dracut.sh: add --sbat option to add sbat policy to UKI #2426

Merged
merged 1 commit into from
Aug 5, 2023


esposem
Contributor

@esposem esposem commented Jul 12, 2023

Take existing .sbat section from the uefi stub and merge it with vmlinux .sbat (if it exists) and user-provided .sbat file using the new --sbat option.

For some reason, --update-section in objcopy does not resize the .sbat section, so remove the section from the stub and add it to the UKI as a new one, to avoid having incomplete SBAT strings.

Changes

Checklist

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

Fixes #
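
The merge described in the PR text above, as an added example that is not part of the pull request or of dracut's code: it combines the SBAT CSV text dumped from several .sbat sections into one payload and flags a payload whose last entry was cut short, the "incomplete SBAT strings" case the description mentions. The function names, the six-field completeness check and all sample entries are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not dracut's code). SBAT entries are CSV lines:
#   component,generation,vendor,package,version,url
SBAT_HEADER='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md'

# merge_sbat FILE...
# Print the SBAT header once, then every other entry once, in first-seen
# order. NUL padding and CRs left over from a dumped section are dropped.
merge_sbat() {
    local f
    printf '%s\n' "$SBAT_HEADER"
    for f in "$@"; do
        tr -d '\000\r' < "$f"
        printf '\n' # a dumped section may lack the final newline
    done | awk -F, '$1 == "sbat" || $0 == "" { next } !seen[$0]++'
}

# sbat_is_complete FILE
# Succeed only if the file has entries and each has six fields with a
# numeric generation (this example's assumption of a well-formed entry).
# A section that was not resized ends in a line that fails this check.
sbat_is_complete() {
    tr -d '\000\r' < "$1" | awk -F, '
        $0 == "" { next }
        { n++ }
        NF != 6 || $2 !~ /^[0-9]+$/ { bad = 1 }
        END { exit (bad || n == 0) ? 1 : 0 }'
}

# Demo on constructed sample data (all entries below are made up).
sbat_demo() {
    local d; d=$(mktemp -d) || return 1
    printf '%s\nsystemd,1,The systemd Developers,systemd,254,https://systemd.io/\n\000\000' \
        "$SBAT_HEADER" > "$d/stub.sbat"
    printf '%s\nlinux,1,Example Distro,linux,6.4.0,https://distro.example/\n' \
        "$SBAT_HEADER" > "$d/vmlinux.sbat"
    printf 'myuki,1,Example Org,myuki,1,https://org.example/' > "$d/user.sbat"
    merge_sbat "$d/stub.sbat" "$d/vmlinux.sbat" "$d/user.sbat" > "$d/uki.sbat"
    sbat_is_complete "$d/uki.sbat" && cat "$d/uki.sbat"
    rm -rf "$d"
}
sbat_demo
```

Entries are deduplicated by whole line, so the same component at two different generations is kept twice and left for a human to resolve.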

@esposem
Contributor Author

esposem commented Jul 13, 2023

Not sure what TEST: root filesystem on LVM on encrypted partitions of a RAID-5 [FAILED] has to do with my patch. Any help?

@LaszloGombos
Collaborator

> Not sure what TEST: root filesystem on LVM on encrypted partitions of a RAID-5 [FAILED] has to do with my patch. Any help?

Those test failures are not regressions from this PR.
Currently only TEST-18 is using UEFI boot (but not UEFI secure boot)

@aafeijoo-suse
Member

@esposem
Contributor Author

esposem commented Jul 21, 2023

> Nice thread: https://lore.kernel.org/lkml/[email protected]/T/#u

I am the author of that patch. We will probably not end up having anything in kernel upstream, but distros might add their own SBAT section to the vmlinux binary. So IMHO this PR is still needed, also because:

  • giving a sbat string will be optional
  • ukify (the systemd tool that builds UKI the same way as dracut does) also supports it. So if you want to maintain a minimum of consistency with the other tools, you need this.

Member

@aafeijoo-suse aafeijoo-suse left a comment

Please, also document the new option in dracut.8.asc and dracut.conf.5.asc.

@esposem esposem force-pushed the sbat branch 2 times, most recently from 16d9814 to 904a3ec Compare July 24, 2023 13:22
@esposem esposem force-pushed the sbat branch 2 times, most recently from 72bbdea to 1ffcb0c Compare August 2, 2023 08:40
Member

@aafeijoo-suse aafeijoo-suse left a comment

Other than that, it looks good from my side. Just one minor thing I forgot last time, could you please add the bash completion for the new --sbat option after https://github.com/dracutdevs/dracut/blob/master/shell-completion/bash/dracut#L49

@esposem
Contributor Author

esposem commented Aug 2, 2023

See if it makes sense for you 👍

@aafeijoo-suse
Member

> See if it makes sense for you +1

Have you added the new changes to the commit? I can see the diff but the PR was not updated...
btw you can reword the "and user-provided .sbat file" part of the commit message :)

Take existing .sbat section from the uefi stub and merge it
with vmlinux .sbat (if it exists) and user-provided .sbat parameters
using the new --sbat option.

For some reasons, --update-section in objcopy does not resize the
.sbat section, so remove the section from the stub and add it
to the UKI as new one, to avoid having incomplete SBAT strings.

Signed-off-by: Emanuele Giuseppe Esposito <[email protected]>
@esposem
Contributor Author

esposem commented Aug 2, 2023

done

Member

@aafeijoo-suse aafeijoo-suse left a comment

Thanks!

Collaborator

@LaszloGombos LaszloGombos left a comment

lgtm

@LaszloGombos LaszloGombos merged commit fffeade into dracutdevs:master Aug 5, 2023
71 of 78 checks passed