Add SBAT variable updating

pbatard · Sep 13, 2024 · 5c388dd · 5c388dd
1 parent 7d87c2b
commit 5c388dd
Show file tree

Hide file tree

Showing 8 changed files with 240 additions and 52 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -1,3 +1,4 @@
-*.sh     eol=lf
-*.patch  binary
-Makefile eol=lf
+*.patch         binary
+*.sh            eol=lf
+Makefile        eol=lf
+sbat_level.txt  eol=lf
diff --git a/sbat_level.txt b/sbat_level.txt
@@ -0,0 +1,4 @@
+sbat,1,2024010900
+shim,4
+grub,3
+grub.debian,4
diff --git a/src/data.c b/src/data.c
@@ -670,6 +670,15 @@ unsigned char db_ms1_cer[] = {
 };
 unsigned int db_ms1_cer_len = 1499;
 
+// From https://github.com/pbatard/Mosby/raw/main/sbat_level.txt
+unsigned char sbat_level_txt[] = {
+  0x73, 0x62, 0x61, 0x74, 0x2c, 0x31, 0x2c, 0x32, 0x30, 0x32, 0x34, 0x30,
+  0x31, 0x30, 0x39, 0x30, 0x30, 0x0a, 0x73, 0x68, 0x69, 0x6d, 0x2c, 0x34,
+  0x0a, 0x67, 0x72, 0x75, 0x62, 0x2c, 0x33, 0x0a, 0x67, 0x72, 0x75, 0x62,
+  0x2e, 0x64, 0x65, 0x62, 0x69, 0x61, 0x6e, 0x2c, 0x34, 0x0a
+};
+unsigned int sbat_level_txt_len = 46;
+
 // From https://uefi.org/sites/default/files/resources/arm_DBXUpdate.bin
 unsigned char dbx_arm_bin[] = {
   0xda, 0x07, 0x03, 0x06, 0x13, 0x11, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -4328,83 +4337,102 @@ EFI_STATUS InitializeList(
 	IN OUT MOSBY_LIST *List
 )
 {
-	if (MOSBY_MAX_LIST_SIZE < 10)
+	if (MOSBY_MAX_LIST_SIZE < 11)
 		return EFI_INVALID_PARAMETER;
 	ZeroMem(List, sizeof(MOSBY_LIST));
-	List->Entry[List->Size].Description = "Microsoft Corporation KEK CA 2011";
 	List->Entry[List->Size].Type = KEK;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"kek_ms1.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?LinkId=321185";
+	List->Entry[List->Size].Description = "Microsoft Corporation KEK CA 2011";
 	List->Entry[List->Size].Buffer.Data = kek_ms1_cer;
 	List->Entry[List->Size].Buffer.Size = kek_ms1_cer_len;
 	List->Size++;
-	List->Entry[List->Size].Description = "Microsoft Corporation KEK 2K CA 2023";
 	List->Entry[List->Size].Type = KEK;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"kek_ms2.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239775";
+	List->Entry[List->Size].Description = "Microsoft Corporation KEK 2K CA 2023";
 	List->Entry[List->Size].Buffer.Data = kek_ms2_cer;
 	List->Entry[List->Size].Buffer.Size = kek_ms2_cer_len;
 	List->Size++;
-	List->Entry[List->Size].Description = "Windows UEFI CA 2023";
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_ms3.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239776";
+	List->Entry[List->Size].Description = "Windows UEFI CA 2023";
 	List->Entry[List->Size].Buffer.Data = db_ms3_cer;
 	List->Entry[List->Size].Buffer.Size = db_ms3_cer_len;
 	List->Size++;
-	List->Entry[List->Size].Description = "Microsoft Corporation UEFI CA 2011";
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_ms2.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=321194";
+	List->Entry[List->Size].Description = "Microsoft Corporation UEFI CA 2011";
 	List->Entry[List->Size].Buffer.Data = db_ms2_cer;
 	List->Entry[List->Size].Buffer.Size = db_ms2_cer_len;
 	List->Size++;
-	List->Entry[List->Size].Description = "Microsoft Windows Production PCA 2011";
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_ms1.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=321192";
+	List->Entry[List->Size].Description = "Microsoft Windows Production PCA 2011";
 	List->Entry[List->Size].Buffer.Data = db_ms1_cer;
 	List->Entry[List->Size].Buffer.Size = db_ms1_cer_len;
 	List->Size++;
+	List->Entry[List->Size].Type = SBAT;
+	List->Entry[List->Size].Flags = USE_BUFFER;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS;
+	List->Entry[List->Size].Path = L"sbat_level.txt";
+	List->Entry[List->Size].Url = "https://github.com/pbatard/Mosby/raw/main/sbat_level.txt";
+	List->Entry[List->Size].Description = "SbatLevel.txt [2024.01.09]";
+	List->Entry[List->Size].Buffer.Data = sbat_level_txt;
+	List->Entry[List->Size].Buffer.Size = sbat_level_txt_len;
+	List->Size++;
 #if defined (_M_ARM) || defined(__arm__)
-	List->Entry[List->Size].Description = "DBX for ARM (32 bit) [2023.05.09]";
 	List->Entry[List->Size].Type = DBX;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"dbx_arm.bin";
 	List->Entry[List->Size].Url = "https://uefi.org/sites/default/files/resources/arm_DBXUpdate.bin";
+	List->Entry[List->Size].Description = "DBX for ARM (32 bit) [2023.05.09]";
 	List->Entry[List->Size].Buffer.Data = dbx_arm_bin;
 	List->Entry[List->Size].Buffer.Size = dbx_arm_bin_len;
 	List->Size++;
 #endif
-	List->Entry[List->Size].Description = "Microsoft UEFI CA 2023";
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_ms4.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239872";
+	List->Entry[List->Size].Description = "Microsoft UEFI CA 2023";
 	List->Entry[List->Size].Buffer.Data = db_ms4_cer;
 	List->Entry[List->Size].Buffer.Size = db_ms4_cer_len;
 	List->Size++;
 #if defined (_M_ARM64) || defined(__aarch64__)
-	List->Entry[List->Size].Description = "DBX for ARM (64 bit) [2023.05.09]";
 	List->Entry[List->Size].Type = DBX;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"dbx_aa64.bin";
 	List->Entry[List->Size].Url = "https://uefi.org/sites/default/files/resources/arm64_DBXUpdate.bin";
+	List->Entry[List->Size].Description = "DBX for ARM (64 bit) [2023.05.09]";
 	List->Entry[List->Size].Buffer.Data = dbx_aa64_bin;
 	List->Entry[List->Size].Buffer.Size = dbx_aa64_bin_len;
 	List->Size++;
 #endif
 #if defined(_M_X64) || defined(__x86_64__)
-	List->Entry[List->Size].Description = "DBX for x86 (64 bit) [2023.05.09]";
 	List->Entry[List->Size].Type = DBX;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"dbx_x64.bin";
 	List->Entry[List->Size].Url = "https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin";
+	List->Entry[List->Size].Description = "DBX for x86 (64 bit) [2023.05.09]";
 	List->Entry[List->Size].Buffer.Data = dbx_x64_bin;
 	List->Entry[List->Size].Buffer.Size = dbx_x64_bin_len;
 	List->Size++;
 #endif
 #if defined(_M_IX86) || defined(__i386__)
-	List->Entry[List->Size].Description = "DBX for x86 (32 bit) [2023.05.09]";
 	List->Entry[List->Size].Type = DBX;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"dbx_ia32.bin";
 	List->Entry[List->Size].Url = "https://uefi.org/sites/default/files/resources/x86_DBXUpdate.bin";
+	List->Entry[List->Size].Description = "DBX for x86 (32 bit) [2023.05.09]";
 	List->Entry[List->Size].Buffer.Data = dbx_ia32_bin;
 	List->Entry[List->Size].Buffer.Size = dbx_ia32_bin_len;
 	List->Size++;

diff --git a/src/file.c b/src/file.c
@@ -252,8 +252,8 @@ EFI_STATUS SimpleFileReadAll(
 	}
 
 	// Might use memory mapped, so align up to nearest page.
-	// Also + 1 so the data is always NUL terminated.
-	*Buffer = AllocateZeroPool(ALIGN_VALUE(*Size + 1, 4096));
+	// Also + 2 so the data is always NUL terminated.
+	*Buffer = AllocateZeroPool(ALIGN_VALUE(*Size + 2, 4096));
 	if (*Buffer == NULL) {
 		Status = EFI_OUT_OF_RESOURCES;
 		ReportErrorAndExit(L"Failed to allocate buffer of size %d\n", *Size);

diff --git a/src/gen_data.sh b/src/gen_data.sh
@@ -1,5 +1,5 @@
 #!/bin/env bash
-# This script generates the C source for the data we want to embed in Mosby.
+# This script generates the C source for the data we embed in Mosby.
 
 # The binaries we want to embedd and their URLs
 declare -A source=(
@@ -13,6 +13,9 @@ declare -A source=(
   [dbx_ia32.bin]='https://uefi.org/sites/default/files/resources/x86_DBXUpdate.bin'
   [dbx_aa64.bin]='https://uefi.org/sites/default/files/resources/arm64_DBXUpdate.bin'
   [dbx_arm.bin]='https://uefi.org/sites/default/files/resources/arm_DBXUpdate.bin'
+  # Shim does not provide an SBatLevel.txt we can download, so we use our own:
+  # https://github.com/rhboot/shim/issues/685
+  [sbat_level.txt]='https://github.com/pbatard/Mosby/raw/main/sbat_level.txt'
 )
 
 # From https://uefi.org/revocationlistfile.
@@ -70,13 +73,26 @@ cat << EOF
 EOF
 
 for file in "${!source[@]}"; do
-  curl -s -L ${source[${file}]} -o ${file}
+  # '-o' tries to use an override from the current repo
+  if [[ "$1" == "-o" &&  -f ../${file} ]]; then
+    cp ../${file} .
+  else
+    curl -s -L ${source[${file}]} -o ${file}
+  fi
   echo "// From ${source[${file}]}"
   type=${file%%_*}
   if [ "$type" = "dbx" ]; then
     arch=${file%\.*}
     arch=${arch##*_}
     description[${file}]="DBX for ${archname[$arch]} [${archdate[$arch]}]"
+  elif [ "$type" = "sbat" ]; then
+    while IFS=, read -r c1 c2 c3; do
+      if [ "$c1" = "sbat" ]; then
+        date="[${c3:0:4}.${c3:4:2}.${c3:6:2}]"
+        break
+      fi
+    done < ${file}
+    description[${file}]="SbatLevel.txt $date"
   else
     description[${file}]="$(openssl x509 -noout -subject -in ${file} | sed -n '/^subject/s/^.*CN = //p')"
   fi
@@ -100,10 +116,18 @@ for file in "${!source[@]}"; do
   if [ "$type" = "DBX" ]; then
     echo "${archguard[$arch]}"
   fi
-  echo "	List->Entry[List->Size].Description = \"${description[${file}]}\";"
   echo "	List->Entry[List->Size].Type = ${type};"
+  if [[ "$type" = "SBAT" ]]; then
+    echo "	List->Entry[List->Size].Flags = USE_BUFFER;"
+  fi
+  if [[ "$type" = "SBAT" || "$type" = "MOK" ]]; then
+    echo "	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS;"
+  else
+    echo "	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;"
+  fi
   echo "	List->Entry[List->Size].Path = L\"${file}\";"
   echo "	List->Entry[List->Size].Url = \"${source[${file}]}\";"
+  echo "	List->Entry[List->Size].Description = \"${description[${file}]}\";"
   echo "	List->Entry[List->Size].Buffer.Data = ${data};"
   echo "	List->Entry[List->Size].Buffer.Size = ${data}_len;"
   echo "	List->Size++;"