From: Luca Boccassi
Date: Wed, 12 Jul 2023 20:56:36 +0100
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
To: Borislav Petkov
Cc: Greg KH, Daniel P. Berrangé, Emanuele Giuseppe Esposito, H. Peter Anvin, x86@kernel.org, Thomas Gleixner, lennart@poettering.net, Ingo Molnar, Dave Hansen, Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, linux-kernel@vger.kernel.org
In-Reply-To: <20230712194202.GNZK8CCj4yacgFMgfB@fat_crate.local>
List-ID: linux-kernel@vger.kernel.org

On Wed, 12 Jul 2023 at 20:42, Borislav Petkov wrote:
>
> On Wed, Jul 12, 2023 at 08:35:14PM +0100, Luca Boccassi wrote:
> > No, all will not be fine, because stable branches exist, so it would
> > not be _one_ kernel version but N, with monotonically increasing
> > values of N. That doesn't work, and the reasons for that are explained
> > in the protocol documentation that was linked in the initial mail.
>
> Lemme give Peter's example from earlier today:
>
> Bugfix A -> number 2
> Bugfix B -> number 3
>
> Tree backports only Bugfix B. Which number do you use?
>
> And so on and so on.

Everything < 3 is revoked _and_ the generation id in the stable branch is
_not_ bumped, because it's still vulnerable and so that branch is
effectively dead and unbootable on any system with secure boot enabled.
This is a revocation mechanism, not a bug tracking mechanism. There's no
mix-and-matching.

> Patch your own trees - this doesn't belong upstream.

Nah, it belongs in both places. Please read the documentation and spend
at least some time trying to understand the actual problem being solved
before commenting - or don't comment at all, that's fine too.
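To make the generation-number semantics from the exchange above concrete, here is an added example (not code from the patch, shim, or anyone in the thread) modelling the SBAT revocation check: the CSV field layout follows the SBAT spec, but the component entries, generation numbers and revocation policy are constructed for illustration.

```python
import csv
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample data (not from the patch or the thread). Generation
# numbers are hypothetical; the real kernel entry is whatever the .sbat
# section in the patch carries. Field layout per the SBAT spec:
# component_name,component_generation,vendor_name,vendor_package_name,...
SBAT_UPSTREAM = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "linux,3,The Linux Kernel,linux,6.5-rc1,https://kernel.org\n"
)
# Stable branch that backported only Bugfix B: its generation stays at 2,
# because bumping to 3 would claim Bugfix A is present as well.
SBAT_STABLE = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "linux,2,The Linux Kernel,linux,6.1.y,https://kernel.org\n"
)
# Revocation policy (SbatLevel-style CSV): every linux image below gen 3 is revoked.
POLICY_REVOKE_BELOW_3 = "sbat,1,2023071200\nlinux,3\n"


def parse_generations(blob: str) -> Dict[str, int]:
    """Map component_name -> generation from an SBAT-style CSV blob
    (field 1 is the name, field 2 the generation; the rest is ignored)."""
    gens: Dict[str, int] = {}
    for row in csv.reader(StringIO(blob)):
        if len(row) >= 2 and row[0]:
            gens[row[0].strip()] = int(row[1])
    return gens


def boot_allowed(image_sbat: str, policy: str) -> Tuple[bool, List[str]]:
    """Apply the revocation policy to an image's .sbat data.

    A component is refused when the policy names it and the image's
    generation is below the policy minimum. This is an integer comparison
    only: the number cannot express "has Bugfix B but not Bugfix A"."""
    gens = parse_generations(image_sbat)
    mins = parse_generations(policy)
    refused = [
        f"{name}: generation {gens[name]} < required {minimum}"
        for name, minimum in mins.items()
        if name in gens and gens[name] < minimum
    ]
    return (not refused, refused)


if __name__ == "__main__":
    for label, blob in (("upstream", SBAT_UPSTREAM), ("stable", SBAT_STABLE)):
        ok, why = boot_allowed(blob, POLICY_REVOKE_BELOW_3)
        print(label, "boots" if ok else "refused", why)
```

With the policy at "linux,3", the upstream image boots and the stable branch stuck at generation 2 is refused even though it carries the fix for B, which is exactly the "dead branch" outcome described in the reply.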