Re: [Gnu-efi-discuss] Add the .sbat section to the section map
From: Richard H. <hug...@gm...> - 2024-05-07 14:10:25
On Tue, 26 Mar 2024 at 17:54, Heinrich Schuchardt <xyp...@gm...> wrote:
> Getting the different versions of gnu-efi into line is a good idea.

I think it's the only sane thing to do long term :)

> As .sbat sections are not in the PE/COFF and UEFI specifications the
> commit message should provide some context, e.g.
>
> "Multiple projects including fwupd, shim, and GRUB use a CSV file copied
> to a section named .sbat for fine grained security control in a UEFI
> secure boot environment. For details see
> https://github.com/rhboot/shim/blob/main/SBAT.md."

Fixed, thanks.

> Your patch only modifies the linker scripts. Without modifying
> ./gnuefi/crt0-efi-<arch>.S the .sbat section will be missing in the
> section table.

This was the bit I wasn't sure how to do; for instance, this is what fwupd does:

diff --git a/gnuefi/crt0-efi-riscv64.S b/gnuefi/crt0-efi-riscv64.S
index 712ed03..6350105 100644
--- a/gnuefi/crt0-efi-riscv64.S
+++ b/gnuefi/crt0-efi-riscv64.S
@@ -35,7 +35,7 @@ pe_header: .2byte 0 coff_header: .2byte 0x5064 // riscv64 - .2byte 4 // nr_sections + .2byte NR_SECTIONS // nr_sections .4byte 0 // TimeDateStamp .4byte 0 // PointerToSymbolTable .4byte 0 // NumberOfSymbols
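Review bot: `.2byte NR_SECTIONS` replaces the literal 4 in the COFF header, but nothing in this hunk gives NR_SECTIONS a default, so a build that does not pass it breaks, and a build that passes NR_SECTIONS=5 without also defining USING_SBAT makes the firmware loader read a fifth section header out of whatever bytes follow the four real entries. Derive the count from the same macro that guards the extra entry instead of trusting the build system to keep two knobs in step, e.g. near the top of the file: `#ifdef USING_SBAT` / `#define NR_SECTIONS 5` / `#else` / `#define NR_SECTIONS 4` / `#endif`. Then the header count and the `#ifdef USING_SBAT` block in the section table cannot disagree.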
@@ -150,6 +150,20 @@ section_table: .2byte 0 // NumberOfLineNumbers .4byte 0x40000040 // Characteristics (section flags) +#ifdef USING_SBAT + .ascii ".sbat\0\0\0" + .4byte _sbat_vsize - ImageBase // VirtualSize + .4byte _sbat - ImageBase // VirtualAddress + .4byte _sbat_size - ImageBase // SizeOfRawData + .4byte _sbat - ImageBase // PointerToRawData + + .4byte 0 // PointerToRelocations (0 for executables) + .4byte 0 // PointerToLineNumbers (0 for executables) + .2byte 0 // NumberOfRelocations (0 for executables) + .2byte 0 // NumberOfLineNumbers (0 for executables) + .4byte 0x40000040 // Characteristics (section flags) +#endif + .text .globl _start .type _start,%function

...which means you have to set USING_SBAT and NR_SECTIONS in the build system. I'm wondering if this is the right way to do it; it seems having an empty section unconditionally (e.g. setting nr_sections to 5) might be okay, but does blow up the binary size by 4k for everyone. Maybe that's okay.

> Without updating Make.rules no .sbat section data will be
> copied into the EFI binary.

Got it -- thanks. I'm using meson in fwupd-efi so I missed that.

> README.gnuefi should describe how to build a
> binary with .sbat data.

Something like this perhaps?

+ .sbat + This section contains CSV data to specify the fine grained + security control of the UEFI secure boot environment. + To populate this, use objcopy: + + $ objcopy --remove-section=.sbat --add-section .sbat=sbat.csv \ + --set-section-flags=.sbom=contents,alloc,load,readonly,data \ + filename.exe

Richard.
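Review bot: the new `.sbat` entry references `_sbat`, `_sbat_vsize` and `_sbat_size`, but the linker-script side that defines them is not in this hunk, so anyone building with USING_SBAT against a script that lacks them gets a failed link, and the thread already notes the earlier patch touched only the linker scripts; please land the three symbol definitions in the same patch for every crt0-efi-<arch>.S that gets this block. Also double-check the expressions against the entries above in the same table: `_sbat_size - ImageBase` for SizeOfRawData is only right if `_sbat_size` is defined the way the existing `*_size` symbols are, otherwise a plain length minus ImageBase yields a bogus size. Since the entry is appended after the last existing section and the PE format wants section headers in ascending VirtualAddress order, the linker script must place `.sbat` after the other output sections as well.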
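Review bot: in the README example, `--set-section-flags=.sbom=contents,alloc,load,readonly,data` names `.sbom` while the section being added is `.sbat`, so the flags never reach `.sbat` and recent binutils reject a `--set-section-flags` option for a section that is not present; it should read `--set-section-flags=.sbat=contents,alloc,load,readonly,data`. The text should also say which file the command is run on (the object before the final link, as the Make.rules change above implies, rather than the finished `filename.exe`), since the section table written by crt0-efi-<arch>.S only describes a `.sbat` the linker has already placed.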
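As an added example (my code, not gnu-efi's or fwupd's), here is a check for the two failure modes this thread turns on: the hand-written NumberOfSections disagreeing with the number of real section-table entries, and a `.sbat` that is missing, empty or mis-flagged. It walks the section table the way a loader does, pulls the `.sbat` CSV out and validates the six-column layout from shim's SBAT.md. The image it runs on is constructed in memory with the same field order as the crt0 section table but no optional header (unlike gnu-efi's real crt0); the SBAT rows, the `example-app` component and its URL are illustrative. Python is used so the check runs on any build host without binutils.

```python
# Added example (not gnu-efi or fwupd code): walk a UEFI PE/COFF section table, find .sbat, parse the CSV.
import csv, io, struct

COFF_HEADER = struct.Struct("<HHIIIHH")         # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 2 ptrs, 2 counts, Characteristics
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
SBAT_FLAGS = IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA  # 0x40000040, the value the crt0 hunk writes
IMAGE_FILE_MACHINE_RISCV64, IMAGE_FILE_EXECUTABLE_IMAGE = 0x5064, 0x0002
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")  # column order from shim's SBAT.md

def parse_sections(image):
    """Walk the table the way a loader does: e_lfanew -> COFF header -> NumberOfSections entries."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = COFF_HEADER.unpack_from(image, e_lfanew + 4)
    nsec, table_off = coff[1], e_lfanew + 4 + COFF_HEADER.size + coff[5]
    sections = []
    for i in range(nsec):
        off = table_off + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(image):
            raise ValueError(f"NumberOfSections={nsec} but entry {i} lies past end of file")
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = SECTION_HEADER.unpack_from(image, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rsize, "raw_ptr": rptr, "flags": flags})
    return sections

def check_section_table(image):
    """Problems a reviewer would flag; [] means the table is self-consistent and carries a sane .sbat."""
    try:
        sections = parse_sections(image)
    except ValueError as e:
        return [str(e)]
    problems = []
    for i, s in enumerate(sections):
        if not s["name"]:  # NumberOfSections exceeds the real table: whatever follows it was read as a header
            problems.append(f"entry {i} has an empty name (NumberOfSections larger than the table?)")
        if s["raw_ptr"] + s["raw_size"] > len(image):
            problems.append(f"entry {i} ({s['name']}): raw data extends past end of file")
        if s["name"] == ".sbat" and (s["flags"] & (IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE) or not s["raw_size"]):
            problems.append(".sbat must be non-empty, read-only, non-executable data (flags 0x40000040)")
    if not any(s["name"] == ".sbat" for s in sections):
        problems.append("no .sbat entry in the section table")
    return problems

def read_sbat(image):
    """SBAT rows as dicts, or None when the image has no .sbat section."""
    for s in parse_sections(image):
        if s["name"] != ".sbat":
            continue
        size = min(s["virtual_size"] or s["raw_size"], s["raw_size"])
        text = image[s["raw_ptr"]:s["raw_ptr"] + size].rstrip(b"\0").decode("utf-8")
        rows = []
        for fields in csv.reader(io.StringIO(text)):
            if fields and len(fields) != len(SBAT_FIELDS):
                raise ValueError(f"SBAT row has {len(fields)} fields, expected {len(SBAT_FIELDS)}: {fields}")
            if fields:
                rows.append(dict(zip(SBAT_FIELDS, fields)))
                int(rows[-1]["component_generation"])  # shim compares generations numerically
        if not rows or rows[0]["component_name"] != "sbat":
            raise ValueError("first SBAT row must be the 'sbat' header entry")
        return rows
    return None

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def build_image(sections, declared_sections=None):
    """Hand-assemble a minimal image as crt0-efi-<arch>.S does: MZ stub, 'PE\\0\\0', COFF header, section
    table, raw data (constructed for this example; no optional header). declared_sections writes a
    NumberOfSections that disagrees with the real table, reproducing NR_SECTIONS and USING_SBAT out of step."""
    nsec = len(sections)
    data_off = _align(0x44 + COFF_HEADER.size + nsec * SECTION_HEADER.size, 0x200)
    table, body, vaddr = b"", b"", 0x1000
    for name, data, flags in sections:
        rsize = _align(len(data), 0x200)
        table += SECTION_HEADER.pack(name.ljust(8, b"\0"), len(data), vaddr, rsize, data_off + len(body),
                                     0, 0, 0, 0, flags)
        body += data.ljust(rsize, b"\0")
        vaddr += _align(rsize, 0x1000)
    coff = COFF_HEADER.pack(IMAGE_FILE_MACHINE_RISCV64, nsec if declared_sections is None else declared_sections,
                            0, 0, 0, 0, IMAGE_FILE_EXECUTABLE_IMAGE)
    mz_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE signature at 0x40
    return (mz_stub + b"PE\0\0" + coff + table).ljust(data_off, b"\0") + body

# Constructed sample: a riscv64 nop sled as .text plus an illustrative two-row SBAT CSV.
TEXT_STUB = b"\x13\x00\x00\x00" * 4
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"example-app,1,Example Vendor,example-app,1,https://example.com/example-app\n")

def sample_image(declared_sections=None):
    return build_image([(b".text", TEXT_STUB, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                        (b".sbat", SAMPLE_SBAT, SBAT_FLAGS)], declared_sections)

if __name__ == "__main__":
    print("problems:", check_section_table(sample_image()))
    print("rows:", [(r["component_name"], r["component_generation"]) for r in read_sbat(sample_image())])
    print("NumberOfSections=3, two entries:", check_section_table(sample_image(declared_sections=3)))
```

On a real build, pass the bytes of the produced image to `check_section_table()` and `read_sbat()`; a count that is one higher than the number of entries (the NR_SECTIONS=5 without USING_SBAT case) shows up as an entry with an empty name, and a count one lower shows up as "no .sbat entry".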