Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp38248178rwd;
        Wed, 12 Jul 2023 05:20:06 -0700 (PDT)
X-Google-Smtp-Source: APBJJlH7pesFymktzAOC/VoYP/B5GBaFOJFhqttezFb5vMFdV3vheYCT7Vt7HhGhfinbJjLuqzj/
X-Received: by 2002:a17:906:83:b0:992:42d4:a7dc with SMTP id 3-20020a170906008300b0099242d4a7dcmr18942578ejc.21.1689164406066;
        Wed, 12 Jul 2023 05:20:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689164406; cv=none;
        d=google.com; s=arc-20160816;
        b=MUqwwbRvQswu0gMXZuoHGh19HvcRb7UfdI398o+Xma6a2UxFb33263UBIfPm6MXfqC
         Hl0CY9K3R6fxW6JiTXizEnG33sNfVf6hCcnScAG/SzF2TJn3OfVe9U2IzJ0nOSTp8nYs
         66jKvhAWNZrWOEYvpptB3vDioq6+RTtYMPTSScJoUVGHE70upGg0sVEMUPWS3zTQaT/3
         3szQJh/ygTIb2xzcku+n6ptCOGOFOfHT7iZ6Y1G311j7xJf2ximloRWpCRmSD22vwmfW
         rytg6ntu5yw8dlcDbiGrihymRpFxJmQsITcIUYEmR1kck3o7JTJAvS1w0FbpXMG5QOyB
         irsA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature
         :dkim-signature;
        bh=J1nbq+Flb3xWaMjMRyH8lLNErBvozlvfas8/OBqBdaA=;
        fh=wwTNX3nXeRp2qO16n0TTFIFKQvebwS5Lk96rcKMozwA=;
        b=gqqmBWJTrd1tmo5x35c/iWMxoVXQFIPKYbM7fJNTsCWdYKdZWBDDvYaaUUWWxmQjGB
         MoKCwCiF79yYyDxdzVOTg3wIYf63ARp4snoOY/TeCqnd3Vwso4uMkx0P5tjetvrT6L/B
         gv2VsAw0Aq/LAldXflEAsyk6yWI9w8PPrlD4nIHywsqh+8sc9rf+xW+q0jDq0Ny4TnvX
         YNix7sxFl0vAsxh+hwpTmYA7WlsMOtkcfbf0hzAyCYC66WXx/4T680q3q7TOfL8gNmrP
         R9yoQi/RmetC7outDl+rok03RzTPwRbxtyjoHZHozs4K/sOvk/W6cOwR73F4QlkCHJDl
         cYtg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@alien8.de header.s=dkim header.b=LUYU17FG;
       dkim=pass header.i=@alien8.de header.s=alien8 header.b=e7ooaicP;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id i8-20020a17090639c800b0097885fd66f4si5035752eje.162.2023.07.12.05.19.41;
        Wed, 12 Jul 2023 05:20:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@alien8.de header.s=dkim header.b=LUYU17FG;
       dkim=pass header.i=@alien8.de header.s=alien8 header.b=e7ooaicP;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232706AbjGLMAx (ORCPT <rfc822;allen.lkml@gmail.com> + 99 others);
        Wed, 12 Jul 2023 08:00:53 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51774 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232351AbjGLMAu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 Jul 2023 08:00:50 -0400
Received: from mail.skyhub.de (mail.skyhub.de [IPv6:2a01:4f8:190:11c2::b:1457])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 45BA51BEC
        for <linux-kernel@vger.kernel.org>; Wed, 12 Jul 2023 05:00:27 -0700 (PDT)
Received: from mail.alien8.de (mail.alien8.de [IPv6:2a01:4f9:3051:3f93::2])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id 548D21EC0CAF;
        Wed, 12 Jul 2023 14:00:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=dkim;
        t=1689163225;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:in-reply-to:in-reply-to:  references:references;
        bh=J1nbq+Flb3xWaMjMRyH8lLNErBvozlvfas8/OBqBdaA=;
        b=LUYU17FGQjunOIsffE5Q9g+h6T1HJW+eV9N7ZGpV93yzm55MeXxEtHUxLOT06Ycfs0bE/V
        qKaIaw6kPuToq72Nnzm/T6VmVfgoRYAF9YPUW1Rc3zFvB/MZYUmclEUqyaswBCTj+cxu4P
        YRHtaQomlbSMEJGoNAHDDEX7tqXAieg=
X-Virus-Scanned: Debian amavisd-new at mail.alien8.de
Authentication-Results: mail.alien8.de (amavisd-new); dkim=pass (4096-bit key)
        header.d=alien8.de
Received: from mail.alien8.de ([127.0.0.1])
        by localhost (mail.alien8.de [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id eAP0VmbZHX2N; Wed, 12 Jul 2023 12:00:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=alien8;
        t=1689163222; bh=J1nbq+Flb3xWaMjMRyH8lLNErBvozlvfas8/OBqBdaA=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=e7ooaicP5bzfGbenwSFp5l/E4k8cNlwbvX7maVZi2+gdzCNZTXJu3DDmekDqm6wW6
         Rmcd+BH0Yc+Hxc55nVQjtq6HyuErnoNrdYvktJ0ubLBI+eImIfzPCwOii38Y51aVfw
         Mw91xmjpSvnwKChzy7Y/Ok2XXjPwfgv5t85trmW3M2wKC79440toTOy3ixri0v83MU
         sWpFsl13SjQMrZNDFGCZoDY5f8G6BTDzZ/Jspc5BQhiHGHvHdRrbc111HvyB8gZnun
         CLLu5vzVYzrMDZsvVNFKbR1BU555FgdPb/Wi524LadW7VyPSKBrscl0ZXqW57SGgbG
         d0nkDvPNYG9CjYWSiZHz2zyM7/Ek5SiDJKUmhjgea0yeUU2Bk/xGMFCqaj2VfSjvkV
         oIKzfMxecGcBQRzhhrTOO5VLZIQ3NN6PX2U/HkPehOYfpQXfS9FXt/Kokl1b9ZXNVy
         O2Q1EaYNPvqPlLADd5fRJHaDx1sSEel6d/NqBgTJbSgM96isgPycR5TCNPZESH349v
         wSUx9cVsxpF9KMaVPbJX6hxXBE8HtTXmyeZsYhlXJjAufogAMqFhmLVRILNWFXRMgj
         G3LiT55Ay7cZPfq0fDOb7y7/gTVzNesSGk0uqSFnIeDite44ZDHX3Se4akzduyDIHc
         RpRelWVA1MQnUwbREumzEjc4=
Received: from zn.tnic (pd9530d32.dip0.t-ipconnect.de [217.83.13.50])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256)
        (No client certificate requested)
        by mail.alien8.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id 03A9440E0140;
        Wed, 12 Jul 2023 12:00:06 +0000 (UTC)
Date:   Wed, 12 Jul 2023 14:00:02 +0200
From:   Borislav Petkov <bp@alien8.de>
To:     Emanuele Giuseppe Esposito <eesposit@redhat.com>
Cc:     "H. Peter Anvin" <hpa@zytor.com>, x86@kernel.org,
        Thomas Gleixner <tglx@linutronix.de>, bluca@debian.org,
        lennart@poettering.net, Ingo Molnar <mingo@redhat.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Masahiro Yamada <masahiroy@kernel.org>,
        Alexander Potapenko <glider@google.com>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        Daniel P =?utf-8?B?LiBCZXJyYW5nw6k=?= <berrange@redhat.com>,
        linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
Message-ID: <20230712120002.GIZK6Vwga6DlJqdjEh@fat_crate.local>
References: <20230711154449.1378385-1-eesposit@redhat.com>
 <7E9D397B-439F-484C-B950-9094605A7B4D@zytor.com>
 <5e01b6a5-f993-f99d-41a0-ab671ec598f8@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <5e01b6a5-f993-f99d-41a0-ab671ec598f8@redhat.com>
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 12, 2023 at 08:19:32AM +0200, Emanuele Giuseppe Esposito wrote:
> And any comment on the SBAT string itself? I would like to get an
> agreement on
> "linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org"
> before we use it as semplate also for downstream.

Yeah, looks useless to me. With your patch I get:

$ cat linux.sbat
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
linux,1,The Linux Developers,linux,6.5.0-rc1,https://linux.org

But my branch is:

$ git describe
v6.5-rc1-6-g3f01e9fed845

So your thing needs to enable CONFIG_LOCALVERSION_AUTO or so which
allows for uniquely identifying the build. At least I think it did at
some point. So that you can do stuff like:

$ file vmlinux
vmlinux: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=19f22ac85675ea30042fb703373d97c460bb5a61, with debug_info, not stripped

and you have a build ID sha there.

But not even that works because if I change the source, I still get the
same sha. So it needs to be an mechanism which identifies the kernel
image uniquely.

And then why does it have to be a separate section? All those
requirements need to be written down.

And regardless what you do, this looks like a contract between the
kernel and userspace tools so it absolutely needs to be documented
somewhere prominently - not in a commit message with links to flaky URLs
which would probably change in the future - and explained what the tools
parse and where one can find that parsing code.

Because if we go and change that, we need to be able to verify whether
we're not breaking any userspace tools.

Actually, I wouldn't mind even having a small script which does the
parsing and which we can use to check that we're not breaking things.

Also, while building this says:

objcopy --set-section-alignment '.sbat=512' --add-section .sbat=linux.sbat arch/x86/boot/bzImage;
objcopy: arch/x86/boot/st2fStm6:.sbat: section below image base

So you need to make it quiet.

And so on and so on...

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette