x86/efi: Implement support for embedding SBAT data for x86
authorVitaly Kuznetsov <vkuznets@redhat.com>
Tue, 3 Jun 2025 09:19:51 +0000 (11:19 +0200)
committerBorislav Petkov (AMD) <bp@alien8.de>
Sat, 21 Jun 2025 11:53:44 +0000 (13:53 +0200)
Similar to the zboot architectures, implement support for embedding SBAT data
for x86. Place the '.sbat' section between '.text' and '.data' (i.e. after
'.rodata' in the linker script), as '.data' also covers '.bss' and '.pgtable'
and thus must remain the last section in the file.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/20250603091951.57775-1-vkuznets@redhat.com
arch/x86/boot/Makefile
arch/x86/boot/compressed/Makefile
arch/x86/boot/compressed/sbat.S [new file with mode: 0644]
arch/x86/boot/compressed/vmlinux.lds.S
arch/x86/boot/header.S
drivers/firmware/efi/Kconfig

index 640fcac..3f9fb36 100644 (file)
@@ -71,7 +71,7 @@ $(obj)/vmlinux.bin: $(obj)/compressed/vmlinux FORCE
 
 SETUP_OBJS = $(addprefix $(obj)/,$(setup-y))
 
-sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|z_.*\)$$/\#define ZO_\2 0x\1/p'
+sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|_e\?sbat\|z_.*\)$$/\#define ZO_\2 0x\1/p'
 
 quiet_cmd_zoffset = ZOFFSET $@
       cmd_zoffset = $(NM) $< | sed -n $(sed-zoffset) > $@
index f4f7b22..3a38fdc 100644 (file)
@@ -106,6 +106,11 @@ vmlinux-objs-$(CONFIG_UNACCEPTED_MEMORY) += $(obj)/mem.o
 vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o
 vmlinux-libs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a
 vmlinux-libs-$(CONFIG_X86_64)  += $(objtree)/arch/x86/boot/startup/lib.a
+vmlinux-objs-$(CONFIG_EFI_SBAT) += $(obj)/sbat.o
+
+ifdef CONFIG_EFI_SBAT
+$(obj)/sbat.o: $(CONFIG_EFI_SBAT_FILE)
+endif
 
 $(obj)/vmlinux: $(vmlinux-objs-y) $(vmlinux-libs-y) FORCE
        $(call if_changed,ld)
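Review bot: The prerequisite `$(obj)/sbat.o: $(CONFIG_EFI_SBAT_FILE)` expands a Kconfig string symbol, and Kconfig writes string values into include/config/auto.conf with their surrounding double quotes (which is what lets the `.incbin CONFIG_EFI_SBAT_FILE` in sbat.S work via the C macro); unless kbuild strips them before this point, make would look for a file whose name contains literal quote characters and either fail or never re-trigger a rebuild when the SBAT file changes. Other Makefiles unquote such values, so the usual form would be `$(obj)/sbat.o: $(CONFIG_EFI_SBAT_FILE:"%"=%)`; if the zboot equivalent already handles this differently, mirror whatever is proven to work there. Note also that a relative path is resolved against make's working directory here but against the assembler's include search path in `.incbin`, so the help text or a comment should state that an absolute path is expected.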
diff --git a/arch/x86/boot/compressed/sbat.S b/arch/x86/boot/compressed/sbat.S
new file mode 100644 (file)
index 0000000..838f70a
--- /dev/null
@@ -0,0 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Embed SBAT data in the kernel.
+ */
+       .pushsection ".sbat", "a", @progbits
+       .incbin CONFIG_EFI_SBAT_FILE
+       .popsection
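Review bot: The SBAT file is embedded verbatim and nothing at build time checks that it is a well-formed SBAT CSV (a leading `sbat,1,` header line and a trailing newline are what shim expects, as far as I recall), so a malformed or empty file is only discovered when the signed image is refused at boot. A short comment would save the next person that debugging round trip: `/* Embedded verbatim: the file must already be a valid SBAT CSV (header line first, newline-terminated); nothing validates it here. */`. The `"a"` flags are the right choice: the section is allocatable but neither writable nor executable, and it lands in the PE image where it is covered by the Authenticode signature.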
index 3b2bc61..587ce3e 100644 (file)
@@ -43,6 +43,14 @@ SECTIONS
                *(.rodata.*)
                _erodata = . ;
        }
+#ifdef CONFIG_EFI_SBAT
+       .sbat : ALIGN(0x1000) {
+               _sbat = . ;
+               *(.sbat)
+               _esbat = ALIGN(0x1000);
+               . = _esbat;
+       }
+#endif
        .data : ALIGN(0x1000) {
                _data = . ;
                *(.data)
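Review bot: With an empty SBAT file, `_sbat` and `_esbat` coincide (`ALIGN(0x1000)` of an already page-aligned `.` is a no-op), which would produce a zero-sized `.sbat` PE section header in header.S; CONFIG_EFI_SBAT presumably only depends on the path being non-empty, not on the file having content. A one-line guard makes that a link-time error instead of a boot-time surprise: `ASSERT(_esbat > _sbat, "CONFIG_EFI_SBAT_FILE is empty")`. Placing the output section after `.rodata` and before `.data` matches the description's requirement that `.data` (which spans to `_end`) stay last.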
index e1f4fd5..9bea5a1 100644 (file)
@@ -179,15 +179,11 @@ pecompat_fstart:
 #else
        .set    pecompat_fstart, setup_size
 #endif
-       .ascii  ".text"
-       .byte   0
-       .byte   0
-       .byte   0
-       .long   ZO__data
-       .long   setup_size
-       .long   ZO__data                        # Size of initialized data
-                                               # on disk
-       .long   setup_size
+       .ascii  ".text\0\0\0"
+       .long   textsize                        # VirtualSize
+       .long   setup_size                      # VirtualAddress
+       .long   textsize                        # SizeOfRawData
+       .long   setup_size                      # PointerToRawData
        .long   0                               # PointerToRelocations
        .long   0                               # PointerToLineNumbers
        .word   0                               # NumberOfRelocations
@@ -196,6 +192,23 @@ pecompat_fstart:
                IMAGE_SCN_MEM_READ              | \
                IMAGE_SCN_MEM_EXECUTE           # Characteristics
 
+#ifdef CONFIG_EFI_SBAT
+       .ascii  ".sbat\0\0\0"
+       .long   ZO__esbat - ZO__sbat            # VirtualSize
+       .long   setup_size + ZO__sbat           # VirtualAddress
+       .long   ZO__esbat - ZO__sbat            # SizeOfRawData
+       .long   setup_size + ZO__sbat           # PointerToRawData
+
+       .long   0, 0, 0
+       .long   IMAGE_SCN_CNT_INITIALIZED_DATA  | \
+               IMAGE_SCN_MEM_READ              | \
+               IMAGE_SCN_MEM_DISCARDABLE       # Characteristics
+
+       .set    textsize, ZO__sbat
+#else
+       .set    textsize, ZO__data
+#endif
+
        .ascii  ".data\0\0\0"
        .long   ZO__end - ZO__data              # VirtualSize
        .long   setup_size + ZO__data           # VirtualAddress
index db8c5c0..16baa03 100644 (file)
@@ -286,7 +286,7 @@ config EFI_SBAT
 
 config EFI_SBAT_FILE
        string "Embedded SBAT section file path"
-       depends on EFI_ZBOOT
+       depends on EFI_ZBOOT || (EFI_STUB && X86)
        help
          SBAT section provides a way to improve SecureBoot revocations of UEFI
          binaries by introducing a generation-based mechanism. With SBAT, older