From: Luca Boccassi
Date: Fri, 21 Jul 2023 16:14:43 +0100
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
To: James Bottomley
Cc: Eric Snowberg, Ard Biesheuvel, Daniel P. Berrangé, Emanuele Giuseppe Esposito, x86@kernel.org, Thomas Gleixner, lennart@poettering.net, Ingo Molnar, Borislav Petkov, Dave Hansen, H. Peter Anvin, Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, open list, linux-efi@vger.kernel.org, keyrings@vger.kernel.org, Jarkko Sakkinen
References: <20230711154449.1378385-1-eesposit@redhat.com> <0aa647f719103e8620d7209cbde40f04a7334749.camel@HansenPartnership.com> <635B383C-38A5-479E-80A6-358D5F90988B@oracle.com> <137ddc2957d43576afd37afb0bedab3ceea1f8d7.camel@HansenPartnership.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, 21 Jul 2023 at 14:34, James Bottomley wrote:
>
> On Fri, 2023-07-21 at 14:10 +0100, Luca Boccassi wrote:
> > On Fri, 21 Jul 2023 at 14:01, James Bottomley wrote:
> [...]
> > > Well, my job is to be concerned about how individuals who want to
> > > own their own keys, either in MoK or db, participate in this, so I
> > > am mostly thinking about local signing. Whatever we decide, there
> > > must be a local workflow pathway.
> >
> > Sure but for local signing via MoK that's obviously fine, as one gets
> > to keep the pieces. AFAIK it's a different flow in Shim whether
> > something is authorized by MoK, DB or the built-in cert, so having
> > different policies built-in for those different cases should be
> > doable. Actually at the moment even if Shim loads the image, if it
> > gets authorized by DB .sbat isn't checked at all.
>
> So let's be sure we mean the same thing here. There is really no third
> party CA. Microsoft gives the distributions a signing key to allow
> them to sign their version of shim. Some distributions, like Red Hat,
> also embed their signing certificates in shim, so shim can distinguish
> between a RH key and another key added to MokList. However, some
> distributions, like SUSE, insist that all signing keys be approved by
> the machine owner (so no embedded shim certs for non-enterprise) and
> their shim can't distinguish between SUSE keys and machine owner
> additions. Given the variances in key handling, I think trying to
> distinguish between official and developer keys is a huge addition of
> complexity we don't need, so there has to be a workflow that functions
> for both and that workflow would seem to be allowing non-existent or
> empty sbat sections. Official key holders would *always* add sbat
> sections, so there's really no problem that needs a solution to be
> mandated here.

The certificate is called the "Microsoft Corporation UEFI CA 2011", issued by the "Microsoft Corporation Third Party Marketplace Root". So for short, we call it UEFI 3rd party CA :-)

Anyway, I wasn't aware that SUSE doesn't embed their cert in Shim, we'll have to take that into consideration for sure.
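The thread turns on two mechanics: how a loader compares the generation numbers in an image's .sbat section against a revocation list, and what it should do when that section is absent or empty depending on which trust source (vendor certificate, MokList, or db) authorized the image. The following Python is an added example, not shim's code and not part of the patch: it parses the CSV layout documented in shim's SBAT.md (component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url), checks generations against a revocation list, and applies a per-trust-source rule for images with no SBAT data. The sample section, the revocation list, the trust-source names and the MISSING_SBAT_POLICY table are constructed assumptions modelling the options discussed above, not shim's actual behaviour.

```python
"""Simplified SBAT generation check (added example, not shim or kernel code)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SbatEntry:
    component_name: str
    component_generation: int


def parse_sbat(section: Optional[bytes]) -> list[SbatEntry]:
    """Parse the CSV payload of a .sbat section.

    Returns [] for a missing (None) or empty section. Only the first two
    fields of each row matter for the generation check. A malformed row
    raises ValueError so a broken section is never mistaken for "no entries".
    """
    if not section:
        return []
    text = section.decode("ascii").rstrip("\x00")  # sections are often NUL-padded
    entries: list[SbatEntry] = []
    for row in csv.reader(io.StringIO(text)):
        if not any(field.strip() for field in row):
            continue  # blank line
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT row: {row!r}")
        entries.append(SbatEntry(row[0].strip(), int(row[1])))
    return entries


def parse_revocations(policy: str) -> dict[str, int]:
    """Parse a revocation list of component_name,minimum_generation rows.

    Extra fields (such as a date on the header row) are ignored.
    """
    minimums: dict[str, int] = {}
    for row in csv.reader(io.StringIO(policy)):
        if not any(field.strip() for field in row):
            continue
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed revocation row: {row!r}")
        minimums[row[0].strip()] = int(row[1])
    return minimums


def check_generations(entries: list[SbatEntry], minimums: dict[str, int]) -> list[str]:
    """Return one message per component whose generation is below the minimum.

    Components absent from the revocation list are not constrained.
    """
    violations = []
    for entry in entries:
        required = minimums.get(entry.component_name)
        if required is not None and entry.component_generation < required:
            violations.append(
                f"{entry.component_name}: generation {entry.component_generation} < required {required}"
            )
    return violations


# Constructed policy for images with no SBAT data, keyed by the trust source
# that authorized the image. Models the options in the thread; not shim's table.
MISSING_SBAT_POLICY = {
    "vendor": "reject",  # embedded distro cert: official images always carry SBAT
    "mok": "allow",      # machine-owner key: locally signed images may omit it
    "db": "skip",        # authorized by db: no SBAT check performed at all
}


def evaluate_image(section: Optional[bytes], revocations: str, trust_source: str) -> tuple[bool, str]:
    """Decide whether an image may boot; returns (allowed, reason)."""
    minimums = parse_revocations(revocations)
    action = MISSING_SBAT_POLICY[trust_source]
    if action == "skip":
        return True, f"authorized via {trust_source}: SBAT not checked"
    entries = parse_sbat(section)
    if not entries:
        if action == "allow":
            return True, f"no SBAT data; permitted for {trust_source}-authorized image"
        return False, f"no SBAT data; required for {trust_source}-authorized image"
    violations = check_generations(entries, minimums)
    if violations:
        return False, "; ".join(violations)
    return True, "all components meet the minimum generation"


# Constructed sample data: a kernel image's .sbat section and a revocation list.
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"linux,1,Example Distro,linux,6.5.0-example,https://example.invalid/linux\n"
)
SAMPLE_REVOCATIONS = "sbat,1,2023070100\nlinux,2\ngrub,3\n"

if __name__ == "__main__":
    for source in ("vendor", "mok", "db"):
        print(source, "with SBAT:   ", evaluate_image(SAMPLE_SBAT, SAMPLE_REVOCATIONS, source))
        print(source, "without SBAT:", evaluate_image(b"", SAMPLE_REVOCATIONS, source))
```

Run as a script it prints the decision for each trust source with and without SBAT data; the sample kernel entry (generation 1) is rejected for a vendor-authorized image because the revocation list requires generation 2, while the same image with an empty section is accepted under the mok rule and never checked under the db rule.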