From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Luca Boccassi <bluca@debian.org>,
Eric Snowberg <eric.snowberg@oracle.com>
Cc: "Ard Biesheuvel" <ardb@kernel.org>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Emanuele Giuseppe Esposito" <eesposit@redhat.com>,
"x86@kernel.org" <x86@kernel.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"lennart@poettering.net" <lennart@poettering.net>,
"Ingo Molnar" <mingo@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"Dave Hansen" <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Alexander Potapenko" <glider@google.com>,
"Nick Desaulniers" <ndesaulniers@google.com>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
"open list" <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"Jarkko Sakkinen" <jarkko@kernel.org>
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
Date: Fri, 21 Jul 2023 07:24:28 -0400 [thread overview]
Message-ID: <c2f451e0f8d72cf3183aff9cbaf23f135fc7b495.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAMw=ZnQtEwNFyZ-Gt6ODb9gp22KY1GimaSfW46N7o-S1Hkfp4A@mail.gmail.com>
On Fri, 2023-07-21 at 09:55 +0100, Luca Boccassi wrote:
> On Fri, 21 Jul 2023 at 02:49, Eric Snowberg
> <eric.snowberg@oracle.com> wrote:
> > > On Jul 20, 2023, at 1:16 PM, Luca Boccassi <bluca@debian.org>
> > > wrote:
> > > On Thu, 20 Jul 2023 at 18:11, Eric Snowberg
> > > <eric.snowberg@oracle.com> wrote:
[...]
> > > > I agree with James in the previous thread; adding the SBAT
> > > > section to the kernel should be handled by the signing tools.
> > > > It really doesn't need to be included in the mainline kernel
> > > > code. I also agree with the sentiment that mainline and the
> > > > stable branches should not have SBAT versions attached
> > > > to them. These are things distros should be responsible for
> > > > including in their kernel if they want to have SBAT support.
> > >
> > > Why would 'signing tools' handle that? It's just a text-based PE
> > > section, it doesn't require access to private key materials to be
> > > handled, nor it has any relationship with signing.
> >
> > There is a relationship, the sbat information within the signed
> > file can be used for revocation in lieu of revoking the hash or
> > signing certificate at a later time.
>
> No, it is completely disjoint. In fact, the kernel doesn't even have
> to be signed at all, but it still _must_ have a .sbat section when it
> is used in a UKI.
Just a minute, this is wrong. I was talking to Peter after all of this
blew up about how we handle signed kernels with no sbat (since we need
that still to work for developers who sign their own kernels). I
thought he was planning to require an sbat section for all EFI
binaries, but he says that's not true. The current way shim does the
sbat check is that if the section doesn't exist the binary is processed
as having an empty sbat section (i.e. no sbat level checking will be
done because there's no named sbat level for anything and it will just
work) and they're planning to keep it that way so that a signed but no
sbat kernel will always "just work" without any special key handling in
shim. So if we're planning to keep this no-sbat case in discrete
kernels, even when the shim verifier checks sbat, the UKI kernel will
need to work for this case as well.
James
next prev parent reply other threads:[~2023-07-21 11:24 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230711154449.1378385-1-eesposit@redhat.com>
[not found] ` <ZK/9MlTh435FP5Ji@gambale.home>
2023-07-13 13:52 ` [RFC PATCH v2] x86/boot: add .sbat section to the bzImage Ard Biesheuvel
2023-07-13 20:39 ` Emanuele Giuseppe Esposito
2023-07-13 22:31 ` Luca Boccassi
2023-07-14 8:52 ` Ard Biesheuvel
2023-07-14 9:13 ` Matthew Garrett
2023-07-14 9:14 ` Ard Biesheuvel
2023-07-14 9:25 ` Luca Boccassi
2023-07-17 16:08 ` James Bottomley
2023-07-17 16:56 ` Daniel P. Berrangé
2023-07-17 17:15 ` James Bottomley
2023-07-17 18:16 ` Daniel P. Berrangé
2023-07-20 16:46 ` Eric Snowberg
2023-07-20 17:07 ` James Bottomley
2023-07-20 18:10 ` Eric Snowberg
2023-07-20 19:16 ` Luca Boccassi
2023-07-21 0:02 ` Eric Snowberg
2023-07-21 8:55 ` Luca Boccassi
2023-07-21 11:24 ` James Bottomley [this message]
2023-07-21 12:40 ` Luca Boccassi
2023-07-21 13:01 ` James Bottomley
2023-07-21 13:10 ` Luca Boccassi
2023-07-21 13:33 ` James Bottomley
2023-07-21 15:14 ` Luca Boccassi
2023-07-21 15:22 ` Luca Boccassi
2023-07-21 15:27 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c2f451e0f8d72cf3183aff9cbaf23f135fc7b495.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=berrange@redhat.com \
--cc=bluca@debian.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=eesposit@redhat.com \
--cc=eric.snowberg@oracle.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=lennart@poettering.net \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=mingo@redhat.com \
--cc=ndesaulniers@google.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox