[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xen.efi and secure boot

On Mon, Nov 26, 2012 at 9:51 PM, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
I think you'd have to be out of your tree to try and sign Xen itself
using the MS setup - assuming you can ever get a key and get it to work
which seems to be an issue of its own.

You want to sign a small bootloader that is tightly auditable and do your
own key management within that for anything else. I would think you'd be
able to make use of the Linux bootloader work.

I was thinking of people who wanted to install their own keys.  Some people think that since you have EFI you shouldn't need a bootloader. :-)

But you're right, I think on the whole the critical thing is just to make sure that "secure" bootloaders from distros know how to load signed Xen / Linux images.  Booting Xen directly is probably going to be a bit niche.  That said, I'm sure there are people who will want to do it, so it probably should be on our "to-do" list.

Better yet would be to take the entire sorry EFI and 'secure' boot mess
and kick it where the sun won't shine but alas that may be a challenge
until the PC manufacturers realise they can't handle the support costs of
things in the current state and fix it.

I'm not sure the vendors have much choice in the matter, as long as a single vendor controls the majority of the market and can dictate terms.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.