Bug 2229635

Summary: Backport sbat patches for UKI
Product: Red Hat Enterprise Linux 9
Reporter: Emanuele Giuseppe Esposito <eesposit>
Component: dracut
Assignee: dracut-maint-list
Status: NEW
QA Contact: Li Tian <litian>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 9.3
CC: ailan, dtardon, litian, vkuznets, yacao, yuxisun
Target Milestone: rc
Keywords: FeatureBackport, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Emanuele Giuseppe Esposito 2023-08-07 07:01:33 UTC
Description of problem:
In order to create a UKI, RHEL currently uses dracut to pack initrd, systemd-stub and vmlinux all together.
In addition to these sections, we also need a .sbat section to support the SBAT mechanism that is used to revoke UKIs that contain security issues. More info about SBAT here: https://github.com/rhboot/shim/blob/main/SBAT.md

We need to update dracut to include this PR https://github.com/dracutdevs/dracut/pull/2426 so that it is able to automatically take a sbat section from vmlinux and systemd-stub and merge them in a new UKI sbat section. More info in the PR.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. clone systemd repo && make sure packages shim efibootmgr kernel-uki-virt are installed
2. compile systemd stub (mkdir build && ./configure -Dbootloader=true && make)
3. generate UKI with dracut (dracut-virt.conf is taken from https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/blob/main/redhat/dracut-virt.conf)

dracut --conf=/root/dracut-virt.conf --confdir=$(mktemp -d) --verbose --kver 5.14.0-284.el9.x86_64 --kmoddir=/lib/modules/5.14.0-284.el9.x86_64/ --uefi --kernel-image=/boot/vmlinuz-5.14.0-284.el9.x86_64 --kernel-cmdline "console=tty0 console=ttyS0 $CMD_LINE" --uefi-stub /mnt/systemd/build/src/boot/efi/linuxx64.efi.stub  --force /boot/efi/EFI/Linux/$EFI_FILE

printf "\\\EFI\\\Linux\\\\${EFI_FILE}\0" | iconv -f ASCII -t UCS-2 > /tmp/bootarg
efibootmgr -c -d /dev/vda -p 2 --append-binary-args /tmp/bootarg -L $EFI_NAME -l "\EFI\redhat\shimx64.efi"

4. check that the UKI has a .sbat section and the section contains 1) the sbat generic string, 2) systemd-stub sbat version, 3) eventually vmlinux section if there is one.

Also test with --sbat "some sbat string" added to dracut in step 3 and verify in step 4 that it is present in the UKI too.

objcopy -O binary --only-section=.sbat $EFI_FILE sbat_output.txt

Comment 1 Emanuele Giuseppe Esposito 2023-08-07 07:04:02 UTC
Note: if this is not backported, we are forced to do the same operation using objcopy by ourselves: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2861

Comment 2 Li Tian 2023-08-16 02:37:44 UTC
# cat sbat_output.txt
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,254,https://systemd.io/
systemd.rhel,1,Red Hat Enterprise Linux,systemd,254,https://bugzilla.redhat.com/

We are able to test this on Azure. Taking the QA.
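The step 4 check of the description and the output pasted in Comment 2, worked through as an added example that is not part of the bug report, of dracut or of systemd: a Python script that locates the .sbat PE section without objcopy, parses the CSV rows that shim's SBAT.md describes (component, generation, vendor name, vendor package, vendor version, vendor url), and flags the deviations step 4 is looking for (no generic sbat header first, no systemd-stub entry, a component expected from --sbat missing, duplicate components). The section walk follows the public PE/COFF header layout; build_test_pe is a constructed header-only fixture so the script can be exercised offline, and the component names it checks for ("sbat", "systemd") are taken from the Comment 2 output rather than from any dracut specification. How dracut merges the stub and kernel sections is not reproduced here; the PR describes that.

```python
"""Locate, parse and sanity-check the .sbat section of a UKI (or any PE/COFF image).

Added example; not dracut or systemd code. The PE walk follows the public PE/COFF
layout, the CSV layout follows shim's SBAT.md. Usage: python uki_sbat.py <uki.efi>
"""
import struct
import sys
from typing import List, NamedTuple, Optional

# Output pasted in Comment 2 of the bug, reused here as sample input.
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"systemd,1,The systemd Developers,systemd,254,https://systemd.io/\n"
    b"systemd.rhel,1,Red Hat Enterprise Linux,systemd,254,https://bugzilla.redhat.com/\n"
)


class SbatEntry(NamedTuple):
    component: str
    generation: int
    vendor_name: str
    vendor_package: str
    vendor_version: str
    vendor_url: str


def read_pe_section(image: bytes, name: str) -> Optional[bytes]:
    """Return the raw bytes of PE section `name` (e.g. ".sbat"), or None if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew -> "PE\0\0"
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +2 and
    # SizeOfOptionalHeader at +16; the section table follows the optional header.
    nsections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    want = name.encode("ascii").ljust(8, b"\0")
    for i in range(nsections):
        sec_name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        if sec_name == want:
            # On-disk data is padded to the file alignment; VirtualSize is the real length.
            length = min(vsize, raw_size) if vsize else raw_size
            return image[raw_ptr:raw_ptr + length]
    return None


def parse_sbat(blob: bytes) -> List[SbatEntry]:
    """Parse .sbat CSV text; raise ValueError on a malformed line."""
    entries = []
    for lineno, line in enumerate(blob.rstrip(b"\0").decode("ascii").splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",", 5)  # maxsplit keeps any comma inside the URL field
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}: {line!r}")
        if not fields[1].isdigit():
            raise ValueError(f"line {lineno}: generation {fields[1]!r} is not an integer")
        entries.append(SbatEntry(fields[0], int(fields[1]), *fields[2:]))
    return entries


def check_uki_sbat(entries: List[SbatEntry], extra_components=()) -> List[str]:
    """Report deviations from what step 4 expects: generic 'sbat' header first, a
    systemd-stub entry, plus any caller-supplied components (e.g. from --sbat)."""
    problems = []
    components = [e.component for e in entries]
    if not entries or entries[0].component != "sbat":
        problems.append("first entry is not the generic 'sbat' header")
    if "systemd" not in components:
        problems.append("no systemd-stub entry")
    for comp in extra_components:
        if comp not in components:
            problems.append(f"expected component {comp!r} missing")
    dupes = sorted({c for c in components if components.count(c) > 1})
    if dupes:
        problems.append(f"duplicate component entries: {dupes}")
    return problems


def build_test_pe(sections: dict) -> bytes:
    """Constructed fixture: a header-only PE/COFF image carrying the given sections.
    Not bootable; it exists so read_pe_section can be exercised offline."""
    pe_off, n = 0x40, len(sections)
    data_off = pe_off + 24 + 40 * n  # no optional header in the fixture
    headers, payload = b"", b""
    for name, data in sections.items():
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                               len(data), 0, len(data), data_off + len(payload), 0, 0, 0, 0, 0)
        payload += data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0)
    return dos + coff + headers + payload


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        sbat = read_pe_section(f.read(), ".sbat")
    if sbat is None:
        sys.exit("no .sbat section found")
    parsed = parse_sbat(sbat)
    for e in parsed:
        print(f"{e.component:<14} gen={e.generation} {e.vendor_package} {e.vendor_version}")
    for problem in check_uki_sbat(parsed):
        print("PROBLEM:", problem)
```

Pass the component name of a custom --sbat string via `extra_components` when verifying the second variant of step 4; the script exits quietly with no PROBLEM lines when the section matches the Comment 2 shape.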