Message ID | 20230623123622.4126234-1-eesposit@redhat.com |
---|---|
State | New |
Headers | From: Emanuele Giuseppe Esposito <eesposit@redhat.com>; To: x86@kernel.org; Cc: Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>, Dave Hansen <dave.hansen@linux.intel.com>, "H. Peter Anvin" <hpa@zytor.com>, Andrew Morton <akpm@linux-foundation.org>, Masahiro Yamada <masahiroy@kernel.org>, Alexander Potapenko <glider@google.com>, Nick Desaulniers <ndesaulniers@google.com>, Vitaly Kuznetsov <vkuznets@redhat.com>, Daniel P. Berrangé <berrange@redhat.com>, linux-kernel@vger.kernel.org, Emanuele Giuseppe Esposito <eesposit@redhat.com>; Subject: [RFC PATCH] x86/boot: add .sbat section to the bzImage; Date: Fri, 23 Jun 2023 08:36:22 -0400; Message-Id: <20230623123622.4126234-1-eesposit@redhat.com> |
Series | [RFC] x86/boot: add .sbat section to the bzImage |
Commit Message
Emanuele Giuseppe Esposito
June 23, 2023, 12:36 p.m. UTC
*Important*: this is just an RFC, as I am not an expert in this area and
I don't know what the best way to achieve this is.
The aim of this patch is to add a .sbat section to the linux binary
(https://github.com/rhboot/shim/blob/main/SBAT.md).
We mainly need SBAT in UKIs (Unified Kernel Images), as we might want
to revoke authorizations to specific signed PEs that were initially
considered as trusted. The reason might be, for example, a security issue
related to a specific linux release.
A .sbat is simply a section containing a string with the component name
and a version number. This version number is compared with the value in
OVMF_VARS, and if it's less than the variable, the binary is not trusted,
even if it is correctly signed.
Right now a UKI is built with a .sbat section containing the
systemd-stub sbat string (upstream + vendor); we would also like to add
a per-component specific string (i.e. vmlinux has its own sbat,
again upstream + vendor, each signed add-on its own and so on).
In this way, if a specific kernel version has an issue, we can revoke
it without compromising all other UKIs that are using a different
kernel with the same stub/initrd/something else.
Issues with this patch:
* the string is added in a file but it is never deleted
* if the code is not modified but make is issued again, objcopy will
be called again and will fail because .sbat exists already, making
compilation fail
* minor display issue: objcopy command is printed in the make logs
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
---
arch/x86/boot/Makefile | 2 ++
1 file changed, 2 insertions(+)
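The revocation check the commit message describes, as an added, constructed model (not kernel or shim code): it parses the six-field CSV records carried in a `.sbat` section and compares each component's generation against a policy of the kind held in the firmware variable. It assumes the shim-style rule that only components named in the policy are checked; the systemd-stub record, vendor strings and version numbers in the sample are made up.

```python
# Constructed model (not kernel or shim code) of the SBAT check described in
# the commit message: parse an image's .sbat records and compare each
# component generation against a revocation policy (the "value in OVMF_VARS").
from dataclasses import dataclass


@dataclass(frozen=True)
class SbatRecord:
    component: str
    generation: int   # small integer bumped on revocation, not a version
    vendor: str
    package: str
    version: str
    url: str


def parse_sbat(section: str) -> list[SbatRecord]:
    """One CSV record per line, six fields each; blank lines are skipped."""
    records = []
    for line in section.splitlines():
        if not line.strip():
            continue
        fields = line.strip().split(",")
        if len(fields) != 6:
            raise ValueError(f"malformed sbat record: {line!r}")
        records.append(SbatRecord(fields[0], int(fields[1]), *fields[2:]))
    return records


def parse_policy(policy: str) -> dict[str, int]:
    """Revocation policy: 'component,minimum_generation' per line."""
    return {n.strip(): int(g) for n, g in
            (ln.split(",")[:2] for ln in policy.splitlines() if ln.strip())}


def sbat_allows(section: str, policy: str) -> tuple[bool, list[str]]:
    """Reject when any component named in the policy carries a generation
    below the required one; components the policy does not name are ignored."""
    levels = parse_policy(policy)
    reasons = [f"{r.component}: generation {r.generation} < {levels[r.component]}"
               for r in parse_sbat(section)
               if r.component in levels and r.generation < levels[r.component]]
    return (not reasons, reasons)


# Constructed sample: two UKIs share the stub record and differ only in the
# per-kernel record this patch adds (vendor strings and versions are made up).
UKI_OLD_KERNEL = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "systemd-stub,1,The systemd Developers,systemd,254,https://systemd.io/\n"
    "linux,1,The Linux Developers,linux,6.4.0,https://linux.org\n"
)
UKI_NEW_KERNEL = UKI_OLD_KERNEL.replace("linux,1,", "linux,2,")
REVOKE_OLD_LINUX = "sbat,1\nlinux,2\n"   # revokes kernel generation 1 only
```

With the policy above, the UKI carrying the generation-1 kernel record is rejected while the one with generation 2 still boots, even though both share the same stub record.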
Comments
On 23/06/2023 at 14:36, Emanuele Giuseppe Esposito wrote:
> *Important*: this is just an RFC, as I am not expert in this area and
> I don't know what's the best way to achieve this.
>
> The aim of this patch is to add a .sbat section to the linux binary
> (https://github.com/rhboot/shim/blob/main/SBAT.md).
> We mainly need SBAT in UKIs (Unified Kernel Images), as we might want
> to revoke authorizations to specific signed PEs that were initially
> considered as trusted. The reason might be for example a security issue
> related to a specific linux release.
>
> A .sbat is simply a section containing a string with the component name
> and a version number. This version number is compared with the value in
> OVMF_VARS, and if it's less than the variable, the binary is not trusted,
> even if it is correctly signed.
>
> Right now an UKI is built with a .sbat section containing the
> systemd-stub sbat string (upstream + vendor), we would like to add
> also a per-component specific string (ie vmlinux has its own sbat,
> again upstream + vendor, each signed add-on its own and so on).
> In this way, if a specific kernel version has an issue, we can revoke
> it without compromising all other UKIs that are using a different
> kernel with the same stub/initrd/something else.
>
> Issues with this patch:
> * the string is added in a file but it is never deleted
> * if the code is not modified but make is issued again, objcopy will
> be called again and will fail because .sbat exists already, making
> compilation fail
> * minor display issue: objcopy command is printed in the make logs
>
> Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
> ---
> arch/x86/boot/Makefile | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
> index 9e38ffaadb5d..65ff6fcf5372 100644
> --- a/arch/x86/boot/Makefile
> +++ b/arch/x86/boot/Makefile
> @@ -83,6 +83,8 @@ cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \ > > $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE > $(call if_changed,image) > + @$(kecho) "linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org" > linux.sbat; > + $(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=linux.sbat $@; > @$(kecho) 'Kernel: $@ is ready' ' (#'$(or $(KBUILD_BUILD_VERSION),`cat .version`)')' > > OBJCOPYFLAGS_vmlinux.bin := -O binary -R .note -R .comment -S

ping?
diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile index 9e38ffaadb5d..65ff6fcf5372 100644 --- a/arch/x86/boot/Makefile +++ b/arch/x86/boot/Makefile @@ -83,6 +83,8 @@ cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \ $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE $(call if_changed,image) + @$(kecho) "linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org" > linux.sbat; + $(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=linux.sbat $@; @$(kecho) 'Kernel: $@ is ready' ' (#'$(or $(KBUILD_BUILD_VERSION),`cat .version`)')' OBJCOPYFLAGS_vmlinux.bin := -O binary -R .note -R .comment -S
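Review bot: the two added recipe lines in the `$(obj)/bzImage` rule run on every invocation, outside `$(call if_changed,image)`, so a repeated `make` with an up-to-date bzImage still re-runs `$(OBJCOPY) --add-section .sbat=linux.sbat $@` against a file that already has the section (the failure the commit message lists), and `linux.sbat` is written to the current directory rather than `$(obj)` and is never cleaned up. Folding both steps into `cmd_image`, or giving them their own `if_changed` rule with `$(obj)/linux.sbat` in `targets`, ties them to the actual image rebuild, makes a change to the sbat string re-trigger the build, and routes the objcopy invocation through the kbuild quiet/verbose output instead of echoing the raw command. On the string itself: the generation field is hardcoded to `1` with no Kconfig or Makefile knob to bump it, yet bumping that number for newer kernels is the only way the per-kernel revocation the commit message describes can exclude an older build; and the vendor name and URL (`The Linux Developers`, `https://linux.org`) read as placeholders, so the final version should settle them and check the generated record against the format in the SBAT.md linked from the commit message.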