
Re: [PATCH v4 4/4] efi: Do not use command line if secure boot is enabled.



On Thursday, September 17, 2020 8:51 AM, Jan Beulich <jbeulich@xxxxxxxx> wrote:
> On 14.09.2020 13:50, Trammell Hudson wrote:
> > If secure boot is enabled, the Xen command line arguments are ignored.
> > If a unified Xen image is used, then the bundled configuration, dom0
> > kernel, and initrd are preferred over the ones listed in the config file.
> > Unlike the shim based verification, the PE signature on a unified image
> > covers all of the Xen+config+kernel+initrd modules linked into the
> > unified image. This also ensures that properly configured platforms
> > will measure the entire runtime into the TPM for unsealing secrets or
> > remote attestation.
>
> The command line may also include a part handed on to the Dom0 kernel.
> If the Dom0 kernel image comes from disk, I don't see why that part of
> the command line shouldn't be honored. Similarly, if the config file
> doesn't come from the unified image, I think Xen's command line options
> should also be honored.

Ignoring the command line and breaking the shim behaviour in a
unified image should be ok; that is an explicit decision by the
system owner to sign and configure the new image (and the shim
is not used in a unified image anyway).

If we have a way to detect a unified image early enough, then
we can avoid the backwards incompatibility if it is not unified.
That would require moving the config parsing to above the relocation call.
I'm testing that now to see if it works on x86.

--
Trammell
