Xen project Mailing List

Re: [PATCH 1/6] Add SBAT section to the PE binary

To: Jan Beulich <jbeulich@xxxxxxxx>, Frediano Ziglio <freddy77@xxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Tue, 2 Jun 2026 13:54:36 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GqbwujTX8M/R4DGpzx0GFaWiKG/+grpNJ50K49Rtsxk=; b=q8wiF8IC+FWtli9F56cV1nkc2YqsMAqB0A/NRwQAfFSEh11JxxxrCj58T3+oI6UsH8N4sLw8Vt2PkdavhgVerUovt8XWlQ6WMriwK12A/Es3THizwSkHFbovr7sqCHshuT1JH4P2COyo5c4Bt+/gCkSfFdsFoSFwiKMN7UpXHzEq8fdR8pPCDpjnyvj/Z36z1DR9/eEu53EwP1+x8hX7sdzW+M02vUkcmxR5VTvCuoFlrUOgyp1DfycF33mBQ5gFH1jGeRhWWAf+OPRmKWg3hmpnGnVd4MRl1o4bEjpZHLcwBTuEluglEQrBeUO/aUct6A4T+Zxljyl5T8WxPjV36A==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ieDvl+A2lA0ySHKUrgcnmeuyQWPkJlZGflCA1tivgPieDu4lxSv+u6fBjCJomSppzpW7NEBlZE/5Sw17Yend6hmYXaD96IFwN1/0teeML+igV5nkkSxkHkcDb30VsTv97m5BNiIvQmX7XxPFRB++/x+FXJXY6LQdLCzQ3lSjK8j+OYdG2NEu9bA0ER2/gCd72ml20HoizeKPmeabOcO7Zhk/D4r2qrvekX8EGrp2xUoeiIV7dr+qlNHxKpmOoL/GOyGqiIHE1xeiwRB9fht6pM+9FsIDzVrLWiA3B07Z+J1eDos8hVeP91nN0FYSoDIq3zluXB71nIakRM4xldrLNg==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=citrix.com header.i="@citrix.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Frediano Ziglio <frediano.ziglio@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Tue, 02 Jun 2026 12:55:54 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 02/06/2026 1:06 pm, Jan Beulich wrote: > On 29.05.2026 17:35, Frediano Ziglio wrote: >> From: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx> >> >> The SBAT section provides a way for the binary to declare a generation >> id for its upstream source and any vendor changes applied. A compatible >> loader can then revoke vulnerable binaries by generation, using the >> binary's declared generation id(s) to determine if it is safe to load. >> >> More information about SBAT is available here: >> https://github.com/rhboot/shim/blob/main/SBAT.md >> >> Populate the SBAT section in the Xen binary by using the information >> in xen/arch/x86/sbat.csv. >> >> On XenServer, the version and release fields are populated by the spec >> file during the build process. >> >> Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx> >> Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> >> --- >> xen/arch/x86/Makefile | 4 ++++ >> xen/arch/x86/xen.lds.S | 2 ++ >> xen/include/xen/xen.lds.h | 3 ++- >> 3 files changed, 8 insertions(+), 1 deletion(-) > This gives the impression of being an entirely new patch, when really the > (standalone) patch was already at v4, and my comment there wasn't addressed > (perhaps merely by extending the description some). It also feels like there > were other pending comments, or else why would this not have gone in long > ago? The content of the SBAT table is still pending the security document, and in particular the decision over whether upstream Xen maintains a global revision or not. Although the global revision could be appended later. > Additionally, ... > >> --- a/xen/arch/x86/Makefile >> +++ b/xen/arch/x86/Makefile >> @@ -71,6 +71,7 @@ obj-$(CONFIG_TBOOT) += tboot.o >> obj-y += hpet.o >> obj-$(CONFIG_VM_EVENT) += vm_event.o >> obj-y += xstate.o >> +obj-y += sbat_data.o > ... like elsewhere: New files' names should prefer dashes over underscores. > Question of course is why this isn't simply sbat.o in the first place. Also sorted. > >> @@ -275,6 +276,9 @@ $(obj)/efi.lds: AFLAGS-y += -DEFI >> $(obj)/xen.lds $(obj)/efi.lds: $(src)/xen.lds.S FORCE >> $(call if_changed_dep,cpp_lds_S) >> >> +$(obj)/sbat_data.o: $(src)/sbat.csv >> + $(OBJCOPY) -I binary -O elf64-x86-64 --rename-section >> .data=.sbat,readonly,data,contents --add-section .note.GNU-stack=/dev/null >> $(srcdir)/sbat.csv $@ > That'll be an SHT_PROGBITS .note.GNU-stack, won't it? When it really wants to > be SHT_NOTE at least for bleeding edge GNU binutils (see relatively recent > changes there). That was my addition to prevent there being a warning about RWX stacks cascade all the way up the build. Maybe a better option is to have sbat.S with an .incbin sbat.csv ? ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.