Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20230711154449.1378385-1-eesposit@redhat.com> <ZK/9MlTh435FP5Ji@gambale.home>
 <df7941b9-11ea-9abd-e070-4e9926aecdc3@redhat.com> <CAMw=ZnTSyeL4x1o_GVKNsZdCUe2D2H53quK-TSFhOkuONjC73A@mail.gmail.com>
 <CABgObfb_jGgs-yMSsHtHhEStFDp4f072LN7pW+3dSuVhAP87Ag@mail.gmail.com>
 <ZLa/R9tZ0hB0KOXj@redhat.com> <CABgObfZjVrGOSn8iuFeUBOv3NAU_HB-6vtUTCRcSPW=Guua1jQ@mail.gmail.com>
In-Reply-To: <CABgObfZjVrGOSn8iuFeUBOv3NAU_HB-6vtUTCRcSPW=Guua1jQ@mail.gmail.com>
From:   Luca Boccassi <bluca@debian.org>
Date:   Wed, 19 Jul 2023 14:34:34 +0100
Message-ID: <CAMw=ZnR6DBPxwdbP9jJRLzkryaoz++Nkxx5KV-3RdHL5PXKoqQ@mail.gmail.com>
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
To:     Paolo Bonzini <pbonzini@redhat.com>
Cc:     =?UTF-8?Q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>,
        Ard Biesheuvel <ardb@kernel.org>,
        Emanuele Giuseppe Esposito <eesposit@redhat.com>,
        x86@kernel.org, Thomas Gleixner <tglx@linutronix.de>,
        lennart@poettering.net, Ingo Molnar <mingo@redhat.com>,
        Borislav Petkov <bp@alien8.de>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Masahiro Yamada <masahiroy@kernel.org>,
        Alexander Potapenko <glider@google.com>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8BIT
Precedence: bulk

On Wed, 19 Jul 2023 at 14:22, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> On Tue, Jul 18, 2023 at 6:35 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > There's a slight caveat that when parsing sbat shim currently appears
> > to store the generation number in a uint16, so the size is somewhat
> > limited. Probably still just enough bits to encode a kernel version,
> > though changing shim code to uint32 looks easy enough too.
>
> Encoding a kernel version needs a uint32 if you want to make it human
> readable; you need at least 10^6 (9.99.999) for the upstream version.
>
> However a SBAT policy based on kernel versions will not allow stable
> versions, so it's basically unusable.
>
> One possibility would be to encode the major and minor versions as
> different products, so a Fedora package for Linux 6.1.137 would have:
>
> linux.6,1,Linux,https://kernel.org/
> linux.6.1,137,Linux 6.1.y,6.1.137,https://kernel.org/
> linux.6.1.fc38,302,Fedora,6.1.137-302.fc38,https://koji.fedoraproject.org/koji/packageinfo?packageID=8
>
> where old kernel versions can be "prohibited" without consuming too
> much space in the policy, for example
>
> linux.5,255       # block all 5.x kernels.
> linux.6.1,138    # oh no, 6.1.137 had a *really* bad vulnerability
>
> The questions then are
>
> 1) if this satisfies the requirements
>
> 2) if upstream people accept to expose the version in this format in
> the upstream kernel

That doesn't work, because it requires a new line for each new
release, which means the sbat revocation variable and payload have
unbounded growth, and the number one goal of this mechanism was to
avoid exactly that. That's why it's a generation id, and that's why
it's per-product.

Once again: this is not some generic, multi-purpose tracking. This is
not for human consumption. This is not a substitute for a version, or
a bug tracker, or whatever else. This does not inform users of
anything.
This is a machine-targeted mechanism to allow centrally-managed
revocations for the UEFI 3rd party CA + Shim flow in a way that works
for the constrained EFI environment w.r.t size, wear and tear, in
substitution of DBX which is not fit for this purpose.

> > Directly encoding the version number though has implications for
> > revokation wrt stable branches though. My impression is that the
> > generation number was intentionally separate from a version number,
> > so that people could backport particular fixes to a stable branch
> > and then declare it to be the same "generation" as the latest
> > devel branch, or other stable branches which also included the
> > equiv fixes.
>
> Right, but that also requires a central authority that makes up these
> revocation indices. This is unlikely to happen for Linux. :)

It will happen, the only question is how painful it is going to be to
maintain it. The revocation payload is unique and global, and it could
not be otherwise. Just like DBX is published centrally, and just like
Shim signing is done centrally.