
Re: [Xen-devel] Booting signed xen.efi through shim



On Fri, Sep 22, 2017 at 02:25:46AM -0600, Jan Beulich wrote:
> >>> On 22.09.17 at 00:46, <tamas@xxxxxxxxxxxxx> wrote:
> > One piece that I see still missing is the Xen command line parameters
> > not being verified. It would be ideal to have the option to get that
> > set during compile time as well, similar to Linux's CONFIG_CMDLINE
> > option, to avoid for example getting iommu or XSM being turned off by
> > someone with physical access.
>
> We do have CMDLINE and CMDLINE_OVERRIDE. But for someone
> with physical access it would likely also be possible to avoid secure
> boot altogether?

Another solution is here:
http://lists.gnu.org/archive/html/grub-devel/2017-07/msg00003.html
It is TPM based and WIP. It requires the verifiers framework, which should
be posted on grub-devel soon. Or you can add your own method based
on verifiers. Patches are welcome...

Have a nice weekend,

Daniel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
