lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87ecz9nevi.fsf@redhat.com>
Date: Fri, 07 Mar 2025 14:34:41 +0100
From: Vitaly Kuznetsov <vkuznets@...hat.com>
To: Ard Biesheuvel <ardb@...nel.org>
Cc: x86@...nel.org, linux-efi@...r.kernel.org, Thomas Gleixner
 <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Dave Hansen
 <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>, Peter
 Jones <pjones@...hat.com>, Daniel Berrange <berrange@...hat.com>, Emanuele
 Giuseppe Esposito <eesposit@...hat.com>, Gerd Hoffmann
 <kraxel@...hat.com>, Greg KH <gregkh@...uxfoundation.org>, Luca Boccassi
 <bluca@...ian.org>, Peter Zijlstra <peterz@...radead.org>, Matthew Garrett
 <mjg59@...f.ucam.org>, James Bottomley
 <James.Bottomley@...senpartnership.com>, Eric Snowberg
 <eric.snowberg@...cle.com>, Paolo Bonzini <pbonzini@...hat.com>,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC] x86/efi: Add a mechanism for embedding SBAT section

Ard Biesheuvel <ardb@...nel.org> writes:

> Hi Vitaly,
>
> Thanks for the elaborate writeup
>
>
> On Wed, 5 Mar 2025 at 11:18, Vitaly Kuznetsov <vkuznets@...hat.com> wrote:
>>
>> SBAT is a mechanism which improves SecureBoot revocations of UEFI binaries
>> by introducing a generation-based technique. Compromised or vulnerable UEFI
>> binaries can be prevented from booting by bumping the minimal required
>> generation for the specific component in the bootloader. More information
>> on the SBAT can be obtained here:
>>
>> https://github.com/rhboot/shim/blob/main/SBAT.md
>>
>> Previously, an attempt was made to add ".sbat" section to the linux kernel:
>>
>> https://lwn.net/Articles/938422/
>>
>> The approach was rejected mainly because currently there's no policy on how
>> to update SBAT generation number when a new vulnerability is discovered. In
>> particular, it is unclear what to do with stable kernels which may or may
>> not backport certain patches making it impossible to describe the current
>> state with a simple number.
>>
>> This patch suggests a different approach: instead of defining SBAT
>> information, provide a mechanism for downstream kernel builders (distros)
>> to include their own SBAT data.
>
> Why does this require a mechanism in the upstream kernel at all?
> Signing the kernel (which includes appending a cert table) does not
> require such changes, so why is this needed when adding an additional
> PE/COFF section?

Hi Ard,

strictly speaking this is not a must (and that's part of the RFC, thanks
for looking into it!). The main intention is to make distro's life
easier by providing a working mechanism upstream. Here is an example of
a downstream-only solution I've drafted for Fedora based distros:

https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3581/diffs?commit_id=07005140712545cb4dfce09da03545d9c54515e6

nothing too complicated but not a trivial one-liner either. I'm fairly
sure kernel maintainers would very much prefer to have a simple
"CONFIG_EFI_SBAT_FILE=/my/distros/sbat/data" instead.

Additional motivation can be to avoid divergence between distros
(e.g. one distro may deside to do things the way this patch does, the
other decides to put it to the end, the third patches 'setup' and so on)
which may lead to some incompatibility and distro-specific workarounds
in bootloaders (e.g. shim) in the future. Third, having the SBAT
*mechanism* supported upstream raises the visibility of the technology
for those who do their own SecureBoot kernel signing.

>
>> This leaves the decision on the policy to
>> the distro vendors. Basically, each distro implementing SecureBoot today,
>> will have an option to inject their own SBAT data during kernel build and
>> before it gets signed by their SecureBoot CA. Different distro do not need
>> to agree on the common SBAT component names or generation numbers as each
>> distro ships its own 'shim' with their own 'vendor_cert'/'vendor_db'. Linux
>> upstream will never, ever need to care about the data unless they choose in
>> the future to participate in that way.
>>
>
> I'm sure this paragraph will make some skeptics happy.
>

It was a heated discussion last time so I had to :-)

>> Currently, shim checks .sbat data for itself in self-test and for second
>> stage bootloaders (grub, sd-boot, UKIs with sd-stub, ...) but kernel
>> revocations require cycling signing keys or adding kernel hashes to shim's
>> internal dbx. Adding .sbat to kernel and enforcing it on kernel loading
>> will allow us to do the same tracking and revocation distros are already
>> doing with a simplified mechanism, and without having to keep lists of
>> kernels outside of the git repos.
>>
>> Finding a place for SBAT section turned out to be a bit tricky. Current
>> PE layout looks like this:
>>
>> - without CONFIG_EFI_MIXED:
>>   +-----------------------------------+-------------------------------+
>>   | setup            [setup_signature]| compressed text | data [crc32]|
>>   +-----------------------------------+-----------------+-------------+
>>
>> - with CONFIG_EFI_MIXED:
>>   +-------+---------------------------+----------------+-------------+
>>   | setup | pecompat [setup_signature]| compressed text| data [crc32]|
>>   +-------+---------------------------+----------------+-------------+
>>
>> Limitations are:
>> - To avoid problems with signatures, all sections must be 4k aligned with
>>   no gaps between them.
>> - CRC32 must be at the end of the file.
>
> We never cared about the CRC32 before with signed EFI images, which
> gets clobbered when the image is signed. Why should we start caring
> about it now?

Oh, that's a good point, actually. As there's no reason to add SBAT to a
kernel which is not going to be signed and signing breaks CRC32 anyway,
we can as well add the section to the very end. Personally, I'd suggest
we then don't put any CRC32 there at all and clearly state that in the
documentation to avoid the confusion when people discover that there's a
CRC which doesn't match.

>
>> - Nothing can be put before 'setup'.
>> - Nothing can be squeezed between [setup_signature] and compressed text.
>> - The whole 'setup' (everything before '.text') must fit into 8 4k pages.
>>
>> Note: .pecompat contains only 8 bytes of useful data but to save the space,
>> the tail from .setup including [setup_signature] is also added to it (see
>> commit 1ad55cecf22f ("x86/efistub: Use 1:1 file:memory mapping for PE/COFF
>> .compat section")).
>>
>> With the limitations, there are three straightforward options:
>> - Put .sbat between .setup and .pecompat. Advantage: with normal sized
>> SBAT, kernel grows by 1 page only. Disadvantage: this one page comes from
>> the precious '8 pages' limit.
>>
>> - Put .sbat to the very end of the file. Advantage: no need to touch
>> 'setup'. Disadvantage: two pages are now needed as we don't want to make
>> CRC32 part of the SBAT section.
>>
>> - Put .sbat between '.text' and '.data'. Advantages: no need to touch
>> 'setup' and CRC32. 'CONFIG_EFI_MIXED' case doesn't seem to make much
>> difference either.
>>
>> Implement the last one as it doesn't seem to have obvious disadvantages.
>>
>> Signed-off-by: Vitaly Kuznetsov <vkuznets@...hat.com>
>> ---
>> RFC part:
>> - General acceptance of the idea.
>> - .sbat section placement.
>>
>> The implementation is done for x86 only at this moment but I think it
>> shouldn't be that hard to extend it to other arches (and I hope the
>> solution for those which use common zboot mechanism will be the same).
>
> Please don't create a special case for x86 again - iff this needs to
> be in upstream (which I am not convinced about) it needs to be
> implemented for all architectures.

Oh, absolutely -- if we get past the 'general acceptance', then let's do
other UEFI supporting arches from day 1. 

>
> So I'd like to understand better what is preventing you from appending
> a PE/COFF section on an arbitrary bzImage (or EFI zboot image).
>
> Given an arbitrary PE/COFF image, I see
>
>   Section {
>     Number: 4
>     Name: .data (2E 64 61 74 61 00 00 00)
>     VirtualSize: 0x47000
>     VirtualAddress: 0x934000
>     RawDataSize: 4608
>     PointerToRawData: 0x934000
>     PointerToRelocations: 0x0
>     PointerToLineNumbers: 0x0
>     RelocationCount: 0
>     LineNumberCount: 0
>     Characteristics [ (0xC0000040)
>       IMAGE_SCN_CNT_INITIALIZED_DATA (0x40)
>       IMAGE_SCN_MEM_READ (0x40000000)
>       IMAGE_SCN_MEM_WRITE (0x80000000)
>     ]
>
> as the last section. There should be sufficient space in the header to
> add an additional section descriptor.
>
> So what is preventing us from just appending the SBAT data to the
> file, and creating a 5th section that lives right after .data both in
> the file view (at 0x934000 + 4608) and in the memory view (0x934000 +
> 0x47000). That should produce a valid PE/COFF image, no?

Yes, if we forget about the CRC32 (which we do anyway), then adding a
section to the end by external tool should work for as long as we have
enough space in the header to add a new section. As this is going to be
a downstream-only approach, nothing will guarantee that long term and
things may eventually break.

-- 
Vitaly

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ