From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Eric Snowberg <eric.snowberg@oracle.com>,
Ard Biesheuvel <ardb@kernel.org>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Emanuele Giuseppe Esposito" <eesposit@redhat.com>,
"x86@kernel.org" <x86@kernel.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"bluca@debian.org" <bluca@debian.org>,
"lennart@poettering.net" <lennart@poettering.net>,
"Ingo Molnar" <mingo@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"Dave Hansen" <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Alexander Potapenko" <glider@google.com>,
"Nick Desaulniers" <ndesaulniers@google.com>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
"open list" <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"Jarkko Sakkinen" <jarkko@kernel.org>
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
Date: Thu, 20 Jul 2023 13:07:34 -0400 [thread overview]
Message-ID: <d67ac07c71097a4c97c8792c7c1fac9f4d5850dd.camel@HansenPartnership.com> (raw)
In-Reply-To: <FBDC67DD-856F-429B-8E91-B0CA8B0F24B9@oracle.com>
On Thu, 2023-07-20 at 16:46 +0000, Eric Snowberg wrote:
> If a distro adds a SBAT section to either their UKI, or if kernel
> SBAT enforcement is turned on from GRUB2 by default, there is one
> piece missing that would need to be handled by the mainline kernel
> which is SBAT enforcement for kexec. This would mean the revocations
> SBAT protect against would need to be referenced before doing the
> signature validation in kexec. If this is not added, any distro that
> allows kexec really doesn’t have a SBAT protected kernel.
Um, actually, this is actually one of the misunderstandings of the
whole thread: sbat is a revocation mechanism for protecting EFI boot
security. It's design is to prevent malicious actors exploiting buggy
code to get into the EFI boot system before ExitBootServices is called
and nothing more. The kernel's intrusion into EFI boot security is
tiny: it's basically the EFI stub up to ExitBootServices, so even if
the kernel were to have an sbat number it would obviously be under the
control of the maintainers of only that code (i.e. Ard) and it would
only rev if we actually found a usable exploit in the efi stub.
As far as kexec is concerned, ExitBootServices is long gone and nothing
a future kexec'd kernel can do can alter that, so there's no EFI
security benefit to making kexec sbat aware, and thus it seems there's
no need to do anything about it for kexec. Now if we're interested in
sbat as a more general revocation mechanism, that might change, but I
think sbat is too tightly designed for the problems of EFI variables to
be more generally useful.
James
next prev parent reply other threads:[~2023-07-20 17:07 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230711154449.1378385-1-eesposit@redhat.com>
[not found] ` <ZK/9MlTh435FP5Ji@gambale.home>
2023-07-13 13:52 ` [RFC PATCH v2] x86/boot: add .sbat section to the bzImage Ard Biesheuvel
2023-07-13 20:39 ` Emanuele Giuseppe Esposito
2023-07-13 22:31 ` Luca Boccassi
2023-07-14 8:52 ` Ard Biesheuvel
2023-07-14 9:13 ` Matthew Garrett
2023-07-14 9:14 ` Ard Biesheuvel
2023-07-14 9:25 ` Luca Boccassi
2023-07-17 16:08 ` James Bottomley
2023-07-17 16:56 ` Daniel P. Berrangé
2023-07-17 17:15 ` James Bottomley
2023-07-17 18:16 ` Daniel P. Berrangé
2023-07-20 16:46 ` Eric Snowberg
2023-07-20 17:07 ` James Bottomley [this message]
2023-07-20 18:10 ` Eric Snowberg
2023-07-20 19:16 ` Luca Boccassi
2023-07-21 0:02 ` Eric Snowberg
2023-07-21 8:55 ` Luca Boccassi
2023-07-21 11:24 ` James Bottomley
2023-07-21 12:40 ` Luca Boccassi
2023-07-21 13:01 ` James Bottomley
2023-07-21 13:10 ` Luca Boccassi
2023-07-21 13:33 ` James Bottomley
2023-07-21 15:14 ` Luca Boccassi
2023-07-21 15:22 ` Luca Boccassi
2023-07-21 15:27 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d67ac07c71097a4c97c8792c7c1fac9f4d5850dd.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=berrange@redhat.com \
--cc=bluca@debian.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=eesposit@redhat.com \
--cc=eric.snowberg@oracle.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=lennart@poettering.net \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=mingo@redhat.com \
--cc=ndesaulniers@google.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox