
Re: How to revoke Debian kernels for secure boot

From Julian Andres Klode <jak@debian.org>
Newsgroups linux.debian.kernel
Subject Re: How to revoke Debian kernels for secure boot
Date 2023-12-14 10:00 +0100
Message-ID <HKPJw-due8-9@gated-at.bofh.it> (permalink)
References <HKFAu-do4X-3@gated-at.bofh.it> <HKFKa-do93-5@gated-at.bofh.it>
Organization linux.* mail to news gateway



On Wed, Dec 13, 2023 at 10:18:40PM +0000, Dimitri John Ledkov wrote:
> At the moment the best options are:
> 
> - rotate online signing key
> - build new shim with old signing key in vendorx (revoked ESL)
> - build new kernels with old signing key built-in revoked keyring
> 
> This is to ensure that old shim & old kernel can boot or kexec new kernels.
> To ensure new shim cannot boot old kernels.
> To ensure that new kernels cannot kexec old kernels.
> 
> This is revocation strategy used by Canonical Kernel Team for Ubuntu
> Kernels.
> 
> There is no sbat for kernels yet (and/or nobody has yet started to use sbat
> for kernels).

Reading this summary also made me realize that if we do SBAT for kernels
and want to rely on it, we also need to make kernels *check* SBAT so that
it is respected at kexec.

This can be done two ways:

- You do an SBAT self-check at startup to see if you are revoked
  yourself, which is what shim does

- You check the SBAT of the kernel you are about to kexec

I'd generally prefer the self-check I think because that also applies
if you boot kernels via UEFI directly or something.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
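
The generation comparison behind an SBAT self-check, as an added example that is not part of the message above and is not shim or kernel code. The same function covers the kexec case when it is given the next kernel's SBAT data instead of the running image's. All sample data is constructed, and the `linux` component name is hypothetical, since the thread notes that kernels carry no SBAT yet.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data; "linux" as a kernel component is hypothetical. */
static const char SAMPLE_SBAT_GEN1[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "linux,1,Example Vendor,linux,6.1.0,https://example.invalid/\n";
static const char SAMPLE_SBAT_GEN2[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "linux,2,Example Vendor,linux,6.1.1,https://example.invalid/\n";
/* Revocation list: "component,minimum generation" per line. */
static const char SAMPLE_REVOCATIONS[] = "sbat,1,2023121400\nlinux,2\n";

/* Generation listed for `name` in SBAT-style CSV, or -1 if not listed. */
static long sbat_generation(const char *csv, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *line = csv; line && *line; ) {
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ',')
            return strtol(line + nlen + 1, NULL, 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Returns 1 if any component in `sbat` is below the minimum generation in
 * `revocations`; missing or malformed SBAT data fails closed (also 1). */
int sbat_is_revoked(const char *sbat, const char *revocations)
{
    char name[64];
    if (!sbat || !*sbat) return 1;
    for (const char *line = sbat; line && *line; ) {
        const char *comma = strchr(line, ',');
        const char *eol = strchr(line, '\n');
        if (!comma || (eol && comma > eol) || (size_t)(comma - line) >= sizeof(name))
            return 1;
        memcpy(name, line, (size_t)(comma - line));
        name[comma - line] = '\0';
        if (sbat_generation(revocations, name) > strtol(comma + 1, NULL, 10))
            return 1;
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    printf("gen1 revoked: %d\n", sbat_is_revoked(SAMPLE_SBAT_GEN1, SAMPLE_REVOCATIONS));
    printf("gen2 revoked: %d\n", sbat_is_revoked(SAMPLE_SBAT_GEN2, SAMPLE_REVOCATIONS));
    return 0;
}
```
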



Thread

How to revoke Debian kernels for secure boot Bastian Blank <waldi@debian.org> - 2023-12-13 23:10 +0100
  Re: How to revoke Debian kernels for secure boot Dimitri John Ledkov <dimitri.ledkov@canonical.com> - 2023-12-13 23:20 +0100
    Re: How to revoke Debian kernels for secure boot Julian Andres Klode <jak@debian.org> - 2023-12-14 10:00 +0100
    Re: How to revoke Debian kernels for secure boot Steve McIntyre <steve@einval.com> - 2023-12-14 16:20 +0100
      Re: How to revoke Debian kernels for secure boot Bastian Blank <waldi@debian.org> - 2023-12-14 21:50 +0100
        Re: How to revoke Debian kernels for secure boot Bastian Blank <waldi@debian.org> - 2023-12-15 00:40 +0100
