Message-ID: <CAMj1kXHSW1=k59J9vOQULw2A_htLiKYc0h9zQ12xYqmutja+eg@mail.gmail.com>
Date: Fri, 9 May 2025 11:16:44 +0200
From: Ard Biesheuvel <ardb@...nel.org>
To: Vitaly Kuznetsov <vkuznets@...hat.com>
Cc: x86@...nel.org, linux-efi@...r.kernel.org,
Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>,
Peter Jones <pjones@...hat.com>, Daniel Berrange <berrange@...hat.com>,
Emanuele Giuseppe Esposito <eesposit@...hat.com>, Gerd Hoffmann <kraxel@...hat.com>,
Greg KH <gregkh@...uxfoundation.org>, Luca Boccassi <bluca@...ian.org>,
Peter Zijlstra <peterz@...radead.org>, Matthew Garrett <mjg59@...f.ucam.org>,
James Bottomley <James.Bottomley@...senpartnership.com>,
Eric Snowberg <eric.snowberg@...cle.com>, Paolo Bonzini <pbonzini@...hat.com>,
Paul Walmsley <paul.walmsley@...ive.com>, Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>, Alexandre Ghiti <alex@...ti.fr>, linux-riscv@...ts.infradead.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/2] efi: zboot specific mechanism for embedding SBAT section
On Mon, 5 May 2025 at 17:45, Vitaly Kuznetsov <vkuznets@...hat.com> wrote:
>
> SBAT is a mechanism which improves SecureBoot revocations of UEFI binaries
> by introducing a generation-based technique. Compromised or vulnerable UEFI
> binaries can be prevented from booting by bumping the minimal required
> generation for the specific component in the bootloader. More information
> on the SBAT can be obtained here:
>
> https://github.com/rhboot/shim/blob/main/SBAT.md
>
> Upstream Linux kernel does not currently participate in any way in SBAT as
> there's no existing policy on how the SBAT generation number should be
> defined. Keep the status quo and provide a mechanism for distro vendors and
> anyone else who signs their kernel for SecureBoot to include their own SBAT
> data. This leaves the decision on the policy to the vendor. Basically, each
> distro implementing SecureBoot today will have an option to inject their
> own SBAT data during kernel build and before it gets signed by their
> SecureBoot CA. Different distros do not need to agree on common SBAT
> component names or generation numbers as each distro ships its own 'shim'
> with its own 'vendor_cert'/'vendor_db'.
>
> Implement support for embedding SBAT data for architectures using
> zboot (arm64, loongarch, riscv). Put '.sbat' section in between '.data' and
> '.text' as the former also covers '.bss' and thus must be the last one.
>
> Signed-off-by: Vitaly Kuznetsov <vkuznets@...hat.com>
Reviewed-by: Ard Biesheuvel <ardb@...nel.org>
> ---
> drivers/firmware/efi/Kconfig | 24 +++++++++++++++++++++
> drivers/firmware/efi/libstub/Makefile.zboot | 4 ++++
> drivers/firmware/efi/libstub/zboot-header.S | 22 +++++++++++++++++--
> drivers/firmware/efi/libstub/zboot.lds | 11 ++++++++++
> 4 files changed, 59 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig
> index 5fe61b9ab5f9..db8c5c03d3a2 100644
> --- a/drivers/firmware/efi/Kconfig
> +++ b/drivers/firmware/efi/Kconfig
> @@ -281,6 +281,30 @@ config EFI_EMBEDDED_FIRMWARE
> bool
> select CRYPTO_LIB_SHA256
>
> +config EFI_SBAT
> + def_bool y if EFI_SBAT_FILE!=""
> +
> +config EFI_SBAT_FILE
> + string "Embedded SBAT section file path"
> + depends on EFI_ZBOOT
> + help
> + SBAT section provides a way to improve SecureBoot revocations of UEFI
> + binaries by introducing a generation-based mechanism. With SBAT, older
> + UEFI binaries can be prevented from booting by bumping the minimal
> + required generation for the specific component in the bootloader.
> +
> + Note: SBAT information is distribution specific, i.e. the owner of the
> + signing SecureBoot certificate must define the SBAT policy. Linux
> + kernel upstream does not define SBAT components and their generations.
> +
> + See https://github.com/rhboot/shim/blob/main/SBAT.md for the additional
> + details.
> +
> + Specify a file with SBAT data which is going to be embedded as '.sbat'
> + section into the kernel.
> +
> + If unsure, leave blank.
> +
> endmenu
>
> config UEFI_CPER
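Review bot: the help text for EFI_SBAT_FILE does not say how the path is interpreted; the same value is consumed both as a make prerequisite in Makefile.zboot and as the operand of `.incbin` in zboot-header.S, and a relative path can resolve against different directories in those two tools, so the help should state that an absolute path is expected (or say what a relative path is relative to). Minor wording in the same text: "SBAT section provides a way" reads better as "The SBAT section provides a way", and "for the additional details" as "for additional details".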
> diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
> index 48842b5c106b..92e3c73502ba 100644
> --- a/drivers/firmware/efi/libstub/Makefile.zboot
> +++ b/drivers/firmware/efi/libstub/Makefile.zboot
> @@ -44,6 +44,10 @@ AFLAGS_zboot-header.o += -DMACHINE_TYPE=IMAGE_FILE_MACHINE_$(EFI_ZBOOT_MACH_TYPE
> $(obj)/zboot-header.o: $(srctree)/drivers/firmware/efi/libstub/zboot-header.S FORCE
> $(call if_changed_rule,as_o_S)
>
> +ifneq ($(CONFIG_EFI_SBAT_FILE),)
> +$(obj)/zboot-header.o: $(CONFIG_EFI_SBAT_FILE)
> +endif
> +
> ZBOOT_DEPS := $(obj)/zboot-header.o $(objtree)/drivers/firmware/efi/libstub/lib.a
>
> LDFLAGS_vmlinuz.efi.elf := -T $(srctree)/drivers/firmware/efi/libstub/zboot.lds
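Review bot: the new prerequisite `$(obj)/zboot-header.o: $(CONFIG_EFI_SBAT_FILE)` assumes the variable expands to a bare path in make; Kconfig string symbols are carried into auto.conf with their surrounding double quotes, and Kbuild makefiles normally strip them (for example with `$(subst $(quote),,...)`) before using a value as a file name, whereas `.incbin CONFIG_EFI_SBAT_FILE` in the header wants exactly the quoted form from autoconf.h. Please verify that the dependency resolves to the real file, so that editing the SBAT data triggers a rebuild of zboot-header.o instead of a missing-target error.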
> diff --git a/drivers/firmware/efi/libstub/zboot-header.S b/drivers/firmware/efi/libstub/zboot-header.S
> index fb676ded47fa..e02247458b65 100644
> --- a/drivers/firmware/efi/libstub/zboot-header.S
> +++ b/drivers/firmware/efi/libstub/zboot-header.S
> @@ -123,11 +123,29 @@ __efistub_efi_zboot_header:
> IMAGE_SCN_MEM_READ | \
> IMAGE_SCN_MEM_EXECUTE
>
> +#ifdef CONFIG_EFI_SBAT
> + .ascii ".sbat\0\0\0"
> + .long __sbat_size
> + .long _sbat - .Ldoshdr
> + .long __sbat_size
> + .long _sbat - .Ldoshdr
> +
> + .long 0, 0
> + .short 0, 0
> + .long IMAGE_SCN_CNT_INITIALIZED_DATA | \
> + IMAGE_SCN_MEM_READ | \
> + IMAGE_SCN_MEM_DISCARDABLE
> +
> + .pushsection ".sbat", "a", @progbits
> + .incbin CONFIG_EFI_SBAT_FILE
> + .popsection
> +#endif
> +
> .ascii ".data\0\0\0"
> .long __data_size
> - .long _etext - .Ldoshdr
> + .long _data - .Ldoshdr
> .long __data_rawsize
> - .long _etext - .Ldoshdr
> + .long _data - .Ldoshdr
>
> .long 0, 0
> .short 0, 0
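Review bot: NumberOfSections in the COFF file header is not touched by this hunk; confirm that it is computed from the size of the section table rather than hard-coded, otherwise the loader will never see the added `.sbat` entry. The entry itself is consistent with the linker script: VirtualAddress and PointerToRawData both use `_sbat - .Ldoshdr`, VirtualSize and SizeOfRawData both use `__sbat_size`, and that equality only holds because `.sbat` is page aligned at both ends, so a short comment recording that assumption next to the entry would help whoever next changes the alignment. IMAGE_SCN_MEM_DISCARDABLE is the right characteristic here, since the data is only consumed by the bootloader's revocation check and not by the running image.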
> diff --git a/drivers/firmware/efi/libstub/zboot.lds b/drivers/firmware/efi/libstub/zboot.lds
> index 9ecc57ff5b45..c3a166675450 100644
> --- a/drivers/firmware/efi/libstub/zboot.lds
> +++ b/drivers/firmware/efi/libstub/zboot.lds
> @@ -29,7 +29,17 @@ SECTIONS
> . = _etext;
> }
>
> +#ifdef CONFIG_EFI_SBAT
> + .sbat : ALIGN(4096) {
> + _sbat = .;
> + *(.sbat)
> + _esbat = ALIGN(4096);
> + . = _esbat;
> + }
> +#endif
> +
> .data : ALIGN(4096) {
> + _data = .;
> *(.data* .init.data*)
> _edata = ALIGN(512);
> . = _edata;
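Review bot: the reason `.sbat` must sit between `.text` and `.data` is stated only in the commit message (`.data` has to stay last because its PE size also covers `.bss`); put that reasoning in a comment on the new output section, because a later reorder of the linker script would silently produce a PE header that no longer matches the layout. Note also that `_esbat = ALIGN(4096)` means the zero padding after the SBAT CSV is counted in `__sbat_size` and ends up inside the PE section, which is fine as long as the consumer tolerates trailing NUL bytes.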
> @@ -52,3 +62,4 @@ PROVIDE(__efistub__gzdata_size =
>
> PROVIDE(__data_rawsize = ABSOLUTE(_edata - _etext));
> PROVIDE(__data_size = ABSOLUTE(_end - _etext));
> +PROVIDE(__sbat_size = ABSOLUTE(_esbat - _sbat));
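Review bot: `__data_rawsize` and `__data_size` in the unchanged lines above are still computed from `_etext`, but the header hunk now reports the `.data` section as starting at `_data`; with CONFIG_EFI_SBAT set, `.sbat` lies between `_etext` and `_data`, so both sizes are inflated by the size of `.sbat` and the `.data` header describes a range that extends past the end of the file and of the image. They should become `ABSOLUTE(_edata - _data)` and `ABSOLUTE(_end - _data)`, which, as long as `_etext` is page aligned, is equivalent to the current expressions when `.sbat` is absent. Separately, the new `PROVIDE(__sbat_size = ...)` references `_sbat` and `_esbat` outside the `#ifdef CONFIG_EFI_SBAT` that defines them; this is harmless only while nothing references `__sbat_size` in that configuration, so wrapping it in the same conditional would be more robust.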
> --
> 2.49.0
>