[PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries
Martin Fernandez <martin.fernandez@...>
This patch modifies the build system in order to generate and use
metadata to add it to the efi binaries. It uses python-uswid [1]:
given a set of config files (.ini) with the metadata, it converts
them into the coswid format and then pushes the result to the .sbom
section of the executable file.
SBOM is increasingly important for everyone (both consumers and
vendors) and firmware is now a critical part of systems. The best
way to embed the SBOM metadata is to include generation as part of
the upstream build process, like we did with coreboot [2].
This looks for an sbom.ini file in the Conf directory, as the top
level metadata, and then it autogenerates a per-module .ini file with
information about the module itself, like name, version, git commit
hash (if applicable), etc.
Another interesting tag is the "edition" tag. This tag contains a
hash of all the sources involved in the building of a module, in a
sort of versioning of it. We did this because the git commit hash
isn't always enough to trace back. During the building, specifically
during the building of the .obj files, I save in a file the sources
that contributed to that .obj file. Later, in the process of the .efi
creation, I read those files and generate a new .ini file containing
only the edition tag, to later use it with python-uswid.
This patch is heavily experimental and really looking for comments
and more ideas. This is only built for an x86 Linux environment as a
POC. Once the idea is more settled I will add support for the other
systems and architectures. It also depends on having bash and
python-uswid installed in the system.
For further reference about firmware SBOM, see [3].
[1] https://github.com/hughsie/python-uswid
[2] https://review.coreboot.org/c/coreboot/+/63639
[3] https://blogs.gnome.org/hughsie/2022/03/10/firmware-software-bill-of-materials/
Signed-off-by: Martin Fernandez <martin.fernandez@...>
---
BaseTools/Conf/build_rule.template | 10 +++++
.../Source/Python/AutoGen/AutoGenWorker.py | 1 +
BaseTools/Source/Python/AutoGen/GenCoSWID.py | 41 +++++++++++++++++++
.../Source/Python/AutoGen/ModuleAutoGen.py | 6 +++
BaseTools/Source/Python/build/build.py | 1 +
scripts/edition.sh | 20 +++++++++
6 files changed, 79 insertions(+)
create mode 100644 BaseTools/Source/Python/AutoGen/GenCoSWID.py
create mode 100755 scripts/edition.sh
diff --git a/BaseTools/Conf/build_rule.template b/BaseTools/Conf/build_rule=
.template
index 5895b48fd8..080111fcf2 100755
--- a/BaseTools/Conf/build_rule.template
+++ b/BaseTools/Conf/build_rule.template
@@ -130,6 +130,7 @@
=0D
<Command.GCC>=0D
"$(CC)" $(DEPS_FLAGS) $(CC_FLAGS) -c -o ${dst} $(INC) ${src}=0D
+ echo ${src} >> $(OUTPUT_DIR)(+)${s_dir}(+)source_files.lst=0D
=0D
<Command.XCODE>=0D
"$(CC)" $(DEPS_FLAGS) $(CC_FLAGS) -o ${dst} $(INC) ${src}=0D
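Review bot: the `echo ${src} >> $(OUTPUT_DIR)(+)${s_dir}(+)source_files.lst` added after the GCC compile appends without ever truncating, so on an incremental build the list keeps entries from earlier builds (including sources since removed or renamed) and edition.sh hashes them too; truncate the list when the module build starts, or write one entry file per object and collect them, rather than relying on a clean build. Also, unless `${s_dir}` is always `.` here, sources in a subdirectory end up in `$(OUTPUT_DIR)/<subdir>/source_files.lst`, a file edition.sh (which reads `${output_dir}/source_files.lst`) never opens, so they silently drop out of the edition.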
@@ -152,8 +153,10 @@
*.h, *.H=0D
=0D
<OutputFile>=0D
+ $(OUTPUT_DIR)(+)header_files.lst=0D
=0D
<Command>=0D
+ echo ${src} >> ${dst}=0D
=0D
[Assembly-Code-File.COMMON.COMMON]=0D
<InputFile.MSFT, InputFile.INTEL>=0D
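Review bot: in the header rule `echo ${src} >> ${dst}` appends to `header_files.lst`, which this hunk also declares as the rule's `<OutputFile>`; once the file exists make can consider it up to date, and since nothing truncates it, headers removed from the module remain in the list and in the edition hash. Consider producing the list in one step from the full header set (one command writing with `>`), or truncating it before the first append.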
@@ -173,6 +176,7 @@
"$(PP)" $(DEPS_FLAGS) $(PP_FLAGS) $(INC) ${src} > ${d_path}(+)${s_=
base}.ii=0D
Trim --source-code --convert-hex --trim-long -o ${d_path}(+)${s_ba=
se}.iiii ${d_path}(+)${s_base}.ii=0D
"$(ASM)" /Fo${dst} $(ASM_FLAGS) /I${s_path} $(INC) ${d_path}(+)${s=
_base}.iiii=0D
+ echo ${src} >> $(OUTPUT_DIR)(+)${s_dir}(+)source_files.lst=0D
=0D
<Command.GCC>=0D
Trim --asm-file -o ${d_path}(+)${s_base}.i -i $(INC_LIST) ${src}=0D
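Review bot: this hunk changes the MSFT/INTEL assembler command even though the cover letter says the POC is Linux/x86 only; under cmd.exe `echo ${src} >> file` keeps the space before `>>` as a trailing space on every entry, and a source path containing a space is later split into two entries by the `tr ' ' '\n'` in edition.sh. Either leave the MSFT/INTEL command untouched until a Windows variant of edition.sh exists, or write the entries without the trailing space and read the list newline-delimited in the script.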
@@ -227,6 +231,7 @@
"$(PP)" $(DEPS_FLAGS) $(PP_FLAGS) $(INC) ${src} > ${d_path}(+)${s_=
base}.ii=0D
Trim --trim-long --source-code -o ${d_path}(+)${s_base}.iii ${d_pa=
th}(+)${s_base}.ii=0D
"$(NASM)" -I${s_path}(+) $(NASM_INC) $(NASM_FLAGS) -o $dst ${d_pat=
h}(+)${s_base}.iii=0D
+ echo ${src} >> $(OUTPUT_DIR)(+)${s_dir}(+)source_files.lst=0D
=0D
[Device-Tree-Source-File]=0D
<InputFile>=0D
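Review bot: the NASM rule records only `${src}`; whatever the assembler pulls in through `-I${s_path}(+)` and `$(NASM_INC)` (assembly include files) is written to neither list, so a change in an included assembly file does not change the edition. The C path at least captures headers via the `*.h` rule; give assembly includes the same treatment, or derive the edition from the dependency output the preprocessor already produces for `$(DEPS_FLAGS)` instead of a separate list.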
@@ -340,6 +345,9 @@
<InputFile>=0D
?.dll=0D
=0D
+ <ExtraDependency>=0D
+ $(OUTPUT_DIR)(+)header_files.lst=0D
+=0D
<OutputFile>=0D
$(OUTPUT_DIR)(+)$(MODULE_NAME).efi=0D
$(DEBUG_DIR)(+)$(MODULE_NAME).efi=0D
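Review bot: making `$(OUTPUT_DIR)(+)header_files.lst` a hard `<ExtraDependency>` means a module with no `*.h` input has no rule producing it and the link step fails, while `source_files.lst`, which edition.sh reads as well, is not listed at all; edition.sh in turn aborts under `set -e -o pipefail` when either list is missing. Either generate both lists unconditionally (empty when nothing was appended) and list both here, or make the script tolerate a missing list.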
@@ -362,6 +370,8 @@
-$(CP) $(DEBUG_DIR)(+)$(MODULE_NAME).debug $(BIN_DIR)(+)$(MODULE_N=
AME_GUID).debug=0D
=0D
"$(GENFW)" -e $(MODULE_TYPE) -o ${dst} ${src} $(GENFW_FLAGS)=0D
+ bash $(WORKSPACE)(+)scripts(+)edition.sh $(OUTPUT_DIR) $(MODULE_NAME)=0D
+ uswid --verbose --load $(WORKSPACE)(+)Conf(+)sbom.ini --load $(MODULE_NAM=
E).ini --load $(OUTPUT_DIR)(+)$(MODULE_NAME).ini --save ${dst}=0D
$(CP) ${dst} $(DEBUG_DIR)=0D
$(CP) ${dst} $(BIN_DIR)(+)$(MODULE_NAME_GUID).efi=0D
-$(CP) $(DEBUG_DIR)(+)*.map $(OUTPUT_DIR)=0D
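Review bot: the two added lines make every `.efi` link depend on `bash` and `uswid` being on PATH and on `$(WORKSPACE)(+)Conf(+)sbom.ini` existing, so any tree without them no longer builds; gate them behind a build switch that is off by default until the tool requirement is agreed, and drop `--verbose` from a per-module command. `--load $(MODULE_NAME).ini` is the only path on the line without a directory, so it resolves against make's working directory, whereas the edition fragment is addressed as `$(OUTPUT_DIR)(+)$(MODULE_NAME).ini`; the two files share a base name, so spell out the directory to keep them apart. Finally `--save ${dst}` rewrites the freshly generated image in place, so a failing `uswid` can leave a half-written `.efi` that the following `$(CP)` lines then copy; save to a temporary file and move it over `${dst}` on success.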
diff --git a/BaseTools/Source/Python/AutoGen/AutoGenWorker.py b/BaseTools/S=
ource/Python/AutoGen/AutoGenWorker.py
index 0ba2339bed..4697dcfb0c 100755
--- a/BaseTools/Source/Python/AutoGen/AutoGenWorker.py
+++ b/BaseTools/Source/Python/AutoGen/AutoGenWorker.py
@@ -282,6 +282,7 @@ class AutoGenWorkerInProcess(mp.Process):
=0D
Ma.CreateCodeFile(False)=0D
Ma.CreateMakeFile(False,GenFfsList=3DFfsCmd.get((Ma.MetaFi=
le.Path, Ma.Arch),[]))=0D
+ Ma.CreateCoSWIDFile()=0D
Ma.CreateAsBuiltInf()=0D
if GlobalData.gBinCacheSource and CommandTarget in [None, =
"", "all"]:=0D
try:=0D
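Review bot: `Ma.CreateCoSWIDFile()` is called unconditionally here (and again in build.py), and `ModuleCoSWID.__init__` spawns `git rev-parse HEAD` each time, so that is one git subprocess per module per worker; resolve the commit hash once in the caller and pass it in.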
diff --git a/BaseTools/Source/Python/AutoGen/GenCoSWID.py b/BaseTools/Sourc=
e/Python/AutoGen/GenCoSWID.py
new file mode 100644
index 0000000000..65dec0c773
--- /dev/null
+++ b/BaseTools/Source/Python/AutoGen/GenCoSWID.py
@@ -0,0 +1,41 @@
+from os import path
+import subprocess
+
+
+class ModuleCoSWID(object):
+ '''Create a per-module ini file with SBOM related data
+
+ Also try to get the git HEAD commit hash if the project is
+ versioned by git
+ '''
+ def __init__(self, ModuleAutoGen):
+ self.Name =3D ModuleAutoGen.Name
+ self.Guid =3D ModuleAutoGen.Guid
+ self.Version =3D ModuleAutoGen.Version
+
+ self.colloquial_version =3D None
+ try:
+ process =3D subprocess.run(["git", "rev-parse", "HEAD"],
+ capture_output=3DTrue,
+ check=3DTrue)
+ self.colloquial_version =3D process.stdout.decode("utf-8").str=
ip()
+ # If either git is not in the system, the tree is not in a
+ # git repo or anything else just don't fail
+ except:
+ pass
+
+ self.FilePath =3D path.join(ModuleAutoGen.BuildDir, self.Name + ".=
ini")
+
+ self.content =3D None
+
+ def Generate(self):
+ self.content =3D "\n".join([
+ "[uSWID]",
+ f"tag-id =3D {self.Guid}",
+ f"software-name =3D {self.Name}",
+ f"software-version =3D {self.Version}",
+ ""
+ ])
+
+ if self.colloquial_version is not None:
+ self.content +=3D f"colloquial-version =3D {self.colloquial_ve=
rsion}\n"
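Review bot: the bare `except:` around `subprocess.run` also swallows `KeyboardInterrupt` and `SystemExit`; catch `(OSError, subprocess.CalledProcessError)`, which is what the comment above it describes. `git rev-parse HEAD` runs in the build process's current directory rather than in the module's source tree, so a module taken from a submodule or a second checkout gets the wrong commit; pass `cwd=` with the module directory, and `text=True` removes the manual `.decode("utf-8")`. Is `tag-id = {self.Guid}` intended? The module GUID is identical for every version of the module, so if the tag is meant to identify one build the id should also incorporate the version or the edition. Minor: `self.content` stays `None` until `Generate()` runs, which `CreateCoSWIDFile` relies on; building the content in `__init__` or having `Generate()` return it would make that explicit.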
diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py b/BaseTools/S=
ource/Python/AutoGen/ModuleAutoGen.py
index d05410b329..6588322e78 100755
--- a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
+++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
@@ -20,6 +20,7 @@ from . import InfSectionParser
from . import GenC=0D
from . import GenMake=0D
from . import GenDepex=0D
+from . import GenCoSWID=0D
from io import BytesIO=0D
from GenPatchPcdTable.GenPatchPcdTable import parsePcdInfoFromMapFile=0D
from Workspace.MetaFileCommentParser import UsageList=0D
@@ -1784,6 +1785,11 @@ class ModuleAutoGen(AutoGen):
FilePath =3D path.join(self.BuildDir, self.Name + ".makefile")=0D
SaveFileOnChange(FilePath, MakefilePath, False)=0D
=0D
+ def CreateCoSWIDFile(self):=0D
+ coSWID =3D GenCoSWID.ModuleCoSWID(self)=0D
+ coSWID.Generate()=0D
+ SaveFileOnChange(coSWID.FilePath, coSWID.content, False)=0D
+=0D
def CopyBinaryFiles(self):=0D
for File in self.Module.Binaries:=0D
SrcPath =3D File.Path=0D
diff --git a/BaseTools/Source/Python/build/build.py b/BaseTools/Source/Pyth=
on/build/build.py
index 07187c0361..a80363acba 100755
--- a/BaseTools/Source/Python/build/build.py
+++ b/BaseTools/Source/Python/build/build.py
@@ -870,6 +870,7 @@ class Build():
=0D
PcdMa.CreateCodeFile(False)=0D
PcdMa.CreateMakeFile(False,GenFfsList =3D DataPipe.Get=
("FfsCommand").get((PcdMa.MetaFile.Path, PcdMa.Arch),[]))=0D
+ PcdMa.CreateCoSWIDFile()=0D
PcdMa.CreateAsBuiltInf()=0D
# Force cache miss for PCD driver=0D
if GlobalData.gBinCacheSource and self.Target in [None=
, "", "all"]:=0D
diff --git a/scripts/edition.sh b/scripts/edition.sh
new file mode 100755
index 0000000000..00de646a6f
--- /dev/null
+++ b/scripts/edition.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -xe -o pipefail
+
+output_dir=3D"${1:?}"
+module_name=3D"${2:?}"
+
+edition=3D"$(cat "${output_dir}/source_files.lst" "${output_dir}/header_fi=
les.lst" | \
+ tr ' ' '\n' | \
+ sort -u | \
+ tee "${module_name}.files" | \
+ xargs cat | \
+ sha256sum | \
+ cut -d' ' -f 1)"
+
+cat <<EOF > "${output_dir}/${module_name}.ini"
+[uSWID]
+edition =3D ${edition}
+EOF
+
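Review bot: `xargs cat`, and the `tr ' ' '\n'` before it, break on any path containing whitespace or shell-special characters, splitting one path into several bogus entries; read the lists newline-delimited (`xargs -d '\n'` or a `while IFS= read -r` loop) and drop the `tr`. `tee "${module_name}.files"` writes into the current directory while the `.ini` goes to `${output_dir}`; put both in `${output_dir}`. The digest is taken over the concatenated contents only, so moving lines between two files or renaming a file yields the same edition; hashing a manifest of `sha256sum` lines (digest plus workspace-relative path) is order-independent, detects renames and leaves a reviewable `.files` artefact. `set -x` echoes every command into every module's build log; consider removing it.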
--=20
2.30.2
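The edition calculation the cover letter describes, reworked as an added example that is not part of the patch: it reads the same source_files.lst and header_files.lst that the build rules append to and writes the same [uSWID] edition fragment, but hashes a manifest of per-file digests instead of the concatenated contents, so list order, duplicate entries and whitespace in paths do not change the result. The workspace layout, module and file names below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def read_file_lists(list_paths: Iterable[Path]) -> List[Path]:
    """Union of the newline-separated paths found in the given *.lst files.

    Entries are deduplicated (the build rule appends on every compile, so a
    rebuilt object lists its source again) and sorted, so the order in which
    make ran the compiles does not influence the edition. Each line is one
    path, so whitespace inside a path survives. A missing list is treated as
    empty (a module without its own headers has no header_files.lst).
    """
    files = set()
    for lst in list_paths:
        if not lst.is_file():
            continue
        for line in lst.read_text(encoding="utf-8").splitlines():
            line = line.strip()
            if line:
                files.add(Path(line))
    return sorted(files)


def file_manifest(files: Iterable[Path], workspace: Path) -> List[Tuple[str, str]]:
    """(sha256 hex digest, workspace-relative POSIX path) for every input file."""
    rows = []
    for f in files:
        h = hashlib.sha256()
        with open(f, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        try:
            shown = f.resolve().relative_to(workspace.resolve()).as_posix()
        except ValueError:
            shown = f.as_posix()  # outside the workspace: keep the path as given
        rows.append((h.hexdigest(), shown))
    return rows


def compute_edition(output_dir: Path, module_name: str, workspace: Path) -> str:
    """Edition = sha256 over the manifest text (one 'digest  path' line per file).

    Hashing the manifest instead of the concatenated file contents means that
    moving bytes between two inputs, or renaming one, changes the edition.
    Writes <module>.files (the manifest, for review) and the [uSWID] fragment
    <module>.ini next to the lists, mirroring what edition.sh produces.
    """
    lists = [output_dir / "source_files.lst", output_dir / "header_files.lst"]
    rows = file_manifest(read_file_lists(lists), workspace)
    manifest_text = "".join(f"{digest}  {path}\n" for digest, path in rows)
    edition = hashlib.sha256(manifest_text.encode("utf-8")).hexdigest()
    (output_dir / f"{module_name}.files").write_text(manifest_text, encoding="utf-8")
    (output_dir / f"{module_name}.ini").write_text(
        f"[uSWID]\nedition = {edition}\n", encoding="utf-8")
    return edition


def demo() -> Dict[str, object]:
    """Constructed module tree: two C files (one listed twice, all under a
    directory with a space in its name) and one header, followed by the two
    checks a reviewer wants: list order must not matter, content must."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        out = ws / "Build" / "Demo" / "OUTPUT"
        out.mkdir(parents=True)
        src = ws / "DemoPkg" / "Demo Module"
        src.mkdir(parents=True)
        (src / "Main.c").write_text("int Entry(void) { return 0; }\n")
        (src / "Helper.c").write_text("int Helper(void) { return 1; }\n")
        (src / "Helper.h").write_text("int Helper(void);\n")
        (out / "source_files.lst").write_text(
            f"{src / 'Main.c'}\n{src / 'Helper.c'}\n{src / 'Main.c'}\n")
        (out / "header_files.lst").write_text(f"{src / 'Helper.h'}\n")

        first = compute_edition(out, "Demo", ws)
        # Reordered, deduplicated list: the edition must not move.
        (out / "source_files.lst").write_text(f"{src / 'Helper.c'}\n{src / 'Main.c'}\n")
        reordered = compute_edition(out, "Demo", ws)
        # One changed byte in a header: the edition must move.
        (src / "Helper.h").write_text("int Helper(void); /* changed */\n")
        changed = compute_edition(out, "Demo", ws)
        ini = (out / "Demo.ini").read_text(encoding="utf-8")
        manifest_lines = (out / "Demo.files").read_text(encoding="utf-8").splitlines()
    return {"first": first, "reordered": reordered, "changed": changed,
            "ini": ini, "manifest_lines": manifest_lines}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["manifest_lines"]))
    print("edition:", result["changed"])
    print("stable under list reordering:", result["first"] == result["reordered"])
```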
Richard Hughes <hughsient@...>
On Fri, 3 Jun 2022 at 15:26, Martin Fernandez
<martin.fernandez@...> wrote:
> This patch is heavily experimental and really looking for comments
> and more ideas.
If it helps drive progress, both AMI and Insyde have been testing
building images based on this patch. I'd really like something like
this to be included in edk2 to avoid two IBVs diverging with subtly
different implementations.
Richard.
Demeter, Miki
Great.
Next community meeting is July 7th.
Is morning or evening best for you? i.e. 7am or 7:30pm
Is 20 minutes enough time?
-miki
--
Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
FST
Intel Corporation
Co-Chair, Network of Intel African-Ancestry(NIA) - Oregon
NIA-Oregon<https://intel.sharepoint.com/sites/NIA>
Portland Women in Tech Best Speaker
miki.demeter@...<mailto:miki.demeter@...>
503.712.8030 (office)
971.248.0123 (cell)
From: Richard Hughes <hughsient@...>
Date: Monday, June 6, 2022 at 12:03 PM
To: Demeter, Miki <miki.demeter@...>
Cc: rfc@edk2.groups.io <rfc@edk2.groups.io>
Subject: Re: [edk2-rfc] [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries
Hi Miki,
> Would you like to attend one of the community meetings coming up and talk about this patch.
Sure, not a problem. Let me know what you'd like me to present, and a
rough duration to stick to. I did a similar thing for the coreboot
leadership so it's no problem at all.
Richard
Demeter, Miki
Martin, Richard
Thank you, I will add you to the agenda for the July 7th meeting at 7:30 pm
-miki
From: Richard Hughes <hughsient@...>
Date: Monday, June 6, 2022 at 12:41 PM
To: Demeter, Miki <miki.demeter@...>
Cc: rfc@edk2.groups.io <rfc@edk2.groups.io>, Martin Fernandez <martin.fernandez@...>
Subject: Re: [edk2-rfc] [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries
On Mon, 6 Jun 2022 at 20:06, Demeter, Miki <miki.demeter@...> wrote:
> Is morning or evening best for you? i.e. 7am or 7:30pm
Definitely the latter please! Martin, is that okay for you?
> Is 20 minutes enough time?
Yes; I'll do a big picture overview, an introduction into uswid and
Martin can explain the patch functionality in more detail. Does that
sound about right?
Richard.
Isaac Oram
I am also interested in this capability.
There are (undocumented?) capabilities in the build scripts currently that may be germane: --hash, --binary-destination, --binary-source.
The rough usage is:
build --hash --binary-destination
This creates a tree with binaries and hashes of all the source code and build flags used to generate the binary.
Then you can use
build --hash --binary-source
and the build will only rebuild a driver if source or build options have changed.
The effect is that every build can be roughly an incremental build if you have baseline binaries available. My understanding is that the hash is a combination of all the build inputs for a given INF. And I understand that it is a little blunt, in that if anything in a consumed package changes, it will rebuild the binary.
It may be interesting to understand possible leverage between the two, and whether the edition use and hash use can or should be well aligned. Anyway, I look forward to the discussion in July.
Regards,
Isaac
-----Original Message-----
From: rfc@edk2.groups.io <rfc@edk2.groups.io> On Behalf Of Richard Hughes
Sent: Monday, June 6, 2022 1:56 AM
To: Martin Fernandez <martin.fernandez@...>
Cc: rfc@edk2.groups.io; daniel.gutson@...; alex.bazhaniuk@...; jesse.michael@...
Subject: Re: [edk2-rfc] [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries
On Fri, 3 Jun 2022 at 15:26, Martin Fernandez <martin.fernandez@...> wrote:
> This patch is heavily experimental and really looking for comments and
> more ideas.
If it helps drive progress, both AMI and Insyde have been testing building images based on this patch. I'd really like something like this to be included in edk2 to avoid two IBVs diverging with subtly different implementations.
Richard.
Richard Hughes <hughsient@...>
Hi Miki,
> Would you like to attend one of the community meetings coming up and talk about this patch.
Sure, not a problem. Let me know what you'd like me to present, and a
rough duration to stick to. I did a similar thing for the coreboot
leadership so it's no problem at all.
Richard
Richard Hughes <hughsient@...>
On Mon, 6 Jun 2022 at 20:06, Demeter, Miki <miki.demeter@...> wrote:
> Is morning or evening best for you? i.e. 7am or 7:30pm
Definitely the latter please! Martin, is that okay for you?
> Is 20 minutes enough time?
Yes; I'll do a big picture overview, an introduction into uswid and
Martin can explain the patch functionality in more detail. Does that
sound about right?
Richard.
Martin Fernandez <martin.fernandez@...>
On Mon, Jun 6, 2022 at 4:40 PM Richard Hughes <hughsient@...> wrote:
> On Mon, 6 Jun 2022 at 20:06, Demeter, Miki <miki.demeter@...> wrote:
> > Is morning or evening best for you? i.e. 7am or 7:30pm
> Definitely the latter please! Martin, is that okay for you?
Yep, I'm good with the latter.
Martin Fernandez
On Tue, Jun 7, 2022 at 5:31 PM Oram, Isaac W <isaac.w.oram@...> wrote:
> I am also interested in this capability.
> There are (undocumented?) capabilities in the build scripts currently that may be germane: --hash, --binary-destination, --binary-source.
> The rough usage is:
> build --hash --binary-destination
> This creates a tree with binaries and hashes of all the source code and build flags used to generate the binary.
> Then you can use
> build --hash --binary-source
> and the build will only rebuild a driver if source or build options have changed.
> The effect is that every build can be roughly an incremental build if you have baseline binaries available. My understanding is that the hash is a combination of all the build inputs for a given INF. And I understand that it is a little blunt, in that if anything in a consumed package changes, it will rebuild the binary.
> It may be interesting to understand possible leverage between the two, and whether the edition use and hash use can or should be well aligned. Anyway, I look forward to the discussion in July.
Nice, didn't know about those flags. I'll take a closer look at those
and see if any other flag could be useful.
One of the challenges of this patch was to check that the edition
calculation was correct for every case. Probably this --hash will help
to validate that.
Thanks!
Demeter, Miki
It would be 7:30pm PST
Does this work?
-miki
From: Richard Hughes <hughsient@...>
Date: Monday, July 4, 2022 at 12:36 PM
To: Demeter, Miki <miki.demeter@...>
Cc: rfc@edk2.groups.io <rfc@edk2.groups.io>, Martin Fernandez <martin.fernandez@...>
Subject: Re: [edk2-rfc] [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries
On Mon, 6 Jun 2022 at 21:36, Demeter, Miki <miki.demeter@...> wrote:
> Thank you, I will add you to the agenda for the July 7th meeting at 7:30 pm
Hi Miki; what timezone please? Martin just pointed out you probably
were not talking about GMT. I'm in London so if you're talking about
PST then 4AM local time isn't going to work I'm afraid.
Richard
Demeter, Miki
Does 9:00 am PST / 5:00pm BST work for you?
Sorry, I did not know you were in the BST time zone
-miki
From: Richard Hughes <hughsient@...>
Date: Tuesday, July 5, 2022 at 9:14 AM
To: Demeter, Miki <miki.demeter@...>
Cc: rfc@edk2.groups.io <rfc@edk2.groups.io>, Martin Fernandez <martin.fernandez@...>
Subject: Re: [edk2-rfc] [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries
On Tue, 5 Jul 2022 at 15:50, Demeter, Miki <miki.demeter@...> wrote:
> It would be 7:30pm PST
Hmm, that's 3:30 AM BST for me. Martin, that's 1:00 AM for you? I
think we might have to send our apologies Miki, unless we can record
something tomorrow for you to show?
Richard.
Richard Hughes <hughsient@...>
On Mon, 6 Jun 2022 at 21:36, Demeter, Miki <miki.demeter@...> wrote:
> Thank you, I will add you to the agenda for the July 7th meeting at 7:30 pm
Hi Miki; what timezone please? Martin just pointed out you probably
were not talking about GMT. I'm in London so if you're talking about
PST then 4AM local time isn't going to work I'm afraid.
Richard
Demeter, Miki
Hi Richard
Yes, the 7th of July
That time allowance will be perfect. I will give you the first time slot to make sure we can meet your schedule.
See you there. Thank you for working with me on getting this date set up
-miki
From: Richard Hughes <hughsient@...>
Date: Tuesday, July 5, 2022 at 9:22 AM
To: Demeter, Miki <miki.demeter@...>
Cc: rfc@edk2.groups.io <rfc@edk2.groups.io>, Martin Fernandez <martin.fernandez@...>
Subject: Re: [edk2-rfc] [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries
On Tue, 5 Jul 2022 at 17:18, Demeter, Miki <miki.demeter@...> wrote:
> Does 9:00 am PST / 5:00pm BST work for you?
On the 7th? In which case I can do 1700 BST but I have a hard stop at
1745 -- if that helps. Sorry!
Richard.
Martin Fernandez
That works for me too. See you on Tuesday!
On Tue, Jul 5, 2022 at 1:42 PM Demeter, Miki <miki.demeter@...> wrote:
> Hi Richard
> Yes, the 7th of July
> That time allowance will be perfect. I will give you the first time slot to make sure we can meet your schedule.
> See you there. Thank you for working with me on getting this date set up
> -miki
> From: Richard Hughes <hughsient@...>
> Date: Tuesday, July 5, 2022 at 9:22 AM
> To: Demeter, Miki <miki.demeter@...>
> Cc: rfc@edk2.groups.io <rfc@edk2.groups.io>, Martin Fernandez <martin.fernandez@...>
> Subject: Re: [edk2-rfc] [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries
> On Tue, 5 Jul 2022 at 17:18, Demeter, Miki <miki.demeter@...> wrote:
> > Does 9:00 am PST / 5:00pm BST work for you?
> On the 7th? In which case I can do 1700 BST but I have a hard stop at
> 1745 -- if that helps. Sorry!
> Richard.