On powerpc, PE format binaries are not supported, so shim can't be used (https://github.com/rhboot/shim/blob/main/SBAT.md). However, ELF binaries are supported. So we created a new ELF note for SBAT in the ELF binary, which stores the SBAT data; the SBAT verifier in the firmware reads the SBAT data from the ELF note and validates it.
This patch series consists of 2 parts:

1) Patch 1: create new ELF Note for SBAT

   In order to store the SBAT data, we create a new ELF note. The string "Secure-Boot-Advanced-Targeting", zero-padded to 4 byte alignment, shall be entered in the name field. The ASCII values of the string "sbat", 0x41536967, should be entered in the type field.

2) Patch 2: adding sbat metadata into sbat ELF Note

   The SBAT metadata, which is read from the .csv file and transformed into an ELF note, is made into an image using the -s option.

(The rest of this cover letter concerns testing the entire end-to-end setup - SBAT.)

You can experiment with this using entirely free software. You need the following trees:

  https://github.com/SudhakarKuppusamy1/qemu branch sbat
  https://github.com/SudhakarKuppusamy1/SLOF branch sbat
  https://github.com/SudhakarKuppusamy1/grub branch sbat

You also need:

- the SBAT metadata (.csv file)
- the SBAT Variable (.csv file)

Both should follow the SBAT specification (https://github.com/rhboot/shim/blob/main/SBAT.md).

Example: https://github.com/SudhakarKuppusamy1/testing/sbat
  sbat_metadata.csv
  sbat_var.csv

Lastly you will need a working ppc64(le) VM.

Sample VM: https://github.com/SudhakarKuppusamy1/testing/vm
  pseries-ubuntu-20.04.6.qcow2

Then:

- build qemu (./configure --target-list=ppc64-softmmu && make). You need qemu-system-ppc64.
- use xxd (ex: xxd -i sbat_var.csv sbat_var.h) to convert the SBAT Variable for verifying grub into a header file, and copy it in to SLOF/lib/libcrypto/sbat_var.h. It must create the variables sbat_var_csv and sbat_var_csv_len.
- build SLOF for qemu (make qemu)
- verify that you can boot your VM with new SLOF and stock grub. To boot with new SLOF, pass -bios ./SLOF/boot_rom.bin . It should boot with new SLOF in secure boot mode.

  sudo ./build/qemu-system-ppc64 -m 8192 -M pseries-2.12,accel=kvm,cap-ail-mode-3=off,secure-boot=on -nographic -vga none -smp 4 -hdd pseries-ubuntu-20.04.6.qcow2 -bios ./boot_rom.bin

- Build grub in your VM.
- Build the SBAT metadata into grub. The following incantation should give you a working but non-portable grub, assuming you have grub installed on /dev/sda2:

  GRUB_MODULES="all_video boot btrfs cat configfile echo ext2 fat font gfxmenu gfxterm gzio halt hfsplus http iso9660 jpeg loadenv loopback linux lvm mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 png reboot regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg test tftp video xfs"
  sudo ./grub-install --modules "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2" --sbat=./sbat_metadata.csv
  dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2

Sudhakar Kuppusamy (2):
  mkimage: create new ELF Note for SBAT
  mkimage: adding sbat metadata into sbat ELF Note on powerpc

 include/grub/util/mkimage.h |  4 +--
 util/grub-mkimagexx.c       | 51 +++++++++++++++++++++++++++++++++++--
 util/mkimage.c              | 17 ++++++++++---
 3 files changed, 64 insertions(+), 8 deletions(-)

--
2.43.5

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
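As an added, stand-alone illustration (not code from the grub, SLOF or shim trees, and not part of this series), the following C builds a note with the layout patch 1 describes, locates it again the way a firmware-side verifier has to when walking the notes of an untrusted image, and applies the SBAT.md rule to the CSV it carries: an entry whose generation is below the one the SBAT variable holds for the same component rejects the image. The note name and the 0x41536967 type value are taken from the cover letter; the host-byte-order assumption, the 64-byte component-name limit, the skipping of blank lines and the two sample CSV rows are choices made for this example only. Image-side lengths (namesz, descsz, the CSV bytes) are bounds-checked because they come from the object being verified; the variable is treated as trusted firmware data, so its lookup simply stops at the first line it cannot parse.

```c
/* Added example, not grub, SLOF or shim code: build the SBAT ELF note the cover
 * letter describes, find it in a PT_NOTE-style buffer and apply the SBAT check. */
#include <limits.h>
#include <stdint.h>
#include <string.h>

#define SBAT_NOTE_NAME "Secure-Boot-Advanced-Targeting"
#define SBAT_NOTE_TYPE 0x41536967u  /* type value as stated in the cover letter */
#define NHDR_LEN 12                 /* namesz, descsz, type: three 32-bit words */
static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Serialise one note (header, NUL-terminated name, descriptor, each padded to 4
 * bytes) in host byte order, assumed to match the image.  0 if out is too small. */
size_t sbat_note_build(const char *csv, size_t csv_len, uint8_t *out, size_t out_cap)
{
    uint32_t hdr[3] = { sizeof(SBAT_NOTE_NAME), (uint32_t)csv_len, SBAT_NOTE_TYPE };
    size_t total = NHDR_LEN + align4(hdr[0]) + align4(csv_len);
    if (csv_len > UINT32_MAX || total > out_cap) return 0;
    memset(out, 0, total);
    memcpy(out, hdr, NHDR_LEN);
    memcpy(out + NHDR_LEN, SBAT_NOTE_NAME, hdr[0]);
    memcpy(out + NHDR_LEN + align4(hdr[0]), csv, csv_len);
    return total;
}

/* Walk concatenated notes; return the SBAT descriptor, or NULL if it is absent or
 * an (untrusted) namesz/descsz would run past the buffer. */
const uint8_t *sbat_note_find(const uint8_t *buf, size_t len, size_t *desc_len)
{
    for (size_t off = 0; off + NHDR_LEN <= len;) {
        uint32_t hdr[3]; memcpy(hdr, buf + off, NHDR_LEN);
        size_t left = len - off - NHDR_LEN, npad = align4(hdr[0]);
        if (npad > left || hdr[1] > left - npad) return NULL;
        const uint8_t *name = buf + off + NHDR_LEN;
        if (hdr[2] == SBAT_NOTE_TYPE && hdr[0] == sizeof(SBAT_NOTE_NAME) &&
            memcmp(name, SBAT_NOTE_NAME, hdr[0]) == 0) {
            *desc_len = hdr[1];
            return name + npad;
        }
        off += NHDR_LEN + npad + align4(hdr[1]);
    }
    return NULL;
}

/* Take the next non-blank CSV line from [*p, end) and pull "name,generation" off
 * its front (the two fields SBAT compares).  1 = entry, 0 = end, -1 = malformed. */
static int csv_next(const char **p, const char *end, char *name, size_t cap, unsigned long *gen)
{
    while (*p < end && **p == '\n') (*p)++;
    if (*p == end) return 0;
    const char *nl = memchr(*p, '\n', (size_t)(end - *p)), *stop = nl ? nl : end;
    const char *c = memchr(*p, ',', (size_t)(stop - *p));
    if (!c || c == *p || (size_t)(c - *p) >= cap) return -1;
    memcpy(name, *p, (size_t)(c - *p)); name[c - *p] = '\0';
    unsigned long g = 0; const char *d = c + 1;
    for (; d < stop && *d >= '0' && *d <= '9'; d++) {
        if (g > (ULONG_MAX - 9) / 10) return -1;    /* generation would overflow */
        g = g * 10 + (unsigned long)(*d - '0');
    }
    if (d == c + 1 || (d != stop && *d != ',')) return -1;   /* no digits, or junk */
    *gen = g; *p = stop;
    return 1;
}

/* Look a component up in the SBAT variable ("name,generation[,date]" lines). */
static int var_generation(const char *var, size_t len, const char *want, unsigned long *gen)
{
    const char *p = var, *end = var + len; char name[64];
    while (csv_next(&p, end, name, sizeof name, gen) == 1)
        if (strcmp(name, want) == 0) return 1;
    return 0;
}

/* SBAT rule: reject if any component the image lists appears in the variable with
 * a higher generation.  1 = allow, 0 = reject, -1 = bad or empty metadata. */
int sbat_verify(const char *meta, size_t meta_len, const char *var, size_t var_len)
{
    const char *p = meta, *end = meta + meta_len;
    char name[64]; unsigned long mgen, vgen; int r, seen = 0;
    while ((r = csv_next(&p, end, name, sizeof name, &mgen)) == 1) {
        seen = 1;
        if (var_generation(var, var_len, name, &vgen) && mgen < vgen) return 0;
    }
    return (r < 0 || !seen) ? -1 : 1;
}

/* Constructed sample metadata in the shape SBAT.md describes. */
static const char SAMPLE_META[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/\n";
/* Round trip: embed SAMPLE_META in a note, find it again, apply the NUL-terminated
 * variable text.  Returns sbat_verify()'s verdict, or -2 if the round trip failed. */
int sbat_demo(const char *var)
{
    uint8_t notes[256];
    size_t dlen = 0, n = sbat_note_build(SAMPLE_META, sizeof SAMPLE_META - 1, notes, sizeof notes);
    const uint8_t *desc = n ? sbat_note_find(notes, n, &dlen) : NULL;
    if (!desc || dlen != sizeof SAMPLE_META - 1 || memcmp(desc, SAMPLE_META, dlen)) return -2;
    return sbat_verify((const char *)desc, dlen, var, strlen(var));
}
```

Feed sbat_demo() the text of an SBAT variable file: with the sample rows above, a variable line "grub,2" gives 1 (allow, the image's grub generation 3 is not below 2) and "grub,4" gives 0 (reject). A note whose namesz or descsz overruns the buffer is reported as absent rather than read past the end, which is the failure mode a firmware verifier parsing an attacker-supplied image has to get right.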