Bug 2230876

Summary: Make SBAT variable payload introspectable
Product: Red Hat Enterprise Linux 9
Reporter: Vitaly Kuznetsov <vkuznets>
Component: shim
Assignee: Bootloader engineering team <bootloader-eng-team>
Status: NEW
QA Contact: Release Test Team <release-test-team>
Severity: unspecified
Priority: unspecified
Version: CentOS Stream
CC: berrange, bstinson, jwboyer, pjones
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Vitaly Kuznetsov 2023-08-10 08:17:05 UTC
RHEL currently ships shim-15.6, which doesn't contain

commit 0eb07e11b20680200d3ce9c5bc59299121a75388
Author: Chris Coulson <chris.coulson>
Date:   Tue May 31 22:21:26 2022 +0100

    Make SBAT variable payload introspectable
 
and thus doesn't contain a '.sbatlevel' PE section:

$ objdump -h shimx64.efi 

shimx64.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .eh_frame     0001db1c  0000000000005000  0000000000005000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text         0005e663  0000000000023000  0000000000023000  0001e000  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc        0000000a  0000000000082000  0000000000082000  0007c800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data.ident   00000049  0000000000084000  0000000000084000  0007ca00  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  4 .data         0002d5b4  0000000000085000  0000000000085000  0007cc00  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  5 .vendor_cert  0000037c  00000000000b3000  00000000000b3000  000aa200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynamic      00000100  00000000000b4000  00000000000b4000  000aa600  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  7 .rela         0001b468  00000000000b5000  00000000000b5000  000aa800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .sbat         000000df  00000000000d1000  00000000000d1000  000c5e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

This makes it hard to predict the resulting PCR7, as the SBAT level is measured there:

- EventNum: 25
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_AUTHORITY
  DigestCount: 3
  Digests:
  - AlgorithmId: sha384
    Digest: "f143e2948d63fcd3442e841bb36a7e180871f0a8946541961fe9d12e70d0727874600956264dba531e2edd8729c5eb38"
  - AlgorithmId: sha256
    Digest: "922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d"
  - AlgorithmId: sha1
    Digest: "15875d39b8872f8aff3a92fc9f9e40ac75268e04"
  EventSize: 68
  Event:
    VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23
    UnicodeNameLength: 9
    VariableDataLength: 18
    UnicodeName: SbatLevel
    VariableData: "736261742c312c323032313033303231380a"

Please consider backporting the above-mentioned commit or rebasing shim to 15.7+.