Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
From: James Bottomley
To: Eric Snowberg, Ard Biesheuvel
Cc: "Daniel P. Berrangé", Emanuele Giuseppe Esposito, x86@kernel.org, Thomas Gleixner, bluca@debian.org, lennart@poettering.net, Ingo Molnar, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, open list, linux-efi@vger.kernel.org, keyrings@vger.kernel.org, Jarkko Sakkinen
Date: Thu, 20 Jul 2023 13:07:34 -0400
References: <20230711154449.1378385-1-eesposit@redhat.com> <0aa647f719103e8620d7209cbde40f04a7334749.camel@HansenPartnership.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2023-07-20 at 16:46 +0000, Eric Snowberg wrote:
> If a distro adds a SBAT section to either their UKI, or if kernel
> SBAT enforcement is turned on from GRUB2 by default, there is one
> piece missing that would need to be handled by the mainline kernel
> which is SBAT enforcement for kexec. This would mean the revocations
> SBAT protect against would need to be referenced before doing the
> signature validation in kexec. If this is not added, any distro that
> allows kexec really doesn't have a SBAT protected kernel.

Um, actually, this is actually one of the misunderstandings of the
whole thread: sbat is a revocation mechanism for protecting EFI boot
security. Its design is to prevent malicious actors exploiting buggy
code to get into the EFI boot system before ExitBootServices is called
and nothing more. The kernel's intrusion into EFI boot security is
tiny: it's basically the EFI stub up to ExitBootServices, so even if
the kernel were to have an sbat number it would obviously be under the
control of the maintainers of only that code (i.e. Ard) and it would
only rev if we actually found a usable exploit in the efi stub.

As far as kexec is concerned, ExitBootServices is long gone and nothing
a future kexec'd kernel can do can alter that, so there's no EFI
security benefit to making kexec sbat aware, and thus it seems there's
no need to do anything about it for kexec.

Now if we're interested in sbat as a more general revocation mechanism,
that might change, but I think sbat is too tightly designed for the
problems of EFI variables to be more generally useful.

James
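To make concrete what "sbat is a revocation mechanism" means in the exchange above, here is an added example; it is not code from this thread, from shim or from the kernel. It models, in Python, the generation comparison a pre-ExitBootServices loader performs between a binary's .sbat CSV payload and the firmware-side revocation list (the SbatLevel EFI variable). The row layout follows shim's SBAT.md as I read it and is stated as an assumption in the code; the component name `linux`, the generation numbers, the vendor fields and the example.invalid URL in the sample data are constructed for the example, and the rule that a binary without any .sbat payload is refused is likewise an assumption about an enforcing loader.

```python
import csv
import io

# Row layout, following shim's SBAT.md (my reading of it, stated here as an
# assumption): the .sbat section of a signed binary is CSV whose first row is
# "sbat,<generation>,SBAT Version,..." and whose remaining rows are
# component_name,component_generation,vendor_name,vendor_package_name,
# vendor_version,vendor_url. The firmware-side revocation list (the SbatLevel
# EFI variable) is CSV rows of "component_name,minimum_generation"; its own
# "sbat" row carries a date in the third column.


def parse_sbat(text: str) -> dict[str, int]:
    """Return {component_name: generation} for one SBAT CSV payload.

    Rejects rows without a numeric generation and duplicate component names,
    and requires the leading 'sbat' version row, so a malformed section fails
    closed instead of silently matching nothing.
    """
    entries: dict[str, int] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # blank line
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT row: {row!r}")
        name = row[0].strip()
        if name in entries:
            raise ValueError(f"duplicate SBAT component: {name!r}")
        entries[name] = int(row[1])
    if "sbat" not in entries:
        raise ValueError("missing leading 'sbat' version row")
    return entries


def sbat_verify(binary_sbat: str, revocation_list: str) -> tuple[bool, list[str]]:
    """Decide whether a binary passes the SBAT revocation check.

    Returns (allowed, reasons). A binary with no .sbat payload is refused
    outright (assumption: that mirrors an enforcing loader). Otherwise every
    component named in the revocation list that also appears in the binary
    must be at or above the listed minimum generation; components the
    revocation list does not name are not checked at all.
    """
    if not binary_sbat.strip():
        return False, ["binary carries no .sbat section"]
    have = parse_sbat(binary_sbat)
    need = parse_sbat(revocation_list)
    reasons = [
        f"{name}: generation {have[name]} below required {min_gen}"
        for name, min_gen in need.items()
        if name in have and have[name] < min_gen
    ]
    return not reasons, reasons


# Constructed sample data: the component name, generations, vendor fields and
# URL below are invented for this example and describe no real image.
SAMPLE_KERNEL_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "linux,1,Example Distro,linux,6.4.0,https://example.invalid/kernel\n"
)
# Revocation list that does not mention the kernel component at all.
SAMPLE_REVOCATIONS_CURRENT = "sbat,1,2023010100\nshim,2\ngrub,3\n"
# Revocation list that raises the kernel component's minimum generation to 2,
# i.e. what revoking every generation-1 image of that component looks like.
SAMPLE_REVOCATIONS_BUMPED = "sbat,1,2023070100\nshim,2\ngrub,3\nlinux,2\n"

if __name__ == "__main__":
    for label, rev in (("current", SAMPLE_REVOCATIONS_CURRENT),
                       ("bumped", SAMPLE_REVOCATIONS_BUMPED)):
        allowed, reasons = sbat_verify(SAMPLE_KERNEL_SBAT, rev)
        print(f"{label}: {'allowed' if allowed else 'refused'} {reasons}")
```

The comparison is evaluated once, when the loader decides whether to hand control to the image, so it is only ever consulted before ExitBootServices. Once the revocation list has let an image run there is no later point at which a kexec'd kernel could be turned away by it, which is the scope argument James makes above; making kexec consult the list would be enforcing a boot-time decision after the boot environment it protects has already been left behind.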