[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen.efi and secure boot

To: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Keir Fraser <keir@xxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>
From: George Dunlap <dunlapg@xxxxxxxxx>
Date: Mon, 26 Nov 2012 17:57:18 +0000
Delivery-date: Mon, 26 Nov 2012 17:57:55 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

So while doing a bit of investigation into a request that we have instructions for how to sign a Xen binary, I came across a related pair of questions. If we boot from a signed Xen binary, then:
1. Will Xen then successfully boot a signed dom0 kernel / initrd?
2. Will Xen fail to boot an unsigned dom0 kernel / initrd?

I think if Xen is signed, then ideally we want both 1 and 2 to be true, right? Does UEFI provide a way to check the signature of files? Does it happen automatically, or would we need to add extra support? Or would we need to embed a public key within the Xen binary and have Xen check the signatures of files that it reads?

-George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Xen.efi and secure boot
  - From: Jan Beulich
- Re: [Xen-devel] Xen.efi and secure boot
  - From: Jan Beulich
- Re: [Xen-devel] Xen.efi and secure boot
  - From: Stefano Stabellini
- Re: [Xen-devel] Xen.efi and secure boot
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [DOCDAY] Maintenance Release Policy
Next by Date: Re: [Xen-devel] [RFC/PATCH v2] XENMEM_claim_pages (subop of existing) hypercall
Previous by thread: [Xen-devel] [PATCH 0 of 5] HVM performance improvements
Next by thread: Re: [Xen-devel] Xen.efi and secure boot
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.