File sbom.patch of Package fwupd-efi2
From 459dc73463cfc29a418c5901d90c68821164fd38 Mon Sep 17 00:00:00 2001
From: Callum Farmer <gmbr3@opensuse.org>
Date: Sat, 2 Sep 2023 20:42:31 +0100
Subject: [PATCH] Add SBOM section to linker scripts
Signed-off-by: Callum Farmer <gmbr3@opensuse.org>
---
efi/lds/elf_aarch64_efi.lds | 11 +++++++++++
efi/lds/elf_arm_efi.lds | 11 +++++++++++
efi/lds/elf_ia32_efi.lds | 2 ++
efi/lds/elf_x86_64_efi.lds | 2 ++
4 files changed, 26 insertions(+)
diff --git a/efi/lds/elf_aarch64_efi.lds b/efi/lds/elf_aarch64_efi.lds
index 866c837..ad10bdb 100644
--- a/efi/lds/elf_aarch64_efi.lds
+++ b/efi/lds/elf_aarch64_efi.lds
@@ -102,6 +102,17 @@ SECTIONS
} =0
_sbat_size = _epsbat - _sbat;
_sbat_vsize = _esbat - _sbat;
+ . = ALIGN(4096);
+ .sbom :
+ {
+ _sbom = .;
+ *(.sbom)
+ _esbom = .;
+ . = ALIGN(4096);
+ _epsbom = .;
+ } =0
+ _sbom_size = _epsbom - _sbom;
+ _sbom_vsize = _esbom - _sbom;
_image_end = .;
_alldata_size = _image_end - _reloc;
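Review bot: `*(.sbom)` in the new output section is not wrapped in `KEEP`, so a link that uses `--gc-sections` could discard the input section, since no code references it. The image would then ship without its SBOM while the build still succeeds. Whether this project links with section garbage collection is not visible here, but `KEEP (*(.sbom))` is harmless and matches how `.reloc` is protected in the elf_ia32_efi.lds context. The same line appears in the arm, ia32 and x86_64 hunks; the SECTIONS block starts and ends outside this hunk.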
diff --git a/efi/lds/elf_arm_efi.lds b/efi/lds/elf_arm_efi.lds
index 1f7f708..2eafb7c 100644
--- a/efi/lds/elf_arm_efi.lds
+++ b/efi/lds/elf_arm_efi.lds
@@ -101,6 +101,17 @@ SECTIONS
} =0
_sbat_size = _epsbat - _sbat;
_sbat_vsize = _esbat - _sbat;
+ . = ALIGN(4096);
+ .sbom :
+ {
+ _sbom = .;
+ *(.sbom)
+ _esbom = .;
+ . = ALIGN(4096);
+ _epsbom = .;
+ } =0
+ _sbom_size = _epsbom - _sbom;
+ _sbom_vsize = _esbom - _sbom;
_image_end = .;
_alldata_size = _image_end - _reloc;
diff --git a/efi/lds/elf_ia32_efi.lds b/efi/lds/elf_ia32_efi.lds
index 192075b..f07b76e 100644
--- a/efi/lds/elf_ia32_efi.lds
+++ b/efi/lds/elf_ia32_efi.lds
@@ -81,6 +81,8 @@ SECTIONS
_edata = .;
_data_size = _edata - _etext;
. = ALIGN(4096);
+ .sbom : { *(.sbom) }
+ . = ALIGN(4096);
.reloc : /* This is the PECOFF .reloc section! */
{
KEEP (*(.reloc))
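Review bot: On ia32 and x86_64 the section is only declared, with no `_sbom`/`_sbom_size` symbols, so it presumably reaches the final PE only if the objcopy step is told to copy `.sbom`, and no hunk on this page changes that step. A comment on the added line would record the dependency, for example `/* .sbom is carried into the PE by objcopy; keep its section list in sync */`. Listing the section headers of the built .efi (for instance with `objdump -h`) in the package's check phase would catch a silently missing SBOM. The same applies to the elf_x86_64_efi.lds hunk.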
diff --git a/efi/lds/elf_x86_64_efi.lds b/efi/lds/elf_x86_64_efi.lds
index 3e14998..8fbbae8 100644
--- a/efi/lds/elf_x86_64_efi.lds
+++ b/efi/lds/elf_x86_64_efi.lds
@@ -87,6 +87,8 @@ SECTIONS
_sbat_size = _epsbat - _sbat;
_sbat_vsize = _esbat - _sbat;
. = ALIGN(4096);
+ .sbom : { *(.sbom) }
+ . = ALIGN(4096);
.dynsym : { *(.dynsym) }
. = ALIGN(4096);
.dynstr : { *(.dynstr) }
From a9bbafc3f1c07a7c1b3fcad2fc224e9ebffb336f Mon Sep 17 00:00:00 2001
From: Callum Farmer <gmbr3@opensuse.org>
Date: Sun, 3 Sep 2023 16:06:46 +0100
Subject: [PATCH] crt0: allow removing SBAT section from PE
Signed-off-by: Callum Farmer <gmbr3@opensuse.org>
---
efi/crt0/crt0-efi-aarch64.S | 4 +++-
efi/crt0/crt0-efi-arm.S | 5 +++--
efi/meson.build | 10 ++++++++++
3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/efi/crt0/crt0-efi-aarch64.S b/efi/crt0/crt0-efi-aarch64.S
index 1a64d53..7871d98 100644
--- a/efi/crt0/crt0-efi-aarch64.S
+++ b/efi/crt0/crt0-efi-aarch64.S
@@ -31,7 +31,7 @@ pe_header:
.2byte 0
coff_header:
.2byte 0xaa64 // AArch64
- .2byte 5 // nr_sections
+ .2byte NR_SECTIONS // nr_sections
.4byte 0 // TimeDateStamp
.4byte 0 // PointerToSymbolTable
.4byte 0 // NumberOfSymbols
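Review bot: `NR_SECTIONS` has no default or check in this file, so the COFF section count now depends on the build passing `-DNR_SECTIONS=...` and on that number matching the entries emitted under `section_table`. A count that is too small hides the trailing entries, `.sbat` among them, from a loader that walks the table, and one that is too large makes it read past the table. Adding `#ifndef NR_SECTIONS`, `#error "NR_SECTIONS must be set by the build"`, `#endif` near the top makes a missing define fail with a clear message. A comment at `coff_header` naming the entries that are counted would help keep crt0 and meson.build in step. The crt0-efi-arm.S hunk has the same change.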
@@ -146,6 +146,7 @@ section_table:
.2byte 0 // NumberOfLineNumbers
.4byte 0x40000040 // Characteristics (section flags)
+#ifdef USING_SBAT
.ascii ".sbat\0\0\0"
.4byte _sbat_vsize - ImageBase // VirtualSize
.4byte _sbat - ImageBase // VirtualAddress
@@ -157,6 +158,7 @@ section_table:
.2byte 0 // NumberOfRelocations (0 for executables)
.2byte 0 // NumberOfLineNumbers (0 for executables)
.4byte 0x40000040 // Characteristics (section flags)
+#endif
.text
.globl _start
diff --git a/efi/crt0/crt0-efi-arm.S b/efi/crt0/crt0-efi-arm.S
index 2c3659d..35d7c2d 100644
--- a/efi/crt0/crt0-efi-arm.S
+++ b/efi/crt0/crt0-efi-arm.S
@@ -31,7 +31,7 @@ pe_header:
.2byte 0
coff_header:
.2byte 0x1c2 // Mixed ARM/Thumb
- .2byte 5 // nr_sections
+ .2byte NR_SECTIONS // nr_sections
.4byte 0 // TimeDateStamp
.4byte 0 // PointerToSymbolTable
.4byte 0 // NumberOfSymbols
@@ -147,7 +147,7 @@ section_table:
.2byte 0 // NumberOfRelocations
.2byte 0 // NumberOfLineNumbers
.4byte 0x40000040 // Characteristics (section flags)
-
+#ifdef USING_SBAT
.ascii ".sbat\0\0\0"
.4byte _sbat_vsize - ImageBase // VirtualSize
.4byte _sbat - ImageBase // VirtualAddress
@@ -158,6 +158,7 @@ section_table:
.2byte 0 // NumberOfRelocations
.2byte 0 // NumberOfLineNumbers
.4byte 0x40000040 // Characteristics (section flags)
+#endif
.balign 256
.globl _start
diff --git a/efi/meson.build b/efi/meson.build
index 46122e0..9f633ca 100644
--- a/efi/meson.build
+++ b/efi/meson.build
@@ -209,6 +209,16 @@ else
efi_format = ['--target=efi-app-@0@'.format(gnu_efi_arch)]
endif
+# Section data
+if objcopy_manualsymbols
+ nr_sections = 4
+ if get_option('efi_sbat_distro_id') != ''
+ compile_args += ['-DUSING_SBAT']
+ nr_sections = nr_sections + 1
+ endif
+ compile_args += ['-DNR_SECTIONS=@0@'.format(nr_sections)]
+endif
+
libgcc_file_name = run_command(cc.cmd_array(), '-print-libgcc-file-name', check: true).stdout().strip()
efi_name = 'fwupd@0@.efi'.format(EFI_MACHINE_TYPE_NAME)
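Review bot: An empty `efi_sbat_distro_id` now produces an image with no `.sbat` section header, and this block does so without any configure-time output. Before this change the crt0 hunks show the header was always emitted, and loaders that enforce SBAT generally cannot apply revocation to an image that lacks it, so the downgrade deserves to be visible. I would add an `else` branch with `warning('efi_sbat_distro_id is empty: building without a .sbat section header')`. The base value `nr_sections = 4` also needs a comment naming the four fixed entries it stands for, since they are defined in the crt0 files rather than here.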
From 1169801a2b73d89c3e8b2089be163ce6032df290 Mon Sep 17 00:00:00 2001
From: Callum Farmer <gmbr3@opensuse.org>
Date: Sun, 3 Sep 2023 16:11:49 +0100
Subject: [PATCH] crt0: add SBOM section
Signed-off-by: Callum Farmer <gmbr3@opensuse.org>
---
efi/crt0/crt0-efi-aarch64.S | 13 +++++++++++++
efi/crt0/crt0-efi-arm.S | 13 +++++++++++++
efi/meson.build | 4 ++++
3 files changed, 30 insertions(+)
diff --git a/efi/crt0/crt0-efi-aarch64.S b/efi/crt0/crt0-efi-aarch64.S
index 7871d98..edd1fa1 100644
--- a/efi/crt0/crt0-efi-aarch64.S
+++ b/efi/crt0/crt0-efi-aarch64.S
@@ -159,6 +159,19 @@ section_table:
.2byte 0 // NumberOfLineNumbers (0 for executables)
.4byte 0x40000040 // Characteristics (section flags)
#endif
+#ifdef USING_SBOM
+ .ascii ".sbom\0\0\0"
+ .4byte _sbom_vsize - ImageBase // VirtualSize
+ .4byte _sbom - ImageBase // VirtualAddress
+ .4byte _sbom_size - ImageBase // SizeOfRawData
+ .4byte _sbom - ImageBase // PointerToRawData
+
+ .4byte 0 // PointerToRelocations (0 for executables)
+ .4byte 0 // PointerToLineNumbers (0 for executables)
+ .2byte 0 // NumberOfRelocations (0 for executables)
+ .2byte 0 // NumberOfLineNumbers (0 for executables)
+ .4byte 0x40000040 // Characteristics (section flags)
+#endif
.text
.globl _start
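Review bot: The new `.sbom` entry repeats the bare constant `0x40000040` and the `- ImageBase` size expressions from the `.sbat` entry without explaining either. The flags are the security-relevant part, since they make the section initialized data that is readable but neither writable nor executable. A comment such as `// IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ` would stop a later edit from widening them by accident. `_sbom_vsize - ImageBase` subtracts an address from a length, which presumably only works because ImageBase is zero in the linker script; a one-line note saying so would help. The crt0-efi-arm.S hunk adds the same entry, and `section_table` starts outside both hunks.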
diff --git a/efi/crt0/crt0-efi-arm.S b/efi/crt0/crt0-efi-arm.S
index 35d7c2d..2c00906 100644
--- a/efi/crt0/crt0-efi-arm.S
+++ b/efi/crt0/crt0-efi-arm.S
@@ -159,6 +159,19 @@ section_table:
.2byte 0 // NumberOfLineNumbers
.4byte 0x40000040 // Characteristics (section flags)
#endif
+#ifdef USING_SBOM
+ .ascii ".sbom\0\0\0"
+ .4byte _sbom_vsize - ImageBase // VirtualSize
+ .4byte _sbom - ImageBase // VirtualAddress
+ .4byte _sbom_size - ImageBase // SizeOfRawData
+ .4byte _sbom - ImageBase // PointerToRawData
+
+ .4byte 0 // PointerToRelocations (0 for executables)
+ .4byte 0 // PointerToLineNumbers (0 for executables)
+ .2byte 0 // NumberOfRelocations (0 for executables)
+ .2byte 0 // NumberOfLineNumbers (0 for executables)
+ .4byte 0x40000040 // Characteristics (section flags)
+#endif
.balign 256
.globl _start
diff --git a/efi/meson.build b/efi/meson.build
index 9f633ca..1dea8fe 100644
--- a/efi/meson.build
+++ b/efi/meson.build
@@ -216,6 +216,10 @@ if objcopy_manualsymbols
compile_args += ['-DUSING_SBAT']
nr_sections = nr_sections + 1
endif
+ if uswid.found()
+ compile_args += ['-DUSING_SBOM']
+ nr_sections = nr_sections + 1
+ endif
compile_args += ['-DNR_SECTIONS=@0@'.format(nr_sections)]
endif
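Review bot: `uswid.found()` now decides the PE section count and whether the `.sbom` header exists, so the layout of the shipped binary depends on whether a tool happens to be installed on the build host. How `uswid` is looked up is outside this hunk, but if it is an optional `find_program`, two otherwise identical builds can differ, and one of them carries no SBOM without any error. Gating this on an explicit build option that fails when the tool is missing would make the result deterministic and auditable. The later hunks that test `uswid.found()` to switch `objcopy_manualsymbols`, `efi_ldsdir` and `efi_crtdir` inherit the same dependency.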
From e6bbca32763a342c9d5624052dd0234fb7462d35 Mon Sep 17 00:00:00 2001
From: Callum Farmer <gmbr3@opensuse.org>
Date: Mon, 4 Sep 2023 16:09:49 +0100
Subject: [PATCH] SBOM needs local copy of linker script
Signed-off-by: Callum Farmer <gmbr3@opensuse.org>
---
efi/meson.build | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/efi/meson.build b/efi/meson.build
index 1dea8fe..87181bd 100644
--- a/efi/meson.build
+++ b/efi/meson.build
@@ -102,7 +102,7 @@ endif
# older objcopy for Aarch64 and ARM32 are not EFI capable.
# Use 'binary' instead, and add required symbols manually.
-if host_cpu == 'arm' or (host_cpu == 'aarch64' and (objcopy_version.version_compare ('< 2.38') or coff_header_in_crt0))
+if host_cpu == 'arm' or (host_cpu == 'aarch64' and (objcopy_version.version_compare ('< 2.38') or coff_header_in_crt0 or uswid.found()))
objcopy_manualsymbols = true
generate_binary_extra = ['--objcopy-manualsymbols']
else
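Review bot: The comment above the condition still says the manual-symbols path exists because older objcopy is not EFI capable, which no longer explains the new `or uswid.found()` term. A reader cannot tell from it why a recent aarch64 toolchain is forced onto the hand-written PE header. I would extend it with `# Also used when uswid is found: the .sbom section header is only emitted by the local crt0.` The `if`/`else` continues outside the hunk.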
@@ -121,6 +121,13 @@ if get_option('efi_sbat_distro_id') != ''
endif
endif
+# SBOM is never in system lds
+if uswid.found()
+ warning('Switching to local copy of linker script as using SBOM')
+ efi_ldsdir = join_paths(meson.current_source_dir(), 'lds')
+ arch_lds = 'elf_@0@@1@_efi.lds'.format(gnu_efi_arch, lds_os)
+endif
+
# is the system crt0 for arm and aarch64 new enough to know about SBAT?
if objcopy_manualsymbols
if get_option('efi_sbat_distro_id') != ''
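Review bot: `warning()` is used here for a path that is expected whenever SBOM generation is enabled, so a packaging build run with `--fatal-meson-warnings` would fail as soon as uswid is installed. The block also replaces whatever `efi_ldsdir` and `arch_lds` were set to earlier, including a value the packager may have configured on purpose; where those come from is outside the hunk. I would use `message('Using local linker script because SBOM is enabled')`, or keep `warning()` only for the case where a configured directory is actually being overridden. The crt0 block added in the next patch uses `warning()` the same way.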
From d83a705601bac07385c183f8bd1d25ebde34b467 Mon Sep 17 00:00:00 2001
From: Callum Farmer <gmbr3@opensuse.org>
Date: Tue, 5 Sep 2023 13:25:26 +0100
Subject: [PATCH] crt0: needs local crt0 for SBOM section
Signed-off-by: Callum Farmer <gmbr3@opensuse.org>
---
efi/meson.build | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/efi/meson.build b/efi/meson.build
index 87181bd..5547b1d 100644
--- a/efi/meson.build
+++ b/efi/meson.build
@@ -142,6 +142,15 @@ if objcopy_manualsymbols
endif
endif
+# SBOM not in system crt0
+if objcopy_manualsymbols
+ if uswid.found()
+ warning('Switching to local copy of crt0 as using SBOM')
+ efi_crtdir = join_paths(meson.current_build_dir(), 'crt0')
+ efi_ldsdir = join_paths(meson.current_source_dir(), 'lds')
+ endif
+endif
+
message('efi-libdir: "@0@"'.format(efi_libdir))
message('efi-ldsdir: "@0@"'.format(efi_ldsdir))
message('efi-crtdir: "@0@"'.format(efi_crtdir))
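Review bot: `efi_ldsdir` is assigned here a second time, although the earlier `# SBOM is never in system lds` block already sets it to the same path whenever `uswid.found()` is true. The line can go, and the nested test reads better as `if objcopy_manualsymbols and uswid.found()`. `efi_crtdir` now points into the build directory, so the link depends on the local crt0 object actually being built on this path. Whether the existing logic enables that target when only uswid triggers the switch is not visible in the hunk and is worth confirming.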
From bbe32542c92a7f551b69dd34db91668524f14fb0 Mon Sep 17 00:00:00 2001
From: Callum Farmer <gmbr3@opensuse.org>
Date: Wed, 27 Sep 2023 13:48:27 +0100
Subject: [PATCH] Use cflags with uswid
Signed-off-by: Callum Farmer <gmbr3@opensuse.org>
---
efi/meson.build | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/efi/meson.build b/efi/meson.build
index 85c85b1..ae22534 100644
--- a/efi/meson.build
+++ b/efi/meson.build
@@ -285,6 +285,11 @@ o_files += custom_target('fwup-sbat.o',
])
if uswid.found()
+ if uswid.version().version_compare('>=0.4.3')
+ uswid_cflags = ['--cflags', ' '.join(compile_args)]
+ else
+ uswid_cflags = []
+ endif
o_files += custom_target('fwup-sbom.o',
output : 'fwup-sbom.o',
command : [
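Review bot: `' '.join(compile_args)` flattens the argument list into a single string, so any entry that contains a space, such as an include path or a quoted `-D` value, can no longer be split back correctly by the receiving tool. How uswid parses `--cflags` is not visible here, so at minimum the constraint should be written down: `# compile_args are passed to uswid as one space-joined string; entries must not contain spaces`. It also hands every compiler flag to the external tool, so passing only the defines the SBOM object needs would be a narrower interface. The `custom_target` call continues in the next hunk.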
@@ -293,7 +298,7 @@ if uswid.found()
'--objcopy', objcopy,
'--load', swid_xml,
'--save', '@OUTPUT@',
- ])
+ ] + uswid_cflags)
endif
fwupd_so_deps = []