Bug 2230876 - Make SBAT variable payload introspectable
Summary: Make SBAT variable payload introspectable
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: shim
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Bootloader engineering team
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-08-10 08:17 UTC by Vitaly Kuznetsov
Modified: 2023-08-10 08:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-165363 0 None None None 2023-08-10 08:17:55 UTC

Description Vitaly Kuznetsov 2023-08-10 08:17:05 UTC
RHEL currently ships shim-15.6 which doesn't contain

commit 0eb07e11b20680200d3ce9c5bc59299121a75388
Author: Chris Coulson <chris.coulson>
Date:   Tue May 31 22:21:26 2022 +0100

    Make SBAT variable payload introspectable
 
and thus doesn't contain the '.sbatlevel' PE section:

$ objdump -h shimx64.efi 

shimx64.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .eh_frame     0001db1c  0000000000005000  0000000000005000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text         0005e663  0000000000023000  0000000000023000  0001e000  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc        0000000a  0000000000082000  0000000000082000  0007c800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data.ident   00000049  0000000000084000  0000000000084000  0007ca00  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  4 .data         0002d5b4  0000000000085000  0000000000085000  0007cc00  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  5 .vendor_cert  0000037c  00000000000b3000  00000000000b3000  000aa200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynamic      00000100  00000000000b4000  00000000000b4000  000aa600  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  7 .rela         0001b468  00000000000b5000  00000000000b5000  000aa800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .sbat         000000df  00000000000d1000  00000000000d1000  000c5e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

This makes it hard to predict the resulting PCR7, as the SBAT level is measured there:

- EventNum: 25
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_AUTHORITY
  DigestCount: 3
  Digests:
  - AlgorithmId: sha384
    Digest: "f143e2948d63fcd3442e841bb36a7e180871f0a8946541961fe9d12e70d0727874600956264dba531e2edd8729c5eb38"
  - AlgorithmId: sha256
    Digest: "922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d"
  - AlgorithmId: sha1
    Digest: "15875d39b8872f8aff3a92fc9f9e40ac75268e04"
  EventSize: 68
  Event:
    VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23
    UnicodeNameLength: 9
    VariableDataLength: 18
    UnicodeName: SbatLevel
    VariableData: "736261742c312c323032313033303231380a"

Please consider backporting the above-mentioned commit or rebasing shim to 15.7+.
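As an added example (not part of this report and not shim's own code), the following Python script rebuilds the EV_EFI_VARIABLE_AUTHORITY event from the fields shown in the log above, decodes the measured SbatLevel payload, hashes the structure, and replays a list of event digests into a PCR value. The GUID, variable name, data and EventSize are copied from the log; the assumption is that the measured bytes are the TCG PC Client PFP UEFI_VARIABLE_DATA structure (EFI_GUID, two UINT64 lengths, UTF-16LE name without terminator, raw data), which is why the rebuilt structure should be exactly 68 bytes. Running it and comparing the computed sha256 with the digest in the log is the quick check of whether that model of the measurement is right, and therefore whether PCR7 can be predicted from the SBAT level string alone.

```python
import hashlib
import uuid

# Values copied from the EV_EFI_VARIABLE_AUTHORITY entry in the event log above.
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
VARIABLE_NAME = "SbatLevel"
VARIABLE_DATA_HEX = "736261742c312c323032313033303231380a"
REPORTED_EVENT_SIZE = 68


def build_uefi_variable_data(guid_str: str, name: str, data: bytes) -> bytes:
    """Serialise a TCG PFP UEFI_VARIABLE_DATA structure (assumed measured layout).

    Layout, integers little-endian:
      EFI_GUID VariableName      16 bytes, EFI mixed-endian GUID encoding
      UINT64   UnicodeNameLength number of CHAR16 code units, no terminator
      UINT64   VariableDataLength
      CHAR16   UnicodeName[]     UTF-16LE, no terminator
      UINT8    VariableData[]
    """
    return (
        uuid.UUID(guid_str).bytes_le          # EFI stores the first three GUID fields little-endian
        + len(name).to_bytes(8, "little")
        + len(data).to_bytes(8, "little")
        + name.encode("utf-16-le")
        + data
    )


def decode_sbat_level(data_hex: str) -> str:
    """The VariableData is the plain ASCII SBAT level string, newline included."""
    return bytes.fromhex(data_hex).decode("ascii")


def event_digests(event: bytes) -> dict:
    """Digest of the event for each bank listed in the log (sha1, sha256, sha384)."""
    return {alg: hashlib.new(alg, event).hexdigest() for alg in ("sha1", "sha256", "sha384")}


def check_event_log_entry(guid_str: str, name: str, data_hex: str, reported_size: int) -> dict:
    """Rebuild the event and report whether its size matches the logged EventSize."""
    data = bytes.fromhex(data_hex)
    event = build_uefi_variable_data(guid_str, name, data)
    return {
        "event_size": len(event),
        "size_matches_log": len(event) == reported_size,
        "sbat_level": data.decode("ascii"),
        "digests": event_digests(event),
    }


def extend_pcr(pcr: bytes, digest: bytes, alg: str = "sha256") -> bytes:
    """TPM extend: new_pcr = H(old_pcr || digest)."""
    return hashlib.new(alg, pcr + digest).digest()


def replay_pcr(digests: list, alg: str = "sha256") -> bytes:
    """Replay an ordered list of event digests into a PCR that starts at all zeros."""
    pcr = b"\x00" * hashlib.new(alg).digest_size
    for d in digests:
        pcr = extend_pcr(pcr, d, alg)
    return pcr


if __name__ == "__main__":
    result = check_event_log_entry(SHIM_LOCK_GUID, VARIABLE_NAME, VARIABLE_DATA_HEX, REPORTED_EVENT_SIZE)
    print("measured SBAT level:", repr(result["sbat_level"]))
    print("rebuilt event size:", result["event_size"], "matches log:", result["size_matches_log"])
    for alg, hexdigest in result["digests"].items():
        print(f"{alg}: {hexdigest}")
    # Extend only this one event into an otherwise empty PCR7 to show the replay step;
    # a real prediction replays every PCR7 event in log order.
    print("PCR7 after this event alone:", replay_pcr([bytes.fromhex(result["digests"]["sha256"])]).hex())
```

If the sha256 printed for the rebuilt structure equals the 922e939a... digest in the log, predicting PCR7 for a given shim build reduces to knowing the SBAT level string it will set, which is exactly what the '.sbatlevel' section added by the referenced commit exposes without booting the binary.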

