lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMj1kXF-c46Bdw_cmLK-TckxukefqkpAYkOhg3jzfvW6YucDog@mail.gmail.com>
Date: Fri, 7 Mar 2025 12:12:20 +0100
From: Ard Biesheuvel <ardb@...nel.org>
To: Vitaly Kuznetsov <vkuznets@...hat.com>
Cc: x86@...nel.org, linux-efi@...r.kernel.org, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>, 
	Peter Jones <pjones@...hat.com>, Daniel Berrange <berrange@...hat.com>, 
	Emanuele Giuseppe Esposito <eesposit@...hat.com>, Gerd Hoffmann <kraxel@...hat.com>, 
	Greg KH <gregkh@...uxfoundation.org>, Luca Boccassi <bluca@...ian.org>, 
	Peter Zijlstra <peterz@...radead.org>, Matthew Garrett <mjg59@...f.ucam.org>, 
	James Bottomley <James.Bottomley@...senpartnership.com>, 
	Eric Snowberg <eric.snowberg@...cle.com>, Paolo Bonzini <pbonzini@...hat.com>, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC] x86/efi: Add a mechanism for embedding SBAT section

Hi Vitaly,

Thanks for the elaborate writeup


On Wed, 5 Mar 2025 at 11:18, Vitaly Kuznetsov <vkuznets@...hat.com> wrote:
>
> SBAT is a mechanism which improves SecureBoot revocations of UEFI binaries
> by introducing a generation-based technique. Compromised or vulnerable UEFI
> binaries can be prevented from booting by bumping the minimal required
> generation for the specific component in the bootloader. More information
> on the SBAT can be obtained here:
>
> https://github.com/rhboot/shim/blob/main/SBAT.md
>
> Previously, an attempt was made to add ".sbat" section to the linux kernel:
>
> https://lwn.net/Articles/938422/
>
> The approach was rejected mainly because currently there's no policy on how
> to update SBAT generation number when a new vulnerability is discovered. In
> particular, it is unclear what to do with stable kernels which may or may
> not backport certain patches making it impossible to describe the current
> state with a simple number.
>
> This patch suggests a different approach: instead of defining SBAT
> information, provide a mechanism for downstream kernel builders (distros)
> to include their own SBAT data.

Why does this require a mechanism in the upstream kernel at all?
Signing the kernel (which includes appending a cert table) does not
require such changes, so why is this needed when adding an additional
PE/COFF section?

> This leaves the decision on the policy to
> the distro vendors. Basically, each distro implementing SecureBoot today,
> will have an option to inject their own SBAT data during kernel build and
> before it gets signed by their SecureBoot CA. Different distro do not need
> to agree on the common SBAT component names or generation numbers as each
> distro ships its own 'shim' with their own 'vendor_cert'/'vendor_db'. Linux
> upstream will never, ever need to care about the data unless they choose in
> the future to participate in that way.
>

I'm sure this paragraph will make some skeptics happy.

> Currently, shim checks .sbat data for itself in self-test and for second
> stage bootloaders (grub, sd-boot, UKIs with sd-stub, ...) but kernel
> revocations require cycling signing keys or adding kernel hashes to shim's
> internal dbx. Adding .sbat to kernel and enforcing it on kernel loading
> will allow us to do the same tracking and revocation distros are already
> doing with a simplified mechanism, and without having to keep lists of
> kernels outside of the git repos.
>
> Finding a place for SBAT section turned out to be a bit tricky. Current
> PE layout looks like this:
>
> - without CONFIG_EFI_MIXED:
>   +-----------------------------------+-------------------------------+
>   | setup            [setup_signature]| compressed text | data [crc32]|
>   +-----------------------------------+-----------------+-------------+
>
> - with CONFIG_EFI_MIXED:
>   +-------+---------------------------+----------------+-------------+
>   | setup | pecompat [setup_signature]| compressed text| data [crc32]|
>   +-------+---------------------------+----------------+-------------+
>
> Limitations are:
> - To avoid problems with signatures, all sections must be 4k aligned with
>   no gaps between them.
> - CRC32 must be at the end of the file.

We never cared about the CRC32 before with signed EFI images, which
gets clobbered when the image is signed. Why should we start caring
about it now?

> - Nothing can be put before 'setup'.
> - Nothing can be squeezed between [setup_signature] and compressed text.
> - The whole 'setup' (everything before '.text') must fit into 8 4k pages.
>
> Note: .pecompat contains only 8 bytes of useful data but to save the space,
> the tail from .setup including [setup_signature] is also added to it (see
> commit 1ad55cecf22f ("x86/efistub: Use 1:1 file:memory mapping for PE/COFF
> .compat section")).
>
> With the limitations, there are three straightforward options:
> - Put .sbat between .setup and .pecompat. Advantage: with normal sized
> SBAT, kernel grows by 1 page only. Disadvantage: this one page comes from
> the precious '8 pages' limit.
>
> - Put .sbat to the very end of the file. Advantage: no need to touch
> 'setup'. Disadvantage: two pages are now needed as we don't want to make
> CRC32 part of the SBAT section.
>
> - Put .sbat between '.text' and '.data'. Advantages: no need to touch
> 'setup' and CRC32. 'CONFIG_EFI_MIXED' case doesn't seem to make much
> difference either.
>
> Implement the last one as it doesn't seem to have obvious disadvantages.
>
> Signed-off-by: Vitaly Kuznetsov <vkuznets@...hat.com>
> ---
> RFC part:
> - General acceptance of the idea.
> - .sbat section placement.
>
> The implementation is done for x86 only at this moment but I think it
> shouldn't be that hard to extend it to other arches (and I hope the
> solution for those which use common zboot mechanism will be the same).

Please don't create a special case for x86 again - iff this needs to
be in upstream (which I am not convinced about) it needs to be
implemented for all architectures.

So I'd like to understand better what is preventing you from appending
a PE/COFF section on an arbitrary bzImage (or EFI zboot image).

Given an arbitrary PE/COFF image, I see

  Section {
    Number: 4
    Name: .data (2E 64 61 74 61 00 00 00)
    VirtualSize: 0x47000
    VirtualAddress: 0x934000
    RawDataSize: 4608
    PointerToRawData: 0x934000
    PointerToRelocations: 0x0
    PointerToLineNumbers: 0x0
    RelocationCount: 0
    LineNumberCount: 0
    Characteristics [ (0xC0000040)
      IMAGE_SCN_CNT_INITIALIZED_DATA (0x40)
      IMAGE_SCN_MEM_READ (0x40000000)
      IMAGE_SCN_MEM_WRITE (0x80000000)
    ]

as the last section. There should be sufficient space in the header to
add an additional section descriptor.

So what is preventing us from just appending the SBAT data to the
file, and creating a 5th section that lives right after .data both in
the file view (at 0x934000 + 4608) and in the memory view (0x934000 +
0x47000). That should produce a valid PE/COFF image, no?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ