From patchwork Tue Jul 11 15:44:49 2023
X-Patchwork-Submitter: Emanuele Giuseppe Esposito
X-Patchwork-Id: 118639
From: Emanuele Giuseppe Esposito
To: x86@kernel.org
Cc: Thomas Gleixner, bluca@debian.org, lennart@poettering.net, Ingo Molnar, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Andrew Morton, Masahiro Yamada, Alexander Potapenko, Nick Desaulniers, Vitaly Kuznetsov, Daniel P. Berrangé, linux-kernel@vger.kernel.org, Emanuele Giuseppe Esposito
Subject: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
Date: Tue, 11 Jul 2023 11:44:49 -0400
Message-Id: <20230711154449.1378385-1-eesposit@redhat.com>

*Important*: this is just an RFC, as I am not an expert in this area and I don't know what the best way to achieve this is.

v2:
* add standard "sbat,1,SBAT Version,..." header string

The aim of this patch is to add a .sbat section to the linux binary (https://github.com/rhboot/shim/blob/main/SBAT.md).

We mainly need SBAT in UKIs (Unified Kernel Images), as we might want to revoke authorizations to specific signed PEs that were initially considered as trusted. The reason might be, for example, a security issue related to a specific linux release.

A .sbat is simply a section containing a string with the component name and a version number. This version number is compared with the value in OVMF_VARS, and if it's less than the variable, the binary is not trusted, even if it is correctly signed.
Right now a UKI is built with a .sbat section containing the systemd-stub sbat string (upstream + vendor); we would like to also add a per-component specific string (i.e. vmlinux has its own sbat, again upstream + vendor, each signed add-on its own, and so on). In this way, if a specific kernel version has an issue, we can revoke it without compromising all other UKIs that are using a different kernel with the same stub/initrd/something else.

Issues with this patch:
* the string is added in a file but it is never deleted
* if the code is not modified but make is issued again, objcopy will be called again and will fail because .sbat exists already, making compilation fail
* minor display issue: objcopy command is printed in the make logs

Signed-off-by: Emanuele Giuseppe Esposito
---
 arch/x86/boot/Makefile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile index 9e38ffaadb5d..6982a50ba0c0 100644 --- a/arch/x86/boot/Makefile +++ b/arch/x86/boot/Makefile @@ -83,6 +83,9 @@ cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \ $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE $(call if_changed,image) + @$(kecho) "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md" > linux.sbat + @$(kecho) "linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org" >> linux.sbat; + $(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=linux.sbat $@; @$(kecho) 'Kernel: $@ is ready' ' (#'$(or $(KBUILD_BUILD_VERSION),`cat .version`)')' OBJCOPYFLAGS_vmlinux.bin := -O binary -R .note -R .comment -S
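Review bot: the three added recipe lines write linux.sbat into the current directory and run objcopy unconditionally after `$(call if_changed,image)`, which is the root of both listed issues: on a rebuild with no source change the .sbat section already exists and `--add-section` aborts, and the temporary file is never cleaned up. Generating linux.sbat as a proper `$(obj)/` target (listed in `targets` and `clean-files`) and folding `$(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=linux.sbat $@` into `cmd_image` itself would run the step only when bzImage is actually regenerated, and would also cure the display issue since if_changed prints the short `cmd_` form instead of the raw command. Two things to verify before this leaves RFC: bzImage carries the PE/COFF header that objcopy needs for `--add-section` only when CONFIG_EFI_STUB is set, so the step should be guarded by that option, and `--set-section-alignment` is not understood by older binutils, so check it against the minimum binutils version the kernel supports. Finally, the literal generation `1` in `"linux,1,The Linux Developers,linux,$(KERNELVERSION),https://linux.org"` is the value firmware compares, not $(KERNELVERSION); it needs to come from a variable that can be bumped when a revocation is issued, and the stray trailing `;` on the second and third added lines can be dropped.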
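The comparison the cover letter describes (each component's generation in .sbat against the minimum the firmware variable demands), as an added example that is not part of the patch or of shim: a small Python checker that parses exactly the two CSV lines the recipe writes and evaluates them against a revocation list in the "component,generation" form SBAT.md uses for the policy. The kernel version string and both policy texts are constructed sample data.

```python
import csv
from dataclasses import dataclass
from io import StringIO


@dataclass(frozen=True)
class SbatEntry:
    component: str   # e.g. "linux"
    generation: int  # revocation counter, bumped when a fixed build ships
    vendor: str
    package: str
    version: str     # informational only, never compared
    url: str


def parse_sbat_section(text: str) -> list[SbatEntry]:
    """Parse the CSV payload of a .sbat section, one component per line."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue  # tolerate blank lines / trailing newline
        if len(row) != 6 or not row[1].isdigit():
            raise ValueError(f"malformed SBAT line: {row!r}")
        comp, gen, vendor, pkg, ver, url = row
        entries.append(SbatEntry(comp, int(gen), vendor, pkg, ver, url))
    return entries


def parse_policy(text: str) -> dict[str, int]:
    """Revocation list, 'component,generation[,...]' per line, as a lookup."""
    return {row[0]: int(row[1]) for row in csv.reader(StringIO(text)) if row}


def sbat_allows(section_text: str, policy_text: str) -> tuple[bool, str]:
    """Reject if any component's generation is below the policy minimum."""
    policy = parse_policy(policy_text)
    for e in parse_sbat_section(section_text):
        minimum = policy.get(e.component)  # unlisted components are unrestricted
        if minimum is not None and e.generation < minimum:
            return False, f"{e.component} generation {e.generation} < required {minimum}"
    return True, "all components at or above the required generation"


# Constructed sample: the two lines the recipe writes (the version stands in for
# $(KERNELVERSION)) and a policy before/after revoking linux generation 1.
KERNEL_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "linux,1,The Linux Developers,linux,6.5.0-rc1,https://linux.org\n"
)
POLICY_BEFORE = "sbat,1,2023071100\n"
POLICY_AFTER = "sbat,1,2023071100\nlinux,2\n"
```

Note that only the generation column takes part in the decision; the version string is carried for humans, which is why a revocation requires bumping the generation in the recipe rather than just shipping a newer $(KERNELVERSION).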