#ifndef _IPXE_SBAT_H
#define _IPXE_SBAT_H

/** @file
 *
 * Secure Boot Advanced Targeting (SBAT)
 *
 * SBAT defines an encoding for security generation numbers stored as
 * a CSV file within a special ".sbat" section in the signed binary.
 * If a Secure Boot exploit is discovered then the generation number
 * will be incremented alongside the corresponding fix.
 *
 * Platforms may then record the minimum generation number required
 * for any given product. This allows for an efficient revocation
 * mechanism that consumes minimal flash storage space (in contrast to
 * the DBX mechanism, which allows for only a single-digit number of
 * revocation events to ever take place across all possible signed
 * binaries).
 *
 * The generation numbers defined here are therefore a security
 * control in their own right: they are what a platform's revocation
 * policy compares against, so they must only change in step with the
 * corresponding upstream fix.
 */

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
FILE_SECBOOT ( PERMITTED );

/**
 * A single line within an SBAT CSV file
 *
 * The arguments are concatenated as adjacent string literals, so each
 * must be (or expand to) a string literal.  _S2() is defined outside
 * this header; it is used here to turn the numeric generation into a
 * string literal for the concatenation.
 *
 * @v name Machine-readable component name
 * @v generation Security generation number
 * @v vendor Human-readable vendor name
 * @v package Human-readable package name
 * @v version Human-readable package version
 * @v uri Contact URI
 * @ret line CSV line (terminated by a newline)
 */
#define SBAT_LINE( name, generation, vendor, package, version, uri ) \
 name "," _S2 ( generation ) "," vendor "," package "," \
 version "," uri "\n"

/** SBAT format generation
 *
 * Generation of the SBAT CSV format itself, as reported in the header
 * line (see SBAT_HEADER); distinct from the per-component security
 * generations below.
 */
#define SBAT_GENERATION 1

/** Upstream security generation
 *
 * This represents the security generation of the upstream codebase.
 * It will be incremented whenever a Secure Boot exploit is fixed in
 * the upstream codebase.
 *
 * If you do not have commit access to the upstream iPXE repository,
 * then you may not modify this value under any circumstances.
 */
#define IPXE_SBAT_GENERATION 1

/* Seriously, do not modify this value
 *
 * Build-time enforcement of the rule above: redefining the value
 * fails the build rather than silently producing a binary that
 * reports a different upstream generation number.
 */
#if IPXE_SBAT_GENERATION != 1
#error "You may not modify IPXE_SBAT_GENERATION"
#endif

/** SBAT header line
 *
 * First line of the SBAT CSV, describing the SBAT format itself: the
 * component name is "sbat" and both the generation and version fields
 * carry SBAT_GENERATION.
 */
#define SBAT_HEADER \
 SBAT_LINE ( "sbat", SBAT_GENERATION, "SBAT Version", "sbat", \
 _S2 ( SBAT_GENERATION ), \
 "https://github.com/rhboot/shim/blob/main/SBAT.md" )

/** Mark variable as being in the ".sbat" section
 *
 * NOTE(review): the 512-byte alignment is presumably a requirement of
 * the output image's section layout — confirm against the linker
 * script / PE writer before changing it.
 */
#define __sbat __attribute__ (( section ( ".sbat" ), aligned ( 512 ) ))

/** SBAT CSV content, placed in the ".sbat" section by __sbat */
extern const char sbat[] __sbat;

#endif /* _IPXE_SBAT_H */