From 121c4eba0af041219a25c66622c8ec66df5007d4 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Wed, 6 Mar 2024 01:12:19 +0000
Subject: [PATCH] ukify: really add default .sbat for UKIs

This was lost on refactor, and only addons had a default uki line in the .sbat. Add it back, and differentiate between the default for UKIs vs the default for addons, so that they can be revoked separately. These are only defaults and users are encouraged to provide their own. Follow-up for a8b645dec8e6abf4c9ba0c93a6a0088953a2155e
---
 man/ukify.xml | 10 ++++++----
 src/ukify/ukify.py | 11 ++++++++---
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/man/ukify.xml b/man/ukify.xml
index dc7910fcd2..a81cbcb47b 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -485,8 +485,10 @@ SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke whole groups of UKIs or addons with a single, static policy update that does not take space in DBX/MOKX. If not specified manually, a default metadata entry consisting of
- uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
- will be used, to ensure it is always possible to revoke UKIs and addons. For more information on
+ uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/
+ for UKIs and
+ uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html
+ for addons will be used, to ensure it is always possible to revoke them. For more information on
 SBAT see Shim documentation.
@@ -569,7 +571,7 @@
 --initrd=early_cpio \
 --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
 --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
- uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html' \
+ uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
 --pcr-private-key=pcr-private-initrd-key.pem \
 --pcr-public-key=pcr-public-initrd-key.pem \
 --phases='enter-initrd' \
@@ -642,7 +644,7 @@ $ ukify -c ukify.conf build \
 --secureboot-certificate=sb.cert \
 --cmdline='debug' \
 --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
- uki.addon.author,1,UKI Addon for System,uki.addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
+ uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
 --output=debug.cmdline
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 2e89ba17d9..686377200f 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -870,14 +870,19 @@ def make_uki(opts):
 if linux is not None:
 # Merge the .sbat sections from stub, kernel and parameter, so that revocation can be done on either.
- uki.add_section(Section.create('.sbat', merge_sbat([opts.stub, linux], opts.sbat), measure=True))
+ input_pes = [opts.stub, linux]
+ if not opts.sbat:
+ opts.sbat = ["""sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/
+"""]
 else:
 # Addons don't use the stub so we add SBAT manually
+ input_pes = []
 if not opts.sbat:
 opts.sbat = ["""sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
+uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html
 """]
- uki.add_section(Section.create('.sbat', merge_sbat([], opts.sbat), measure=False))
+ uki.add_section(Section.create('.sbat', merge_sbat(input_pes, opts.sbat), measure=linux is not None))
 # PCR measurement and signing
-- 
2.25.1
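Review bot: The defaulting of `opts.sbat` is now written twice, once per branch, and the two triple-quoted literals differ only in their second line while the `sbat,1,SBAT Version,...` header line is repeated verbatim; hoisting the two defaults into module-level constants (e.g. `DEFAULT_SBAT_UKI` / `DEFAULT_SBAT_ADDON`, names are only a suggestion) and keeping a single `if not opts.sbat: opts.sbat = [default_sbat]` after the branch would leave each branch with just `input_pes` and the choice of default, and keep the shim header line in one place. The new UKI default also deserves a comment saying what the commit message says, since the `# Merge the .sbat sections ...` comment above it does not: it is a single catch-all entry shared by every UKI built without `--sbat`, so a policy that revokes it revokes all of them, and deployments are expected to pass their own vendor-specific entry, e.g. `# Catch-all default: one SBAT policy bump revokes every UKI built without --sbat, so callers should supply their own entry.` The rest of make_uki, including where `linux` and `opts.sbat` are set and what `merge_sbat` does with a header the user also passes, is outside the hunk, so whether the merged section can end up with duplicate `sbat` rows cannot be checked here.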