[PATCH v0 0/2] Secure Boot Advanced Targeting (SBAT) support on powerpc
This patch set contains v0 of Secure Boot Advanced Targeting (SBAT) support for powerpc secure boot. On powerpc, PE-format binaries are not supported and shim cannot be used (https://github.com/rhboot/shim/blob/main/SBAT.md). However, ELF binaries are supported. So we created a new ELF note for SBAT in the ELF binary, which stores the SBAT data; an SBAT verifier in the firmware will read the SBAT data from the ELF note and validate it. This patch series consists of 2 parts: 1) Patch 1: create a new ELF Note for SBAT. We add a new ELF note for SBAT which stores the SBAT data. The name field shall be the string "Secure-Boot-Advanced-Targeting", zero-padded to 4-byte alignment. The type field shall be 0x41536967 (the ASCII values for the string "sbat"). 2) Patch 2: add the SBAT data into the SBAT ELF Note. It reads the SBAT data from sbat.csv, creates the ELF Note for it and stores the SBAT data in it while generating the image with the -s option. Sudhakar Kuppusamy and Daniel Axtens (2): mkimage: create new ELF Note for SBAT mkimage: adding sbat data into sbat ELF Note on powerpc include/grub/util/mkimage.h | 4 +-- util/grub-mkimagexx.c | 61 ++--- util/mkimage.c | 21 ++--- 3 files changed, 74 insertions(+), 12 deletions(-) -- 2.39.3 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH v0 1/2] mkimage: create new ELF Note for SBAT
we add a new ELF note for SBAT which store the SBAT data. The name field of shall be the string "Secure-Boot-Advanced-Targeting", zero-padded to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values for the string "sbat"). Signed-off-by: Sudhakar Kuppusamy Co-authored-by: Daniel Axtens
---
 include/grub/util/mkimage.h | 4 +-- util/grub-mkimagexx.c | 61 ++--- 2 files changed, 58 insertions(+), 7 deletions(-)
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
index 6f1da89b9..881e3031f 100644
--- a/include/grub/util/mkimage.h
+++ b/include/grub/util/mkimage.h
@@ -51,12 +51,12 @@ grub_mkimage_load_image64 (const char *kernel_path,
 const struct grub_install_image_target_desc *image_target);
 void
 grub_mkimage_generate_elf32 (const struct grub_install_image_target_desc *image_target,
-int note, size_t appsig_size, char **core_img, size_t *core_size,
+int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
 Elf32_Addr target_addr,
 struct grub_mkimage_layout *layout);
 void
 grub_mkimage_generate_elf64 (const struct grub_install_image_target_desc *image_target,
-int note, size_t appsig_size, char **core_img, size_t *core_size,
+int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
 Elf64_Addr target_addr,
 struct grub_mkimage_layout *layout);
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
index 9488f0525..2ab90ff8f 100644
--- a/util/grub-mkimagexx.c
+++ b/util/grub-mkimagexx.c
@@ -85,6 +85,14 @@ struct grub_ieee1275_note
 struct grub_ieee1275_note_desc descriptor;
 };
+#define GRUB_SBAT_NOTE_NAME "Secure-Boot-Advanced-Targeting"
+#define GRUB_SBAT_NOTE_TYPE 0x73626174 /* "sbat" */
+
+struct grub_sbat_note {
+ Elf32_Nhdr header;
+ char name[ALIGN_UP(sizeof(GRUB_SBAT_NOTE_NAME), 4)];
+};
+
 #define GRUB_APPENDED_SIGNATURE_NOTE_NAME "Appended-Signature"
 #define GRUB_APPENDED_SIGNATURE_NOTE_TYPE 0x41536967 /* "ASig" */
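Review bot: The new `sbat` parameter of `grub_mkimage_generate_elf32` and `grub_mkimage_generate_elf64` is declared `char *`, yet nothing visible in this series writes through it — the generator only reserves space for the data and, presumably in the part of patch 1 beyond these hunks, copies it into the note — so it should be `const char *sbat`, which also lets callers hand over read-only buffers. The length of that buffer travels separately as `layout->sbat_size` (see the grub-mkimagexx.c hunk), which the header does not mention, so a caller can easily pass a mismatched pair; a one-line comment on both prototypes would pin the contract: `/* sbat: layout->sbat_size bytes of SBAT CSV data to embed as an ELF note, or NULL. */`.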
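Review bot: `GRUB_SBAT_NOTE_TYPE` is defined as 0x73626174 in the @@ -85 hunk, but the commit message and the cover letter both state the type field is 0x41536967 — that value is `GRUB_APPENDED_SIGNATURE_NOTE_TYPE` ("ASig") two lines below, so the message should be corrected to 0x73626174 before anyone implements the firmware-side verifier from the description and matches on the wrong note type. Two style points in the same hunk: `struct grub_sbat_note {` puts the brace on the declaration line and `ALIGN_UP(sizeof(GRUB_SBAT_NOTE_NAME), 4)` omits the space before the parentheses, unlike `struct grub_ieee1275_note` directly above and the file's other `ALIGN_UP (` calls. A short comment on the struct would also help readers of the verifier: `/* Name is NUL-padded to 4 bytes; the SBAT CSV descriptor follows immediately. */` — the descriptor emission is outside this hunk, so confirm the layout against it.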
@@ -217,7 +225,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr)
 void
 SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc *image_target,
- int note, size_t appsig_size, char **core_img, size_t *core_size,
+ int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
 Elf_Addr target_addr,
 struct grub_mkimage_layout *layout)
 {
@@ -226,11 +234,18 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 Elf_Ehdr *ehdr;
 Elf_Phdr *phdr;
 Elf_Shdr *shdr;
- int header_size, footer_size = 0;
+ int header_size, footer_size = 0, footer_offset = 0;
+ char *footer;
 int phnum = 1;
 int shnum = 4;
 int string_size = sizeof (".text") + sizeof ("mods") + 1;
+ if (sbat)
+{
+ phnum++;
+ footer_size += ALIGN_UP (sizeof (struct grub_sbat_note) + layout->sbat_size, 4);
+}
+
 if (appsig_size)
 {
 phnum++;
@@ -263,6 +278,7 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 ehdr = (void *) elf_img;
 phdr = (void *) (elf_img + sizeof (*ehdr));
 shdr = (void *) (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr));
+ footer = elf_img + program_size + header_size;
 memcpy (ehdr->e_ident, ELFMAG, SELFMAG);
 ehdr->e_ident[EI_CLASS] = ELFCLASSXX;
 if (!image_target->bigendian)
@@ -435,6 +451,9 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 phdr->p_filesz = grub_host_to_target32 (XEN_NOTE_SIZE);
 phdr->p_memsz = 0;
 phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+
+ footer = ptr;
+ footer_offset = XEN_NOTE_SIZE;
 }
 if (image_target->id == IMAGE_XEN_PVH)
@@ -468,6 +487,9 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 phdr->p_filesz = grub_host_to_target32 (XEN_PVH_NOTE_SIZE);
 phdr->p_memsz = 0;
 phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+
+ footer = ptr;
+ footer_offset = XEN_PVH_NOTE_SIZE;
 }
 if (note)
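Review bot: In the `if (sbat)` block of the @@ -226 hunk, whether a note is emitted is decided by the pointer while the space reserved for it comes from `layout->sbat_size`; a caller passing a non-NULL `sbat` with `layout->sbat_size == 0` gets a note with an empty descriptor, and a NULL `sbat` with a non-zero size silently drops the data. One explicit check ties the two halves of the contract together, e.g. `if (sbat != NULL && layout->sbat_size == 0) grub_util_error (_("SBAT data is empty"));` (constructed message). Separately, `footer_size` is `int` and the added `ALIGN_UP (...)` term is `size_t`, so the sum is narrowed implicitly; this mirrors the existing `appsig_size` handling, but since `sbat_size` is the size of an arbitrary input file a `size_t` `footer_size` would remove the silent truncation.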
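Review bot: In the @@ -435 and @@ -468 hunks `footer` is taken from `ptr` and `footer_offset` is assigned the note size, while the `if (note)` hunk further down recomputes `footer` absolutely from `note_size` and accumulates `footer_offset` with `+=`; the two variables describe the same position by three different rules, so if more than one note block ever runs, or a new one is added, they will disagree. It is simpler to keep only the running offset inside each block and derive the pointer once after the last note block: `footer = elf_img + program_size + header_size + footer_offset;` — the unconditional assignment added in the @@ -263 hunk then becomes unnecessary. The function continues outside these hunks, so confirm nothing reads `footer` between the note blocks before moving it.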
@@ -498,12 +520,39 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 phdr->p_filesz = grub_host_to_target32 (note_size);
 phdr->p_memsz = 0;
 phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+
+ footer = (elf_img + program_size + header_size + note_size);
+ footer_offset += note_size;
 }
+ if (sbat) {
+int note_size = ALIGN_UP(sizeof (struct grub_sbat_note) + layout->sbat_size, 4);
+struct grub_sbat_note
[PATCH v0 1/2] mkimage: create new ELF Note for SBAT
we add a new ELF note for SBAT which store the SBAT data. The name field of shall be the string "Secure-Boot-Advanced-Targeting", zero-padded to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values for the string "sbat"). Signed-off-by: Sudhakar Kuppusamy Co-authored-by: Daniel Axtens
---
 include/grub/util/mkimage.h | 4 +-- util/grub-mkimagexx.c | 61 ++--- 2 files changed, 58 insertions(+), 7 deletions(-)
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
index 6f1da89b9..881e3031f 100644
--- a/include/grub/util/mkimage.h
+++ b/include/grub/util/mkimage.h
@@ -51,12 +51,12 @@ grub_mkimage_load_image64 (const char *kernel_path,
 const struct grub_install_image_target_desc *image_target);
 void
 grub_mkimage_generate_elf32 (const struct grub_install_image_target_desc *image_target,
-int note, size_t appsig_size, char **core_img, size_t *core_size,
+int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
 Elf32_Addr target_addr,
 struct grub_mkimage_layout *layout);
 void
 grub_mkimage_generate_elf64 (const struct grub_install_image_target_desc *image_target,
-int note, size_t appsig_size, char **core_img, size_t *core_size,
+int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
 Elf64_Addr target_addr,
 struct grub_mkimage_layout *layout);
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
index 9488f0525..2ab90ff8f 100644
--- a/util/grub-mkimagexx.c
+++ b/util/grub-mkimagexx.c
@@ -85,6 +85,14 @@ struct grub_ieee1275_note
 struct grub_ieee1275_note_desc descriptor;
 };
+#define GRUB_SBAT_NOTE_NAME "Secure-Boot-Advanced-Targeting"
+#define GRUB_SBAT_NOTE_TYPE 0x73626174 /* "sbat" */
+
+struct grub_sbat_note {
+ Elf32_Nhdr header;
+ char name[ALIGN_UP(sizeof(GRUB_SBAT_NOTE_NAME), 4)];
+};
+
 #define GRUB_APPENDED_SIGNATURE_NOTE_NAME "Appended-Signature"
 #define GRUB_APPENDED_SIGNATURE_NOTE_TYPE 0x41536967 /* "ASig" */
@@ -217,7 +225,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr)
 void
 SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc *image_target,
- int note, size_t appsig_size, char **core_img, size_t *core_size,
+ int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
 Elf_Addr target_addr,
 struct grub_mkimage_layout *layout)
 {
@@ -226,11 +234,18 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 Elf_Ehdr *ehdr;
 Elf_Phdr *phdr;
 Elf_Shdr *shdr;
- int header_size, footer_size = 0;
+ int header_size, footer_size = 0, footer_offset = 0;
+ char *footer;
 int phnum = 1;
 int shnum = 4;
 int string_size = sizeof (".text") + sizeof ("mods") + 1;
+ if (sbat)
+{
+ phnum++;
+ footer_size += ALIGN_UP (sizeof (struct grub_sbat_note) + layout->sbat_size, 4);
+}
+
 if (appsig_size)
 {
 phnum++;
@@ -263,6 +278,7 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 ehdr = (void *) elf_img;
 phdr = (void *) (elf_img + sizeof (*ehdr));
 shdr = (void *) (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr));
+ footer = elf_img + program_size + header_size;
 memcpy (ehdr->e_ident, ELFMAG, SELFMAG);
 ehdr->e_ident[EI_CLASS] = ELFCLASSXX;
 if (!image_target->bigendian)
@@ -435,6 +451,9 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 phdr->p_filesz = grub_host_to_target32 (XEN_NOTE_SIZE);
 phdr->p_memsz = 0;
 phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+
+ footer = ptr;
+ footer_offset = XEN_NOTE_SIZE;
 }
 if (image_target->id == IMAGE_XEN_PVH)
@@ -468,6 +487,9 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 phdr->p_filesz = grub_host_to_target32 (XEN_PVH_NOTE_SIZE);
 phdr->p_memsz = 0;
 phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+
+ footer = ptr;
+ footer_offset = XEN_PVH_NOTE_SIZE;
 }
 if (note)
@@ -498,12 +520,39 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
 phdr->p_filesz = grub_host_to_target32 (note_size);
 phdr->p_memsz = 0;
 phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+
+ footer = (elf_img + program_size + header_size + note_size);
+ footer_offset += note_size;
 }
+ if (sbat) {
+int note_size = ALIGN_UP(sizeof (struct grub_sbat_note) + layout->sbat_size, 4);
+struct grub_sbat_note
[PATCH v0 0/2] Secure Boot Advanced Targeting (SBAT) support on powerpc
This patch set contains v0 of Secure Boot Advanced Targeting (SBAT) support for powerpc secure boot. On powerpc, PE-format binaries are not supported and shim cannot be used (https://github.com/rhboot/shim/blob/main/SBAT.md). However, ELF binaries are supported. So we created a new ELF note for SBAT in the ELF binary, which stores the SBAT data; an SBAT verifier in the firmware will read the SBAT data from the ELF note and validate it. This patch series consists of 2 parts: 1) Patch 1: create a new ELF Note for SBAT. We add a new ELF note for SBAT which stores the SBAT data. The name field shall be the string "Secure-Boot-Advanced-Targeting", zero-padded to 4-byte alignment. The type field shall be 0x41536967 (the ASCII values for the string "sbat"). 2) Patch 2: add the SBAT data into the SBAT ELF Note. It reads the SBAT data from sbat.csv, creates the ELF Note for it and stores the SBAT data in it while generating the image with the -s option. Sudhakar Kuppusamy and Daniel Axtens (2): mkimage: create new ELF Note for SBAT mkimage: adding sbat data into sbat ELF Note on powerpc include/grub/util/mkimage.h | 4 +-- util/grub-mkimagexx.c | 61 ++--- util/mkimage.c | 21 ++--- 3 files changed, 74 insertions(+), 12 deletions(-) -- 2.39.3 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH v0 2/2] mkimage: adding sbat data into sbat ELF Note on powerpc
it reads the SBAT data from sbat.csv and create the ELF Note for it then store the SBAT data on it while generate image with -s option Signed-off-by: Sudhakar Kuppusamy Co-authored-by: Daniel Axtens
---
 util/mkimage.c | 21 - 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/util/mkimage.c b/util/mkimage.c
index 0737935fd..e8d7dcc23 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -958,8 +958,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
 total_module_size += dtb_size + sizeof (struct grub_module_header);
 }
- if (sbat_path != NULL && image_target->id != IMAGE_EFI)
-grub_util_error (_(".sbat section can be embedded into EFI images only"));
+ if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC))
+grub_util_error (_(".sbat section can be embedded into EFI/sbat ELF Note cab be added into powerpc-ieee1275 images only"));
 if (disable_shim_lock)
 total_module_size += sizeof (struct grub_module_header);
@@ -1835,7 +1835,18 @@ grub_install_generate_image (const char *dir, const char *prefix,
 case IMAGE_I386_IEEE1275:
 {
 grub_uint64_t target_addr;
- if (image_target->id == IMAGE_LOONGSON_ELF)
+char *sbat = NULL;
+
+ if (sbat_path != NULL)
+ {
+ sbat_size = grub_util_get_image_size (sbat_path);
+sbat = xmalloc (sbat_size);
+ grub_util_load_image (sbat_path, sbat);
+layout.sbat_size = sbat_size;
+ }
+
+
+if (image_target->id == IMAGE_LOONGSON_ELF)
 {
 if (comp == GRUB_COMPRESSION_NONE)
 target_addr = (image_target->link_addr - decompress_size);
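Review bot: The new error string in the @@ -958 hunk reads "cab be added" and splices two different mechanisms into one clause; `grub_util_error (_("SBAT can only be embedded into EFI (.sbat section) or powerpc-ieee1275 (ELF note) images"));` says the same thing correctly. Note that this check is the only thing keeping SBAT out of the other ELF targets handled by the same `case`: the generator in patch 1 emits the note whenever `sbat` is non-NULL without looking at `image_target->id`, and the loader added in the @@ -1835 hunk is likewise target-independent, so the `IMAGE_PPC` gate here has to stay in sync with whatever targets actually get a firmware-side verifier.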
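Review bot: The `if (sbat_path != NULL)` block in the @@ -1835 hunk embeds the file with no check on its size: an empty sbat.csv gives `sbat_size == 0`, which reaches `xmalloc (0)` and produces an ELF note with an empty descriptor that the firmware verifier then has to reject; `if (sbat_size == 0) grub_util_error (_("SBAT file %s is empty"), sbat_path);` (constructed message) ahead of the allocation fails at build time instead. The same get-size/xmalloc/load sequence presumably already exists for the EFI `.sbat` path elsewhere in this function — if so, a small static helper would avoid keeping two copies in step. Minor: `if (image_target->id == IMAGE_LOONGSON_ELF)` is removed and re-added with no visible change other than indentation, and two consecutive blank lines are inserted before it.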
@@ -1846,10 +1857,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
 else
 target_addr = image_target->link_addr;
 if (image_target->voidp_sizeof == 4)
- grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img,
+ grub_mkimage_generate_elf32 (image_target, note, appsig_size, sbat, &core_img,
 &core_size, target_addr, &layout);
 else
- grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img,
+ grub_mkimage_generate_elf64 (image_target, note, appsig_size, sbat, &core_img,
 &core_size, target_addr, &layout);
 }
 break;
-- 2.39.3 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
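Review bot: `sbat`, allocated with `xmalloc` in the previous hunk of this `case`, is passed to `grub_mkimage_generate_elf32`/`grub_mkimage_generate_elf64` and the case then ends at `break;` without releasing it, so the buffer leaks once the note has been written into `core_img`; add `free (sbat);` after the `if`/`else` and before `break;` (`free (NULL)` is harmless when no SBAT file was given). If the generator keeps a reference to the buffer rather than copying it — its body is outside this hunk — the free has to move to wherever `core_img` is released instead.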