Open mcb30 opened 1 year ago
Kernels to my knowledge have no SBAT ability yet, so you need to either build a UKI with the systemd-boot stub with SBAT section in it, or use grub. Maybe you can objcopy a .sbat section into a raw kernel PE image too, I do not know.
@julian-klode Thank you for the information.
Building a custom UKI will produce a binary without any distro Secure Boot signature, and using objcopy
to add an .sbat
section to an existing kernel image would invalidate its existing distro Secure Boot signature, so unfortunately neither of those are viable options.
Is the intention that the kernel should eventually gain SBAT support, or is this not even a planned feature?
Is the intention that the kernel should eventually gain SBAT support
Yes.
or is this not even a planned feature?
False dichotomy.
Is the intention that the kernel should eventually gain SBAT support
Yes.
Great, thanks! Any chance you could you point me towards the mailing list posts to add it? I can't find them, sorry.
or is this not even a planned feature?
False dichotomy.
...?
Intention is not execution. Just because something should happen does not mean it currently is.
False dichotomy occurs when a relationship of the form "Either a, or b" is expressed while a and b are either not mutually exclusive or the union of a and b does not fully cover the range of possibility. In this case, the second: it is not correct to assume that something is either intended or not planned.
Intention is not execution. Just because something should happen does not mean it currently is.
False dichotomy occurs when a relationship of the form "Either a, or b" is expressed while a and b are either not mutually exclusive or the union of a and b does not fully cover the range of possibility. In this case, the second: it is not correct to assume that something is either intended or not planned.
OK, so it sounds as though you're saying there is a general vague intention that the kernel should at some undefined future point gain SBAT support, but that as far as you know nobody has yet done anything about it and nobody is actively working on it. Is this a fair summary?
OK, so it sounds as though you're saying there is a general vague intention that the kernel should at some undefined future point gain SBAT support, but that as far as you know nobody has yet done anything about it and nobody is actively working on it. Is this a fair summary?
FYI there was a somewhat painful thread on this topic the past week or two:
https://lore.kernel.org/lkml/20230711154449.1378385-1-eesposit@redhat.com/
TL;DR; there is strong pushback against the idea of adding SBAT info upstream. Unless something changes in this POV, any SBAT info added to the kernel binaries is likely to end up being a downstream only vendor addition at the time they build and sign their kernel images.
OK, so it sounds as though you're saying there is a general vague intention that the kernel should at some undefined future point gain SBAT support, but that as far as you know nobody has yet done anything about it and nobody is actively working on it. Is this a fair summary?
FYI there was a somewhat painful thread on this topic the past week or two:
https://lore.kernel.org/lkml/20230711154449.1378385-1-eesposit@redhat.com/
Ouch. Thanks for your efforts in trying to get SBAT upstreamed.
For now, we've had to work around it in iPXE by disabling the SBAT check in shim. I don't like doing this (because SBAT is a sane mechanism), but if the generally available signed distro kernels don't include SBAT sections then we have no alternative available to us. :cry:
Current versions of shim (from 15.3 onwards) will refuse to invoke a second stage loader that does not have an
.sbat
data section: https://github.com/rhboot/shim/blob/f23883ccf78f1f605a272f9e5700f47e5494a71d/pe.c#L844-L852As far as I can tell, Linux kernels do not include an
.sbat
section. There is no sign of SBAT support within the kernel sources, andobjdump -x
confirms that at least current Fedora kernels do not have.sbat
.There is some reference in https://github.com/rhboot/shim/blob/f23883ccf78f1f605a272f9e5700f47e5494a71d/SBAT.md#kernel-support-for-sbat to separate SBAT-containing files for the kernel:
However, I can find no existent examples of such a key file, and from looking through the code I don't see any way that
shim
would be able to consume these files even if they existed.So, questions: