From: Paolo Bonzini
Date: Wed, 19 Jul 2023 17:11:07 +0200
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
To: Luca Boccassi
Cc: Daniel P. Berrangé, Ard Biesheuvel, Emanuele Giuseppe Esposito, x86@kernel.org, Thomas Gleixner, lennart@poettering.net, Ingo Molnar, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, linux-kernel@vger.kernel.org
References: <20230711154449.1378385-1-eesposit@redhat.com>

On Wed, Jul 19, 2023 at 3:34 PM Luca Boccassi wrote:
> > Right, but that also requires a central authority that makes up these
> > revocation indices. This is unlikely to happen for Linux. :)
>
> It will happen, the only question is how painful it is going to be to
> maintain it. The revocation payload is unique and global, and it could
> not be otherwise. Just like DBX is published centrally, and just like
> Shim signing is done centrally.

If you are intending to go with the generation number, that essentially means tracking vulnerabilities, and that's a business that Linux developers don't want to be in. And in fact, neither DBX nor shim signing is managed by (upstream) open source projects. That raises many other questions:

- What is the right place for that generation number authority and for the registry of vulnerable kernel versions? Is it shim/mokutil, and if so are the developers on board with doing that? How are SBAT updates currently distributed?

- Distros will have to be the ones setting the SBAT policy. If the central authority will use the "exploit in active use" policy (which IMNSHO is nothing but security theater), are all distros that consume ukify fine with that, or do they want to actually start tracking kernel vulnerabilities?

- Sorry for beating on the "Linux is different" dead horse, but what happens if people for whatever reason don't want to run the latest kernel? If a stable kernel update breaks hotplugging of external displays and fixes a code execution vulnerability in a weird device driver, do I have to fiddle with mokutil in order to keep my external display working? Or replace "breaks hotplugging of external displays" with "breaks the NVIDIA driver".

In any case, I think there's agreement that it's not a Linux developer problem, so the discussion can continue elsewhere.

Paolo
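Added illustration, not part of this thread: the generation-number comparison that SBAT-based revocation rests on, modelled in simplified form on how shim compares an image's .sbat entries against its SbatLevel policy. The CSV entries, the "linux" component name and the version strings are constructed sample data, not values from the patch; the example shows why a build below the published minimum generation is refused no matter which fixes or regressions that particular build carries.

```python
"""SBAT generation-number revocation check (added example, not from this thread).

.sbat section: CSV, one component per line,
  component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
Revocation policy (shape of shim's SbatLevel payload): component_name,minimum_generation
An image is refused when any listed component has a generation below the minimum.
Simplified model of shim's logic; all sample data below is constructed.
"""
import csv
from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str = ""
    package: str = ""
    version: str = ""
    url: str = ""


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse a .sbat section; only the first two fields matter for revocation."""
    entries = []
    for row in csv.reader(line for line in text.splitlines() if line.strip()):
        fields = row + [""] * (6 - len(row))  # tolerate short rows
        entries.append(SbatEntry(fields[0], int(fields[1]), *fields[2:6]))
    return entries


def parse_policy(text: str) -> dict[str, int]:
    """Parse a revocation policy into component -> minimum acceptable generation."""
    return {row[0]: int(row[1]) for row in csv.reader(text.splitlines()) if len(row) >= 2}


def revoked_components(image: list[SbatEntry], policy: dict[str, int]) -> list[str]:
    """Components that fail the check; an empty list means the image may boot."""
    return [e.component for e in image
            if e.component in policy and e.generation < policy[e.component]]


# Constructed sample data: a kernel still at generation 1 and a rebuild bumped to 2.
OLD_KERNEL_SBAT = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
                   "linux,1,The Linux Foundation,linux,6.4.3,https://kernel.org\n")
FIXED_KERNEL_SBAT = OLD_KERNEL_SBAT.replace("linux,1,", "linux,2,")
# Constructed policy: raising the 'linux' minimum to 2 refuses every generation-1 build,
# whatever else that build does or does not fix.
POLICY = "sbat,1,2023071900\nlinux,2\n"
```

revoked_components(parse_sbat(OLD_KERNEL_SBAT), parse_policy(POLICY)) returns ['linux'], while the generation-2 rebuild returns an empty list.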