Xen project Mailing List

[PATCH 1/6] Add SBAT section to the PE binary

From: Frediano Ziglio <freddy77@xxxxxxxxx>

Date: Fri, 29 May 2026 16:35:26 +0100

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=20251104 header.d=gmail.com header.i="@gmail.com" header.h="Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From"

Cc: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Frediano Ziglio <frediano.ziglio@xxxxxxxxx>

Delivery-date: Fri, 29 May 2026 15:36:05 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

From: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx> The SBAT section provides a way for the binary to declare a generation id for its upstream source and any vendor changes applied. A compatible loader can then revoke vulnerable binaries by generation, using the binary's declared generation id(s) to determine if it is safe to load. More information about SBAT is available here: https://github.com/rhboot/shim/blob/main/SBAT.md Populate the SBAT section in the Xen binary by using the information in xen/arch/x86/sbat.csv. On XenServer, the version and release fields are populated by the spec file during the build process. Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx> Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> --- xen/arch/x86/Makefile | 4 ++++ xen/arch/x86/xen.lds.S | 2 ++ xen/include/xen/xen.lds.h | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile index 47dd6c50fe..a2bdcb6f44 100644 --- a/xen/arch/x86/Makefile +++ b/xen/arch/x86/Makefile @@ -71,6 +71,7 @@ obj-$(CONFIG_TBOOT) += tboot.o obj-y += hpet.o obj-$(CONFIG_VM_EVENT) += vm_event.o obj-y += xstate.o +obj-y += sbat_data.o ifneq ($(CONFIG_PV_SHIM_EXCLUSIVE),y) obj-y += domctl.o @@ -275,6 +276,9 @@ $(obj)/efi.lds: AFLAGS-y += -DEFI $(obj)/xen.lds $(obj)/efi.lds: $(src)/xen.lds.S FORCE $(call if_changed_dep,cpp_lds_S) +$(obj)/sbat_data.o: $(src)/sbat.csv + $(OBJCOPY) -I binary -O elf64-x86-64 --rename-section .data=.sbat,readonly,data,contents --add-section .note.GNU-stack=/dev/null $(srcdir)/sbat.csv $@ + clean-files := \ include/asm/asm-macros.* \ $(objtree)/.xen-syms.[0-9]* \ diff --git a/xen/arch/x86/sbat.csv b/xen/arch/x86/sbat.csv new file mode 100644 index 000000000000..1573604e2f10 --- /dev/null +++ b/xen/arch/x86/sbat.csv @@ -0,0 +1,1 @@ +sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S index b9e888e596..c2b9b5a893 100644 --- a/xen/arch/x86/xen.lds.S +++ b/xen/arch/x86/xen.lds.S @@ -354,6 +354,8 @@ SECTIONS PROVIDE(ALT_START = 0); VIRT_START &= 0; ALT_START &= 0; + + .sbat (NOLOAD) : { *(.sbat) } #elif defined(XEN_BUILD_EFI) /* * Due to the way EFI support is currently implemented, these two symbols diff --git a/xen/include/xen/xen.lds.h b/xen/include/xen/xen.lds.h index ea11e3fb62..c9aa1b7fae 100644 --- a/xen/include/xen/xen.lds.h +++ b/xen/include/xen/xen.lds.h @@ -118,7 +118,8 @@ *(.comment.*) \ *(.note.*) #else -#define DISCARD_EFI_SECTIONS +#define DISCARD_EFI_SECTIONS \ + *(.sbat) #endif /* Sections to be discarded. */ -- 2.43.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.