Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp6914535rwp; Tue, 18 Jul 2023 07:33:30 -0700 (PDT) X-Google-Smtp-Source: APBJJlHSFslravbV9QEp6IDd/ARSfAY6NYfN7jim7O/FWkcLhuuzIhboo9JVrhNQlp9WRs5wgmfM X-Received: by 2002:a2e:9d45:0:b0:2b9:40c7:f5ed with SMTP id y5-20020a2e9d45000000b002b940c7f5edmr3772859ljj.17.1689690810578; Tue, 18 Jul 2023 07:33:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689690810; cv=none; d=google.com; s=arc-20160816; b=y6dIlR5J6M2Mkw9BdxYW5dK9oou9XlGaeJmpLY89Ik8IivUKm5VS+948qwA77ghl6E plLRf8Xs7L+qRghAAkF11rz9WBJHuwlTuAZUIfwrmY0mroOiYeS2qt3UaHpp5moIil7Z JPd44t9XREteVmdCsUa3f2nxkuVA9qldtpOJw0SH7cq1GUmUXh3k0BsFcc+HGH1q8y8o qfkBAQGUmjKKxMDQdKtOgPH7VlzhJx29UiGzM/aIIvU8h4NB7oIu/RYOr2ntjKikH4Uf DpRkojOlOXjxT2VcIdkTQX5/OVFEy+ZUNq6b7aHaRoquamgJ3EBPlfRrOaTnta6s/tg9 9pKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version; bh=IfJdZldamVRoiem+genboss9wXHBkzaKw5u/tIWjMWQ=; fh=/xf0KMOVFA2/PZ5LDX1R5tty/wEEI9us15ViXw93oOk=; b=yC69TptkGCdNC4q9TNdMd1Q53iDEiJ7KiZ8P4myCdQql3GDg+BsSodYMD9f3Y/huMj PLSpbHiKrcA4QNyzGjSnjzWvOaQSvWsmxL7xlRr1GmDvZPOuasGjb3NMPgFdwzBN14Tp dimw8Q0URUaCCzgTe+ToX8AnCt5+jGm+gFJZuTsF3RlrTUW9lfQHa6mQQpM7zSvO981g FcRdpLSEgLvmZnKUyy2jDPfnda41qcT1oGJ/CuD/qWaVbeccL0pwNVxH96l8TWCIgIkR q97pGIwjuFCfYsDLYT5EaDcwvo0pVzpCnbPLMVfPu/UfN06XXK1+g1vPrewrVfitMCN4 C/nQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ko7-20020a170907986700b009889a249ae6si1074893ejc.1026.2023.07.18.07.33.05; Tue, 18 Jul 2023 07:33:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233274AbjGROEw (ORCPT + 99 others); Tue, 18 Jul 2023 10:04:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233231AbjGROEe (ORCPT ); Tue, 18 Jul 2023 10:04:34 -0400 Received: from mail-yw1-f180.google.com (mail-yw1-f180.google.com [209.85.128.180]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A27F211F for ; Tue, 18 Jul 2023 07:03:32 -0700 (PDT) Received: by mail-yw1-f180.google.com with SMTP id 00721157ae682-579de633419so53612207b3.3 for ; Tue, 18 Jul 2023 07:03:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689688989; x=1692280989; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=IfJdZldamVRoiem+genboss9wXHBkzaKw5u/tIWjMWQ=; b=W2c9O6m1MQ82BoOwTdgUg6eqB6tP4I1TnAvYuZk1HwtQq8CTfvKcYsrvyTVxI3RYkW RCtJaM7B0q0xMUfxJ41/dnowZWNYp9dF9favIybQfqfrPcJuUrUgfZbfBxPNbNj7AuO9 X7S3v2Qls1WAAqY2CrNxyQZpyndrQ+tVKkTFLzIuXD8uGxA7ZMV1XmpsRRTqAxJ1ZKTC k+aZGJ7/f2h8ON9QdEyEQG6G+ujllspUdf544KjZmNQLtDAUPCYEGWTq9F9xiNCnw4Eu Oz77g/EQDbkJAfvsbwWdeSnv+5wBL2hYMFJcNpnwI2xx5Sw3wK/gBjgm2L4faAb9bomX kFIg== X-Gm-Message-State: ABy/qLY3kXCPu5SiwBRe61wo1ctfIZD4msH16DY7PCw3uHNCm9+ZiddV /cSQbNwmmYo1+nfHBhkxTCg9pmG+l2/unw== X-Received: by 2002:a81:dd06:0:b0:57a:6a2c:f4dd with SMTP id e6-20020a81dd06000000b0057a6a2cf4ddmr13545607ywn.36.1689688989217; Tue, 18 Jul 2023 07:03:09 -0700 (PDT) Received: from mail-yb1-f172.google.com (mail-yb1-f172.google.com. [209.85.219.172]) by smtp.gmail.com with ESMTPSA id b68-20020a0df247000000b005771bb5a25dsm471078ywf.61.2023.07.18.07.03.08 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 18 Jul 2023 07:03:08 -0700 (PDT) Received: by mail-yb1-f172.google.com with SMTP id 3f1490d57ef6-bcb6dbc477eso4414255276.1 for ; Tue, 18 Jul 2023 07:03:08 -0700 (PDT) X-Received: by 2002:a25:41d0:0:b0:bc6:377a:d9c7 with SMTP id o199-20020a2541d0000000b00bc6377ad9c7mr11296210yba.23.1689688988254; Tue, 18 Jul 2023 07:03:08 -0700 (PDT) MIME-Version: 1.0 References: <20230711154449.1378385-1-eesposit@redhat.com> In-Reply-To: From: Luca Boccassi Date: Tue, 18 Jul 2023 15:02:55 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage To: Paolo Bonzini Cc: Ard Biesheuvel , Emanuele Giuseppe Esposito , x86@kernel.org, Thomas Gleixner , lennart@poettering.net, Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , Andrew Morton , Masahiro Yamada , Alexander Potapenko , Nick Desaulniers , Vitaly Kuznetsov , =?UTF-8?Q?Daniel_P=2E_Berrang=C3=A9?= , linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 18 Jul 2023 at 14:35, Paolo Bonzini wrote: > > [note: while there is some overlap between the developers and Red Hat > employees that are involved in KVM, I was not involved in this work and > only learnt about it last Friday] > > On 7/13/23 15:33, Ard Biesheuvel wrote: > >> A .sbat is simply a section containing a string with the component name > >> and a version number. This version number is compared with the value in > >> OVMF_VARS, and if it's less than the variable, the binary is not trusted, > >> even if it is correctly signed. > >> > > > > Also, 'version number' is a bit vague, better to stick with existing > > terminology that makes this more self explanatory: the component that > > authenticates the kernel image keeps a revocation counter, and refuses > > to load authentic images whose revocation index is lower than the > > revocation counter. This approach removes the need for revoking > > individual image hashes or having to rotate the signing keys when a > > vulnerability is discovered. > > > > The argument that we need this in the upstream kernel seems to be > > predicated on the assumption that there is one universal signing > > authority and revocation domain, but this is not necessarily true. > > I am not sure about this. I think that a revocation index could _in > theory_ make sense as a way to double check that you have backported all > the relevant bugfixes. If you backport the patch that changes the index > from 2 to 3 but your tree has index=1, it will conflict and hopefully > fix it or lead you to document why that is happening. > > But I'm saying "in theory", because I'm not sure it makes sense to apply > the concept to an OS kernel. A revocation index makes sense for boot > loaders, whose purpose is to check something about the next stage and > then get out of the way. When using a bootloader for secure boot there > is a limited amount of parsing and basically no user interaction. With > some handwaving, that makes it is possible to say things like "oh no I > found the 234th bug in my codebase, let's bump the revocation index to 235". > > If you try to do this for the OS, however, Linux's "vulnerabilities are > just bugs" mantra hits hard---more specifically the reverse: all bugs > are potential vulnerabilities. Sure you can hope for the best, which is > what we do with module signing and with the (non-upstream) secure boot > lockdown patches. In the end, however, an unpatched code execution or > memory write vulnerability is always a potential rootkit. While we > don't have _too_ many of those, there are enough that the idea of a > revocation index becomes completely unfeasible, not too mention those > that are fixed silently not because "that's the way Linus does it" but > rather because we genuinely didn't think of them as security fixes. Lockdown is upstream and has been for several years. Apart from that, I'm not sure why there is this idea that the kernel is somehow 'special', but it is not grounded in reality. If you ask the owners of any components, 9 times out of 10 they'll tell you their project is absolutely unique and special and could not possibly be bundled together with , but it's just exceptionalism. Grub also gets plenty of bug fixes that are not classed as security fixes, and so does Shim, and so does everything else. And they both have plenty of user interaction, and plenty of variability. Heck, Grub has its own complex configuration language that can take live input at boot, _and_ reimplements most of the kernel filesystems! But anyway, from the point of view of the 3rd party CA plus Shim workflow, they are the same, and can be treated the same - sorry, but the kernel is not special in any way. The only thing that matters is if, given a bug, somebody either observed it being used as a secure boot bypass by bad actors in the wild, or was bothered enough to write down a self-contained, real and fully working proof of concept for secure boot bypass. If yes, then somebody will send the one-liner to bump the generation id, and a new sbat policy will be deployed. If no, then most likely nobody will care, and that's fine, and I expect that's what will happen most of the time. > So perhaps there could be some kind of protocol that would let a new > kernel tell the bootloader "don't boot an older kernel than me in the > future". It could even be an extension to the SBAT spec itself. I > haven't really thought much about it, tbh. However, I'm quite positive > that a revocation index attached to the kernel image cannot really work > as a concept, not even if it is managed by the distro. You are pretty much describing SBAT there. Except for the detail that it can't be the component that can be compromised that tells you whether it's compromised and you should trust it... A system's SBAT policy is a single entity, managed centrally, and deployed everywhere.