(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig build that boots as expected under OVMF/KVM.
5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
7e50262229fa x86/efi: Disregard setup header of loaded image
bfab35f552ab x86/efi: Drop alignment flags from PE section headers
768171d7ebbc x86/boot: Remove the 'bugger off' message
8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image memory footprint
7448e8e5d15a x86/boot: Drop redundant code setting the root device
b618d31f112b x86/boot: Drop references to startup_64
2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
eac956345f99 x86/boot: Set EFI handover offset directly in header asm
093ab258e3fb x86/boot: Define setup size in linker script
aeb92067f6ae x86/boot: Derive file size from _edata symbol
efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
fa5750521e0a x86/boot: Drop PE/COFF .reloc section
34951f3c28bd x86/boot: Split off PE/COFF .data section
3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/compressed/vmlinux.lds.S | 6 +-
arch/x86/boot/header.S | 211 ++++++++++-------------
arch/x86/boot/setup.ld | 14 +-
arch/x86/boot/tools/build.c | 273 ++------------------------------
drivers/firmware/efi/libstub/Makefile | 7 -
drivers/firmware/efi/libstub/x86-stub.c | 46 +-----
7 files changed, 112 insertions(+), 447 deletions(-)
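As an added example (not part of this thread, and not code from the kernel tree), the following Python checker inspects a PE/COFF header for the properties the request above describes as conditions for a signable EFI stub image: no section that is both writable and executable, the NX_COMPAT DllCharacteristics bit set, and 4k section / 512-byte file alignment. The rule set is modelled on the thread's wording rather than on Microsoft's published signing policy, and the two sample images are constructed in-code (header-only, no section data); both of those are assumptions, not facts from the page.

```python
"""Minimal PE/COFF header checker for the W^X / NX_COMPAT / alignment
properties discussed in the thread (added example; rule set assumed)."""
import struct

# Section characteristic bits and the DllCharacteristics NX flag as defined
# in the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER


def parse_pe(image):
    """Return (SectionAlignment, FileAlignment, DllCharacteristics, sections)
    from a PE32/PE32+ image; sections are (name, vaddr, rawptr, chars)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic %#x" % magic)
    # SectionAlignment, FileAlignment and DllCharacteristics sit at the same
    # offsets in the PE32 and PE32+ optional headers.
    sect_align, file_align = struct.unpack_from("<II", image, opt + 32)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    sections = []
    for i in range(nsections):
        name, _, vaddr, _, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(
            image, opt + opt_size + i * SECTION_HDR.size)
        sections.append((name.rstrip(b"\0").decode(), vaddr, rawptr, chars))
    return sect_align, file_align, dll_chars, sections


def check_image(image):
    """Return a list of findings; an empty list means the image passes."""
    sect_align, file_align, dll_chars, sections = parse_pe(image)
    findings = []
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("NX_COMPAT not set in DllCharacteristics")
    if sect_align != 4096:
        findings.append("SectionAlignment is %#x, expected 0x1000" % sect_align)
    if file_align != 512:
        findings.append("FileAlignment is %#x, expected 0x200" % file_align)
    for name, vaddr, rawptr, chars in sections:
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %s is both writable and executable" % name)
        if sect_align and vaddr % sect_align:
            findings.append("section %s VirtualAddress not section-aligned" % name)
        if file_align and rawptr % file_align:
            findings.append("section %s PointerToRawData not file-aligned" % name)
    return findings


def build_image(sections, nx_compat=True, sect_align=4096, file_align=512):
    """Construct a header-only PE32+ image for testing (not a real kernel)."""
    def round_up(n, a):
        return (n + a - 1) // a * a
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    opt = bytearray(240)                                    # PE32+ header, 16 data dirs
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_NX_COMPAT if nx_compat else 0)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x0022)
    hdrs = b""
    vaddr, rawptr = sect_align, file_align
    for name, chars, size in sections:
        hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), size, vaddr,
                                 size, rawptr, 0, 0, 0, 0, chars)
        vaddr += round_up(size, sect_align)
        rawptr += round_up(size, file_align)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed samples: one laid out the way the series leaves the header
# (separate RX .text and RW .data, 4k/512 alignment, NX_COMPAT set), and one
# in the older style with a single RWX section and 0x20 alignment.
GOOD_IMAGE = build_image([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE, 0x1000),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x200),
])
BAD_IMAGE = build_image([
    (".setup", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
     | IMAGE_SCN_MEM_EXECUTE, 0x1000),
], nx_compat=False, sect_align=0x20, file_align=0x20)

if __name__ == "__main__":
    for label, img in (("good sample", GOOD_IMAGE), ("bad sample", BAD_IMAGE)):
        print(label, "->", check_image(img) or "ok")
```

To run it against a real build, pass the bytes of a bzImage (`check_image(open(path, "rb").read())`); the checker reads only the headers, so it does not need the section contents to be present.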
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig build that boots as expected under OVMF/KVM.
5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
7e50262229fa x86/efi: Disregard setup header of loaded image
bfab35f552ab x86/efi: Drop alignment flags from PE section headers
768171d7ebbc x86/boot: Remove the 'bugger off' message
8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image memory footprint
7448e8e5d15a x86/boot: Drop redundant code setting the root device
b618d31f112b x86/boot: Drop references to startup_64
2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
eac956345f99 x86/boot: Set EFI handover offset directly in header asm
093ab258e3fb x86/boot: Define setup size in linker script
aeb92067f6ae x86/boot: Derive file size from _edata symbol
efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
fa5750521e0a x86/boot: Drop PE/COFF .reloc section
34951f3c28bd x86/boot: Split off PE/COFF .data section
3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section
Is the list here the order in which they should be applied in?
And is this not an issue for 6.1.y as well?
thanks,
greg k-h
On Thu, 15 Feb 2024 at 10:27, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig build that boots as expected under OVMF/KVM.
5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
7e50262229fa x86/efi: Disregard setup header of loaded image
bfab35f552ab x86/efi: Drop alignment flags from PE section headers
768171d7ebbc x86/boot: Remove the 'bugger off' message
8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image memory footprint
7448e8e5d15a x86/boot: Drop redundant code setting the root device
b618d31f112b x86/boot: Drop references to startup_64
2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
eac956345f99 x86/boot: Set EFI handover offset directly in header asm
093ab258e3fb x86/boot: Define setup size in linker script
aeb92067f6ae x86/boot: Derive file size from _edata symbol
efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
fa5750521e0a x86/boot: Drop PE/COFF .reloc section
34951f3c28bd x86/boot: Split off PE/COFF .data section
3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section
Is the list here the order in which they should be applied in?
Yes. These are all from v6.7 except the last one, but that has been queued for v6.7 already.
And is this not an issue for 6.1.y as well?
It is, but there are many more changes that would need to go into v6.1:
Documentation/x86/boot.rst | 2 +-
arch/x86/Kconfig | 17 +
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/compressed/Makefile | 13 +-
arch/x86/boot/compressed/efi_mixed.S | 328 ++++++++++++++
arch/x86/boot/compressed/efi_thunk_64.S | 195 --------
arch/x86/boot/compressed/head_32.S | 38 +-
arch/x86/boot/compressed/head_64.S | 593 +++++--------------------
arch/x86/boot/compressed/mem_encrypt.S | 152 ++++++-
arch/x86/boot/compressed/misc.c | 61 ++-
arch/x86/boot/compressed/misc.h | 2 -
arch/x86/boot/compressed/pgtable.h | 10 +-
arch/x86/boot/compressed/pgtable_64.c | 87 ++--
arch/x86/boot/compressed/sev.c | 112 +++--
arch/x86/boot/compressed/vmlinux.lds.S | 6 +-
arch/x86/boot/header.S | 215 ++++-----
arch/x86/boot/setup.ld | 14 +-
arch/x86/boot/tools/build.c | 271 +----------
arch/x86/include/asm/boot.h | 8 +
arch/x86/include/asm/efi.h | 14 +-
arch/x86/include/asm/sev.h | 7 +
drivers/firmware/efi/libstub/Makefile | 8 +-
drivers/firmware/efi/libstub/alignedmem.c | 5 +-
drivers/firmware/efi/libstub/arm64-stub.c | 6 +-
drivers/firmware/efi/libstub/efi-stub-helper.c | 2 +
drivers/firmware/efi/libstub/efistub.h | 28 +-
drivers/firmware/efi/libstub/mem.c | 3 +-
drivers/firmware/efi/libstub/randomalloc.c | 13 +-
drivers/firmware/efi/libstub/x86-5lvl.c | 95 ++++
drivers/firmware/efi/libstub/x86-stub.c | 327 +++++++-------
drivers/firmware/efi/libstub/x86-stub.h | 17 +
include/linux/efi.h | 1 +
32 files changed, 1204 insertions(+), 1448 deletions(-)
(Note: the commit hashes below are bogus, they are from my tree [0])
If you're happy to take these too, I can give you the proper list, but perhaps we should deal with v6.6 first?
9d2df639ec41 x86/boot/compressed: Rename efi_thunk_64.S to efi-mixed.S
4dae7beb5530 x86/boot/compressed: Move 32-bit entrypoint code into .text section
8b6ddf82c1e7 x86/boot/compressed: Move bootargs parsing out of 32-bit startup code
31d3e51c565f x86/boot/compressed: Move efi32_pe_entry into .text section
4099d7a76e86 x86/boot/compressed: Move efi32_entry out of head_64.S
7bed86e158bf x86/boot/compressed: Move efi32_pe_entry() out of head_64.S
d808c48f53d1 x86/boot/compressed, efi: Merge multiple definitions of image_offset into one
bb183fa754f7 x86/boot/compressed: Simplify IDT/GDT preserve/restore in the EFI thunk
b78d930f51c9 x86/boot/compressed: Avoid touching ECX in startup32_set_idt_entry()
8c69f96fe1df x86/boot/compressed: Pull global variable reference into startup32_load_idt()
6b84fc96784b x86/boot/compressed: Move startup32_load_idt() into .text section
6dd53426e8ef x86/boot/compressed: Move startup32_load_idt() out of head_64.S
82db0efabd4a x86/boot/compressed: Move startup32_check_sev_cbit() into .text
7aaa10f2f01a x86/boot/compressed: Move startup32_check_sev_cbit() out of head_64.S
6b5a2ab4d783 x86/boot/compressed: Adhere to calling convention in get_sev_encryption_bit()
bdd9c458fdf8 x86/boot/compressed: Only build mem_encrypt.S if AMD_MEM_ENCRYPT=y
a249efa7500c efi/libstub: Add memory attribute protocol definitions
1bbd66011e5e x86/efi: Make the deprecated EFI handover protocol optional
763512bf9ff8 x86/boot: Robustify calling startup_{32,64}() from the decompressor code
3cfd94f97c8d x86/efistub: Branch straight to kernel entry point from C code
2684d78d8bdc x86/efistub: Simplify and clean up handover entry code
9ef61120b2ab x86/decompressor: Avoid magic offsets for EFI handover entrypoint
067f18102a11 x86/efistub: Clear BSS in EFI handover protocol entrypoint
c674fa468fa6 x86/decompressor: Store boot_params pointer in callee save register
ed871fc7d947 x86/decompressor: Assign paging related global variables earlier
63915dd5a8fc x86/decompressor: Call trampoline as a normal function
3f6e9fe794ea x86/decompressor: Use standard calling convention for trampoline
eef60ef496f6 x86/decompressor: Avoid the need for a stack in the 32-bit trampoline
1f328cfb5700 x86/decompressor: Call trampoline directly from C code
49e67636077d x86/decompressor: Only call the trampoline when changing paging levels
a4b6bdff1065 x86/decompressor: Pass pgtable address to trampoline directly
fe802898e7a4 x86/decompressor: Merge trampoline cleanup with switching code
bd1fd32fdce1 x86/efistub: Perform 4/5 level paging switch from the stub
a0bfe7904515 x86/decompressor: Move global symbol references to C code
a0731d919a4b x86/decompressor: Factor out kernel decompression and relocation
402e20d21f65 x86/efistub: Prefer EFI memory attributes protocol over DXE services
4eda5ae9b321 efi: libstub: use EFI_LOADER_CODE region when moving the kernel in memory
e09c5817b3bb efi/libstub: Add limit argument to efi_random_alloc()
b31fdf98b3c0 x86/efistub: Perform SNP feature test while running in the firmware
03c9bd02cbc8 x86/efistub: Avoid legacy decompressor when doing EFI boot
[0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=x86-ef...
On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
On Thu, 15 Feb 2024 at 10:27, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig build that boots as expected under OVMF/KVM.
5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
7e50262229fa x86/efi: Disregard setup header of loaded image
bfab35f552ab x86/efi: Drop alignment flags from PE section headers
768171d7ebbc x86/boot: Remove the 'bugger off' message
8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image memory footprint
7448e8e5d15a x86/boot: Drop redundant code setting the root device
b618d31f112b x86/boot: Drop references to startup_64
2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
eac956345f99 x86/boot: Set EFI handover offset directly in header asm
093ab258e3fb x86/boot: Define setup size in linker script
aeb92067f6ae x86/boot: Derive file size from _edata symbol
efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
fa5750521e0a x86/boot: Drop PE/COFF .reloc section
34951f3c28bd x86/boot: Split off PE/COFF .data section
3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section
Is the list here the order in which they should be applied in?
Yes. These are all from v6.7 except the last one, but that has been queued for v6.7 already.
And is this not an issue for 6.1.y as well?
It is, but there are many more changes that would need to go into v6.1:
Documentation/x86/boot.rst | 2 +-
arch/x86/Kconfig | 17 +
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/compressed/Makefile | 13 +-
arch/x86/boot/compressed/efi_mixed.S | 328 ++++++++++++++
arch/x86/boot/compressed/efi_thunk_64.S | 195 --------
arch/x86/boot/compressed/head_32.S | 38 +-
arch/x86/boot/compressed/head_64.S | 593 +++++--------------------
arch/x86/boot/compressed/mem_encrypt.S | 152 ++++++-
arch/x86/boot/compressed/misc.c | 61 ++-
arch/x86/boot/compressed/misc.h | 2 -
arch/x86/boot/compressed/pgtable.h | 10 +-
arch/x86/boot/compressed/pgtable_64.c | 87 ++--
arch/x86/boot/compressed/sev.c | 112 +++--
arch/x86/boot/compressed/vmlinux.lds.S | 6 +-
arch/x86/boot/header.S | 215 ++++-----
arch/x86/boot/setup.ld | 14 +-
arch/x86/boot/tools/build.c | 271 +----------
arch/x86/include/asm/boot.h | 8 +
arch/x86/include/asm/efi.h | 14 +-
arch/x86/include/asm/sev.h | 7 +
drivers/firmware/efi/libstub/Makefile | 8 +-
drivers/firmware/efi/libstub/alignedmem.c | 5 +-
drivers/firmware/efi/libstub/arm64-stub.c | 6 +-
drivers/firmware/efi/libstub/efi-stub-helper.c | 2 +
drivers/firmware/efi/libstub/efistub.h | 28 +-
drivers/firmware/efi/libstub/mem.c | 3 +-
drivers/firmware/efi/libstub/randomalloc.c | 13 +-
drivers/firmware/efi/libstub/x86-5lvl.c | 95 ++++
drivers/firmware/efi/libstub/x86-stub.c | 327 +++++++-------
drivers/firmware/efi/libstub/x86-stub.h | 17 +
include/linux/efi.h | 1 +
32 files changed, 1204 insertions(+), 1448 deletions(-)
(Note: the commit hashes below are bogus, they are from my tree [0])
If you're happy to take these too, I can give you the proper list, but perhaps we should deal with v6.6 first?
Yeah, let's deal with 6.6 first :)
What distros are going to need/want this for 6.1.y? Will normal users care as this is only for a new requirement by Microsoft, not for older releases, right?
thanks,
greg k-h
On Thu, 15 Feb 2024 at 12:12, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
On Thu, 15 Feb 2024 at 10:27, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
...
And is this not an issue for 6.1.y as well?
It is, but there are many more changes that would need to go into v6.1:
Documentation/x86/boot.rst | 2 +-
arch/x86/Kconfig | 17 +
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/compressed/Makefile | 13 +-
arch/x86/boot/compressed/efi_mixed.S | 328 ++++++++++++++
arch/x86/boot/compressed/efi_thunk_64.S | 195 --------
arch/x86/boot/compressed/head_32.S | 38 +-
arch/x86/boot/compressed/head_64.S | 593 +++++--------------------
arch/x86/boot/compressed/mem_encrypt.S | 152 ++++++-
arch/x86/boot/compressed/misc.c | 61 ++-
arch/x86/boot/compressed/misc.h | 2 -
arch/x86/boot/compressed/pgtable.h | 10 +-
arch/x86/boot/compressed/pgtable_64.c | 87 ++--
arch/x86/boot/compressed/sev.c | 112 +++--
arch/x86/boot/compressed/vmlinux.lds.S | 6 +-
arch/x86/boot/header.S | 215 ++++-----
arch/x86/boot/setup.ld | 14 +-
arch/x86/boot/tools/build.c | 271 +----------
arch/x86/include/asm/boot.h | 8 +
arch/x86/include/asm/efi.h | 14 +-
arch/x86/include/asm/sev.h | 7 +
drivers/firmware/efi/libstub/Makefile | 8 +-
drivers/firmware/efi/libstub/alignedmem.c | 5 +-
drivers/firmware/efi/libstub/arm64-stub.c | 6 +-
drivers/firmware/efi/libstub/efi-stub-helper.c | 2 +
drivers/firmware/efi/libstub/efistub.h | 28 +-
drivers/firmware/efi/libstub/mem.c | 3 +-
drivers/firmware/efi/libstub/randomalloc.c | 13 +-
drivers/firmware/efi/libstub/x86-5lvl.c | 95 ++++
drivers/firmware/efi/libstub/x86-stub.c | 327 +++++++-------
drivers/firmware/efi/libstub/x86-stub.h | 17 +
include/linux/efi.h | 1 +
32 files changed, 1204 insertions(+), 1448 deletions(-)
...
If you're happy to take these too, I can give you the proper list, but perhaps we should deal with v6.6 first?
Yeah, let's deal with 6.6 first :)
What distros are going to need/want this for 6.1.y? Will normal users care as this is only for a new requirement by Microsoft, not for older releases, right?
I will let the distro folks on cc answer this one.
Ard Biesheuvel ardb@kernel.org writes:
On Thu, 15 Feb 2024 at 12:12, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
On Thu, 15 Feb 2024 at 10:27, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
...
And is this not an issue for 6.1.y as well?
It is, but there are many more changes that would need to go into v6.1:
Documentation/x86/boot.rst | 2 +-
arch/x86/Kconfig | 17 +
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/compressed/Makefile | 13 +-
arch/x86/boot/compressed/efi_mixed.S | 328 ++++++++++++++
arch/x86/boot/compressed/efi_thunk_64.S | 195 --------
arch/x86/boot/compressed/head_32.S | 38 +-
arch/x86/boot/compressed/head_64.S | 593 +++++--------------------
arch/x86/boot/compressed/mem_encrypt.S | 152 ++++++-
arch/x86/boot/compressed/misc.c | 61 ++-
arch/x86/boot/compressed/misc.h | 2 -
arch/x86/boot/compressed/pgtable.h | 10 +-
arch/x86/boot/compressed/pgtable_64.c | 87 ++--
arch/x86/boot/compressed/sev.c | 112 +++--
arch/x86/boot/compressed/vmlinux.lds.S | 6 +-
arch/x86/boot/header.S | 215 ++++-----
arch/x86/boot/setup.ld | 14 +-
arch/x86/boot/tools/build.c | 271 +----------
arch/x86/include/asm/boot.h | 8 +
arch/x86/include/asm/efi.h | 14 +-
arch/x86/include/asm/sev.h | 7 +
drivers/firmware/efi/libstub/Makefile | 8 +-
drivers/firmware/efi/libstub/alignedmem.c | 5 +-
drivers/firmware/efi/libstub/arm64-stub.c | 6 +-
drivers/firmware/efi/libstub/efi-stub-helper.c | 2 +
drivers/firmware/efi/libstub/efistub.h | 28 +-
drivers/firmware/efi/libstub/mem.c | 3 +-
drivers/firmware/efi/libstub/randomalloc.c | 13 +-
drivers/firmware/efi/libstub/x86-5lvl.c | 95 ++++
drivers/firmware/efi/libstub/x86-stub.c | 327 +++++++-------
drivers/firmware/efi/libstub/x86-stub.h | 17 +
include/linux/efi.h | 1 +
32 files changed, 1204 insertions(+), 1448 deletions(-)
...
If you're happy to take these too, I can give you the proper list, but perhaps we should deal with v6.6 first?
Yeah, let's deal with 6.6 first :)
What distros are going to need/want this for 6.1.y? Will normal users care as this is only for a new requirement by Microsoft, not for older releases, right?
I will let the distro folks on cc answer this one.
Canonical will want to backport this at least as far back as v4.15 for Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be appreciated by everybody involved. Since if/when firmware (VMs or hardware) starts to require NX compat, it will be desired to have all stable supported kernels with this support built-in.
Regards,
Dimitri.
On Tue, 20 Feb 2024 at 02:03, xnox dimitri.ledkov@canonical.com wrote:
Ard Biesheuvel ardb@kernel.org writes:
On Thu, 15 Feb 2024 at 12:12, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
On Thu, 15 Feb 2024 at 10:27, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
...
And is this not an issue for 6.1.y as well?
It is, but there are many more changes that would need to go into v6.1:
...
32 files changed, 1204 insertions(+), 1448 deletions(-)
...
If you're happy to take these too, I can give you the proper list, but perhaps we should deal with v6.6 first?
Yeah, let's deal with 6.6 first :)
What distros are going to need/want this for 6.1.y? Will normal users care as this is only for a new requirement by Microsoft, not for older releases, right?
I will let the distro folks on cc answer this one.
Canonical will want to backport this at least as far back as v4.15 for Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be appreciated by everybody involved. Since if/when firmware (VMs or hardware) starts to require NX compat, it will be desired to have all stable supported kernels with this support built-in.
Thanks for the data point, and good luck with backporting this to v4.15 or earlier. If it helps, I have a branch that backports LoadFile2 initrd loading support to v5.4 (below), which you will need to backport first. Going further back than v5.4 is going to be very messy IMHO.
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-lf...
On Tue, 20 Feb 2024 at 08:37, Ard Biesheuvel ardb@kernel.org wrote:
On Tue, 20 Feb 2024 at 02:03, xnox dimitri.ledkov@canonical.com wrote:
Ard Biesheuvel ardb@kernel.org writes:
On Thu, 15 Feb 2024 at 12:12, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
On Thu, 15 Feb 2024 at 10:27, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
...
And is this not an issue for 6.1.y as well?
It is, but there are many more changes that would need to go into v6.1:
...
32 files changed, 1204 insertions(+), 1448 deletions(-)
...
If you're happy to take these too, I can give you the proper list, but perhaps we should deal with v6.6 first?
Yeah, let's deal with 6.6 first :)
What distros are going to need/want this for 6.1.y? Will normal users care as this is only for a new requirement by Microsoft, not for older releases, right?
I will let the distro folks on cc answer this one.
Canonical will want to backport this at least as far back as v4.15 for Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be appreciated by everybody involved. Since if/when firmware (VMs or hardware) starts to require NX compat, it will be desired to have all stable supported kernels with this support built-in.
Thanks for the data point, and good luck with backporting this to v4.15 or earlier. If it helps, I have a branch that backports LoadFile2 initrd loading support to v5.4 (below), which you will need to backport first. Going further back than v5.4 is going to be very messy IMHO.
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-lf...
Yeah, we are not yet sure how far back we will actually manage to get to. And things will need to move one series/generation at a time, as other pieces need to land too. And yes, the above repo is helpful.
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
(cc stakeholders from various distros - apologies if I missed anyone)
Please consider the patches below for backporting to the linux-6.6.y stable tree.
These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things)
The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig build that boots as expected under OVMF/KVM.
5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
7e50262229fa x86/efi: Disregard setup header of loaded image
bfab35f552ab x86/efi: Drop alignment flags from PE section headers
768171d7ebbc x86/boot: Remove the 'bugger off' message
8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image memory footprint
7448e8e5d15a x86/boot: Drop redundant code setting the root device
b618d31f112b x86/boot: Drop references to startup_64
2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
eac956345f99 x86/boot: Set EFI handover offset directly in header asm
093ab258e3fb x86/boot: Define setup size in linker script
aeb92067f6ae x86/boot: Derive file size from _edata symbol
efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
fa5750521e0a x86/boot: Drop PE/COFF .reloc section
34951f3c28bd x86/boot: Split off PE/COFF .data section
3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section
All now queued up, thanks!
greg k-h
linux-stable-mirror@lists.linaro.org