Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp5857430rwp; Mon, 17 Jul 2023 10:27:22 -0700 (PDT) X-Google-Smtp-Source: APBJJlE/3Zufgu6K4nY+3z7QGVCgon/N9rA/MQghbGIVjE8nbxa+ZqEwdCCaX//tYx8B32l9cP60 X-Received: by 2002:a05:6e02:1563:b0:348:8396:9f88 with SMTP id k3-20020a056e02156300b0034883969f88mr444841ilu.9.1689614842256; Mon, 17 Jul 2023 10:27:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689614842; cv=none; d=google.com; s=arc-20160816; b=fK5H0kdiH0Xj8460U8iwuWatOSysk4AyCajnGlVK+QvnuQXRBT7gz1pFAuWxDUkLlo BD8lJRSemycxFC+0AJcqGUTPyiFrZ/EK2CViKsfgrCyvP3mHANNIA+gFOpErO9ntWKNc /4Nha9Vkf5rvc24vsH7kDkn54xRAlvMXeadqGzak3ULUJTh6dtj2+StzG4m59KCHYxh7 CgCh42q0yufo3oOD9ddvOtkxHCkg2pcFrTKWcS73FAKQLn0Lx1uHuW5XBgcdG8OjX3Wj PQe75/2rTuPuWjxGxrkaAYA5+Lr1jBKVCyrilYe4uXqA+FEA1QKNvx8hS0xE7L8YLerF eqCw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=AMmCJfIuZBK8TOlrXcnRNW71QMAvrCE4A3yY2m0hwhE=; fh=PF6OJSaYB5lHR4CJOEtVYfbcwUH6OBgqVPFyjnyvSuc=; b=Xfm/AWa60BAEbwwjqxy977c+SC5nlnI3L9KIPboM5wN4ZYWEyEcoNqeN1l5z+EFlty 4CEyHc1VrlyaLJFt0tLMdrCvqz5WLmxGPeamMbmKJMHpr6CmBlvNjeZjMmmyv9dJHjUK m8kQMKFKfvmBAPz1XXbtQoHLV5XJqBTroRY+HM/OwIAVbEVPCvdNJKpXTpvmBjyHhK3D BQKGw8PSGs+qScEDEIPYFmkmxxCoY63ibeR2x/7k8fyW0Obz48w1AyrC9GF1JO/ZsZfn CDjy7h6O2w7zta6KB5xwIgrXabbyQBO8Cfj/YUiN8fsxyqFtDmqxV4BqqQHO8wpPEP4F ZZ8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=WJqweyMW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id pc11-20020a17090b3b8b00b00263deaac48esi162471pjb.8.2023.07.17.10.27.08; Mon, 17 Jul 2023 10:27:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=WJqweyMW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229999AbjGQQ50 (ORCPT + 99 others); Mon, 17 Jul 2023 12:57:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56684 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229674AbjGQQ5Z (ORCPT ); Mon, 17 Jul 2023 12:57:25 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 59946D1 for ; Mon, 17 Jul 2023 09:56:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1689612995; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references; bh=AMmCJfIuZBK8TOlrXcnRNW71QMAvrCE4A3yY2m0hwhE=; b=WJqweyMW3Hd7FHm28BdfuGTe0QnJEBa9r+UbubytCPD0kwyD+lLQV6XVkvWqzXxebUyssq 0LHeCqYAHtfvON5ca/06rUoilRQ1Aw/b1w4moUmoK/oKthw+Nb9yNBsCLegeu5b7rt8gqI KuGFJAgDdN0VMHTIU0yEnXmN4JZrmq8= Received: from mimecast-mx02.redhat.com (66.187.233.73 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-468-WBCtU6FiNPKTnL0Eemngyw-1; Mon, 17 Jul 2023 12:56:34 -0400 X-MC-Unique: WBCtU6FiNPKTnL0Eemngyw-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4B9EA3C19340; Mon, 17 Jul 2023 16:56:33 +0000 (UTC) Received: from redhat.com (unknown [10.42.28.62]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E9D104CD0F1; Mon, 17 Jul 2023 16:56:30 +0000 (UTC) Date: Mon, 17 Jul 2023 17:56:28 +0100 From: Daniel =?utf-8?B?UC4gQmVycmFuZ8Op?= To: James Bottomley Cc: Ard Biesheuvel , Emanuele Giuseppe Esposito , x86@kernel.org, Thomas Gleixner , bluca@debian.org, lennart@poettering.net, Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , Andrew Morton , Masahiro Yamada , Alexander Potapenko , Nick Desaulniers , Vitaly Kuznetsov , linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage Message-ID: Reply-To: Daniel =?utf-8?B?UC4gQmVycmFuZ8Op?= References: <20230711154449.1378385-1-eesposit@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.2.9 (2022-11-12) X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 17, 2023 at 12:08:26PM -0400, James Bottomley wrote: > On Thu, 2023-07-13 at 15:52 +0200, Ard Biesheuvel wrote: > > (add linux-efi@ cc) > > Thanks for that, since this is really EFI related rather than x86. snip > The problem, as I see it, is if the distros give the kernel an .sbat > section, that means any vanilla kernel that's built by a user and > signed by their key now won't work (even if their key is in MoK) > because it won't have an sbat section ... and the sbat mechanism is > component specific, not key specific, so the signer has no choice but > to adopt it. AFAICT, that problem only exists for binaries directly invoked from shim. So that would be a problem for the boot loader (grub), or a kernel image being booted directly without a bootloader present. For kernel binaries invoked indirectly by the boot loader, the use of SBAT is currently optional. ie missing SBAT record would be treated as success. This was a pragmatic way to introduce SBAT support as it only impacted grub at that time. Once a distro starts adding SBAT to their kenrels too though, we can forsee that they would like to enforce SBAT for the whole boot chain, to prevent rollback to previously signed binaries that lacked SBAT info. This policy could be enforced per key though. eg require SBAT for anything verified against the vendor key that's compiled into shim, but not require SBAT for binaries verified with the MoK entries. The user specific MoK entries don't have such a compelling use case for SBAT, since if they need to revoke old binaries, the end users always have the easy fallback option of just rotating their signing keys and switching out the enrolled key in MoK. The choice of whether to mandate SBAT for binaries signed with a MoK entry, could be set by the end user themselves at the time their enroll their signing cert in the MoK DB. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|