From: Luca Boccassi
Date: Fri, 14 Jul 2023 10:25:45 +0100
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
To: Ard Biesheuvel
Cc: Peter Jones, Matthew Garrett, Emanuele Giuseppe Esposito, x86@kernel.org, Thomas Gleixner, lennart@poettering.net, Ingo Molnar, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, Daniel P. Berrangé, linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org
References: <20230711154449.1378385-1-eesposit@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 14 Jul 2023 at 09:52, Ard Biesheuvel wrote:
>
> (cc Peter and Matthew)
>
> On Fri, 14 Jul 2023 at 00:32, Luca Boccassi wrote:
> >
> > On Thu, 13 Jul 2023 at 14:52, Ard Biesheuvel wrote:
> > >
> > > Note that by Windows-crippled, I mean x86 PCs built by OEMs who care
> > > about nothing other than the Windows logo sticker. These PCs often don't
> > > allow secure boot keys to be modified by the owner of the machine, or
> > > secure boot to be disabled at all. This is why shim exists, not because
> > > UEFI secure boot is broken by design.
> >
> > AFAIK that's not only against the spec but also the logo
> > certification. Which x86 OEMs are doing that, and in which models?
> > Happy to flag that and inquire.
>
> Thanks. My Yoga C630 Snapdragon laptop definitely does not allow me to
> update the keys from the UI, but it does allow me to disable secure
> boot. It might work with SetVariable() directly but I've never tried.

That's not an x86 machine though? For Arm, IIRC, the logo certification
requirement was more lax there (or more locked down, depending on your
point of view), at least in the past. I am not sure what the current
state is.
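As an added example, not from this thread or any of its participants: a Python check that reads the SecureBoot, SetupMode and PK variables the way Linux exposes them in efivarfs and reports whether the Platform Key is still owner-enrollable or locked to the OEM's PK, which is what the SetVariable() route mentioned above hinges on. The efivarfs path, the EFI_GLOBAL_VARIABLE GUID and the attribute bits come from the UEFI specification; the sample blobs are constructed.

```python
import os
import struct
from typing import Optional, Tuple

# efivarfs exposes each UEFI variable as a file: a 4-byte little-endian
# attribute mask followed by the variable's data.
EFIVARFS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

def read_efivar(name: str) -> Optional[bytes]:
    """Read a global-namespace UEFI variable from efivarfs; None if absent."""
    path = os.path.join(EFIVARFS, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None

def parse_efivar(blob: Optional[bytes]) -> Optional[Tuple[int, bytes]]:
    """Split a raw efivarfs blob into (attributes, data)."""
    if blob is None:
        return None
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte attribute header")
    return struct.unpack("<I", blob[:4])[0], blob[4:]

def key_store_state(secure_boot: Optional[bytes], setup_mode: Optional[bytes],
                    pk: Optional[bytes]) -> str:
    """Classify the key store from the SecureBoot, SetupMode and PK blobs."""
    sb, sm, pk_var = (parse_efivar(b) for b in (secure_boot, setup_mode, pk))
    if sb is None or sm is None:
        return "no-secure-boot-support"   # firmware exposes no Secure Boot state
    enabled = sb[1][:1] == b"\x01"
    if sm[1][:1] == b"\x01" or pk_var is None or not pk_var[1]:
        # No Platform Key enrolled (Setup Mode): owner can enroll PK/KEK/db from the OS
        return "owner-enrollable"
    if pk_var[0] & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
        # User Mode: key variables only take updates signed by the PK holder, so
        # a plain SetVariable() from the OS is refused by the firmware
        return "enabled-pk-locked" if enabled else "disabled-pk-locked"
    return "pk-without-authenticated-write"  # non-conforming firmware

# Constructed sample blobs (not captured from real hardware):
_RT = struct.pack("<I", 0x02 | 0x04)           # BOOTSERVICE | RUNTIME access
_AUTH = struct.pack("<I", 0x01 | 0x02 | 0x04 | 0x20)  # + NON_VOLATILE + TIME_BASED_AUTH
SAMPLE_OEM_LOCKED = (_RT + b"\x01", _RT + b"\x00", _AUTH + b"\xa1" * 64)
SAMPLE_SETUP_MODE = (_RT + b"\x00", _RT + b"\x01", None)
```

On a UEFI Linux machine, `key_store_state(*(read_efivar(n) for n in ("SecureBoot", "SetupMode", "PK")))` runs the same classification against the live firmware state.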