Date: Mon, 17 Jul 2023 12:47:21 +0100
From: Daniel P. Berrangé
To: Peter Zijlstra
Cc: Greg KH, Luca Boccassi, Borislav Petkov, Emanuele Giuseppe Esposito, "H. Peter Anvin", x86@kernel.org, Thomas Gleixner, lennart@poettering.net, Ingo Molnar, Dave Hansen, Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
Message-ID:
Reply-To: Daniel P. Berrangé
References: <2023071233-empirical-overturn-744c@gregkh> <2023071350-specked-botanist-6ba8@gregkh> <2023071552-quilt-tranquil-b7bf@gregkh> <2023071643-broiler-level-afbf@gregkh> <20230717110631.GH4253@hirez.programming.kicks-ass.net>
In-Reply-To: <20230717110631.GH4253@hirez.programming.kicks-ass.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
User-Agent: Mutt/2.2.9 (2022-11-12)
X-Mailing-List:
linux-kernel@vger.kernel.org

On Mon, Jul 17, 2023 at 01:06:31PM +0200, Peter Zijlstra wrote:
> On Mon, Jul 17, 2023 at 10:22:51AM +0100, Daniel P. Berrangé wrote:
> > I'm not aware of any kernel CVEs since that point in time that
> > would have implied SBAT changes, but admittedly I've not paid
> > close enough attention to be entirely confident. Is going back
> > through 2 years of kernel CVEs (to the point where SBAT was
> > invented) a long enough timeframe to satisfy this request for
> > info on the frequency of changes?
>
> Many *MANY* security bugs never get a CVE. CVE is meaningless when it
> comes to kernel bugs.

Why does it make sense to review CVEs?

Yes, I know many security bugs get fixed without a CVE being assigned, but in the context of the question that doesn't matter.

The SBAT version number will be incremented in response to an identified security bug. Even if upstream has not assigned a CVE to an issue, downstream vendors are likely to have done so *if* they identified the security issue.

If neither upstream nor downstream publicly identified a fix as a security issue, then by extension they would also not have identified a need to change the SBAT version info either.

Thus looking at publicly identified security issues via CVEs is a reasonable proxy to gauge how many times SBAT would have been incremented, which is what Greg asked for.

With regards,
Daniel

--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|