iPXE
sbat.h File Reference

Secure Boot Advanced Targeting (SBAT) More...


Macros

#define SBAT_LINE(name, generation, vendor, package, version, uri)
  A single line within an SBAT CSV file.

#define SBAT_GENERATION   1
  SBAT format generation.

#define IPXE_SBAT_GENERATION   1
  Upstream security generation.

#define SBAT_HEADER
  SBAT header line.

#define __sbat   __attribute__ (( section ( ".sbat" ), aligned ( 512 ) ))
  Mark variable as being in the ".sbat" section.
 

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 

Variables

const char sbat [] __sbat
  SBAT data (without any NUL terminator)
 

Detailed Description

Secure Boot Advanced Targeting (SBAT)

SBAT defines an encoding for security generation numbers stored as a CSV file within a special ".sbat" section in the signed binary. If a Secure Boot exploit is discovered then the generation number will be incremented alongside the corresponding fix.

Platforms may then record the minimum generation number required for any given product. This allows for an efficient revocation mechanism that consumes minimal flash storage space (in contrast to the DBX mechanism, which allows for only a single-digit number of revocation events to ever take place across all possible signed binaries).

Definition in file sbat.h.
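As an added example (not iPXE's own code) of the mechanism described above: the sbat.h macros assemble a constructed .sbat CSV, and a platform-side check compares each generation the binary declares against the minimum the platform has recorded for that component, rejecting the binary when one falls short. _S2() is reproduced as the usual two-level stringify idiom from compiler.h, the product version string is made up, the __sbat section attribute is left off so it compiles on any host, and a policy entry naming a component the binary does not declare is simply not matched.

```c
#include <stdlib.h>
#include <string.h>

/* Stringify an expanded argument (stands in for iPXE's _S2() in compiler.h) */
#define _S1( x ) #x
#define _S2( x ) _S1 ( x )

/* The macros from sbat.h, reproduced so the example builds on its own */
#define SBAT_LINE( name, generation, vendor, package, version, uri )	\
	name "," _S2 ( generation ) "," vendor "," package ","		\
	version "," uri "\n"
#define SBAT_GENERATION 1
#define IPXE_SBAT_GENERATION 1
#define SBAT_HEADER							\
	SBAT_LINE ( "sbat", SBAT_GENERATION, "SBAT Version", "sbat",	\
		    _S2 ( SBAT_GENERATION ),				\
		    "https://github.com/rhboot/shim/blob/main/SBAT.md" )

/* Constructed .sbat content (made-up version string; __sbat attribute omitted) */
const char sbat[] = SBAT_HEADER
	SBAT_LINE ( "ipxe", IPXE_SBAT_GENERATION, "iPXE", "ipxe",
		    "1.21.1", "https://ipxe.org" );

/* One platform revocation entry: minimum generation accepted for a component */
struct sbat_policy { const char *name; unsigned int min_generation; };

/* Generation the binary declares for a component whose first CSV field equals
 * the whole name.  Returns 1 and sets *gen if found, 0 if absent. */
int sbat_lookup ( const char *data, const char *name, unsigned int *gen ) {
	size_t namelen = strlen ( name );
	for ( const char *line = data ; *line ; ) {
		const char *eol = strchr ( line, '\n' );
		size_t len = ( eol ? ( size_t ) ( eol - line ) : strlen ( line ) );
		if ( ( len > namelen ) && ( line[namelen] == ',' ) &&
		     ( memcmp ( line, name, namelen ) == 0 ) ) {
			*gen = ( unsigned int ) strtoul ( line + namelen + 1, NULL, 10 );
			return 1;
		}
		line += ( len + ( eol ? 1 : 0 ) );
	}
	return 0;
}

/* Platform check: revoked if any declared component is below its recorded
 * minimum generation; unmatched policy entries are ignored.  1 = permitted. */
int sbat_permitted ( const char *data, const struct sbat_policy *policy,
		     size_t count ) {
	for ( size_t i = 0 ; i < count ; i++ ) {
		unsigned int gen;
		if ( sbat_lookup ( data, policy[i].name, &gen ) &&
		     ( gen < policy[i].min_generation ) )
			return 0;
	}
	return 1;
}
```

Raising IPXE_SBAT_GENERATION to 2 after a fix is what lets a platform that records "ipxe,2" reject every binary still carrying generation 1 without touching DBX.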

Macro Definition Documentation

◆ SBAT_LINE

#define SBAT_LINE( name, generation, vendor, package, version, uri ) \
        name "," _S2 ( generation ) "," vendor "," package ","       \
        version "," uri "\n"

A single line within an SBAT CSV file.

Parameters
  name        Machine-readable component name
  generation  Security generation number
  vendor      Human-readable vendor name
  package     Human-readable package name
  version     Human-readable package version
  uri         Contact URI
Return values
  line        CSV line

Definition at line 34 of file sbat.h.

◆ SBAT_GENERATION

#define SBAT_GENERATION   1

SBAT format generation.

Definition at line 39 of file sbat.h.

◆ IPXE_SBAT_GENERATION

#define IPXE_SBAT_GENERATION   1

Upstream security generation.

This represents the security generation of the upstream codebase. It will be incremented whenever a Secure Boot exploit is fixed in the upstream codebase.

If you do not have commit access to the upstream iPXE repository, then you may not modify this value under any circumstances.

Definition at line 50 of file sbat.h.

◆ SBAT_HEADER

#define SBAT_HEADER                                                  \
        SBAT_LINE ( "sbat", SBAT_GENERATION, "SBAT Version", "sbat", \
                    _S2 ( SBAT_GENERATION ),                         \
                    "https://github.com/rhboot/shim/blob/main/SBAT.md" )

SBAT header line.

Definition at line 58 of file sbat.h.

◆ __sbat

#define __sbat   __attribute__ (( section ( ".sbat" ), aligned ( 512 ) ))

Mark variable as being in the ".sbat" section.

Definition at line 64 of file sbat.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

Variable Documentation

◆ sbat

const char sbat [] __sbat

SBAT data (without any NUL terminator)

Definition at line 124 of file version.c.