Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
From: James Bottomley
To: Luca Boccassi, Eric Snowberg
Cc: Ard Biesheuvel, Daniel P. Berrangé, Emanuele Giuseppe Esposito, x86@kernel.org, Thomas Gleixner, lennart@poettering.net, Ingo Molnar, Borislav Petkov, Dave Hansen, H. Peter Anvin, Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, open list, linux-efi@vger.kernel.org, keyrings@vger.kernel.org, Jarkko Sakkinen
Date: Fri, 21 Jul 2023 07:24:28 -0400
References: <20230711154449.1378385-1-eesposit@redhat.com> <0aa647f719103e8620d7209cbde40f04a7334749.camel@HansenPartnership.com> <635B383C-38A5-479E-80A6-358D5F90988B@oracle.com>

On Fri, 2023-07-21 at 09:55 +0100, Luca Boccassi wrote:
> On Fri, 21 Jul 2023 at 02:49, Eric Snowberg wrote:
> >
> > On Jul 20, 2023, at 1:16 PM, Luca Boccassi wrote:
> >
> > > On Thu, 20 Jul 2023 at 18:11, Eric Snowberg wrote:
[...]
> > > > I agree with James in the previous thread; adding the SBAT
> > > > section to the kernel should be handled by the signing tools.
> > > > It really doesn't need to be included in the mainline kernel
> > > > code. I also agree with the sentiment that mainline and the
> > > > stable branches should not have SBAT versions attached
> > > > to them. These are things distros should be responsible for
> > > > including in their kernel if they want to have SBAT support.
> > >
> > > Why would 'signing tools' handle that? It's just a text-based PE
> > > section, it doesn't require access to private key materials to be
> > > handled, nor does it have any relationship with signing.
> >
> > There is a relationship, the sbat information within the signed
> > file can be used for revocation in lieu of revoking the hash or
> > signing certificate at a later time.
>
> No, it is completely disjoint. In fact, the kernel doesn't even have
> to be signed at all, but it still _must_ have a .sbat section when it
> is used in a UKI.

Just a minute, this is wrong. I was talking to Peter after all of this
blew up about how we handle signed kernels with no sbat (since we need
that still to work for developers who sign their own kernels). I thought
he was planning to require an sbat section for all EFI binaries, but he
says that's not true.

The current way shim does the sbat check is that if the section doesn't
exist the binary is processed as having an empty sbat section (i.e. no
sbat level checking will be done because there's no named sbat level for
anything and it will just work) and they're planning to keep it that way
so that a signed but no sbat kernel will always "just work" without any
special key handling in shim.

So if we're planning to keep this no-sbat case in discrete kernels, even
when the shim verifier checks sbat, the UKI kernel will need to work for
this case as well.

James
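As an added example (not shim's code, and not part of the patch under discussion), a small Python model of the sbat check James describes: a binary with no .sbat section is treated as having an empty one and passes, while a present section is compared component by component against a revocation list. The SBAT CSV rows and the SbatLevel-style revocation list are constructed samples, and the comparison is a simplified model rather than shim's actual implementation.

```python
# Added example, not shim's code or the patch under discussion: a simplified
# model of the SBAT generation check described in the thread.
import csv
import io

# Constructed sample .sbat section content for a kernel image. SBAT is CSV,
# one component per row (the first row versions the SBAT format itself):
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
SAMPLE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
linux,1,The Linux Kernel,linux,6.5.0,https://kernel.org
linux.distro,2,Example Distro,linux,6.5.0-1,https://distro.example
"""

# Constructed revocation list in the style of the SbatLevel variable:
# component_name,component_generation. An image is rejected when one of its
# components is listed here with a required generation above the image's own.
SAMPLE_SBAT_LEVEL = """\
sbat,1,2023070100
linux,2
"""


def parse_sbat(text):
    """Map component_name -> component_generation for every CSV row with both fields."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[0] and row[1].isdigit():
            gens[row[0]] = int(row[1])
    return gens


def sbat_check(section_text, sbat_level_text):
    """Return (allowed, reason) for a decoded .sbat section against a revocation list.

    section_text is None for a binary that has no .sbat section at all. As James
    describes shim's behaviour, the missing section is processed as an empty one:
    nothing can match a revoked component, so no level check can fail.
    """
    if section_text is None:
        return True, "no .sbat section: treated as empty, no level check applied"
    image = parse_sbat(section_text)
    required = parse_sbat(sbat_level_text)
    for name, gen in image.items():
        need = required.get(name)
        if need is not None and gen < need:
            return False, f"{name} generation {gen} below required {need}"
    return True, "all listed components meet their required generation"
```

Run `sbat_check(None, SAMPLE_SBAT_LEVEL)` against `sbat_check(SAMPLE_SBAT, SAMPLE_SBAT_LEVEL)` to see the asymmetry the thread turns on: the sbat-less image passes, while the image that does carry a `linux` entry below the required generation is rejected.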