[PW_SID:956503] efi: Add a mechanism for embedding SBAT section #339

Closed

linux-riscv-bot wants to merge 3 commits into workflow__riscv__fixes from pw956503

[PW_SID:956503] efi: Add a mechanism for embedding SBAT section#339
linux-riscv-bot wants to merge 3 commits into
workflow__riscv__fixesfrom
pw956503

@linux-riscv-bot

PR for series 956503 applied to workflow__riscv__fixes

Name: efi: Add a mechanism for embedding SBAT section
URL: https://patchwork.kernel.org/project/linux-riscv/list/?series=956503
Version: 1

Linux RISC-V bot and others added 3 commits April 16, 2025 18:23
SBAT is a mechanism which improves SecureBoot revocations of UEFI binaries
by introducing a generation-based technique. Compromised or vulnerable UEFI
binaries can be prevented from booting by bumping the minimal required
generation for the specific component in the bootloader. More information
on the SBAT can be obtained here:

https://github.com/rhboot/shim/blob/main/SBAT.md

Upstream Linux kernel does not currently participate in any way in SBAT as
there's no existing policy in how SBAT generation number should be
defined. Keep the status quo and provide a mechanism for distro vendors and
anyone else who signs their kernel for SecureBoot to include their own SBAT
data. This leaves the decision on the policy to the vendor. Basically, each
distro implementing SecureBoot today will have an option to inject their
own SBAT data during kernel build and before it gets signed by their
SecureBoot CA. Different distros do not need to agree on the common SBAT
component names or generation numbers as each distro ships its own 'shim'
with their own 'vendor_cert'/'vendor_db'.

Implement support for embedding SBAT data for architectures using
zboot (arm64, loongarch, riscv). Build '.sbat' section along with libstub
so it can be reused by x86 implementation later.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>

Similar to zboot architectures, implement support for embedding SBAT data
for x86. Put the '.sbat' section at the very end of the binary.

Note, the obsolete CRC-32 checksum (see commit 9c54baa ("x86/boot:
Drop CRC-32 checksum and the build tool that generates it")) is gone and
while it would've been possible to reserve the last 4 bytes in '.sbat'
section too (like it's done today in '.data'), it seems to be a pointless
exercise: SBAT makes zero sense without a signature on the EFI binary so
'.sbat' won't be at the very end of the file anyway. Any tool which uses
the last 4 bytes of the file as a checksum is broken with signed EFI
binaries already.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>
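As an added example (not code from this series, from the kernel, or from shim), the following C program models the generation-based revocation check that the commit messages describe: it parses the CSV text that would live in a '.sbat' section and evaluates it against a revocation policy in the CSV form shim keeps in its SbatLevel variable. The component names, vendor strings, version and date stamps in the sample data are constructed for illustration, and the evaluation rule (refuse the binary when a component the policy names has a lower generation in the binary) is a simplified model of shim's check, not its exact logic; SBAT.md is the reference for the real semantics.

```c
/*
 * Added example, not code from the patch series or from shim: a minimal
 * model of the generation-based SBAT revocation check a bootloader applies
 * to the '.sbat' section of an EFI binary.
 *
 * Both inputs are CSV text. A binary's '.sbat' section has lines of the form
 *   component,generation,vendor,package,version,url
 * and the revocation policy (shim's SbatLevel) has lines of the form
 *   component,generation
 * The binary is refused when any component the policy names is present in
 * the binary with a generation below the policy minimum. Components the
 * policy does not mention are ignored. Sample data below is constructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SBAT_MAX_ENTRIES 32
#define SBAT_MAX_NAME    64

struct sbat_entry {
	char component[SBAT_MAX_NAME];
	unsigned long generation;
};

enum sbat_verdict {
	SBAT_ALLOW = 0,   /* every shared component meets the minimum generation */
	SBAT_REVOKED,     /* at least one shared component is below the minimum */
	SBAT_MISSING,     /* the binary carries no '.sbat' data at all */
	SBAT_MALFORMED,   /* CSV could not be parsed */
};

/* Parse "component,generation[,...]" lines; only the first two fields matter
 * for revocation. Blank lines are skipped. Returns the entry count or -1 if
 * a line lacks a component name or a plain decimal generation. */
int sbat_parse(const char *csv, struct sbat_entry *out, int max)
{
	int n = 0;

	while (*csv && n < max) {
		const char *eol = strchr(csv, '\n');
		size_t len = eol ? (size_t)(eol - csv) : strlen(csv);
		const char *comma = memchr(csv, ',', len);
		char *end;

		if (len == 0)
			goto next;
		if (!comma || comma == csv || (size_t)(comma - csv) >= SBAT_MAX_NAME)
			return -1;
		/* generation: unsigned decimal digits, then ',' or end of line */
		if (comma[1] < '0' || comma[1] > '9')
			return -1;
		memcpy(out[n].component, csv, comma - csv);
		out[n].component[comma - csv] = '\0';
		out[n].generation = strtoul(comma + 1, &end, 10);
		if (*end != ',' && *end != '\n' && *end != '\0')
			return -1;
		n++;
next:
		if (!eol)
			break;
		csv = eol + 1;
	}
	return n;
}

/* Evaluate a binary's '.sbat' CSV against a policy CSV. On SBAT_REVOKED the
 * offending component name is copied into 'which' when a buffer is given. */
enum sbat_verdict sbat_check(const char *binary_sbat, const char *policy_csv,
			     char *which, size_t which_len)
{
	struct sbat_entry bin[SBAT_MAX_ENTRIES], pol[SBAT_MAX_ENTRIES];
	int nb, np, i, j;

	if (which && which_len)
		which[0] = '\0';
	if (!binary_sbat || !*binary_sbat)
		return SBAT_MISSING;
	nb = sbat_parse(binary_sbat, bin, SBAT_MAX_ENTRIES);
	np = sbat_parse(policy_csv, pol, SBAT_MAX_ENTRIES);
	if (nb < 0 || np < 0)
		return SBAT_MALFORMED;
	if (nb == 0)
		return SBAT_MISSING;

	for (i = 0; i < np; i++)
		for (j = 0; j < nb; j++)
			if (!strcmp(pol[i].component, bin[j].component) &&
			    bin[j].generation < pol[i].generation) {
				if (which)
					snprintf(which, which_len, "%s", bin[j].component);
				return SBAT_REVOKED;
			}
	return SBAT_ALLOW;
}

/* Constructed sample of what a vendor might inject at kernel build time. */
static const char vendor_sbat[] =
	"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
	"linux,1,Example Distro,linux,6.15.0-1.example,https://example.com/kernel\n";

/* Constructed policies: the second bumps the minimum 'linux' generation to 2. */
static const char policy_current[] = "sbat,1,2025010100\nlinux,1\n";
static const char policy_bumped[]  = "sbat,1,2025020100\nlinux,2\n";

int main(void)
{
	static const char *names[] = { "allow", "revoked", "missing", "malformed" };
	char which[SBAT_MAX_NAME];
	enum sbat_verdict v;

	v = sbat_check(vendor_sbat, policy_current, which, sizeof(which));
	printf("current policy: %s\n", names[v]);
	v = sbat_check(vendor_sbat, policy_bumped, which, sizeof(which));
	printf("bumped policy:  %s (%s)\n", names[v], which);
	return 0;
}
```

Build with `cc -Wall sbat_check.c` and run it; the same kernel image passes the first policy and is refused by the second once the minimum generation for its component is bumped, which is the whole point of the mechanism. To confirm a built image actually carries the section, a binutils with PE support lists the section table with `objdump -h vmlinuz.efi` and dumps the CSV with `objdump -s -j .sbat vmlinuz.efi`; on x86 the second commit places '.sbat' last, so expect it to be the final section, and remember that it only carries weight once the signed image's Authenticode signature covers it.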
@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
build-rv32-defconfig
Desc: Builds riscv32 defconfig
Duration: 103.14 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
build-rv64-clang-allmodconfig
Desc: Builds riscv64 allmodconfig with Clang, and checks for errors and added warnings
Duration: 898.81 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
build-rv64-gcc-allmodconfig
Desc: Builds riscv64 allmodconfig with GCC, and checks for errors and added warnings
Duration: 1186.56 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
build-rv64-nommu-k210-defconfig
Desc: Builds riscv64 defconfig with NOMMU for K210
Duration: 20.19 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
build-rv64-nommu-k210-virt
Desc: Builds riscv64 defconfig with NOMMU for the virt platform
Duration: 21.11 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
checkpatch
Desc: Runs checkpatch.pl on the patch
Duration: 2.50 seconds
Result: WARNING
Output:

WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#111: 
new file mode 100644

total: 0 errors, 1 warnings, 0 checks, 110 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

Commit 4266b5fcd884 ("efi/libstub: zboot specific mechanism for embedding SBAT section") has style problems, please review.

NOTE: Ignored message types: ALLOC_SIZEOF_STRUCT CAMELCASE COMMIT_LOG_LONG_LINE GIT_COMMIT_ID MACRO_ARG_REUSE NO_AUTHOR_SIGN_OFF

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.
total: 0 errors, 1 warnings, 0 checks, 110 lines checked
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
dtb-warn-rv64
Desc: Checks for Device Tree warnings/errors
Duration: 38.25 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
header-inline
Desc: Detects static functions without inline keyword in header files
Duration: 0.22 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
kdoc
Desc: Detects for kdoc errors
Duration: 0.89 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
module-param
Desc: Detect module_param changes
Duration: 0.25 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
verify-fixes
Desc: Verifies that the Fixes: tags exist
Duration: 0.22 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[1/2] efi/libstub: zboot specific mechanism for embedding SBAT section"
verify-signedoff
Desc: Verifies that Signed-off-by: tags are correct
Duration: 1.71 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
build-rv32-defconfig
Desc: Builds riscv32 defconfig
Duration: 101.34 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
build-rv64-clang-allmodconfig
Desc: Builds riscv64 allmodconfig with Clang, and checks for errors and added warnings
Duration: 877.05 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
build-rv64-gcc-allmodconfig
Desc: Builds riscv64 allmodconfig with GCC, and checks for errors and added warnings
Duration: 1149.08 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
build-rv64-nommu-k210-defconfig
Desc: Builds riscv64 defconfig with NOMMU for K210
Duration: 20.19 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
build-rv64-nommu-k210-virt
Desc: Builds riscv64 defconfig with NOMMU for the virt platform
Duration: 20.90 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
checkpatch
Desc: Runs checkpatch.pl on the patch
Duration: 1.47 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
dtb-warn-rv64
Desc: Checks for Device Tree warnings/errors
Duration: 39.29 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
header-inline
Desc: Detects static functions without inline keyword in header files
Duration: 0.23 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
kdoc
Desc: Detects for kdoc errors
Duration: 0.90 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
module-param
Desc: Detect module_param changes
Duration: 0.25 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
verify-fixes
Desc: Verifies that the Fixes: tags exist
Duration: 0.22 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[2/2] x86/efi: Implement support for embedding SBAT data for x86"
verify-signedoff
Desc: Verifies that Signed-off-by: tags are correct
Duration: 0.29 seconds
Result: PASS

@linux-riscv-bot linux-riscv-bot force-pushed the workflow__riscv__fixes branch 2 times, most recently from c8da138 to 4d9ad71 Compare April 30, 2025 11:41
@linux-riscv-bot linux-riscv-bot deleted the pw956503 branch May 2, 2025 01:03