Re: x86 efistub stable backports for v6.6

Ard Biesheuvel <ardb@xxxxxxxxxx> writes:

> On Thu, 15 Feb 2024 at 12:12, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>>
>> On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
>> > On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>> > >
>> > > On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
>> > > > (cc stakeholders from various distros - apologies if I missed anyone)
>> > > >
>> > > > Please consider the patches below for backporting to the linux-6.6.y
>> > > > stable tree.
>> > > >
>> > > > These are prerequisites for building a signed x86 efistub kernel image
>> > > > that complies with the tightened UEFI boot requirements imposed by
>> > > > Microsoft, and this is the condition under which it is willing to sign
>> > > > future Linux secure boot shim builds with its 3rd party CA
>> > > > certificate. (Such builds must enforce a strict separation between
>> > > > executable and writable code, among other things)
>> > > >
> ...
>> > > And is this not an issue for 6.1.y as well?
>> > >
>> >
>> > It is, but there are many more changes that would need to go into v6.1:
>> >
>> >  Documentation/x86/boot.rst                     |   2 +-
>> >  arch/x86/Kconfig                               |  17 +
>> >  arch/x86/boot/Makefile                         |   2 +-
>> >  arch/x86/boot/compressed/Makefile              |  13 +-
>> >  arch/x86/boot/compressed/efi_mixed.S           | 328 ++++++++++++++
>> >  arch/x86/boot/compressed/efi_thunk_64.S        | 195 --------
>> >  arch/x86/boot/compressed/head_32.S             |  38 +-
>> >  arch/x86/boot/compressed/head_64.S             | 593 +++++--------------------
>> >  arch/x86/boot/compressed/mem_encrypt.S         | 152 ++++++-
>> >  arch/x86/boot/compressed/misc.c                |  61 ++-
>> >  arch/x86/boot/compressed/misc.h                |   2 -
>> >  arch/x86/boot/compressed/pgtable.h             |  10 +-
>> >  arch/x86/boot/compressed/pgtable_64.c          |  87 ++--
>> >  arch/x86/boot/compressed/sev.c                 | 112 +++--
>> >  arch/x86/boot/compressed/vmlinux.lds.S         |   6 +-
>> >  arch/x86/boot/header.S                         | 215 ++++-----
>> >  arch/x86/boot/setup.ld                         |  14 +-
>> >  arch/x86/boot/tools/build.c                    | 271 +----------
>> >  arch/x86/include/asm/boot.h                    |   8 +
>> >  arch/x86/include/asm/efi.h                     |  14 +-
>> >  arch/x86/include/asm/sev.h                     |   7 +
>> >  drivers/firmware/efi/libstub/Makefile          |   8 +-
>> >  drivers/firmware/efi/libstub/alignedmem.c      |   5 +-
>> >  drivers/firmware/efi/libstub/arm64-stub.c      |   6 +-
>> >  drivers/firmware/efi/libstub/efi-stub-helper.c |   2 +
>> >  drivers/firmware/efi/libstub/efistub.h         |  28 +-
>> >  drivers/firmware/efi/libstub/mem.c             |   3 +-
>> >  drivers/firmware/efi/libstub/randomalloc.c     |  13 +-
>> >  drivers/firmware/efi/libstub/x86-5lvl.c        |  95 ++++
>> >  drivers/firmware/efi/libstub/x86-stub.c        | 327 +++++++-------
>> >  drivers/firmware/efi/libstub/x86-stub.h        |  17 +
>> >  include/linux/efi.h                            |   1 +
>> >  32 files changed, 1204 insertions(+), 1448 deletions(-)
>> >
> ...
>> > If you're happy to take these too, I can give you the proper list, but
>> > perhaps we should deal with v6.6 first?
>>
>> Yeah, let's deal with 6.6 first :)
>>
>> What distros are going to need/want this for 6.1.y?  Will normal users
>> care as this is only for a new requirement by Microsoft, not for older
>> releases, right?
>>
>
> I will let the distro folks on cc answer this one.

Canonical will want to backport this at least as far back as v4.15 for
Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be
appreciated by everybody involved, since if/when firmware (VMs or
hardware) starts to require NX compat, it will be desired to have all
stable supported kernels with this support built-in.

Regards,

Dimitri.
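The NX-compat requirement discussed above (no section that is both writable and executable, and the NX_COMPAT flag set) is a property of the PE/COFF headers of the signed EFI image. As an added illustration, not code from this thread or from the kernel's build tooling, the following Python checks an image for the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag and for any W+X section; the `build_pe` helper and the images it produces are constructed purely for offline testing.

```python
import struct

NX_COMPAT = 0x0100          # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SCN_EXECUTE = 0x20000000    # IMAGE_SCN_MEM_EXECUTE
SCN_READ = 0x40000000       # IMAGE_SCN_MEM_READ
SCN_WRITE = 0x80000000      # IMAGE_SCN_MEM_WRITE


def check_pe_nx(image: bytes) -> dict:
    """Report the NX_COMPAT flag and the names of any W+X sections in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4                                       # 20-byte COFF file header
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    # DllCharacteristics is at offset 70 of the optional header for PE32 and PE32+
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    wx = []
    for i in range(nsections):                              # 40-byte section headers
        sec = opt + opt_size + i * 40
        name = image[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", image, sec + 36)[0]
        if chars & SCN_EXECUTE and chars & SCN_WRITE:
            wx.append(name)
    return {"nx_compat": bool(dll_chars & NX_COMPAT), "wx_sections": wx}


def build_pe(sections, nx_compat=True) -> bytes:
    """Constructed minimal PE32+ header (headers only, no code) for testing."""
    opt = bytearray(240)                                    # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                   # Magic: PE32+
    struct.pack_into("<H", opt, 70, NX_COMPAT if nx_compat else 0)
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 64)                   # PE header follows DOS stub
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections),
                                   0, 0, 0, len(opt), 0x22)
    hdr += opt
    for name, chars in sections:                            # Name ... Characteristics
        hdr += struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, chars)
    return bytes(hdr)


if __name__ == "__main__":
    ok = build_pe([(b".text", SCN_READ | SCN_EXECUTE), (b".data", SCN_READ | SCN_WRITE)])
    bad = build_pe([(b".text", SCN_READ | SCN_EXECUTE | SCN_WRITE)], nx_compat=False)
    print(check_pe_nx(ok), check_pe_nx(bad))
```

To check a real image, pass the bytes of a built `bzImage` or shim binary to `check_pe_nx`; a firmware that enforces NX compat is expected to reject images where `nx_compat` is False or `wx_sections` is non-empty.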
