Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp8209963rwp; Wed, 19 Jul 2023 06:51:31 -0700 (PDT) X-Google-Smtp-Source: APBJJlGEMWC8ot6+0Z3QMqA3AZGe0gE/3Om9L8IQ+a0KO4hkkkjfK01EtG5ORz8zupjiLE1eTygv X-Received: by 2002:a17:903:1ce:b0:1b6:b829:7065 with SMTP id e14-20020a17090301ce00b001b6b8297065mr2551069plh.63.1689774690981; Wed, 19 Jul 2023 06:51:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689774690; cv=none; d=google.com; s=arc-20160816; b=zDJ0RM31ab4k1H7dOKQWAEx02hbx6s7QWxor7MlDe63LUUhG7t3vkGnORZCF91bkGL HkGKR4F6Ge71RRpejHqz3CeOdhEVqaFPGPxu9g7Y62hmbHU1htEfmeF8BOhBAA8a7vm4 nQl5RTNYMktW6fINxG65iKZVBuXOLa4jClb53wIMDl376pbGvPNC8wZGHyyfL+VQ5oUJ zvTS5vcg1q7l6j526+SeDFNkabEzVULr48Ch7Z/ql9sC3Oa1D6yAne0IqOjffiBPQHsF Ow/J1zkZHjiFogyb7R1WGecq8qT09Xjccpi0QVZMPHROHr1CXYJ7jvGUpVwgsV1EsUml BUjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version; bh=pRu2QWSXSsDqhtLnlp5Es+i7USf8kNT6FnARa9+KIwg=; fh=F7Cg2o6h0SNkNXx9KFHiYEFL79qw2BOmR2XDkGv9b3I=; b=wn0OmrS1uPuW/7hdJvYCgO+wVX3mLDTLhNM9RKSUSB3evfggX/wWMPQ9KAgY5bwQhu VqV/7AKMnUm+VgglUg//luXqyy4vzdPJeVgrLO8fQIEeFpAR3eKAXgvElbLvVbfQ0bCv G2eT7OlKzdm7nXUG34Dns+6Z0hrTq8cI7AEIviF5n75tF5wJ49SMsbTBGvhgKGTRKHJz xuHyVOGDP0ZgH4yY+bTBD2w7MeEHNtJ4OyoJYPtNiQn7ztpV0kJFcQ2eQ9uNFfKAvoN2 6YeaVvqBZ5DucXkAFhZK1hnWKMhHlcOfziGmAPChu9BxWRskrkSXvIJr/j68qsFwULCZ kT8w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z1-20020a170902ee0100b001b895a2c09esi3433139plb.381.2023.07.19.06.51.17; Wed, 19 Jul 2023 06:51:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231377AbjGSNfB convert rfc822-to-8bit (ORCPT + 99 others); Wed, 19 Jul 2023 09:35:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55270 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231357AbjGSNex (ORCPT ); Wed, 19 Jul 2023 09:34:53 -0400 Received: from mail-oi1-f182.google.com (mail-oi1-f182.google.com [209.85.167.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3B8ED11B for ; Wed, 19 Jul 2023 06:34:49 -0700 (PDT) Received: by mail-oi1-f182.google.com with SMTP id 5614622812f47-3a3c77e0154so4999745b6e.1 for ; Wed, 19 Jul 2023 06:34:49 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689773688; x=1692365688; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6hOHfI48cJJvjh3hiXU4UP9h02hFndeaP36jJ0WH2IE=; b=Ogboe7xnAGvr+uR9hbRNMCzCTq4RHppsFYYpQ/15Bq74JJ06I9iOrgACExYsMTLGJV 1oWlgH+61U4ksPWk8efsEZY7ilX1lrgo8OtC1izvymOw0FRZyt7TgJZrp+DVUpHamhF7 lOOgUoof7MTZ88IVvbH3T/rvA7KBQVMXbzu4+ALCPltFqXkSYpp111zp70DyDOR6cl90 iaIVHssrfJFZijFU5Dc4OyLWdNcVs2cX2BOxVfuktRIweHsW8JxWwc9zVGrCC9SM6Mmz WIVXuuWqMoEozbgLkr8w/bDm4bJUpbkMUswlqMTuldvwZ2dt0B68ScRQ1K06QpThcklY EFQg== X-Gm-Message-State: ABy/qLZxVQcoXyjUQIzf49rafFxLxvZ7lxMIBv6tSQuTy7FCuLccmTrb mZmLPEC+lQdORw0xu4gJNbYEsCb6xCz8uw== X-Received: by 2002:a05:6358:3393:b0:133:e1e:f0b5 with SMTP id i19-20020a056358339300b001330e1ef0b5mr2735554rwd.12.1689773688058; Wed, 19 Jul 2023 06:34:48 -0700 (PDT) Received: from mail-yw1-f181.google.com (mail-yw1-f181.google.com. [209.85.128.181]) by smtp.gmail.com with ESMTPSA id f7-20020a5b0c07000000b00ca6d2ad070csm839270ybq.29.2023.07.19.06.34.47 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 19 Jul 2023 06:34:47 -0700 (PDT) Received: by mail-yw1-f181.google.com with SMTP id 00721157ae682-5774098f16eso73635717b3.0 for ; Wed, 19 Jul 2023 06:34:47 -0700 (PDT) X-Received: by 2002:a0d:d247:0:b0:583:437f:cf8a with SMTP id u68-20020a0dd247000000b00583437fcf8amr3088987ywd.24.1689773687000; Wed, 19 Jul 2023 06:34:47 -0700 (PDT) MIME-Version: 1.0 References: <20230711154449.1378385-1-eesposit@redhat.com> In-Reply-To: From: Luca Boccassi Date: Wed, 19 Jul 2023 14:34:34 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage To: Paolo Bonzini Cc: =?UTF-8?Q?Daniel_P=2E_Berrang=C3=A9?= , Ard Biesheuvel , Emanuele Giuseppe Esposito , x86@kernel.org, Thomas Gleixner , lennart@poettering.net, Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , Andrew Morton , Masahiro Yamada , Alexander Potapenko , Nick Desaulniers , Vitaly Kuznetsov , linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 19 Jul 2023 at 14:22, Paolo Bonzini wrote: > > On Tue, Jul 18, 2023 at 6:35 PM Daniel P. Berrangé wrote: > > There's a slight caveat that when parsing sbat shim currently appears > > to store the generation number in a uint16, so the size is somewhat > > limited. Probably still just enough bits to encode a kernel version, > > though changing shim code to uint32 looks easy enough too. > > Encoding a kernel version needs a uint32 if you want to make it human > readable; you need at least 10^6 (9.99.999) for the upstream version. > > However a SBAT policy based on kernel versions will not allow stable > versions, so it's basically unusable. > > One possibility would be to encode the major and minor versions as > different products, so a Fedora package for Linux 6.1.137 would have: > > linux.6,1,Linux,https://kernel.org/ > linux.6.1,137,Linux 6.1.y,6.1.137,https://kernel.org/ > linux.6.1.fc38,302,Fedora,6.1.137-302.fc38,https://koji.fedoraproject.org/koji/packageinfo?packageID=8 > > where old kernel versions can be "prohibited" without consuming too > much space in the policy, for example > > linux.5,255 # block all 5.x kernels. > linux.6.1,138 # oh no, 6.1.137 had a *really* bad vulnerability > > The questions then are > > 1) if this satisfies the requirements > > 2) if upstream people accept to expose the version in this format in > the upstream kernel That doesn't work, because it requires a new line for each new release, which means the sbat revocation variable and payload have unbounded growth, and the number one goal of this mechanism was to avoid exactly that. That's why it's a generation id, and that's why it's per-product. Once again: this is not some generic, multi-purpose tracking. This is not for human consumption. This is not a substitute for a version, or a bug tracker, or whatever else. This does not inform users of anything. This is a machine-targeted mechanism to allow centrally-managed revocations for the UEFI 3rd party CA + Shim flow in a way that works for the constrained EFI environment w.r.t size, wear and tear, in substitution of DBX which is not fit for this purpose. > > Directly encoding the version number though has implications for > > revokation wrt stable branches though. My impression is that the > > generation number was intentionally separate from a version number, > > so that people could backport particular fixes to a stable branch > > and then declare it to be the same "generation" as the latest > > devel branch, or other stable branches which also included the > > equiv fixes. > > Right, but that also requires a central authority that makes up these > revocation indices. This is unlikely to happen for Linux. :) It will happen, the only question is how painful it is going to be to maintain it. The revocation payload is unique and global, and it could not be otherwise. Just like DBX is published centrally, and just like Shim signing is done centrally.