Merge: uki_addons: add downstream SBAT for UKI addons

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6893

JIRA: https://issues.redhat.com/browse/RHEL-92594

Upstream Status: RHEL-Only

Replace the old sbat/sbat.conf mechanism with a input-provided sbat one.

Also provide a downstream sbat for the generated addons, as it's better to have it in case we have bugs in the command line too.

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>

Approved-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Approved-by: Jan Stancek <jstancek@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Jan Stancek <jstancek@redhat.com>

Author: jstancek

redhat/kernel.spec.template

@@ -2382,6 +2382,12 @@ BuildKernel() {
 	EOF
 	)
 
+        ADDONS_SBAT=$(cat <<- EOF
+	sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+	kernel-uki-virt-addons.$SBATsuffix,1,Red Hat,kernel-uki-virt-addons,$KernelVer,mailto:secalert@redhat.com
+	EOF
+	)
+
         KernelUnifiedImageDir="$RPM_BUILD_ROOT/lib/modules/$KernelVer"
         KernelUnifiedImage="$KernelUnifiedImageDir/$InstallName-virt.efi"
 
@@ -2401,7 +2407,7 @@ BuildKernel() {
 
         KernelAddonsDirOut="$KernelUnifiedImage.extra.d"
         mkdir -p $KernelAddonsDirOut
-        python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu}
+        python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} "$ADDONS_SBAT"
 
 %if %{signkernel}
 

redhat/scripts/uki_addons/uki_create_addons.py

@@ -4,7 +4,7 @@
 # creates an addon for each key/value pair matching the given uki, distro and
 # arch provided in input.
 #
-# Usage: python uki_create_addons.py input_json out_dir uki distro arch
+# Usage: python uki_create_addons.py input_json out_dir uki distro arch [sbat]
 #
 # This tool requires the systemd-ukify and systemd-boot packages.
 #
@@ -26,14 +26,6 @@
 # json['virt']['common']['test.addon'] = ['test2'], any other uki except virt
 # will have a test.addon.efi with text "test1", and virt will have a
 # test.addon.efi with "test2"
-#
-# sbat.conf
-#----------
-# This dict is containing the sbat string for *all* addons being created.
-# This dict is optional, but when used has to be put in a sub-dict with
-# { 'sbat' : { 'sbat.conf' : ['your text here'] }}
-# It follows the same syntax as the addon files, meaning '#' is comment and
-# the rest is taken as sbat string and feed to ukify.
 
 import os
 import sys
@@ -45,7 +37,7 @@
 UKIFY_PATH = '/usr/lib/systemd/ukify'
 
 def usage(err):
-    print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch')
+    print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch [sbat]')
     print(f'Error:{err}')
     sys.exit(1)
 
@@ -62,37 +54,26 @@ def check_clean_arguments(input_json, out_dir):
 UKICmdlineAddon = collections.namedtuple('UKICmdlineAddon', ['name', 'cmdline'])
 uki_addons_list = []
 uki_addons = {}
-addon_sbat_string = None
 
-def parse_lines(lines, rstrip=True):
+def parse_lines(lines):
     cmdline = ''
     for l in lines:
         l = l.lstrip()
         if not l:
             continue
         if l[0] == '#':
             continue
-        # rstrip is used only for addons cmdline, not sbat.conf, as it replaces
-        # return lines with spaces.
-        if rstrip:
-            l = l.rstrip() + ' '
-        cmdline += l
+        cmdline += l.rstrip() + ' '
     if cmdline == '':
         return ''
     return cmdline
 
 def parse_all_addons(in_obj):
-    global addon_sbat_string
-
     for el in in_obj.keys():
         # addon found: copy it in our global dict uki_addons
         if el.endswith('.addon'):
             uki_addons[el] = in_obj[el]
 
-    if 'sbat' in in_obj and 'sbat.conf' in in_obj['sbat']:
-        # sbat.conf found: override sbat with the most specific one found
-        addon_sbat_string = parse_lines(in_obj['sbat']['sbat.conf'], rstrip=False)
-
 def recursively_find_addons(in_obj, folder_list):
     # end of recursion, leaf directory. Search all addons here
     if len(folder_list) == 0:
@@ -121,21 +102,21 @@ def parse_in_json(in_json, uki_name, distro, arch):
         if cmdline:
             uki_addons_list.append(UKICmdlineAddon(addon_full_name, cmdline))
 
-def create_addons(out_dir):
+def create_addons(out_dir, sbat):
     for uki_addon in uki_addons_list:
         out_path = os.path.join(out_dir, uki_addon.name)
         cmd = [
             f'{UKIFY_PATH}', 'build',
             '--cmdline', uki_addon.cmdline,
             '--output', out_path]
-        if addon_sbat_string:
-            cmd.extend(['--sbat', addon_sbat_string.rstrip()])
+        if sbat:
+            cmd.extend(['--sbat', sbat.rstrip()])
 
         subprocess.check_call(cmd, text=True)
 
 if __name__ == "__main__":
     argc = len(sys.argv) - 1
-    if argc != 5:
+    if argc < 5 or argc > 6:
         usage('too few or too many parameters!')
 
     input_json = sys.argv[1]
@@ -144,8 +125,12 @@ def create_addons(out_dir):
     distro = sys.argv[4]
     arch = sys.argv[5]
 
+    custom_sbat = None
+    if argc == 6:
+        custom_sbat = sys.argv[6]
+
     out_dir = check_clean_arguments(input_json, out_dir)
     parse_in_json(input_json, uki_name, distro, arch)
-    create_addons(out_dir)
+    create_addons(out_dir, custom_sbat)
 
 

redhat/scripts/uki_addons/uki_create_json.py

@@ -21,7 +21,7 @@
 # The name of the end resulting addon is taken from the folder hierarchy, but this
 # is handled by uki_create_addons.py when building the rpm. This script only
 # prepares the json file to be added in the srpm. For more information about
-# the folder hierarchy, what the 'common' and 'sbat' folder are, look at
+# the folder hierarchy and what the 'common' folder is, look at
 # uki_create_addons.py.
 #
 # The common folder, present in any folder under redhat/uki_addons
@@ -51,7 +51,7 @@ def usage(err):
     sys.exit(1)
 
 def find_addons():
-    cmd = ['/usr/bin/find', 'uki_addons', "(", '-name', '*.addon', '-o', '-name', 'sbat.conf', ")"]
+    cmd = ['/usr/bin/find', 'uki_addons', '-name', '*.addon']
     proc_out = subprocess.run(cmd, check=True, capture_output=True, text=True)
     if proc_out.returncode == 0:
         return proc_out.stdout