[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Unified Xen executable for UEFI Secure Boot support



On 05.08.2020 13:29, Trammell Hudson wrote:
> I have preliminary patches to support bundling the Xen hypervisor, xen.cfg, 
> the Linux kernel, initrd and XSM into a single "unified" EFI executable that 
> can be signed by sbsigntool for verification by UEFI Secure Boot.  It is 
> inspired by systemd-boot's unified kernel technique and borrows the function 
> to locate PE sections from systemd's LGPL'ed code.
> 
> The configuration, kernel, etc are added after building using objcopy to add 
> named sections for each input file.  This allows an administrator to update 
> the components independently without requiring rebuilding xen. During EFI 
> boot, Xen looks at its own loaded image to locate the PE sections and, if 
> secure boot is enabled, only allows use of the unified components.
> 
> The resulting EFI executable can be invoked directly from the UEFI Boot 
> Manager, removing the need to use a separate loader like grub. Unlike the 
> shim based verification, the signature covers the entire 
> Xen+config+kernel+initrd unified file. This also ensures that properly 
> configured platforms will measure the entire runtime into the TPM for 
> unsealing secrets or remote attestation.
> 
> I've tested it on qemu OVMF with Secure Boot enabled, as well as on real 
> Thinkpad hardware.  The EFI console is very slow, although it works and is 
> able to boot into dom0.
> 
> The current patch set is here, and I'd appreciate suggestions on the 
> technique or cleanup for submission:
> https://github.com/osresearch/xen/tree/secureboot

Sounds quite interesting, thanks, but please post the Xen patches here
for commenting, perhaps with an RFC tag for now.

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.