From: Vitaly Kuznetsov <vkuznets@redhat.com>
To: Ard Biesheuvel <ardb@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>
Cc: x86@kernel.org, linux-efi@vger.kernel.org,
Thomas Gleixner <tglx@linutronix.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Peter Jones <pjones@redhat.com>,
Daniel Berrange <berrange@redhat.com>,
Emanuele Giuseppe Esposito <eesposit@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Luca Boccassi <bluca@debian.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH v2 2/2] x86/efi: Implement support for embedding SBAT data for x86
Date: Mon, 12 May 2025 17:02:24 +0200 [thread overview]
Message-ID: <8734d9oosf.fsf@redhat.com> (raw)
In-Reply-To: <CAMj1kXE5iVsKSEcEPqJs4bZpB03FYR9OcstDVUKNax=2y8nsAg@mail.gmail.com>
Ard Biesheuvel <ardb@kernel.org> writes:
> On Mon, 5 May 2025 at 17:46, Vitaly Kuznetsov <vkuznets@redhat.com> wrote:
>>
>> Similar to zboot architectures, implement support for embedding SBAT data
>> for x86. Put '.sbat' section in between '.data' and '.text' as the former
>> also covers '.bss' and '.pgtable' and thus must be the last one in the
>> file.
>>
>> Note, the obsolete CRC-32 checksum (see commit 9c54baab4401 ("x86/boot:
>> Drop CRC-32 checksum and the build tool that generates it")) is gone and
>> while it would've been possible to reserve the last 4 bytes in '.sbat'
>> section too (like it's done today in '.data'), it seems to be a pointless
>> exercise: SBAT makes zero sense without a signature on the EFI binary so
>> '.sbat' won't be at the very end of the file anyway. Any tool which uses
>> the last 4 bytes of the file as a checksum is broken with signed EFI
>> binaries already.
>>
>
> Is this last paragraph still relevant? If not, please drop it.
>
Certainly not relevant anymore, will drop.
>> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
>> ---
>> arch/x86/boot/Makefile | 2 +-
>> arch/x86/boot/compressed/Makefile | 5 ++++
>> arch/x86/boot/compressed/sbat.S | 7 ++++++
>> arch/x86/boot/compressed/vmlinux.lds.S | 8 +++++++
>> arch/x86/boot/header.S | 33 +++++++++++++++++++-------
>> drivers/firmware/efi/Kconfig | 2 +-
>> 6 files changed, 46 insertions(+), 11 deletions(-)
>> create mode 100644 arch/x86/boot/compressed/sbat.S
>>
>> diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
>> index 81f55da81967..5f7b52f0e7f5 100644
>> --- a/arch/x86/boot/Makefile
>> +++ b/arch/x86/boot/Makefile
>> @@ -71,7 +71,7 @@ $(obj)/vmlinux.bin: $(obj)/compressed/vmlinux FORCE
>>
>> SETUP_OBJS = $(addprefix $(obj)/,$(setup-y))
>>
>> -sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|z_.*\)$$/\#define ZO_\2 0x\1/p'
>> +sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|_e\?sbat\|z_.*\)$$/\#define ZO_\2 0x\1/p'
>>
>> quiet_cmd_zoffset = ZOFFSET $@
>> cmd_zoffset = $(NM) $< | sed -n $(sed-zoffset) > $@
>> diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
>> index fdbce022db55..1441435869cc 100644
>> --- a/arch/x86/boot/compressed/Makefile
>> +++ b/arch/x86/boot/compressed/Makefile
>> @@ -106,6 +106,11 @@ vmlinux-objs-$(CONFIG_UNACCEPTED_MEMORY) += $(obj)/mem.o
>>
>> vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o
>> vmlinux-libs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a
>> +vmlinux-objs-$(CONFIG_EFI_SBAT) += $(obj)/sbat.o
>> +
>> +ifdef CONFIG_EFI_SBAT
>> +$(obj)/sbat.o: $(CONFIG_EFI_SBAT_FILE)
>> +endif
>>
>> $(obj)/vmlinux: $(vmlinux-objs-y) $(vmlinux-libs-y) FORCE
>> $(call if_changed,ld)
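Review bot: the dependency `$(obj)/sbat.o: $(CONFIG_EFI_SBAT_FILE)` should be checked against how Kconfig string values reach the Makefile, which is normally with their surrounding double quotes; a quoted prerequisite would not name the file on disk, and Kbuild strips such quotes elsewhere with a `$(CONFIG_EFI_SBAT_FILE:"%"=%)` substitution. It is also worth stating, in a Makefile comment or the Kconfig help, what a relative path is relative to, since the same value is consumed both as a Make prerequisite here and by `.incbin` in sbat.S.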
>> diff --git a/arch/x86/boot/compressed/sbat.S b/arch/x86/boot/compressed/sbat.S
>> new file mode 100644
>> index 000000000000..838f70a997dd
>> --- /dev/null
>> +++ b/arch/x86/boot/compressed/sbat.S
>> @@ -0,0 +1,7 @@
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +/*
>> + * Embed SBAT data in the kernel.
>> + */
>> + .pushsection ".sbat", "a", @progbits
>> + .incbin CONFIG_EFI_SBAT_FILE
>> + .popsection
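Review bot: `.incbin CONFIG_EFI_SBAT_FILE` only assembles because the file is run through the preprocessor and autoconf.h supplies the path as a quoted string literal; a one-line comment saying so would spare the next reader a trip through the build system. Nothing in this file sets alignment or padding for the section, so the page rounding of `.sbat` relies entirely on the output section statement added to vmlinux.lds.S.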
>> diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S
>> index 3b2bc61c9408..587ce3e7c504 100644
>> --- a/arch/x86/boot/compressed/vmlinux.lds.S
>> +++ b/arch/x86/boot/compressed/vmlinux.lds.S
>> @@ -43,6 +43,14 @@ SECTIONS
>> *(.rodata.*)
>> _erodata = . ;
>> }
>> +#ifdef CONFIG_EFI_SBAT
>> + .sbat : ALIGN(0x1000) {
>> + _sbat = . ;
>> + *(.sbat)
>> + _esbat = ALIGN(0x1000);
>> + . = _esbat;
>> + }
>> +#endif
>> .data : ALIGN(0x1000) {
>> _data = . ;
>> *(.data)
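Review bot: the commit message says `.sbat` goes "in between '.data' and '.text'", but this hunk places it after `.rodata` and before `.data`; that is consistent with the PE view, where the `.text` entry in header.S now spans up to `ZO__sbat` and so covers `.rodata` as well, but the message would read better if it said so. The `_esbat = ALIGN(0x1000); . = _esbat;` idiom is what makes `ZO__esbat - ZO__sbat` in header.S a whole number of pages for both VirtualSize and SizeOfRawData.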
>> diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
>> index b5c79f43359b..91964818bf50 100644
>> --- a/arch/x86/boot/header.S
>> +++ b/arch/x86/boot/header.S
>> @@ -179,15 +179,17 @@ pecompat_fstart:
>> #else
>> .set pecompat_fstart, setup_size
>> #endif
>> - .ascii ".text"
>> - .byte 0
>> - .byte 0
>> - .byte 0
>> - .long ZO__data
>> - .long setup_size
>> - .long ZO__data # Size of initialized data
>> - # on disk
>> - .long setup_size
>> + .ascii ".text\0\0\0"
>> +#ifdef CONFIG_EFI_SBAT
>> + .long ZO__sbat # VirtualSize
>> + .long setup_size # VirtualAddress
>> + .long ZO__sbat # SizeOfRawData
>> +#else
>> + .long ZO__data # VirtualSize
>> + .long setup_size # VirtualAddress
>> + .long ZO__data # SizeOfRawData
>> +#endif
>> + .long setup_size # PointerToRawData
>
> Would it work if we do the following here
>
> #ifdef CONFIG_EFI_SBAT
> .set .Ltextsize, ZO__sbat
> #else
> .set .Ltextsize, ZO__data
> #endif
>
> and keep a single section definition for .text
>
> .ascii ".text\0\0\0"
> .long .Ltextsize # VirtualSize
> .long setup_size # VirtualAddress
> .long .Ltextsize # SizeOfRawData
> .long setup_size # PointerToRawData
>
As we already have '#ifdef CONFIG_EFI_SBAT' below I'd suggest we set
textsize there, basically:
@@ -199,16 +194,20 @@ pecompat_fstart:
IMAGE_SCN_MEM_EXECUTE # Characteristics
#ifdef CONFIG_EFI_SBAT
- .ascii ".sbat\0\0\0"
- .long ZO__esbat - ZO__sbat # VirtualSize
- .long setup_size + ZO__sbat # VirtualAddress
- .long ZO__esbat - ZO__sbat # SizeOfRawData
- .long setup_size + ZO__sbat # PointerToRawData
+ .ascii ".sbat\0\0\0"
+ .long ZO__esbat - ZO__sbat # VirtualSize
+ .long setup_size + ZO__sbat # VirtualAddress
+ .long ZO__esbat - ZO__sbat # SizeOfRawData
+ .long setup_size + ZO__sbat # PointerToRawData
.long 0, 0, 0
.long IMAGE_SCN_CNT_INITIALIZED_DATA | \
IMAGE_SCN_MEM_READ | \
IMAGE_SCN_MEM_DISCARDABLE # Characteristics
+
+ .set textsize, ZO__sbat
+#else
+ .set textsize, ZO__data
#endif
.ascii ".data\0\0\0"
and nobody seems to care that we use it first and define/set it later.
BTW, does the '.L' prefix you suggest have a meaning here? I see we don't use
it for e.g. 'pecompat_fstart', 'section_count'.
>
>> .long 0 # PointerToRelocations
>> .long 0 # PointerToLineNumbers
>> .word 0 # NumberOfRelocations
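Review bot: the `#ifdef` duplicates the three size/address lines of the `.text` entry; defining the size once (`.set .Ltextsize, ZO__sbat` under `CONFIG_EFI_SBAT`, `ZO__data` otherwise) and keeping a single entry is simpler, and, as the test above shows, gas accepts the `.set` after the use. On the `.L` question: GNU as treats names beginning with `.L` as assembler-local, so they are not emitted into setup.elf's symbol table, unlike `pecompat_fstart` and `section_count`; nothing here depends on the difference, it is only symbol-table hygiene.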
>> @@ -196,6 +198,19 @@ pecompat_fstart:
>> IMAGE_SCN_MEM_READ | \
>> IMAGE_SCN_MEM_EXECUTE # Characteristics
>>
>> +#ifdef CONFIG_EFI_SBAT
>> + .ascii ".sbat\0\0\0"
>
> Inconsistent indentation? ^^^
>
Yep, fixing.
>> + .long ZO__esbat - ZO__sbat # VirtualSize
>> + .long setup_size + ZO__sbat # VirtualAddress
>> + .long ZO__esbat - ZO__sbat # SizeOfRawData
>> + .long setup_size + ZO__sbat # PointerToRawData
>> +
>> + .long 0, 0, 0
>> + .long IMAGE_SCN_CNT_INITIALIZED_DATA | \
>> + IMAGE_SCN_MEM_READ | \
>> + IMAGE_SCN_MEM_DISCARDABLE # Characteristics
>> +#endif
>> +
>> .ascii ".data\0\0\0"
>> .long ZO__end - ZO__data # VirtualSize
>> .long setup_size + ZO__data # VirtualAddress
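Review bot: two layout nits in the new `.sbat` entry: the stray blank `+` line between `PointerToRawData` and `.long 0, 0, 0` splits the entry visually, and `.long 0, 0, 0` folds PointerToRelocations, PointerToLineNumbers and the two 16-bit counts into one line whereas the `.text` entry spells each field out with a comment; matching that style keeps the 40-byte entry easy to audit against IMAGE_SECTION_HEADER. It is also worth confirming that the section count in the COFF file header picks up the extra entry when CONFIG_EFI_SBAT is set, since no count change appears in the hunk.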
>> diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig
>> index db8c5c03d3a2..16baa038d412 100644
>> --- a/drivers/firmware/efi/Kconfig
>> +++ b/drivers/firmware/efi/Kconfig
>> @@ -286,7 +286,7 @@ config EFI_SBAT
>>
>> config EFI_SBAT_FILE
>> string "Embedded SBAT section file path"
>> - depends on EFI_ZBOOT
>> + depends on EFI_ZBOOT || (EFI_STUB && X86)
>> help
>> SBAT section provides a way to improve SecureBoot revocations of UEFI
>> binaries by introducing a generation-based mechanism. With SBAT, older
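Review bot: the `depends on` change only touches EFI_SBAT_FILE; the hunk does not show whether `config EFI_SBAT` itself carries the same `EFI_ZBOOT || (EFI_STUB && X86)` condition, and the two should agree, otherwise x86 builds could have EFI_SBAT selectable while the file path option stays hidden.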
>> --
>> 2.49.0
>>
>
> Modulo the nits, I think this patch looks fine, but it will need to go
> through the -tip tree.
>
> So with the changes,
>
> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Thanks for the review!
>
> Ingo, Boris, given that this depends on the previous patch, mind
> taking both via the -tip tree? I can take them too, but it doesn't
> make sense splitting them up.
>
--
Vitaly
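Added example, not code from the patch or the kernel tree: a small Python checker for the PE section-table invariants the header.S hunk encodes, namely that `.sbat` starts exactly where the `.text` entry ends, is page aligned and fully file-backed, and carries INITIALIZED_DATA|READ|DISCARDABLE rather than execute or write. The setup_size/ZO_* values and the `build_table` helper are constructed stand-ins for one build's numbers.

```python
import struct

# PE/COFF IMAGE_SCN_* flags combined in header.S for the .text and .sbat entries
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE = 0x02000000, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
# 40-byte IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLineNumbers, two counts, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
PAGE = 0x1000

def pack_section(name, vsize, vaddr, rawsize, rawptr, chars):
    return struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                       vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

def parse_section_table(blob):
    """Decode the consecutive 40-byte headers of a raw section table."""
    rows = [struct.unpack_from(SECTION_FMT, blob, off) for off in range(0, len(blob), 40)]
    return [{"name": r[0].rstrip(b"\0").decode(), "vsize": r[1], "vaddr": r[2],
             "rawsize": r[3], "rawptr": r[4], "chars": r[9]} for r in rows]

def check_sbat_layout(sections):
    """Return the violated invariants; an empty list means the table is sane."""
    problems = []
    for prev, cur in zip(sections, sections[1:]):  # entries must tile the file
        if (prev["vaddr"] + prev["vsize"], prev["rawptr"] + prev["rawsize"]) != (cur["vaddr"], cur["rawptr"]):
            problems.append(f"{cur['name']} does not start where {prev['name']} ends")
    sbat = next((s for s in sections if s["name"] == ".sbat"), None)
    if sbat is None:
        return problems + ["no .sbat section"]
    if sbat["vaddr"] % PAGE or sbat["vsize"] % PAGE or sbat["vsize"] != sbat["rawsize"]:
        problems.append(".sbat is not page aligned and fully file-backed")
    if sbat["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE):
        problems.append(".sbat is executable or writable")
    want = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE
    if sbat["chars"] & want != want:
        problems.append(".sbat lacks INITIALIZED_DATA|READ|DISCARDABLE")
    return problems

# Constructed stand-ins for setup_size and the ZO_* symbols of one particular build.
SETUP_SIZE, ZO__SBAT, ZO__ESBAT = 0x4000, 0x20000, 0x21000
TEXT_CHARS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
SBAT_CHARS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE

def build_table(sbat_chars=SBAT_CHARS, sbat_vaddr=SETUP_SIZE + ZO__SBAT):
    """Emit the .text/.sbat pair laid out the way the header.S hunk does (constructed helper)."""
    return (pack_section(".text", ZO__SBAT, SETUP_SIZE, ZO__SBAT, SETUP_SIZE, TEXT_CHARS)
            + pack_section(".sbat", ZO__ESBAT - ZO__SBAT, sbat_vaddr,
                           ZO__ESBAT - ZO__SBAT, SETUP_SIZE + ZO__SBAT, sbat_chars))
```

`check_sbat_layout(parse_section_table(build_table()))` returns an empty list; passing `sbat_chars=TEXT_CHARS` or a misaligned `sbat_vaddr` reports the broken invariants by name.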
Thread overview: 11+ messages
2025-05-05 15:45 [PATCH v2 0/2] efi: Add a mechanism for embedding SBAT section Vitaly Kuznetsov
2025-05-05 15:45 ` [PATCH v2 1/2] efi: zboot specific " Vitaly Kuznetsov
2025-05-09 9:16 ` Ard Biesheuvel
2025-05-05 15:45 ` [PATCH v2 2/2] x86/efi: Implement support for embedding SBAT data for x86 Vitaly Kuznetsov
2025-05-09 9:20 ` Ard Biesheuvel
2025-05-12 15:02 ` Vitaly Kuznetsov [this message]
2025-05-13 12:22 ` Ard Biesheuvel