Bug 2229635 - Backport sbat patches for UKI
Summary: Backport sbat patches for UKI
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: dracut
Version: 9.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: dracut-maint-list
QA Contact: Li Tian
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-08-07 07:01 UTC by Emanuele Giuseppe Esposito
Modified: 2023-08-16 02:37 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | dracutdevs dracut pull 2426 | 0 | None | Merged | dracut.sh: add --sbat option to add sbat policy to UKI | 2023-08-07 12:53:37 UTC
Red Hat Issue Tracker | RHELPLAN-164694 | 0 | None | None | None | 2023-08-07 07:05:47 UTC

Description Emanuele Giuseppe Esposito 2023-08-07 07:01:33 UTC
Description of problem:
In order to create a UKI, RHEL currently uses dracut to pack initrd, systemd-stub and vmlinux all together.
In addition to these sections, we also need a .sbat section to support the SBAT mechanism that is used to revoke UKIs that contain security issues. More info about SBAT here: https://github.com/rhboot/shim/blob/main/SBAT.md

We need to update dracut to include this PR https://github.com/dracutdevs/dracut/pull/2426 so that it is able to automatically take a sbat section from vmlinux and systemd-stub and merge them in a new UKI sbat section. More info in the PR.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. clone systemd repo && make sure packages shim efibootmgr kernel-uki-virt are installed
2. compile systemd stub (mkdir build && ./configure -Dbootloader=true && make)
3. generate UKI with dracut (dracut-virt.conf is taken from https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/blob/main/redhat/dracut-virt.conf)

dracut --conf=/root/dracut-virt.conf --confdir=$(mktemp -d) --verbose --kver 5.14.0-284.el9.x86_64 --kmoddir=/lib/modules/5.14.0-284.el9.x86_64/ --uefi --kernel-image=/boot/vmlinuz-5.14.0-284.el9.x86_64 --kernel-cmdline "console=tty0 console=ttyS0 $CMD_LINE" --uefi-stub /mnt/systemd/build/src/boot/efi/linuxx64.efi.stub  --force /boot/efi/EFI/Linux/$EFI_FILE

printf "\\\EFI\\\Linux\\\\${EFI_FILE}\0" | iconv -f ASCII -t UCS-2 > /tmp/bootarg
efibootmgr -c -d /dev/vda -p 2 --append-binary-args /tmp/bootarg -L $EFI_NAME -l "\EFI\redhat\shimx64.efi"

4. check that the UKI has a .sbat section and the section contains 1) the sbat generic string, 2) systemd-stub sbat version, 3) eventually vmlinux section if there is one.

Also test with --sbat "some sbat string" added to dracut in step 3 and verify in step 4 that it is present in the UKI too.

objcopy -O binary --only-section=.sbat $EFI_FILE sbat_output.txt

Comment 1 Emanuele Giuseppe Esposito 2023-08-07 07:04:02 UTC
Note: if this is not backported, we are forced to do the same operation using objcopy by ourselves: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2861

Comment 2 Li Tian 2023-08-16 02:37:44 UTC
# cat sbat_output.txt
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,254,https://systemd.io/
systemd.rhel,1,Red Hat Enterprise Linux,systemd,254,https://bugzilla.redhat.com/

We are able to test this on Azure. Taking the QA.
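Added example (not code from this bug report or from dracut) for the step-4 check: it parses a dumped .sbat section such as the one shown above, validates the record layout, and evaluates the entries against a revocation list in the SbatLevel layout from shim's SBAT.md; the sample section text and the policy values are constructed.

```python
"""Checker for the .sbat section dumped from a UKI with
`objcopy -O binary --only-section=.sbat uki.efi sbat_output.txt`.
Added example, not code from the bug report or from dracut; the
section text and the revocation policy below are constructed."""
import csv
from io import StringIO

# Constructed sample: the three records shown in Comment 2 above.
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "systemd,1,The systemd Developers,systemd,254,https://systemd.io/\n"
    "systemd.rhel,1,Red Hat Enterprise Linux,systemd,254,https://bugzilla.redhat.com/\n"
)

# Constructed revocation policy in SbatLevel layout: a "sbat" header
# record followed by "component,minimum-generation" records.
SAMPLE_POLICY = "sbat,1,2023010100\nshim,2\nsystemd,2\n"


def parse_sbat(text):
    """Return a list of (component, generation, vendor, package, version, url).
    Raises ValueError if the section does not look like valid SBAT data."""
    rows = [r for r in csv.reader(StringIO(text.rstrip("\0"))) if r]
    if not rows or rows[0][0] != "sbat":
        raise ValueError("first record must be the 'sbat' data-format record")
    entries = []
    for r in rows:
        if len(r) != 6:
            raise ValueError(f"record {r!r} does not have exactly 6 fields")
        comp, gen, vendor, pkg, ver, url = r
        if not gen.isdigit() or int(gen) < 1:
            raise ValueError(f"generation {gen!r} of {comp} is not a positive integer")
        entries.append((comp, int(gen), vendor, pkg, ver, url))
    return entries


def parse_policy(text):
    """Return {component: minimum generation} from SbatLevel-style text."""
    rows = [r for r in csv.reader(StringIO(text)) if r]
    if not rows or rows[0][0] != "sbat":
        raise ValueError("policy must start with a 'sbat' header record")
    return {comp: int(gen) for comp, gen, *_ in rows[1:]}


def revoked_components(entries, policy):
    """A component is revoked when its generation is below the policy minimum;
    names must match exactly, so 'systemd.rhel' is not covered by 'systemd'."""
    return [comp for comp, gen, *_ in entries
            if comp in policy and gen < policy[comp]]
```

Run `parse_sbat` on the real sbat_output.txt to confirm the generic sbat record, the systemd-stub record and any --sbat string you passed are all present and well-formed.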

