From a69147385ccaac7de27770eb3e0d1571551d940a Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Tue, 8 Nov 2022 14:45:34 -0800 Subject: [PATCH 1/5] Create revocations.efi to deliver new sbat level requirements This covers delivering updates to SBAT_LEVEL without the need to create and sign a new shim Signed-off-by: Jan Setje-Eilers --- Makefile | 19 ++++++++++++++++++- data/sbat_level_latest.csv | 3 +++ data/sbat_level_previous.csv | 2 ++ 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 data/sbat_level_latest.csv create mode 100644 data/sbat_level_previous.csv diff --git a/Makefile b/Makefile index ecb7e49..dfe8244 100644 --- a/Makefile +++ b/Makefile @@ -55,6 +55,8 @@ $(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2) endef SBATPATH = $(TOPDIR)/data/sbat.csv +SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv +SBATLEVELPREVIOUSPATH = $(TOPDIR)/data/sbat_level_previous.csv VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x)))) OBJFLAGS = @@ -84,7 +86,7 @@ ifeq ($(ARCH),arm) BUILDFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) endif -all : certwrapper.efi +all : certmule.efi revocations.efi certwrapper.so : sbat_data.o certwrapper.o certwrapper.so : SOLIBS= @@ -94,6 +96,15 @@ certwrapper.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<) certwrapper.efi : SECTIONS=.text .reloc .db .sbat certwrapper.efi : VENDOR_DB_FILE?=db.esl +revocations.so : sbat_data.o revocations.o +revocations.so : SOLIBS= +revocations.so : SOFLAGS= +revocations.efi : OBJFLAGS = --strip-unneeded +revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp + +revocations.o : certmule.o + cp certmule.o revocations.o + %.efi : %.so ifneq ($(OBJCOPY_GTE224),1) $(error objcopy >= 2.24 is required) 
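Review bot: The `all` target in the `@@ -84,7 +86,7 @@` hunk goes from `certwrapper.efi` to `certmule.efi revocations.efi`, so the default build no longer produces certwrapper.efi even though its rules remain as context a few lines below, and the commit message (which is only about adding revocations.efi) does not mention the drop. If it is intended, say so in the message; otherwise keep it in the list: `all : certmule.efi certwrapper.efi revocations.efi`. The `%.efi : %.so` pattern rule at the bottom of the hunk continues past it.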
@@ -109,6 +120,12 @@ sbat_data.o : /dev/null $(OBJCOPY) --add-section .sbat=$(SBATPATH) \ --set-section-flags .sbat=contents,alloc,load,readonly,data \ $@ + $(OBJCOPY) --add-section .sbatl=$(SBATLEVELLATESTPATH) \ + --set-section-flags .sbatl=contents,alloc,load,readonly,data \ + $@ + $(OBJCOPY) --add-section .sbatp=$(SBATLEVELPREVIOUSPATH) \ + --set-section-flags .sbatp=contents,alloc,load,readonly,data \ + $@ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@)) %.so : %.o diff --git a/data/sbat_level_latest.csv b/data/sbat_level_latest.csv new file mode 100644 index 0000000..cf56b2e --- /dev/null +++ b/data/sbat_level_latest.csv @@ -0,0 +1,3 @@ +sbat,1,2022111500 +shim,2 +grub,3 diff --git a/data/sbat_level_previous.csv b/data/sbat_level_previous.csv new file mode 100644 index 0000000..51fa1e9 --- /dev/null +++ b/data/sbat_level_previous.csv @@ -0,0 +1,2 @@ +sbat,1,2022052400 +grub,2 From 93226b9c9721be0f955e7767a2cd2573c01f2ce4 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Fri, 9 Jun 2023 14:57:58 -0700 Subject: [PATCH 2/5] SkuSiPolicy payload - at the moment this is only for testing Signed-off-by: Jan Setje-Eilers --- Makefile | 31 +++++++++++++++++++++----- data/SkuSiPolicy_Version_latest.bin | Bin 0 -> 8 bytes data/SkuSiPolicy_Version_previous.bin | Bin 0 -> 8 bytes data/SkuSiPolicy_latest.bin | Bin 0 -> 131 bytes data/SkuSiPolicy_previous.bin | Bin 0 -> 131 bytes 5 files changed, 25 insertions(+), 6 deletions(-) create mode 100644 data/SkuSiPolicy_Version_latest.bin create mode 100644 data/SkuSiPolicy_Version_previous.bin create mode 100644 data/SkuSiPolicy_latest.bin create mode 100644 data/SkuSiPolicy_previous.bin diff --git a/Makefile b/Makefile index dfe8244..9f49f07 100644 --- a/Makefile +++ b/Makefile 
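Review bot: The two added objcopy invocations for `.sbatl` and `.sbatp` each rewrite `$@` in place after the `.sbat` one, so if the second or third fails (for example a missing csv) the rule leaves a partially populated sbat_data.o whose mtime is newer than its inputs, and the next `make` treats it as up to date unless `.DELETE_ON_ERROR:` is set somewhere outside this hunk. Passing all three `--add-section`/`--set-section-flags` pairs to one objcopy call removes the intermediate states and costs one fork instead of three. The `sbat_data.o : /dev/null` rule header and its `$(CC)` line are outside the hunk; the `$(foreach …add-vendor-sbat…)` line after the new lines is unchanged.
```make
sbat_data.o : /dev/null
	# … unchanged: $(CC) compile of the empty object …
	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
		--set-section-flags .sbat=contents,alloc,load,readonly,data \
		--add-section .sbatl=$(SBATLEVELLATESTPATH) \
		--set-section-flags .sbatl=contents,alloc,load,readonly,data \
		--add-section .sbatp=$(SBATLEVELPREVIOUSPATH) \
		--set-section-flags .sbatp=contents,alloc,load,readonly,data \
		$@
	# … unchanged: vendor sbat sections …
```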
@@ -51,12 +51,19 @@ endef define add-vendor-sbat $(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2) +endef +define add-skusi +$(OBJCOPY) --add-section ".$(patsubst %.bin,%,$(1))=$(1)" $(2) endef SBATPATH = $(TOPDIR)/data/sbat.csv SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv SBATLEVELPREVIOUSPATH = $(TOPDIR)/data/sbat_level_previous.csv +SSPVLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_Version_latest.bin +SSPSLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_latest.bin +SSPVPREVIOUSPATH = $(TOPDIR)/data/SkuSiPolicy_Version_previous.bin +SSPSPREVIOUSPATH = $(TOPDIR)/data/SkuSiPolicy_previous.bin VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x)))) OBJFLAGS = @@ -88,7 +95,7 @@ endif all : certmule.efi revocations.efi -certwrapper.so : sbat_data.o certwrapper.o +certwrapper.so : revocation_data.o certwrapper.o certwrapper.so : SOLIBS= certwrapper.so : SOFLAGS= certwrapper.so : BUILDFLAGS+=-DVENDOR_DB @@ -96,11 +103,11 @@ certwrapper.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<) certwrapper.efi : SECTIONS=.text .reloc .db .sbat certwrapper.efi : VENDOR_DB_FILE?=db.esl -revocations.so : sbat_data.o revocations.o +revocations.so : revocation_data.o revocations.o revocations.so : SOLIBS= revocations.so : SOFLAGS= -revocations.efi : OBJFLAGS = --strip-unneeded -revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp +revocations.efi : OBJFLAGS = --strip-unneeded +revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp .sspvp .sspsp .sspvl .sspsl revocations.o : certmule.o cp certmule.o revocations.o @@ -114,8 +121,8 @@ endif $(OBJFLAGS) \ $(FORMAT) $^ $@ -sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS) -sbat_data.o : /dev/null +revocation_data.o : | $(SBATPATH) $(VENDOR_SBATS) +revocation_data.o : /dev/null $(CC) $(BUILDFLAGS) -x c -c -o $@ $< $(OBJCOPY) --add-section .sbat=$(SBATPATH) \ --set-section-flags .sbat=contents,alloc,load,readonly,data \ 
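Review bot: `add-skusi` is defined at the top of the `@@ -51,12 +51,19 @@` hunk but nothing in this series calls it; the SkuSiPolicy sections are added with four explicit objcopy lines in the revocation_data.o recipe instead, so unless a rule outside this view uses it the define is dead and should either replace those lines (`$(call add-skusi,…)`) or be removed. It also carries no `--set-section-flags`, unlike the explicit lines, so the two mechanisms would not produce equivalent sections if someone did start using it. A one-line comment above the define saying which path is intended would settle it.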
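Review bot: In the `@@ -96,11 +103,11 @@` hunk the removed and added `revocations.efi : OBJFLAGS = --strip-unneeded` lines read identically, which looks like a trailing-whitespace-only change riding along in a functional hunk; drop it or call it out. The new SECTIONS list also orders the SkuSiPolicy pairs previous-first (`.sspvp .sspsp .sspvl .sspsl`) while the csv pair is latest-first (`.sbatl .sbatp`); assuming the list only feeds objcopy's section selection, the order is free, and `.sbatl .sbatp .sspvl .sspsl .sspvp .sspsp` is easier to audit against the recipe that creates them.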
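Review bot: `revocation_data.o : | $(SBATPATH) $(VENDOR_SBATS)` in the `@@ -114,8 +121,8 @@` hunk keeps the csv inputs order-only and does not mention the sbat_level or SkuSiPolicy files at all, so editing any of them (which is exactly what the later patches in this series do) will not rebuild revocation_data.o or revocations.efi in an existing tree, and a stale payload can end up being signed. Add them as normal prerequisites in a rule line placed after the `/dev/null` one so `$<` still expands to /dev/null: `revocation_data.o : $(SBATPATH) $(VENDOR_SBATS) $(SBATLEVELLATESTPATH) $(SBATLEVELPREVIOUSPATH) $(SSPVLATESTPATH) $(SSPSLATESTPATH) $(SSPVPREVIOUSPATH) $(SSPSPREVIOUSPATH)`. The rest of the recipe runs past the end of the hunk.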
@@ -126,6 +133,18 @@ sbat_data.o : /dev/null $(OBJCOPY) --add-section .sbatp=$(SBATLEVELPREVIOUSPATH) \ --set-section-flags .sbatp=contents,alloc,load,readonly,data \ $@ + $(OBJCOPY) --add-section .sspvl=$(SSPVLATESTPATH) \ + --set-section-flags .sspvl=contents,alloc,load,readonly,data \ + $@ + $(OBJCOPY) --add-section .sspsl=$(SSPSLATESTPATH) \ + --set-section-flags .sspsl=contents,alloc,load,readonly,data \ + $@ + $(OBJCOPY) --add-section .sspvp=$(SSPVPREVIOUSPATH) \ + --set-section-flags .sspvp=contents,alloc,load,readonly,data \ + $@ + $(OBJCOPY) --add-section .sspsp=$(SSPSPREVIOUSPATH) \ + --set-section-flags .sspsp=contents,alloc,load,readonly,data \ + $@ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@)) %.so : %.o diff --git a/data/SkuSiPolicy_Version_latest.bin b/data/SkuSiPolicy_Version_latest.bin new file mode 100644 index 0000000000000000000000000000000000000000..329e937b3fb9c867983245d50d0c408cc7dc59ea GIT binary patch literal 8 McmZQ#00CwO0015U1^@s6 literal 0 HcmV?d00001 diff --git a/data/SkuSiPolicy_Version_previous.bin b/data/SkuSiPolicy_Version_previous.bin new file mode 100644 index 0000000000000000000000000000000000000000..412ee8764ac5c75d4b1aa5692ebfb98c7130c7da GIT binary patch literal 8 McmZQ#00AZj000~S1poj5 literal 0 HcmV?d00001 diff --git a/data/SkuSiPolicy_latest.bin b/data/SkuSiPolicy_latest.bin new file mode 100644 index 0000000000000000000000000000000000000000..02968773e05f5b49940901d1943438bb8cc60051 GIT binary patch literal 131 zcmZQ%U|?VaVr+mBD98=O7bX@%rJ2BV$g&C)eheBv1mL!-E~*%(mL!-E~*%( Date: Thu, 21 Sep 2023 15:15:43 -0700 Subject: [PATCH 3/5] Update previous (automatic) SbatLevel to 2022111500 --- data/sbat_level_previous.csv | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/data/sbat_level_previous.csv b/data/sbat_level_previous.csv index 51fa1e9..e219305 100644 --- a/data/sbat_level_previous.csv +++ b/data/sbat_level_previous.csv 
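Review bot: The four `.sspvl`/`.sspsl`/`.sspvp`/`.sspsp` objcopy lines in the `@@ -126,6 +133,18 @@` hunk add the SkuSiPolicy payload unconditionally, and `all` builds revocations.efi by default, so what the commit message calls a testing-only payload lands in the artifact that gets signed and distributed. Until the real policy exists, gate these lines (and the matching `.ssp*` names in `revocations.efi : SECTIONS`) with `ifneq ($(strip $(WITH_SSP)),)` … `endif` so a default build leaves them out. The four .bin files are opaque blobs (8 and 131 bytes) with no indication of how they were produced; a sentence in the commit message or a comment beside the SSP*PATH variables describing their origin lets a reviewer regenerate and compare them before signing. The `revocation_data.o` rule header is outside the hunk.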
@@ -1,2 +1,4 @@ -sbat,1,2022052400 -grub,2 +sbat,1,2022111500 +shim,2 +grub,3 +grub.debian,4 From 5c50e85b627ec711107e0f883a06dfd8bdd944a8 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Thu, 21 Sep 2023 15:02:53 -0700 Subject: [PATCH 4/5] 2023 shim and GRUB revocations This is also included in shim builtin latest revocation, but it revokes shim binaries impacted by: * CVE-2023-40547 * CVE-2023-40546 * CVE-2023-40548 * CVE-2023-40549 * CVE-2023-40550 * CVE-2023-40551 And also revokes GRUB binaries impacted by: * CVE-2023-4692 * CVE-2023-4693 --- data/sbat_level_latest.csv | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/sbat_level_latest.csv b/data/sbat_level_latest.csv index cf56b2e..de466ab 100644 --- a/data/sbat_level_latest.csv +++ b/data/sbat_level_latest.csv @@ -1,3 +1,3 @@ -sbat,1,2022111500 -shim,2 -grub,3 +sbat,1,2023100300 +shim,4 +grub,4 From 4cad0377ceac86ea01381a8d6b6494626adfb5e0 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Fri, 15 Dec 2023 14:36:07 -0800 Subject: [PATCH 5/5] Rename "previous" revocations to "automatic" When the term previous was introduced for revocations to be automatically applied there was a hope that everytime a new revocation was built into shim, the previous revocation could be applied automatically. Further experience has shown the real world to be more complex than that. The automatic payload will realistically contain a set of revocations governed by both the cadence at which a distro's customer base updates as well as the severity of the issue being revoked. This is not a functional change. 
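Review bot: After this change sbat_level_latest.csv (`sbat,1,2023100300`, `shim,4`, `grub,4`) lacks the `grub.debian,4` entry that the previous patch in this series put into sbat_level_previous.csv, so the two payloads disagree on that component. If the consumer installs the payload as the whole SbatLevel variable rather than merging entries, a machine that has had the automatic payload applied and later applies latest would lose the grub.debian revocation, which is a downgrade. Either add `grub.debian,4` here or state in the commit message why latest intentionally omits it.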
Signed-off-by: Jan Setje-Eilers --- Makefile | 20 +++++++++--------- ....bin => SkuSiPolicy_Version_automatic.bin} | Bin ...previous.bin => SkuSiPolicy_automatic.bin} | Bin ..._previous.csv => sbat_level_automatic.csv} | 0 4 files changed, 10 insertions(+), 10 deletions(-) rename data/{SkuSiPolicy_Version_previous.bin => SkuSiPolicy_Version_automatic.bin} (100%) rename data/{SkuSiPolicy_previous.bin => SkuSiPolicy_automatic.bin} (100%) rename data/{sbat_level_previous.csv => sbat_level_automatic.csv} (100%) diff --git a/Makefile b/Makefile index 9f49f07..0983a57 100644 --- a/Makefile +++ b/Makefile @@ -59,11 +59,11 @@ endef SBATPATH = $(TOPDIR)/data/sbat.csv SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv -SBATLEVELPREVIOUSPATH = $(TOPDIR)/data/sbat_level_previous.csv +SBATLEVELAUTOMATICPATH = $(TOPDIR)/data/sbat_level_automatic.csv SSPVLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_Version_latest.bin SSPSLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_latest.bin -SSPVPREVIOUSPATH = $(TOPDIR)/data/SkuSiPolicy_Version_previous.bin -SSPSPREVIOUSPATH = $(TOPDIR)/data/SkuSiPolicy_previous.bin +SSPVAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_Version_automatic.bin +SSPSAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_automatic.bin VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x)))) OBJFLAGS = @@ -107,7 +107,7 @@ revocations.so : revocation_data.o revocations.o revocations.so : SOLIBS= revocations.so : SOFLAGS= revocations.efi : OBJFLAGS = --strip-unneeded -revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp .sspvp .sspsp .sspvl .sspsl +revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbata .sspva .sspsa .sspvl .sspsl revocations.o : certmule.o cp certmule.o revocations.o 
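Review bot: The section names changed in `revocations.efi : SECTIONS` (`.sbatp`→`.sbata`, `.sspvp`→`.sspva`, `.sspsp`→`.sspsa`) are the identifiers a loader looks sections up by, so for any consumer that expected the old names this is a functional change, contrary to the last line of the commit message. A sentence naming the consumer that reads `.sbata`/`.sspva`/`.sspsa` (presumably shim) and whether any released version read the old names would let a packager judge whether old and new revocations.efi builds can be mixed.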
@@ -130,8 +130,8 @@ revocation_data.o : /dev/null $(OBJCOPY) --add-section .sbatl=$(SBATLEVELLATESTPATH) \ --set-section-flags .sbatl=contents,alloc,load,readonly,data \ $@ - $(OBJCOPY) --add-section .sbatp=$(SBATLEVELPREVIOUSPATH) \ - --set-section-flags .sbatp=contents,alloc,load,readonly,data \ + $(OBJCOPY) --add-section .sbata=$(SBATLEVELAUTOMATICPATH) \ + --set-section-flags .sbata=contents,alloc,load,readonly,data \ $@ $(OBJCOPY) --add-section .sspvl=$(SSPVLATESTPATH) \ --set-section-flags .sspvl=contents,alloc,load,readonly,data \ @@ -139,11 +139,11 @@ revocation_data.o : /dev/null $(OBJCOPY) --add-section .sspsl=$(SSPSLATESTPATH) \ --set-section-flags .sspsl=contents,alloc,load,readonly,data \ $@ - $(OBJCOPY) --add-section .sspvp=$(SSPVPREVIOUSPATH) \ - --set-section-flags .sspvp=contents,alloc,load,readonly,data \ + $(OBJCOPY) --add-section .sspva=$(SSPVAUTOMATICPATH) \ + --set-section-flags .sspva=contents,alloc,load,readonly,data \ $@ - $(OBJCOPY) --add-section .sspsp=$(SSPSPREVIOUSPATH) \ - --set-section-flags .sspsp=contents,alloc,load,readonly,data \ + $(OBJCOPY) --add-section .sspsa=$(SSPSAUTOMATICPATH) \ + --set-section-flags .sspsa=contents,alloc,load,readonly,data \ $@ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@)) diff --git a/data/SkuSiPolicy_Version_previous.bin b/data/SkuSiPolicy_Version_automatic.bin similarity index 100% rename from data/SkuSiPolicy_Version_previous.bin rename to data/SkuSiPolicy_Version_automatic.bin diff --git a/data/SkuSiPolicy_previous.bin b/data/SkuSiPolicy_automatic.bin similarity index 100% rename from data/SkuSiPolicy_previous.bin rename to data/SkuSiPolicy_automatic.bin diff --git a/data/sbat_level_previous.csv b/data/sbat_level_automatic.csv similarity index 100% rename from data/sbat_level_previous.csv rename to data/sbat_level_automatic.csv