Re: [Xen-devel] Xen.efi and secure boot
On 26/11/12 17:57, George Dunlap wrote:
> So while doing a bit of investigation into a request that we have
> instructions for how to sign a Xen binary, I came across a related
> pair of questions. If we boot from a signed Xen binary, then:
> 1. Will Xen then successfully boot a signed dom0 kernel / initrd?
> 2. Will Xen fail to boot an unsigned dom0 kernel / initrd?
>
> I think if Xen is signed, then ideally we want both 1 and 2 to be
> true, right? Does UEFI provide a way to check the signature of
> files? Does it happen automatically, or would we need to add extra
> support? Or would we need to embed a public key within the Xen binary
> and have Xen check the signatures of files that it reads?
>
> -George

The problem is deeper than that.

The idea of secure boot is that only signed/verified code can perform privileged operations. One can argue as to exactly where this boundary lies, but in the native case, it contains any kernel level code. Userspace uses the kernel API/ABI subject to the permissions checks present and (assuming no security holes), everyone is happy.

In the Xen case, Xen will happily accept any privileged hypercalls from dom0. So you could argue that anything able to make ioctls against /dev/xen/privcmd (and friends) would need to be within the signed code. This is the entire toolstack, and all root processes.

Furthermore, cross-domain systems like xenbus/xenstore would also need to be signed. Imagine the carnage a malicious xenstored could cause!

I am struggling to think of a way of getting secure boot working correctly without signing all of dom0.

--
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
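The privcmd path Andrew refers to, shown as an added example that is not part of the thread or of Xen's own code: any root process that can open /dev/xen/privcmd can hand the hypervisor an arbitrary hypercall number and arguments through a single ioctl, with no signature on the calling code involved. The example issues the harmless HYPERVISOR_xen_version(XENVER_version) hypercall, but nothing in the interface distinguishes it from a privileged one. The struct layout, ioctl number and hypercall constants are reproduced from the Linux privcmd ABI and Xen public headers as this example understands them, so the file builds without Xen headers installed; the device path argument is an assumption so a caller can point it elsewhere.

```c
/*
 * Added example (not from the thread): issue a hypercall from userspace
 * through /dev/xen/privcmd. Demonstrates that the hypercall boundary sits at
 * "anything that can open this device", i.e. every root process in dom0.
 *
 * Definitions mirror Linux <xen/privcmd.h> and Xen's public headers
 * (assumed layout; copied here so no Xen headers are needed to compile).
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Argument block for IOCTL_PRIVCMD_HYPERCALL: hypercall number plus up to
 * five raw arguments. The kernel passes these to Xen without interpreting
 * them, which is why access to the device is equivalent to hypercall access. */
struct privcmd_hypercall {
    uint64_t op;
    uint64_t arg[5];
};

#define IOCTL_PRIVCMD_HYPERCALL \
    _IOC(_IOC_NONE, 'P', 0, sizeof(struct privcmd_hypercall))

#define __HYPERVISOR_xen_version 17   /* from xen/include/public/xen.h */
#define XENVER_version           0    /* from xen/include/public/version.h */

/*
 * Issue HYPERVISOR_xen_version(XENVER_version) via privcmd.
 * Returns (major << 16) | minor on success, or -1 if the device cannot be
 * opened or the ioctl fails (not on Xen, not root, or no privcmd driver).
 * Replacing hc.op / hc.arg[] is all it takes to issue any other hypercall.
 */
long xen_version_via_privcmd(const char *dev)
{
    int fd = open(dev, O_RDWR);
    if (fd < 0)
        return -1;

    struct privcmd_hypercall hc;
    memset(&hc, 0, sizeof(hc));
    hc.op = __HYPERVISOR_xen_version;
    hc.arg[0] = XENVER_version;

    long ret = ioctl(fd, IOCTL_PRIVCMD_HYPERCALL, &hc);
    int saved_errno = errno;
    close(fd);

    if (ret < 0) {
        errno = saved_errno;
        return -1;
    }
    return ret;
}

int main(void)
{
    long v = xen_version_via_privcmd("/dev/xen/privcmd");
    if (v < 0) {
        fprintf(stderr, "privcmd hypercall failed: %s\n", strerror(errno));
        return 1;
    }
    printf("Xen version %ld.%ld reported via privcmd\n", v >> 16, v & 0xffff);
    return 0;
}
```

Run as root inside a Xen dom0 to see the version; anywhere else it fails at open() or at the ioctl, which is the failure path the test below exercises. Note that nothing here checks who the caller is beyond the kernel's file permission on the device node, which is exactly the gap the reply describes: secure boot can attest to Xen and the dom0 kernel, but not to whichever process ends up holding this file descriptor.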