
Commit 4866961

committed
feat(secure-boot): add support for SBAT section
1 parent bbc8f58 commit 4866961


4 files changed

+70
-0
lines changed


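--- a/build.rs
+++ b/build.rs
@@ -0,0 +1,57 @@
+use std::path::PathBuf;
+use std::{env, fs};
+
+/// The size of the sbat.csv file.
+const SBAT_SIZE: usize = 512;
+
+/// Generate the sbat.csv for the .sbat link section.
+///
+/// We intake a sbat.template.tsv and output a sbat.csv which is included by src/sbat.rs
+fn generate_sbat_csv() {
+// Notify Cargo that if the Sprout version changes, we need to regenerate the sbat.csv.
+println!("cargo:rerun-if-env-changed=CARGO_PKG_VERSION");
+
+// The version of the sprout crate.
+let sprout_version = env::var("CARGO_PKG_VERSION").expect("CARGO_PKG_VERSION not set");
+
+// The output directory to place the sbat.csv into.
+let output_dir = PathBuf::from(env::var("OUT_DIR").expect("OUT_DIR not set"));
+
+// The output path to the sbat.csv.
+let output_file = output_dir.join("sbat.csv");
+
+// The path to the root of the sprout crate.
+let sprout_root =
+PathBuf::from(env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set"));
+
+// The path to the sbat.template.tsv file is in the source directory of the sprout crate.
+let template_path = sprout_root.join("src/sbat.template.csv");
+
+// Read the sbat.csv template file.
+let template = fs::read_to_string(&template_path).expect("unable to read template file");
+
+// Replace the version placeholder in the template with the actual version.
+let sbat = template.replace("{version}", &sprout_version);
+
+// Encode the sbat.csv as bytes.
+let mut encoded = sbat.as_bytes().to_vec();
+
+if encoded.len() > SBAT_SIZE {
+panic!("sbat.csv is too large");
+}
+
+// Pad the sbat.csv to the required size.
+while encoded.len() < SBAT_SIZE {
+encoded.push(0);
+}
+
+// Write the sbat.csv to the output directory.
+fs::write(&output_file, encoded).expect("unable to write sbat.csv");
+}
+
+/// Build script entry point.
+/// Right now, all we need to do is generate the sbat.csv file.
+fn main() {
+// Generate the sbat.csv file.
+generate_sbat_csv();
+}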
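Review bot: The template is read via `fs::read_to_string(&template_path)`, but the only rerun directive the script prints is `cargo:rerun-if-env-changed=CARGO_PKG_VERSION`; once a build script emits any rerun-if-* directive Cargo drops its default rerun-on-any-source-change behaviour, so editing src/sbat.template.csv (for example bumping the sprout generation number so older builds are revoked) will not regenerate sbat.csv and a stale .sbat section is linked into the image. Add `println!("cargo:rerun-if-changed={}", template_path.display());` right after `template_path` is computed. The fn doc comment and the comment above `template_path` both name the input `sbat.template.tsv`, while the path used and the file added in this commit are `src/sbat.template.csv`; change both to `.csv`. The oversize panic could also report the measured length, e.g. `panic!("sbat.csv is {} bytes, limit is {SBAT_SIZE}", encoded.len());`, so the failure is actionable.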

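--- a/src/main.rs
+++ b/src/main.rs
@@ -59,6 +59,9 @@ pub mod integrations;
 /// phases: Hooks into specific parts of the boot process.
 pub mod phases;
 
+/// sbat: Secure Boot Attestation section.
+pub mod sbat;
+
 /// secure: Secure Boot support.
 pub mod secure;
 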
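Review bot: The doc comment `/// sbat: Secure Boot Attestation section.` expands the acronym incorrectly; SBAT is Secure Boot Advanced Targeting, the generation-number based revocation scheme described in the shim SBAT.md that src/sbat.rs links to, not an attestation mechanism. Suggest `/// sbat: Secure Boot Advanced Targeting (SBAT) section, embedded as .sbat for shim's revocation checks.` The same wording issue appears in src/sbat.rs, where the static's doc says "Define the SBAT attestation".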

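--- a/src/sbat.rs
+++ b/src/sbat.rs
@@ -0,0 +1,8 @@
+/// SBAT must be aligned by 512 bytes.
+const SBAT_SIZE: usize = 512;
+
+/// Define the SBAT attestation by including the sbat.csv file.
+/// See this document for more details: https://github.com/rhboot/shim/blob/main/SBAT.md
+#[used]
+#[unsafe(link_section = ".sbat")]
+static SBAT: [u8; SBAT_SIZE] = *include_bytes!(concat!(env!("OUT_DIR"), "/sbat.csv"));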
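Review bot: The comment `/// SBAT must be aligned by 512 bytes.` describes a size, not an alignment: nothing here sets the alignment of the static, and 512 is the length the build script pads sbat.csv to. Because the same constant is duplicated in build.rs and `*include_bytes!` only type-checks when the generated file is exactly `SBAT_SIZE` bytes, the two definitions are coupled by a compile error rather than by name; say so where the constant is defined, e.g. `/// Length of the generated sbat.csv; must match SBAT_SIZE in build.rs (a mismatch fails to compile because include_bytes! yields a fixed-size array).` It is also worth noting in the doc that the section carries trailing NUL padding and that the SBAT parser in shim is assumed to tolerate it — confirm against the referenced document.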

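--- a/src/sbat.template.csv
+++ b/src/sbat.template.csv
@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+sprout,1,Edera,sprout,{version},https://sprout.edera.dev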
