Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <5e01b6a5-f993-f99d-41a0-ab671ec598f8@redhat.com>
Date:   Wed, 12 Jul 2023 08:19:32 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.10.0
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
Content-Language: de-CH
To:     "H. Peter Anvin" <hpa@zytor.com>, x86@kernel.org
Cc:     Thomas Gleixner <tglx@linutronix.de>, bluca@debian.org,
        lennart@poettering.net, Ingo Molnar <mingo@redhat.com>,
        Borislav Petkov <bp@alien8.de>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Masahiro Yamada <masahiroy@kernel.org>,
        Alexander Potapenko <glider@google.com>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        =?UTF-8?Q?Daniel_P_=2e_Berrang=c3=a9?= <berrange@redhat.com>,
        linux-kernel@vger.kernel.org
References: <20230711154449.1378385-1-eesposit@redhat.com>
 <7E9D397B-439F-484C-B950-9094605A7B4D@zytor.com>
From:   Emanuele Giuseppe Esposito <eesposit@redhat.com>
In-Reply-To: <7E9D397B-439F-484C-B950-9094605A7B4D@zytor.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: bulk


Am 12/07/2023 um 03:33 schrieb H. Peter Anvin:
> On July 11, 2023 8:44:49 AM PDT, Emanuele Giuseppe Esposito <eesposit@redhat.com> wrote:
>> *Important*: this is just an RFC, as I am not expert in this area and
>> I don't know what's the best way to achieve this.
>>
>> v2:
>> * add standard "sbat,1,SBAT Version,..." header string
>>
>> The aim of this patch is to add a .sbat section to the linux binary
>> (https://github.com/rhboot/shim/blob/main/SBAT.md).
>> We mainly need SBAT in UKIs (Unified Kernel Images), as we might want
>> to revoke authorizations to specific signed PEs that were initially
>> considered as trusted. The reason might be for example a security issue
>> related to a specific linux release.
>>
>> A .sbat is simply a section containing a string with the component name
>> and a version number. This version number is compared with the value in
>> OVMF_VARS, and if it's less than the variable, the binary is not trusted,
>> even if it is correctly signed.
>>
>> Right now an UKI is built with a .sbat section containing the
>> systemd-stub sbat string (upstream + vendor), we would like to add
>> also a per-component specific string (ie vmlinux has its own sbat,
>> again upstream + vendor, each signed add-on its own and so on).
>> In this way, if a specific kernel version has an issue, we can revoke
>> it without compromising all other UKIs that are using a different
>> kernel with the same stub/initrd/something else.
>>
>> Issues with this patch:
>> * the string is added in a file but it is never deleted
>> * if the code is not modified but make is issued again, objcopy will
>>  be called again and will fail because .sbat exists already, making
>>  compilation fail
>> * minor display issue: objcopy command is printed in the make logs
>>
> Please ignore my previous message. It is a separate PECOFF section because it is consumed by UEFI rather than Linux.
> 
No worries :) thanks for responding!
Any hints on how to solve any of the issues I mention above?

And any comment on the SBAT string itself? I would like to get an
agreement on
"linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org"
before we use it as semplate also for downstream.

Thank you,
Emanuele