dracut.sh: add --sbat option to add sbat policy to UKI

[esposem]

Take existing .sbat section from the uefi stub and merge it with vmlinux .sbat (if it exists) and user-provided .sbat file using the new --sbat option.

For some reasons, --update-section in objcopy does not resize the .sbat section, so remove the section from the stub and add it to the UKI as new one, to avoid having incomplete SBAT strings.

Changes

Checklist

• [x] I have tested it locally
• [x] I have reviewed and updated any documentation if relevant
• [ ] I am providing new code and test(s) for it

Fixes #

[esposem]

Not sure what TEST: root filesystem on LVM on encrypted partitions of a RAID-5 [FAILED] has to do with my patch. Any help?

[LaszloGombos]

Not sure what TEST: root filesystem on LVM on encrypted partitions of a RAID-5 [FAILED] has to do with my patch. Any help?

Those test failures are not regressions form this PR. Currently only TEST-18 is using UEFI boot (bu not UEFI secure boot)

[aafeijoo-suse]

Nice thread: https://lore.kernel.org/lkml/7DF38657-99C7-4C88-8835-7EE28E82C829@zytor.com/T/#u

[esposem]

Nice thread: https://lore.kernel.org/lkml/7DF38657-99C7-4C88-8835-7EE28E82C829@zytor.com/T/#u

I am the author of that patch. We will probably not end up having anything in kernel upstream, but distros might add their own SBAT section to the vmlinux binary. So IMHO this PR is still needed, also because:

• giving a sbat string will be optional
• ukify (the systemd tool that builds UKI the same way as dracut does) also supports it. So if you want to maintain a minimum of consistency with the other tools, you need this.

[esposem]

See if it makes sense for you :+1:

[aafeijoo-suse]

See if it makes sense for you +1

Have you added the new changes to the commit? I can see the diff but the PR was not updated... btw you can reword the and user-provided .sbat file part of the commit message :)

[esposem]

done