iPXE
sbat.h
Go to the documentation of this file.
1#ifndef _IPXE_SBAT_H
2#define _IPXE_SBAT_H
3
4/** @file
5 *
6 * Secure Boot Advanced Targeting (SBAT)
7 *
8 * SBAT defines an encoding for security generation numbers stored as
9 * a CSV file within a special ".sbat" section in the signed binary.
10 * If a Secure Boot exploit is discovered then the generation number
11 * will be incremented alongside the corresponding fix.
12 *
13 * Platforms may then record the minimum generation number required
14 * for any given product. This allows for an efficient revocation
15 * mechanism that consumes minimal flash storage space (in contrast to
16 * the DBX mechanism, which allows for only a single-digit number of
17 * revocation events to ever take place across all possible signed
18 * binaries).
19 */
20
21FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
22FILE_SECBOOT ( PERMITTED );
23
24/**
25 * A single line within an SBAT CSV file
26 *
27 * @v name Machine-readable component name
28 * @v generation Security generation number
29 * @v vendor Human-readable vendor name
30 * @v package Human-readable package name
31 * @v version Human-readable package version
32 * @v uri Contact URI
33 * @ret line CSV line
34 */
35#define SBAT_LINE( name, generation, vendor, package, version, uri ) \
36 name "," _S2 ( generation ) "," vendor "," package "," \
37 version "," uri "\n"
38
39/** SBAT format generation */
40#define SBAT_GENERATION 1
41
42/** Upstream security generation
43 *
44 * This represents the security generation of the upstream codebase.
45 * It will be incremented whenever a Secure Boot exploit is fixed in
46 * the upstream codebase.
47 *
48 * If you do not have commit access to the upstream iPXE repository,
49 * then you may not modify this value under any circumstances.
50 */
51#define IPXE_SBAT_GENERATION 1
52
53/* Seriously, do not modify this value */
54#if IPXE_SBAT_GENERATION != 1
55#error "You may not modify IPXE_SBAT_GENERATION"
56#endif
57
58/** SBAT header line */
59#define SBAT_HEADER \
60 SBAT_LINE ( "sbat", SBAT_GENERATION, "SBAT Version", "sbat", \
61 _S2 ( SBAT_GENERATION ), \
62 "https://github.com/rhboot/shim/blob/main/SBAT.md" )
63
64/** Mark variable as being in the ".sbat" section */
65#define __sbat __attribute__ (( section ( ".sbat" ), aligned ( 512 ) ))
66
67extern const char sbat[] __sbat;
68
69#endif /* _IPXE_SBAT_H */
FILE_LICENCE
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896
FILE_SECBOOT
#define FILE_SECBOOT(_status)
Declare a file's UEFI Secure Boot permission status.
Definition compiler.h:926
__sbat
#define __sbat
Mark variable as being in the ".sbat" section.
Definition sbat.h:65
Generated by doxygen 1.14.0