Software Bill Of Materials (SBOM) More...

Macros
#define	SBOM_FIELD(key, value)
	An SBOM field.
#define	SBOM_STRING(key, value)
	An SBOM string field.
#define	SBOM_PACKAGE(spdxid, name, supplier, version)
	An SBOM package.
#define	SBOM_MANIFEST(name, supplier, version)
	An SBOM manifest.
#define	__sbom __attribute__ (( section ( ".sbom" ), aligned ( 512 ) ))
	Mark variable as being in the ".sbom" section.

Functions
	FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
	FILE_SECBOOT (PERMITTED)

Variables
const char sbom[]	__sbom
	SBOM data (without any NUL terminator)

Detailed Description

Software Bill Of Materials (SBOM)

Since October 2025, the Microsoft UEFI Signing Requirements have included a clause stating that "submissions must contain a valid signed SPDX SBOM in a custom '.sbom' PE section". A list of required fields is provided, and a link is given to "the Microsoft SBOM tool to aid SBOM generation". So far, so promising.

The Microsoft SBOM tool has no support for handling a .sbom PE section. There is no published document that specifies what is supposed to appear within this PE section. An educated guess is that it should probably contain the raw JSON data in the same format that the Microsoft SBOM tool produces.

The list of required fields does not map to identifiable fields within the JSON. In particular:

"file name / software"

This might be the top-level "name" field. It's hard to tell. The SPDX SBOM specification is not particularly informative either: the only definition it appears to give for "name" is "This field identifies the name of an Element as designated by the creator", which is a spectacularly useless definition.
"software version / component generation (shim)"

This may refer to the "packages[].versionInfo" field. There is no obvious relevance for the words "component", "generation", or "shim". The proximity of "generation" and "shim" suggests that this might be related in some way to the SBAT security generation, which is absolutely not the same thing as the software version.
"vendor / company name (this must exactly match the verified company name in the submitter's EV certificate on the Microsoft HDC partner center account)"

This is clearly written as though it has some significance for the UEFI signing submission process. Unfortunately there is no obvious map to any defined SBOM field. An educated guess is that this might be referring to "packages[].supplier", since experiments show that the Microsoft SBOM tool will fail validation unless this field is present.
"product-name"

This might also be the top-level "name" field. There is no indication given as to how this might differ from "file name / software".
"OEM Name" and "OEM ID"

These seem to be terms made up on the spur of the moment. The three-letter sequence "OEM" does not appear anywhere within the codebase of the Microsoft SBOM tool.

In the absence of any meaningful specification, we choose not to engage in good faith with this requirement. Instead, we construct a best guess at the contents of a .sbom section that has some chance of being accepted by the UEFI signing submission process. We assume that anything that passes "sbom-tool validate" will probably be accepted, with the only actual check being that the supplier name must match the registered EV code signing certificate.

To anyone who actually cares about the arguably valuable benefits of having a software bill of materials: please stop creating junk requirements. If you want people to actually make the effort to produce useful SBOM data, then make it clear what data you want. Provide unambiguous specifications. Provide example files. Provide tools that actually do the job they are claimed to do. Don't just throw out another piece of "MUST HAS THING BECAUSE IS MORE SECURITY" garbage and call it a day.

Definition in file sbom.h.

Macro Definition Documentation

◆ SBOM_FIELD

#define SBOM_FIELD	(		key,
			value )

Value:

"\"" key "\":" value

key

union @162305117151260234136356364136041353210355154177 key

Sense key.

Definition scsi.h:3

value

pseudo_bit_t value[0x00020]

Definition arbel.h:2

An SBOM field.

Definition at line 87 of file sbom.h.

◆ SBOM_STRING

#define SBOM_STRING	(		key,
			value )

Value:

SBOM_FIELD ( key, "\"" value "\"" )

SBOM_FIELD

#define SBOM_FIELD(key, value)

An SBOM field.

Definition sbom.h:87

An SBOM string field.

Definition at line 90 of file sbom.h.

◆ SBOM_PACKAGE

#define SBOM_PACKAGE	(	spdxid,
		name,
		supplier,
		version )

Value:

        "{"                                                             \
        SBOM_STRING ( "SPDXID", spdxid ) ","                            \
        SBOM_STRING ( "name", name ) ","                            \
        SBOM_STRING ( "supplier", supplier ) ","                        \
        SBOM_STRING ( "versionInfo", version )                           \
        "}"

An SBOM package.

Definition at line 93 of file sbom.h.

#define SBOM_PACKAGE( spdxid, name, supplier, version )                 \
        "{"                                                             \
        SBOM_STRING ( "SPDXID", spdxid ) ","                            \
        SBOM_STRING ( "name", name ) ","                                \
        SBOM_STRING ( "supplier", supplier ) ","                        \
        SBOM_STRING ( "versionInfo", version )                          \
        "}"

◆ SBOM_MANIFEST

#define SBOM_MANIFEST	(	name,
		supplier,
		version )

Value:

        "{"                                                             \
        SBOM_STRING ( "name", name ) ","                            \
        SBOM_FIELD ( "files", "[]" ) ","                                \
        SBOM_FIELD ( "relationships", "[]" ) ","                        \
        SBOM_FIELD ( "packages", "["                                    \
                     SBOM_PACKAGE ( "", name, supplier, version )        \
                     "]" )                                              \
        "}"

An SBOM manifest.

Definition at line 102 of file sbom.h.

#define SBOM_MANIFEST( name, supplier, version )                        \
        "{"                                                             \
        SBOM_STRING ( "name", name ) ","                                \
        SBOM_FIELD ( "files", "[]" ) ","                                \
        SBOM_FIELD ( "relationships", "[]" ) ","                        \
        SBOM_FIELD ( "packages", "["                                    \
                     SBOM_PACKAGE ( "", name, supplier, version )       \
                     "]" )                                              \
        "}"

◆ __sbom

#define __sbom __attribute__ (( section ( ".sbom" ), aligned ( 512 ) ))

Mark variable as being in the ".sbom" section.

Definition at line 113 of file sbom.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

Variable Documentation

◆ __sbom

const char sbom [] __sbom

extern

SBOM data (without any NUL terminator)

Definition at line 132 of file version.c.

Macros

Functions

Variables

Detailed Description

Macro Definition Documentation

◆ SBOM_FIELD

◆ SBOM_STRING

◆ SBOM_PACKAGE

◆ SBOM_MANIFEST

◆ __sbom

Function Documentation

◆ FILE_LICENCE()

◆ FILE_SECBOOT()

Variable Documentation

◆ __sbom