From: Ard Biesheuvel
Date: Fri, 14 Jul 2023 10:52:20 +0200
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
To: Luca Boccassi, Peter Jones, Matthew Garrett
Cc: Emanuele Giuseppe Esposito, x86@kernel.org, Thomas Gleixner, lennart@poettering.net, Ingo Molnar, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, Daniel P. Berrangé, linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org
References: <20230711154449.1378385-1-eesposit@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

(cc Peter and Matthew)

On Fri, 14 Jul 2023 at 00:32, Luca Boccassi wrote:
>
> On Thu, 13 Jul 2023 at 14:52, Ard Biesheuvel wrote:
> >
> > Note that by Windows-crippled, I mean x86 PCs built by OEMs who care
> > about nothing other than the Windows logo sticker. These PCs often don't
> > allow secure boot keys to be modified by the owner of the machine, or
> > secure boot to be disabled at all. This is why shim exists, not because
> > UEFI secure boot is broken by design.
>
> AFAIK that's not only against the spec but also the logo
> certification, which x86 OEMs are doing that and in which models?
> Happy to flag that and inquire.

Thanks.

My Yoga C630 Snapdragon laptop definitely does not allow me to update
the keys from the UI, but it does allow me to disable secure boot. It
might work with SetVariable() directly but I've never tried.

Maybe the OEMs have gotten better at this over the years, but it is
definitely not possible for the distros to rely on being able to get
their own cert into KEK and sign their builds directly.
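The thread turns on whether the machine owner can see and change the Secure Boot key hierarchy (PK, KEK, db) from the OS. The following is an added example, not code from this thread or from any of the participants: it decodes the efivarfs images of the SecureBoot and SetupMode variables and walks the EFI_SIGNATURE_LIST structures that make up KEK, so a defender can audit which owner GUIDs are enrolled and whether the firmware is in setup mode (no PK enrolled, so plain writes can enroll keys) before deciding whether a distro certificate could ever land in KEK. The signature-type GUIDs, the efivarfs attribute layout, the EFI_SIGNATURE_LIST header layout and the `/sys/firmware/efi/efivars` path are from the UEFI specification and the Linux efivarfs ABI; the owner GUIDs, the placeholder certificate bytes and the sample hashes in `sample_kek_blob()` are constructed here for illustration and are not real vendor values.

```python
"""Audit UEFI Secure Boot state and KEK contents from efivarfs-format blobs."""
import os
import struct
import uuid

# Signature-type GUIDs published in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
# Vendor GUID under which SecureBoot, SetupMode and KEK live (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Constructed owner GUIDs for the sample data below; not real vendor identifiers.
SAMPLE_OEM_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DISTRO_OWNER = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
SIG_LIST_HDR = struct.Struct("<16sIII")


def efivarfs_payload(blob: bytes):
    """Split an efivarfs file image into its leading 4-byte attribute word and data."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob is shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def secure_boot_state(secureboot_blob: bytes, setupmode_blob: bytes) -> dict:
    """Decode SecureBoot and SetupMode, which each carry a single data byte."""
    _, sb = efivarfs_payload(secureboot_blob)
    _, sm = efivarfs_payload(setupmode_blob)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot and SetupMode must carry exactly one data byte")
    return {
        "secure_boot_enabled": sb[0] == 1,
        # SetupMode == 1 means no PK is enrolled, so the owner can enroll
        # KEK/db entries without a PK-signed authenticated variable write.
        "setup_mode": sm[0] == 1,
    }


def build_signature_list(sig_type: uuid.UUID, entries) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all entries in a list share one size."""
    sizes = {len(payload) for _, payload in entries}
    if len(sizes) != 1:
        raise ValueError("every signature in a list must have the same size")
    sig_size = 16 + sizes.pop()  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + payload for owner, payload in entries)
    hdr = SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


def parse_signature_lists(data: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LIST structures, rejecting malformed sizes."""
    entries, off, end = [], 0, len(data)
    while off < end:
        if end - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > end:
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body = data[off + SIG_LIST_HDR.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile list at offset {off}")
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=body[i:i + 16])),
                "size": sig_size - 16,
            })
        off += list_size
    return entries


def sample_kek_blob() -> bytes:
    """Constructed efivarfs KEK image: one OEM x509 entry plus two distro hashes."""
    fake_oem_cert = b"\x30\x82" + b"\x00" * 62  # placeholder bytes, not a real certificate
    x509_list = build_signature_list(EFI_CERT_X509_GUID, [(SAMPLE_OEM_OWNER, fake_oem_cert)])
    sha_list = build_signature_list(EFI_CERT_SHA256_GUID, [
        (SAMPLE_DISTRO_OWNER, bytes([0xAA]) * 32),
        (SAMPLE_DISTRO_OWNER, bytes([0xBB]) * 32),
    ])
    attrs = 0x27  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS, as KEK is stored
    return struct.pack("<I", attrs) + x509_list + sha_list


def read_efivar(name: str) -> bytes:
    """Read a global-namespace variable from efivarfs on a live system."""
    with open(os.path.join(EFIVARS_DIR, f"{name}-{EFI_GLOBAL_VARIABLE}"), "rb") as f:
        return f.read()


if __name__ == "__main__":
    if os.path.isdir(EFIVARS_DIR):
        state = secure_boot_state(read_efivar("SecureBoot"), read_efivar("SetupMode"))
        _, kek = efivarfs_payload(read_efivar("KEK"))
    else:  # offline: use the constructed sample so the script still demonstrates the parser
        state = secure_boot_state(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
        _, kek = efivarfs_payload(sample_kek_blob())
    print(state)
    for e in parse_signature_lists(kek):
        print(f"KEK {e['type']:6} owner={e['owner']} bytes={e['size']}")
```

On a real machine this needs root (efivarfs is readable only by root on most distros), and the owner GUIDs it prints are what `mokutil --kek` would also show; a non-empty KEK with `setup_mode` false is exactly the situation Ard describes, where adding a distro certificate requires a PK-signed update the owner cannot produce.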