lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230623123622.4126234-1-eesposit@redhat.com>
Date:   Fri, 23 Jun 2023 08:36:22 -0400
From:   Emanuele Giuseppe Esposito <eesposit@...hat.com>
To:     x86@...nel.org
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Alexander Potapenko <glider@...gle.com>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Daniel P . Berrangé <berrange@...hat.com>,
        linux-kernel@...r.kernel.org,
        Emanuele Giuseppe Esposito <eesposit@...hat.com>
Subject: [RFC PATCH] x86/boot: add .sbat section to the bzImage

*Important*: this is just an RFC, as I am not expert in this area and
I don't know what's the best way to achieve this.

The aim of this patch is to add a .sbat section to the linux binary
(https://github.com/rhboot/shim/blob/main/SBAT.md).
We mainly need SBAT in UKIs (Unified Kernel Images), as we might want
to revoke authorizations to specific signed PEs that were initially
considered as trusted. The reason might be for example a security issue
related to a specific linux release.

A .sbat is simply a section containing a string with the component name
and a version number. This version number is compared with the value in
OVMF_VARS, and if it's less than the variable, the binary is not trusted,
even if it is correctly signed.

Right now an UKI is built with a .sbat section containing the
systemd-stub sbat string (upstream + vendor), we would like to add
also a per-component specific string (ie vmlinux has its own sbat,
again upstream + vendor, each signed add-on its own and so on).
In this way, if a specific kernel version has an issue, we can revoke
it without compromising all other UKIs that are using a different
kernel with the same stub/initrd/something else.

Issues with this patch:
* the string is added in a file but it is never deleted
* if the code is not modified but make is issued again, objcopy will
  be called again and will fail because .sbat exists already, making
  compilation fail
* minor display issue: objcopy command is printed in the make logs

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@...hat.com>
---
 arch/x86/boot/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
index 9e38ffaadb5d..65ff6fcf5372 100644
--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -83,6 +83,8 @@ cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \
 
 $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE
 	$(call if_changed,image)
+	@$(kecho) "linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org" > linux.sbat;
+	$(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=linux.sbat $@;
 	@$(kecho) 'Kernel: $@ is ready' ' (#'$(or $(KBUILD_BUILD_VERSION),`cat .version`)')'
 
 OBJCOPYFLAGS_vmlinux.bin := -O binary -R .note -R .comment -S
-- 
2.39.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ