Re: [Gnu-efi-discuss] Add the .sbat section to the section map
From: Callum F. <gm...@op...> - 2024-03-27 11:48:52
On Tue, 26 Mar 2024, 17:54 Heinrich Schuchardt via Gnu-efi-discuss, <gnu...@li...> wrote:

> On 3/25/24 11:06, Richard Hughes wrote:
> > This has been part of fwupd-efi for a long time now.
> >
> > Also; I can't pretend to understand all this, so please review this
> > carefully and let me know what you think. For those following along,
> > I'm trying to unfork the fedora gnu-efi version of gnu-efi (99% done),
> > and also unfork the lds and .S parts of fwupd-efi that we use as a
> > fallback.
> >
> > Richard.
>
> Hello Richard,
>
> Getting the different version of gnu-efi into line is a good idea.
>
> Could you, please, fork gnu-efi on
> https://sourceforge.net/p/gnu-efi/code/ and create a merge request.
>

Migrated to GitHub since March 22 (https://github.com/ncroxon/gnu-efi)

Mainly for Nigel; We also could do with enabling GH Discussions so this mailing list can also go as well
(Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/enabling-or-disabling-github-discussions-for-a-repository )

> As .sbat sections are not in the PE/COFF and UEFI specifications the
> commit message should provide some context, e.g.
>
> "Multiple projects including fwupd, shim, and GRUB use a CSV file copied
> to a section named .sbat for fine grained security control in a UEFI
> secure boot environment. For details see
> https://github.com/rhboot/shim/blob/main/SBAT.md."
>
> Your patch only modifies the linker scripts. Without modifying
> ./gnuefi/crt0-efi-<arch>.S the .sbat section will be missing in the
> section table. Without updating Make.rules no .sbat section data will be
> copied into the EFI binary. README.gnuefi should describe how to build a
> binary with .sbat data.
>
> Best regards
>
> Heinrich
>

The only issue I have with this patch is that I believe there used to be an issue with empty sections (if no SBAT data, the section will be empty) with the UEFI loader; I don't know if it's been fixed.

Although SBAT is (mostly) always needed now (Secure Boot), so we could just simply require it.

> _______________________________________________
> Gnu-efi-discuss mailing list
> Gnu...@li...
> https://lists.sourceforge.net/lists/listinfo/gnu-efi-discuss

Many thanks,
Callum F
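
Added example, not part of the thread and not gnu-efi code: a Python check that a build pipeline could run on the produced EFI binary to tell apart the two cases raised above, a `.sbat` section missing from the PE section table and a `.sbat` section that is present but empty. The function names, the constructed test image and the `example` component row are assumptions for illustration.

```python
import csv
import struct

def find_section(image: bytes, name: bytes = b".sbat"):
    """Return (virtual_size, raw_size, raw_offset) from the PE section table, or None."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, 3 dwords, SizeOfOptionalHeader, flags
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size
    for i in range(nsec):
        sec, vsize, _, raw_size, raw_off = struct.unpack_from("<8sIIII", image, table + 40 * i)
        if sec.rstrip(b"\0") == name:
            return vsize, raw_size, raw_off
    return None

def check_sbat(image: bytes):
    """Return ("missing" | "empty" | "present", parsed CSV rows)."""
    found = find_section(image)
    if found is None:
        return "missing", []
    vsize, raw_size, raw_off = found
    size = min(vsize, raw_size) if vsize else raw_size
    data = image[raw_off:raw_off + size].rstrip(b"\0")
    if not data.strip():
        return "empty", []
    return "present", list(csv.reader(data.decode("utf-8").splitlines()))

def build_image(sections):
    """Constructed header + section table for the demo; not a bootable EFI binary."""
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    data_off, table, body = 0x40 + 24 + 40 * len(sections), b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data),
                             data_off + len(body), 0, 0, 0, 0, 0)
        body += data
    return head + coff + table + body

# Constructed sample: SBAT header row plus a made-up "example" component row.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"example,1,Example Vendor,example,1,https://example.invalid\n")

if __name__ == "__main__":
    for label, secs in [("no .sbat", [(b".text", b"\x90" * 16)]),
                        ("empty .sbat", [(b".text", b"\x90" * 16), (b".sbat", b"")]),
                        ("with .sbat", [(b".text", b"\x90" * 16), (b".sbat", SAMPLE_SBAT)])]:
        print(label, "->", check_sbat(build_image(secs)))
```

On a real build, pass the bytes of the linked `.efi` file to `check_sbat` and fail the job on anything other than `"present"`.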