From f4f9adf618cd85d330a896e1f721f3aa78d2409d Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Thu, 13 Jan 2022 14:10:03 +0000
Subject: [efi] Include Secure Boot Advanced Targeting (SBAT) metadata

SBAT defines an encoding for security generation numbers stored as a
CSV file within a special ".sbat" section in the signed binary.  If a
Secure Boot exploit is discovered then the generation number will be
incremented alongside the corresponding fix.

Platforms may then record the minimum generation number required for
any given product.  This allows for an efficient revocation mechanism
that consumes minimal flash storage space (in contrast to the DBX
mechanism, which allows for only a single-digit number of revocation
events to ever take place across all possible signed binaries).

Add SBAT metadata to iPXE EFI binaries to support this mechanism.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/scripts/efi.lds | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src/scripts')

diff --git a/src/scripts/efi.lds b/src/scripts/efi.lds
index dd7b3f019..218b1df66 100644
--- a/src/scripts/efi.lds
+++ b/src/scripts/efi.lds
@@ -74,6 +74,19 @@ SECTIONS {
 	_ebss = .;
     }
 
+    /*
+     * The SBAT section
+     *
+     */
+
+    . = ALIGN ( _page_align );
+    .sbat : {
+	_sbat = .;
+	KEEP(*(.sbat))
+	KEEP(*(.sbat.*))
+	_esbat = .;
+    }
+
     /*
      * Weak symbols that need zero values if not otherwise defined
      *
-- 
cgit