Re: [Xen-devel] Xen.efi and secure boot

["Jan Beulich" <JBeulich@xxxxxxxx>]

>>> On 26.11.12 at 18:57, George Dunlap <dunlapg@xxxxxxxxx> wrote:
> So while doing a bit of investigation into a request that we have
> instructions for how to sign a Xen binary, I came across a related pair of
> questions.  If we boot from a signed Xen binary, then:
> 1. Will Xen then successfully boot a signed dom0 kernel / initrd?
> 2. Will Xen fail to boot an unsigned dom0 kernel / initrd?
> 
> I think if Xen is signed, then ideally we want both 1 and 2 to be true,
> right?  Does UEFI provide a way to check the signature of files?  Does it
> happen automatically, or would we need to add extra support?  Or would we
> need to embed a public key within the Xen binary and have Xen check the
> signatures of files that it reads?

I don't have any answers to these questions yet; as we need to
do this for our upcoming SLE11 SP3, I'm expecting our EFI and/or
kernel folks to come forward with an outline of what needs to be
done (and ideally with an implementation in the boot loader) that
I could then just clone for the Xen code. I had expected that to
happen already, but it's apparently not making enough progress
(or the progress is not visible to me).

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel