Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage

From: Peter Zijlstra
Date: Thu Jul 13 2023 - 05:17:22 EST

Next message: Simon Horman: "Re: [PATCH net-next v3 08/11] net: phy: add support for C45-over-C22 transfers"
Previous message: Srinivas Kandagatla: "Re: [PATCH RESEND v5 2/2] nvmem: core: Expose cells through sysfs"
In reply to: Vitaly Kuznetsov: "Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage"
Next in thread: Greg KH: "Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jul 13, 2023 at 10:57:45AM +0200, Vitaly Kuznetsov wrote:

> this was an RFC to answer a fairly straitforward question: is upstream
> Linux interested in / is a suitable place for having SBAT revocation
> mechanism or not.

If only it would have actually had that question in :/ But then we
would've still had the whole WTF is a SBAT(SHIT) and why should we care
discussion.

Fundamentally, I don't think upstream can care; upstream doesn't have a
signing key, it will never be revoked, bumping the upstream number
doesn't make sense -- ever.

> We can, of course, iron out the details whether it
> should be "linux.org"/"linux.com"/"lore.kernel.org/lkml/" or
> "linux.onion" and where to put objcopy call, whether to silence its

Seriously ?!? kernel.org is the only sane option here, none of the
others make any damn sense.

> output or not but these are rather implemntation details. I don't
> particularly see why anyone would need to get additional sign-offs to
> just ask a question (which I don actually think was asked before!) and
> IMO an RFC/patch is usually the best way to do so.

But there wasn't no question, was there. There isn't a single '?' in
that thing. And it starts of with random implementation detail blabber.

> Following the discussion, it seems that at least x86 maintainer[s] are
> opposed to the very idea of having SBAT revocation mechanism integrated
> upstream because it's hard to meaningfully define what epoch is. This is
> OK (which doesn't mean we all agree to that) but as there's real need to
> revoke "bad" (in UEFI SecureBoot sense) kernels, distros will likely
> come up with their custom, downstream only ways to do it. Without an
> upstream reference, however, they may come up with very differently
> looking SBAT sections, this may or may not be problematic in the future,
> who knows.

Well, if the various stake-holders can't even agree on things, things
are very bleak indeed.

I just don't see why upstream would want/need to carry any of this
because it has no meaning to us, we don't play in the secure boot pen,
not haz key etc.. (for good reasons IIUC).

Next message: Simon Horman: "Re: [PATCH net-next v3 08/11] net: phy: add support for C45-over-C22 transfers"
Previous message: Srinivas Kandagatla: "Re: [PATCH RESEND v5 2/2] nvmem: core: Expose cells through sysfs"
In reply to: Vitaly Kuznetsov: "Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage"
Next in thread: Greg KH: "Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]