[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5e01b6a5-f993-f99d-41a0-ab671ec598f8@redhat.com>
Date: Wed, 12 Jul 2023 08:19:32 +0200
From: Emanuele Giuseppe Esposito <eesposit@...hat.com>
To: "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org
Cc: Thomas Gleixner <tglx@...utronix.de>, bluca@...ian.org,
lennart@...ttering.net, Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Masahiro Yamada <masahiroy@...nel.org>,
Alexander Potapenko <glider@...gle.com>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Daniel P . Berrangé <berrange@...hat.com>,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
Am 12/07/2023 um 03:33 schrieb H. Peter Anvin:
> On July 11, 2023 8:44:49 AM PDT, Emanuele Giuseppe Esposito <eesposit@...hat.com> wrote:
>> *Important*: this is just an RFC, as I am not expert in this area and
>> I don't know what's the best way to achieve this.
>>
>> v2:
>> * add standard "sbat,1,SBAT Version,..." header string
>>
>> The aim of this patch is to add a .sbat section to the linux binary
>> (https://github.com/rhboot/shim/blob/main/SBAT.md).
>> We mainly need SBAT in UKIs (Unified Kernel Images), as we might want
>> to revoke authorizations to specific signed PEs that were initially
>> considered as trusted. The reason might be for example a security issue
>> related to a specific linux release.
>>
>> A .sbat is simply a section containing a string with the component name
>> and a version number. This version number is compared with the value in
>> OVMF_VARS, and if it's less than the variable, the binary is not trusted,
>> even if it is correctly signed.
>>
>> Right now an UKI is built with a .sbat section containing the
>> systemd-stub sbat string (upstream + vendor), we would like to add
>> also a per-component specific string (ie vmlinux has its own sbat,
>> again upstream + vendor, each signed add-on its own and so on).
>> In this way, if a specific kernel version has an issue, we can revoke
>> it without compromising all other UKIs that are using a different
>> kernel with the same stub/initrd/something else.
>>
>> Issues with this patch:
>> * the string is added in a file but it is never deleted
>> * if the code is not modified but make is issued again, objcopy will
>> be called again and will fail because .sbat exists already, making
>> compilation fail
>> * minor display issue: objcopy command is printed in the make logs
>>
> Please ignore my previous message. It is a separate PECOFF section because it is consumed by UEFI rather than Linux.
>
No worries :) thanks for responding!
Any hints on how to solve any of the issues I mention above?
And any comment on the SBAT string itself? I would like to get an
agreement on
"linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org"
before we use it as semplate also for downstream.
Thank you,
Emanuele
Powered by blists - more mailing lists