src/arch/i386/scripts/i386-kir.lds b/src/arch/i386/scripts/i386-kir.lds
index 66bf804..13c36f2 100644
--- a/src/arch/i386/scripts/i386-kir.lds
+++ b/src/arch/i386/scripts/i386-kir.lds
@@ -136,6 +136,8 @@ SECTIONS {
 	*(.note.*)
 	*(.discard)
 	*(.discard.*)
+	*(.sbat)
+	*(.sbat.*)
     }
 
     /*
diff --git a/src/arch/i386/scripts/linux.lds b/src/arch/i386/scripts/linux.lds
index 9f2eeaf..8c3a7b0 100644
--- a/src/arch/i386/scripts/linux.lds
+++ b/src/arch/i386/scripts/linux.lds
@@ -100,5 +100,7 @@ SECTIONS {
 		*(.rel.*)
 		*(.discard)
 		*(.discard.*)
+		*(.sbat)
+		*(.sbat.*)
 	}
 }
diff --git a/src/arch/x86/scripts/pcbios.lds b/src/arch/x86/scripts/pcbios.lds
index de59adc..e208b17 100644
--- a/src/arch/x86/scripts/pcbios.lds
+++ b/src/arch/x86/scripts/pcbios.lds
@@ -229,6 +229,8 @@ SECTIONS {
 	*(.einfo.*)
 	*(.discard)
 	*(.discard.*)
+	*(.sbat)
+	*(.sbat.*)
     }
 
     /*
diff --git a/src/arch/x86/scripts/prefixonly.lds b/src/arch/x86/scripts/prefixonly.lds
index dce0930..2fe5b03 100644
--- a/src/arch/x86/scripts/prefixonly.lds
+++ b/src/arch/x86/scripts/prefixonly.lds
@@ -24,6 +24,8 @@ SECTIONS {
 	*(.einfo.*)
 	*(.discard)
 	*(.discard.*)
+	*(.sbat)
+	*(.sbat.*)
     }
 
 }
diff --git a/src/arch/x86_64/scripts/linux.lds b/src/arch/x86_64/scripts/linux.lds
index 47db217..a093787 100644
--- a/src/arch/x86_64/scripts/linux.lds
+++ b/src/arch/x86_64/scripts/linux.lds
@@ -100,5 +100,7 @@ SECTIONS {
 		*(.rel.*)
 		*(.discard)
 		*(.discard.*)
+		*(.sbat)
+		*(.sbat.*)
 	}
 }
author	Michael Brown <mcb30@ipxe.org>	2022-01-13 14:10:03 +0000
committer	Michael Brown <mcb30@ipxe.org>	2022-01-13 14:12:44 +0000
commit	f4f9adf618cd85d330a896e1f721f3aa78d2409d (patch)
tree	92cf1a5ad3ac644c8ebfc66213f42ecba973047b /src/arch
parent	fbbdc39260cf37aa749e897e773f59807d1b8362 (diff)
download	ipxe-f4f9adf618cd85d330a896e1f721f3aa78d2409d.zip ipxe-f4f9adf618cd85d330a896e1f721f3aa78d2409d.tar.gz ipxe-f4f9adf618cd85d330a896e1f721f3aa78d2409d.tar.bz2