From: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
To: Frediano Ziglio <frediano.ziglio@cloud.com>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
	"Gerald Elder-Vass" <gerald.elder-vass@cloud.com>,
	xen-devel@lists.xenproject.org, dpsmith@apertussolutions.com,
	"Jan Beulich" <jbeulich@suse.com>,
	"Roger Pau Monné" <roger.pau@citrix.com>
Subject: Re: [XEN PATCH v3] sbat: Add SBAT section to the Xen EFI binary
Date: Thu, 8 May 2025 14:43:47 +0200
Message-ID: <aBynA-TiQNwCAOkG@mail-itl>
In-Reply-To: <CACHz=ZjtMSe8EzG-wTMCz=kecwzYGR14cu29JwQ0oozK6fr_MQ@mail.gmail.com>

On Thu, May 08, 2025 at 01:28:21PM +0100, Frediano Ziglio wrote:
> On Thu, May 8, 2025 at 12:55 PM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> >
> > On 08/05/2025 11:31 am, Marek Marczykowski-Górecki wrote:
> > > On Thu, May 08, 2025 at 09:51:59AM +0100, Andrew Cooper wrote:
> > >> Also,
> > >>
> > >>> ld: warning: orphan section `.sbat' from `prelink.o' being placed in section `.sbat'
> > >> This is because sbat.o is getting linked into the non-EFI build of Xen too.
> > >>
> > >> I'm less sure how to go about fixing this.  There's no nice way I can
> > >> see of getting sbat.o only in the EFI build.  The other option is to
> > >> discard it for the ELF build.
> > > This is kinda related to my question on Matrix - is multiboot2 binary
> > > also supposed to (eventually) support UEFI SB?
> >
> > This is mixing two things.
> >
> > Xen is either an ELF binary (ultimately zipped, so xen.gz) or is an EFI
> > binary (xen.efi).
> >
> > Both of these binaries currently have an MB2 header.  This was by
> > accident, as xen.efi is a strict superset of the ELF build.
> >
> 
> We are planning to use multiboot2 booting. The reason is the way we
> want some parameters (like command line) to be passed. We are going to
> use grub2.

Which means that multiboot2 binary needs to be signed somehow, and for
MS to be happy, needs to include SBAT too.

Relevant series:
https://lore.kernel.org/xen-devel/20240328151106.1451104-1-ross.lagerwall@citrix.com/
I don't recall seeing v3 posted.

And relevant grub series:
https://lore.kernel.org/xen-devel/20240328151302.1451158-1-ross.lagerwall@citrix.com/

> > AIUI, SBAT only makes sense to exist in the EFI binary.
> >
> > ~Andrew
> 
> Frediano

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
