author | Michael Brown <mcb30@ipxe.org> | 2022-01-13 14:10:03 +0000 |
---|---|---|
committer | Michael Brown <mcb30@ipxe.org> | 2022-01-13 14:12:44 +0000 |
commit | f4f9adf618cd85d330a896e1f721f3aa78d2409d (patch) | |
tree | 92cf1a5ad3ac644c8ebfc66213f42ecba973047b /src/arch/x86 | |
parent | fbbdc39260cf37aa749e897e773f59807d1b8362 (diff) | |
download | ipxe-f4f9adf618cd85d330a896e1f721f3aa78d2409d.tar.gz |
[efi] Include Secure Boot Advanced Targeting (SBAT) metadata
SBAT defines an encoding for security generation numbers stored as a
CSV file within a special ".sbat" section in the signed binary. If a
Secure Boot exploit is discovered then the generation number will be
incremented alongside the corresponding fix.

Platforms may then record the minimum generation number required for
any given product. This allows for an efficient revocation mechanism
that consumes minimal flash storage space (in contrast to the DBX
mechanism, which allows for only a single-digit number of revocation
events to ever take place across all possible signed binaries).

Add SBAT metadata to iPXE EFI binaries to support this mechanism.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
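As an added illustration of the mechanism the commit message describes (example code written for this page, not iPXE's own SBAT handling and not shim's), the block below parses a constructed ".sbat" CSV payload into (component, generation) pairs and evaluates it against a constructed platform policy of per-component minimum generation numbers. The CSV field order it relies on is the SBAT one (component_name, component_generation, then vendor name, package, version and URL); the sample payload lines, the "ipxe" component entry, the policy values and the dates in them are assumptions made up for the example, not iPXE's actual metadata or any real platform's policy.

```c
/*
 * Added example, not iPXE code: parse an SBAT ".sbat" CSV payload and
 * evaluate it against a platform revocation policy expressed as minimum
 * generation numbers per component.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SBAT_MAX_ENTRIES 16
#define SBAT_MAX_NAME    64
#define SBAT_MAX_DIGITS  9   /* keeps a generation inside a 32-bit unsigned long */

struct sbat_entry {
    char component[SBAT_MAX_NAME];  /* component_name (field 1) */
    unsigned long generation;       /* component_generation (field 2) */
};

/*
 * Parse CSV records into (component, generation) pairs.  Only the first
 * two fields of a record take part in revocation; the vendor name,
 * package, version and URL fields that follow are informational and are
 * skipped.  Blank lines and '#' comments are ignored.
 * Returns the number of entries, or -1 on malformed input (empty name,
 * missing or non-numeric generation, oversized field, too many entries).
 */
int sbat_parse(const char *csv, struct sbat_entry *out, int max) {
    int count = 0;
    const char *line = csv;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *next = eol ? eol + 1 : line + len;  /* computed before CR strip */
        const char *end, *c1, *c2, *gen, *gen_end, *p;
        size_t name_len;
        unsigned long value = 0;

        if (len && line[len - 1] == '\r')   /* tolerate CRLF */
            len--;
        end = line + len;
        if (len == 0 || line[0] == '#') {
            line = next;
            continue;
        }

        /* Field 1: component name, non-empty and within the buffer */
        c1 = memchr(line, ',', len);
        if (!c1 || c1 == line)
            return -1;
        name_len = (size_t)(c1 - line);
        if (name_len >= SBAT_MAX_NAME)
            return -1;

        /* Field 2: generation, decimal digits only, up to the next comma */
        gen = c1 + 1;
        c2 = memchr(gen, ',', (size_t)(end - gen));
        gen_end = c2 ? c2 : end;
        if (gen_end == gen || (gen_end - gen) > SBAT_MAX_DIGITS)
            return -1;
        for (p = gen; p < gen_end; p++) {
            if (!isdigit((unsigned char)*p))
                return -1;
            value = value * 10 + (unsigned long)(*p - '0');
        }

        if (count >= max)
            return -1;
        memcpy(out[count].component, line, name_len);
        out[count].component[name_len] = '\0';
        out[count].generation = value;
        count++;
        line = next;
    }
    return count;
}

/*
 * Return 1 if the image is acceptable under the policy, 0 if it is revoked:
 * for every component the policy names that also appears in the image, the
 * image's generation must be at least the policy minimum.  Components the
 * policy does not name are unconstrained.
 */
int sbat_verify(const struct sbat_entry *image, int n_image,
                const struct sbat_entry *policy, int n_policy) {
    int i, j;
    for (i = 0; i < n_policy; i++)
        for (j = 0; j < n_image; j++)
            if (strcmp(policy[i].component, image[j].component) == 0 &&
                image[j].generation < policy[i].generation)
                return 0;
    return 1;
}

/* Parse both sides and verify: 1 = allowed, 0 = revoked, -1 = parse error */
int sbat_check(const char *image_csv, const char *policy_csv) {
    struct sbat_entry image[SBAT_MAX_ENTRIES], policy[SBAT_MAX_ENTRIES];
    int n_image = sbat_parse(image_csv, image, SBAT_MAX_ENTRIES);
    int n_policy = sbat_parse(policy_csv, policy, SBAT_MAX_ENTRIES);
    if (n_image < 0 || n_policy < 0)
        return -1;
    return sbat_verify(image, n_image, policy, n_policy);
}

/* Constructed sample payload, illustrative only (not iPXE's real .sbat content) */
static const char sample_image_csv[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "ipxe,1,iPXE,ipxe.efi,1.21.1,https://ipxe.org\n";

/* Constructed policies: the first accepts generation 1, the second has
 * raised the ipxe minimum to 2 after a hypothetical fix (dates made up) */
static const char sample_policy_ok[]      = "sbat,1,2021030218\nipxe,1\n";
static const char sample_policy_revoked[] = "sbat,1,2022011300\nipxe,2\n";

int main(void) {
    printf("policy_ok:      %d\n", sbat_check(sample_image_csv, sample_policy_ok));
    printf("policy_revoked: %d\n", sbat_check(sample_image_csv, sample_policy_revoked));
    return 0;
}
```

The point the code makes concrete is the one the commit message argues: revoking a whole generation of a component costs the platform a single `ipxe,2` line in its policy rather than a per-binary hash entry, and a binary whose ".sbat" payload is malformed or unparseable is treated as a failure rather than waved through.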
Diffstat (limited to 'src/arch/x86')
-rw-r--r-- | src/arch/x86/scripts/pcbios.lds | 2 |
-rw-r--r-- | src/arch/x86/scripts/prefixonly.lds | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/src/arch/x86/scripts/pcbios.lds b/src/arch/x86/scripts/pcbios.lds index de59adca9..e208b174b 100644 --- a/src/arch/x86/scripts/pcbios.lds +++ b/src/arch/x86/scripts/pcbios.lds @@ -229,6 +229,8 @@ SECTIONS { *(.einfo.*) *(.discard) *(.discard.*) + *(.sbat) + *(.sbat.*) } /* diff --git a/src/arch/x86/scripts/prefixonly.lds b/src/arch/x86/scripts/prefixonly.lds index dce0930b5..2fe5b03be 100644 --- a/src/arch/x86/scripts/prefixonly.lds +++ b/src/arch/x86/scripts/prefixonly.lds @@ -24,6 +24,8 @@ SECTIONS { *(.einfo.*) *(.discard) *(.discard.*) + *(.sbat) + *(.sbat.*) } } |
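Review bot: the new `*(.sbat)` and `*(.sbat.*)` entries in the pcbios.lds hunk sit directly after `*(.discard)` and `*(.discard.*)`, so if that output section is the discard list (the hunk context shows only `SECTIONS {`, not the section name), this silently drops the SBAT CSV from BIOS images; that is the right outcome, since SBAT metadata is only meaningful inside a signed PE/COFF EFI image, but neither the linker script nor the commit message (which speaks only of EFI binaries) says so. Suggest a one-line comment above the two entries, e.g. `/* SBAT metadata only applies to EFI (PE) images; discard it here */`, so the next reader does not take this for a lost section.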
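Review bot: the prefixonly.lds hunk repeats the pcbios.lds change line for line, and the surrounding `*(.einfo.*)` / `*(.discard)` entries show the two discard lists are already being kept in step by hand. Consider a comment in each script pointing at the other, or a shared fragment pulled in with the linker-script `INCLUDE` command, so that a future EFI-only section added to one script is not left unhandled in the other.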