Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp2208734rwp;
        Fri, 14 Jul 2023 02:32:39 -0700 (PDT)
X-Google-Smtp-Source: APBJJlGyL7BTIfxFlHKB/r/lp3KsDLUtC1++GJH5pUvPEWJiy+VKVt3BIkriswrgqYV+s32eo14X
X-Received: by 2002:a05:6a20:4285:b0:132:ff57:7def with SMTP id o5-20020a056a20428500b00132ff577defmr3770829pzj.58.1689327158807;
        Fri, 14 Jul 2023 02:32:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689327158; cv=none;
        d=google.com; s=arc-20160816;
        b=x0cE44pmBWIS7WyVyktXKvslaPxO2G61XIJY0TlJULm1FBs4gVKrP0Jn0Qlvc6faaz
         +uca2eRdaCpMK0CglE/hLUH2iruW65OdEyNiJ7kEP2GREvKrnnfQoBiatQsHr9m6XJOz
         O9dYW+fdeHIv5c3pFsj4rGMfJxr0CLtlrrrCQ3+fC4c9ZMS6xDm5/qRy6UCZotRQA3eP
         Vo1v1z9Dy8DlviK2YL2ACn/AYqG74mLDVaYm/gSX3q6KzuKt5ZKbWRzgvukl04qxCnwM
         o7rMQPPAAF6/qPhO5+JmQqM8WWtxnNAvkeW7OnRQcqhdZP2hliJ4B2wQYlzcLrylXclE
         7WFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=zSjLJFb39FNBSOh5wQyvDIfWzbGx5usUOhILzUK9hgs=;
        fh=9OASFO00zpl/xk+4iGbLC/T5aRheolU/Gw2MbPwt1s4=;
        b=zQ4IUr4lh/XdWXE56SQ/ZczcZVE8DT9sYEOu0lzvZ/gOgMVywfJhre5FpEbaKTcrSF
         NpmBcOtJs+ht597LOl0W5rtaRm+WHDvbwrMINkjCyVcmNcHg7KoasjMX+0DGE0ieA8CM
         E9kQwHQ8DyWHLhyQkJV5J9uatZHPfiV1SldQyRUBaQZiLpUIyNHiL07d91YLY4jFixVz
         ZqaPbp2MxI15QnO34mQ6iIE+7oa6bM42HQIAd6QtZASlgC0wIvciR8njl97fNaI4kfW/
         KnEdxPesta4hho6lMfbymHzy30+KEVSHpLXWLcocY/mgrCmBPzANUgj+6Wc7A4gALNL+
         12xQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="tz23xm0/";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id g13-20020a170902c98d00b001b8b4198474si6417833plc.282.2023.07.14.02.32.26;
        Fri, 14 Jul 2023 02:32:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="tz23xm0/";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235686AbjGNIwi (ORCPT <rfc822;allen.lkml@gmail.com> + 99 others);
        Fri, 14 Jul 2023 04:52:38 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57156 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235672AbjGNIwg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 14 Jul 2023 04:52:36 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 40BD31FFC;
        Fri, 14 Jul 2023 01:52:35 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id B618D61CAA;
        Fri, 14 Jul 2023 08:52:34 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 25D9BC43397;
        Fri, 14 Jul 2023 08:52:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1689324754;
        bh=zSjLJFb39FNBSOh5wQyvDIfWzbGx5usUOhILzUK9hgs=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=tz23xm0/NIzfbUxiApNIthA8Rcr9DIQ7TVF9IxLipiJb1+QiOh44dsMidIFkgDXCh
         kImpco0A227V59OzDVFOdwXayLJdMO6NXLzQgLlQBnVuGifGD4jw1aos2xA0dDJfaq
         HmSiivVZMfjF3usBlAhLVOrLyBSd/OB9tDpz8W5jIfVDqZVKMVS9fKPC9w7BwoVwdV
         qM8UY/UylCxQMn+Ub+gcRaxaDXpOLzqvUcMgdgQ/M0c1PZ5QtWZQnsoDlivt6JRZ93
         sDYgc3xVodvHfYigw/pspBEL87/l4GaNFWH8jU62bjZc+vDlCNLZISO31x7GFxOrpL
         HXwZCANd3xlKA==
Received: by mail-lj1-f174.google.com with SMTP id 38308e7fff4ca-2b703c900e3so24858461fa.1;
        Fri, 14 Jul 2023 01:52:34 -0700 (PDT)
X-Gm-Message-State: ABy/qLa85wLjV0CXrk1LHbeKgCXwIsrTKxtgdlaFLePJRUwczF6ecGOB
        Iwt2vrgl0PKmbzQjtx70UFibor90Qi1CgYQqj+E=
X-Received: by 2002:a2e:9b15:0:b0:2b6:ec2b:659 with SMTP id
 u21-20020a2e9b15000000b002b6ec2b0659mr3473777lji.17.1689324752099; Fri, 14
 Jul 2023 01:52:32 -0700 (PDT)
MIME-Version: 1.0
References: <20230711154449.1378385-1-eesposit@redhat.com> <ZK/9MlTh435FP5Ji@gambale.home>
 <ZLABozIRVGmwuIBf@gambale.home> <CAMw=ZnSF_s-+74gURPpXCU+YSTeXDAYfVp_A9DOFoW7oL2T_Hw@mail.gmail.com>
In-Reply-To: <CAMw=ZnSF_s-+74gURPpXCU+YSTeXDAYfVp_A9DOFoW7oL2T_Hw@mail.gmail.com>
From:   Ard Biesheuvel <ardb@kernel.org>
Date:   Fri, 14 Jul 2023 10:52:20 +0200
X-Gmail-Original-Message-ID: <CAMj1kXG1Sk1G=3PCRmiHZ24qPdUYiGRkSbq57u1-KUbyorX8Lg@mail.gmail.com>
Message-ID: <CAMj1kXG1Sk1G=3PCRmiHZ24qPdUYiGRkSbq57u1-KUbyorX8Lg@mail.gmail.com>
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
To:     Luca Boccassi <bluca@debian.org>, Peter Jones <pjones@redhat.com>,
        Matthew Garrett <mjg59@srcf.ucam.org>
Cc:     Emanuele Giuseppe Esposito <eesposit@redhat.com>, x86@kernel.org,
        Thomas Gleixner <tglx@linutronix.de>, lennart@poettering.net,
        Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Masahiro Yamada <masahiroy@kernel.org>,
        Alexander Potapenko <glider@google.com>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        =?UTF-8?Q?Daniel_P_=2E_Berrang=C3=A9?= <berrange@redhat.com>,
        linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

(cc Peter and Matthew)

On Fri, 14 Jul 2023 at 00:32, Luca Boccassi <bluca@debian.org> wrote:
>
> On Thu, 13 Jul 2023 at 14:52, Ard Biesheuvel <ardb@kernel.org> wrote:
> >
> >
> > Note that by Windows-crippled, I mean x86 PCs built by OEMs who care
> > about nothing other than the Windows logo sticker. These PCs often don't
> > allow secure boot keys to be modified by the owner of the machine, or
> > secure boot to be disabled at all. This is why shim exists, not because
> > UEFI secure boot is broken by design.
>
> AFAIK that's not only against the spec but also the logo
> certification, which x86 OEMs are doing that and in which models?
> Happy to flag that and inquire.

Thanks. My Yoga C630 Snapdragon laptop definitely does not allow me to
update the keys from the UI, but it does allow me to disable secure
boot. It might work with SetVariable() directly but I've never tried.

Maybe the OEMs have gotten better at this over the years, but it is
definitely not possible for the distros to rely on being able to get
their own cert into KEK and sign their builds directly.