[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <c4f3d532-289d-57eb-ac69-f8a503c11206@redhat.com>
Date: Mon, 10 Jul 2023 08:52:16 +0200
From: Emanuele Giuseppe Esposito <eesposit@...hat.com>
To: x86@...nel.org
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Masahiro Yamada <masahiroy@...nel.org>,
Alexander Potapenko <glider@...gle.com>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Daniel P . Berrangé <berrange@...hat.com>,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] x86/boot: add .sbat section to the bzImage
Am 23/06/2023 um 14:36 schrieb Emanuele Giuseppe Esposito:
> *Important*: this is just an RFC, as I am not expert in this area and
> I don't know what's the best way to achieve this.
>
> The aim of this patch is to add a .sbat section to the linux binary
> (https://github.com/rhboot/shim/blob/main/SBAT.md).
> We mainly need SBAT in UKIs (Unified Kernel Images), as we might want
> to revoke authorizations to specific signed PEs that were initially
> considered as trusted. The reason might be for example a security issue
> related to a specific linux release.
>
> A .sbat is simply a section containing a string with the component name
> and a version number. This version number is compared with the value in
> OVMF_VARS, and if it's less than the variable, the binary is not trusted,
> even if it is correctly signed.
>
> Right now an UKI is built with a .sbat section containing the
> systemd-stub sbat string (upstream + vendor), we would like to add
> also a per-component specific string (ie vmlinux has its own sbat,
> again upstream + vendor, each signed add-on its own and so on).
> In this way, if a specific kernel version has an issue, we can revoke
> it without compromising all other UKIs that are using a different
> kernel with the same stub/initrd/something else.
>
> Issues with this patch:
> * the string is added in a file but it is never deleted
> * if the code is not modified but make is issued again, objcopy will
> be called again and will fail because .sbat exists already, making
> compilation fail
> * minor display issue: objcopy command is printed in the make logs
>
> Signed-off-by: Emanuele Giuseppe Esposito <eesposit@...hat.com>
> ---
> arch/x86/boot/Makefile | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
> index 9e38ffaadb5d..65ff6fcf5372 100644
> --- a/arch/x86/boot/Makefile
> +++ b/arch/x86/boot/Makefile
> @@ -83,6 +83,8 @@ cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \
>
> $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE
> $(call if_changed,image)
> + @$(kecho) "linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org" > linux.sbat;
> + $(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=linux.sbat $@;
> @$(kecho) 'Kernel: $@ is ready' ' (#'$(or $(KBUILD_BUILD_VERSION),`cat .version`)')'
>
> OBJCOPYFLAGS_vmlinux.bin := -O binary -R .note -R .comment -S
ping?
Powered by blists - more mailing lists