Xen project Mailing List

Re: [Xen-devel] Xen.efi and secure boot

From: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>

Date: Tue, 27 Nov 2012 09:50:55 +0000

Cc: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, "Keir \(Xen.org\)" <keir@xxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

Delivery-date: Tue, 27 Nov 2012 09:51:40 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

I think you'd have to be out of your tree to try and sign Xen itself
using the MS setup - assuming you can ever get a key and get it to work
which seems to be an issue of its own.

You want to sign a small bootloader that is tightly auditable and do your
own key management within that for anything else. I would think you'd be
able to make use of the Linux bootloader work.

I was thinking of people who wanted to install their own keys. Some people think that since you have EFI you shouldn't need a bootloader. :-)

But you're right, I think on the whole the critical thing is just to make sure that "secure" bootloaders from distros know how to load signed Xen / Linux images. Booting Xen directly is probably going to be a bit niche. That said, I'm sure there are people who will want to do it, so it probably should be on our "to-do" list.

Better yet would be to take the entire sorry EFI and 'secure' boot mess
and kick it where the sun won't shine but alas that may be a challenge
until the PC manufacturers realise they can't handle the support costs of
things in the current state and fix it.

I'm not sure the vendors have much choice in the matter, as long as a single vendor controls the majority of the market and can dictate terms.

-George

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel