Re: [Xen-devel] Xen.efi and secure boot
On Mon, 26 Nov 2012 20:12:04 +0000
Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> wrote:

> On Mon, 26 Nov 2012, George Dunlap wrote:
> > So while doing a bit of investigation into a request that we have
> > instructions for how to sign a Xen binary, I came across a related pair of
> > questions. If we boot from a signed Xen binary, then:
> > 1. Will Xen then successfully boot a signed dom0 kernel / initrd?
> > 2. Will Xen fail to boot an unsigned dom0 kernel / initrd?
> >
> > I think if Xen is signed, then ideally we want both 1 and 2 to be true,
> > right?
>
> I think that you are right

I think you'd have to be out of your tree to try and sign Xen itself
using the MS setup - assuming you can ever get a key and get it to work
which seems to be an issue of its own.

You want to sign a small bootloader that is tightly auditable and do
your own key management within that for anything else. I would think
you'd be able to make use of the Linux bootloader work.

Better yet would be to take the entire sorry EFI and 'secure' boot mess
and kick it where the sun won't shine but alas that may be a challenge
until the PC manufacturers realise they can't handle the support costs
of things in the current state and fix it.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel