Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage

[Eric Snowberg]

(add keyrings@ cc)

> On Jul 17, 2023, at 11:15 AM, James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> On Mon, 2023-07-17 at 17:56 +0100, Daniel P. Berrangé wrote:
>> On Mon, Jul 17, 2023 at 12:08:26PM -0400, James Bottomley wrote:
>>> On Thu, 2023-07-13 at 15:52 +0200, Ard Biesheuvel wrote:
>>>> (add linux-efi@ cc)
>>> 
>>> Thanks for that, since this is really EFI related rather than x86.
>> 
>> snip
>> 
>>> The problem, as I see it, is if the distros give the kernel an
>>> .sbat section, that means any vanilla kernel that's built by a user
>>> and signed by their key now won't work (even if their key is in
>>> MoK) because it won't have an sbat section ... and the sbat
>>> mechanism is component specific, not key specific, so the signer
>>> has no choice but to adopt it.
>> 
>> AFAICT, that problem only exists for binaries directly invoked
>> from shim. So that would be a problem for the boot loader (grub),
>> or a kernel image being booted directly without a bootloader
>> present.
> 
> Well, currently, yes; that's the in_protocol check in
> shim.c:verify_sbat_section().  However, I was assuming based on this
> thread, that that was being tightened up (either because people are
> moving away from grub or because the shim verifier protocol would
> enforce it) as you imply below.
> 
>> For kernel binaries invoked indirectly by the boot loader, the
>> use of SBAT is currently optional. ie missing SBAT record would
>> be treated as success.
>> 
>> This was a pragmatic way to introduce SBAT support as it only
>> impacted grub at that time.
>> 
>> Once a distro starts adding SBAT to their kenrels too though, we
>> can forsee that they would like to enforce SBAT for the whole
>> boot chain, to prevent rollback to previously signed binaries
>> that lacked SBAT info.
>> 
>> This policy could be enforced per key though. eg require SBAT
>> for anything verified against the vendor key that's compiled into
>> shim, but not require SBAT for binaries verified with the MoK
>> entries.
> 
> That might work, but it's not currently in the shim code base.  It also
> wouldn't work for SUSE I suspect: they actually put all of their distro
> keys into MokList (so the machine owner has to approve any SUSE key
> update), so how can shim tell the difference between my key and their
> key?
> 
>> The user specific MoK entries don't have such a compelling use
>> case for SBAT, since if they need to revoke old binaries, the
>> end users always have the easy fallback option of just rotating
>> their signing keys and switching out the enrolled key in MoK.
>> 
>> The choice of whether to mandate SBAT for binaries signed with
>> a MoK entry, could be set by the end user themselves at the time
>> their enroll their signing cert in the MoK DB.
> 
> Well, I agree with this, since it was my original point.  However, a
> key observation still seems to be that none of this exception proposal
> is actually coded anywhere, so if shim does tighten up sbat
> verification, everyone currently gets caught by it (and if it doesn't
> then the kernel doesn't need an sbat section).
> 
> I really think if this exception proposal is what everyone is planning,
> then you can simply leave the upstream kernel alone, since it won't
> require sbat information unless incorporated into a distro.
> 
> So the direction forward seems to be to get this exception proposal
> coded up and agreed and then we can decide based on that whether the
> upstream kernel needs to care.

I agree with James in the previous thread;  adding the SBAT section to
the kernel should be handled by the signing tools. It really doesn't need to 
be included in the mainline kernel code. I also agree with the sentiment that 
mainline and the stable branches should not have SBAT versions attached 
to them. These are things distros should be responsible for including in their 
kernel if they want to have SBAT support.

If a distro adds a SBAT section to either their UKI, or if kernel SBAT enforcement 
is turned on from GRUB2 by default, there is one piece missing that would need 
to be handled by the mainline kernel which is SBAT enforcement for kexec. This 
would mean the revocations SBAT protect against would need to be referenced 
before doing the signature validation in kexec. If this is not added, any distro that 
allows kexec really doesn’t have a SBAT protected kernel.

Proposal for SBAT kexec protection:

Linux contains a machine and a platform keyring. The platform keyring contains 
keys that are in the UEFI Secure Boot DB. The machine keyring contains all the 
Machine Owner Keys (MOK). Today, MOK keys are a collection of keys 
embedded into shim as well as user enrolled keys. There is also a MOKX which 
contains revocations that currently get loaded into the blacklist keyring.

The current SBAT doc implies that things signed by a MOK cert can be revoked 
by SBAT. Previously, revocations came from MOKX. Instead of changing the 
current MOK usage in the kernel, how about shim adding a new keyring? Any 
cert that is embedded or enrolled into shim requiring SBAT enforcement would 
be contained within this new keyring. The original MOK keyring would start out 
empty in shim (or it could also contain distro certs used to sign older non-SBAT 
kernels for backwards compatibility). If the enduser wants to enroll their own key 
to boot a custom signed kernel, nothing changes. When the machine boots, shim 
references both keyrings. MOK keys do not require SBAT enforcement, the shim 
SBAT keyring does. When Linux boots, MOK keys go into the machine keyring. 
Linux then adds support for a new keyring that loads the keys requiring SBAT 
enforcement (calling it the sbat keyring for now). During kexec the machine, 
platform, builtin_trusted, secondary and new sbat keyring all get referenced. The 
machine, builtin, and secondary keyrings do not require SBAT enforcement for 
kexec. Both the platform and sbat keyring require SBAT enforcement.

This would allow distros to sign kernels using updated signing tools that append the 
proper SBAT information. It allows distros to support non-SBAT kernels it previously 
signed for backwards compatibility. It leaves the mainline kernel out of needing to 
have a SBAT level or ever maintaining one. It allows end-users to enroll their own 
keys and sign their own kernels just like they can today. It also allows mainline Linux 
to understand SBAT only to the point necessary to enforce the SBAT level for a kexec.