References: <20230711154449.1378385-1-eesposit@redhat.com> <0aa647f719103e8620d7209cbde40f04a7334749.camel@HansenPartnership.com> <635B383C-38A5-479E-80A6-358D5F90988B@oracle.com>
From: Luca Boccassi
Date: Fri, 21 Jul 2023 13:40:14 +0100
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
To: James Bottomley
Cc: Eric Snowberg, Ard Biesheuvel, Daniel P. Berrangé, Emanuele Giuseppe Esposito, x86@kernel.org, Thomas Gleixner, lennart@poettering.net, Ingo Molnar, Borislav Petkov, Dave Hansen, H. Peter Anvin, Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, open list, linux-efi@vger.kernel.org, keyrings@vger.kernel.org, Jarkko Sakkinen
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 21 Jul 2023 at 12:24, James Bottomley wrote:
>
> On Fri, 2023-07-21 at 09:55 +0100, Luca Boccassi wrote:
> > On Fri, 21 Jul 2023 at 02:49, Eric Snowberg wrote:
> > >
> > > > On Jul 20, 2023, at 1:16 PM, Luca Boccassi wrote:
> > > >
> > > > On Thu, 20 Jul 2023 at 18:11, Eric Snowberg wrote:
> [...]
> > > > > I agree with James in the previous thread; adding the SBAT
> > > > > section to the kernel should be handled by the signing tools.
> > > > > It really doesn't need to be included in the mainline kernel
> > > > > code. I also agree with the sentiment that mainline and the
> > > > > stable branches should not have SBAT versions attached
> > > > > to them. These are things distros should be responsible for
> > > > > including in their kernel if they want to have SBAT support.
> > > >
> > > > Why would 'signing tools' handle that? It's just a text-based PE
> > > > section, it doesn't require access to private key materials to be
> > > > handled, nor it has any relationship with signing.
> > >
> > > There is a relationship, the sbat information within the signed
> > > file can be used for revocation in lieu of revoking the hash or
> > > signing certificate at a later time.
> >
> > No, it is completely disjoint. In fact, the kernel doesn't even have
> > to be signed at all, but it still _must_ have a .sbat section when it
> > is used in a UKI.
>
> Just a minute, this is wrong. I was talking to Peter after all of this
> blew up about how we handle signed kernels with no sbat (since we need
> that still to work for developers who sign their own kernels). I
> thought he was planning to require an sbat section for all EFI
> binaries, but he says that's not true. The current way shim does the
> sbat check is that if the section doesn't exist the binary is processed
> as having an empty sbat section (i.e. no sbat level checking will be
> done because there's no named sbat level for anything and it will just
> work) and they're planning to keep it that way so that a signed but no
> sbat kernel will always "just work" without any special key handling in
> shim. So if we're planning to keep this no-sbat case in discrete
> kernels, even when the shim verifier checks sbat, the UKI kernel will
> need to work for this case as well.

Are you sure that's not just about local signing? IE, MoK vs embedded
cert auth flow? As far as I know, the plan for the 3rd party CA flow is
to eventually (very eventually) require it. I might have missed some
development ofc.
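The thread turns on two facts about the .sbat section: it is a plain text PE section that needs no key material to add or inspect, and shim treats a binary without one as having an empty SBAT. The following added example (not code from the thread, shim or the kernel) walks a PE section table, extracts and parses `.sbat` as CSV, and reports "absent" for an image that lacks it, so a reviewer can check what a bzImage or UKI actually carries. The minimal PE builder and the SBAT rows are constructed test inputs; the field names follow the published SBAT CSV layout and are an assumption of this example.

```python
"""Locate and parse the .sbat section of a PE image (added example)."""
import csv
import struct

# Assumed SBAT CSV column names (per the public SBAT spec, not from the thread).
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")

def pe_sections(data: bytes) -> dict:
    """Return {section_name: raw_bytes} by walking the COFF section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first section header
    out = {}
    for i in range(nsect):
        name, _vsize, _va, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        out[name.rstrip(b"\0").decode("ascii")] = data[rawptr:rawptr + rawsize]
    return out

def parse_sbat(raw: bytes) -> list:
    """Parse the CSV rows of a .sbat section into dicts keyed by SBAT_FIELDS."""
    text = raw.rstrip(b"\0").decode("ascii")
    return [dict(zip(SBAT_FIELDS, row))
            for row in csv.reader(text.splitlines()) if row and row[0].strip()]

def sbat_status(data: bytes) -> tuple:
    """('present', rows) if .sbat exists, else ('absent', []): the no-section
    case is reported as an empty SBAT, matching how the thread says shim treats it."""
    sections = pe_sections(data)
    if ".sbat" not in sections:
        return ("absent", [])
    return ("present", parse_sbat(sections[".sbat"]))

def build_pe(sections: dict) -> bytes:
    """Constructed, non-loadable PE skeleton: only headers our parser reads are filled."""
    n = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0x22) # SizeOfOptionalHeader = 0
    table, body, ptr = b"", b"", 64 + 4 + 20 + 40 * n
    for name, raw in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0, len(raw),
                             ptr, 0, 0, 0, 0, 0x40000040)
        body, ptr = body + raw, ptr + len(raw)
    return dos + b"PE\0\0" + coff + table + body

# Constructed sample rows: the mandatory "sbat" header row plus one component row.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"linux,1,Example Vendor,linux,6.5,https://example.org/kernel\n")
```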