
Re: [Xen-devel] Xen.efi and secure boot



On Fri, Nov 30, 2012 at 11:23 AM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>>> On 30.11.12 at 11:56, George Dunlap <dunlapg@xxxxxxxxx> wrote:
> On Fri, Nov 30, 2012 at 10:27 AM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>
>>
>> So I learned a little more meanwhile - it's not that trivial: I'm told
>> the shim uses UEFI services to do the verification, and those
>> services only handle PE images. But we obviously can't reasonably
>> expect the Dom0 kernel to be packaged as PE image, as that
>> would then be unusable as DomU kernel (on older hosts at least,
>> i.e. even if we added a PE loader to libxc).
>>
>
> But what does the shim use to check the signature of Xen in this case?
> Does Xen / native Linux need to be a PE image to boot from the shim?

Yes - xen.efi just needs to get a signature implanted for that
part to work, and native Linux uses the EFI_STUB mechanism
to get its binary into said format (which then also only needs a
signature added).

>  If
> not, wouldn't the native PE image suffice?  And if so, why can't the shim
> check signatures the same way it checks the sig for the thing it's booting?

The checking code only knows to locate signatures inside PE
images. Consequently, whatever you want to pass to that code
needs to look like one. xen.efi and native Linux with EFI_STUB
enabled already do, but if you handed such a kernel binary to
either of the two PV domain kernel loaders Xen has, they would
just bail.

OK... so Fedora and Ubuntu are going to be shipping signed kernel binaries.  Are those binaries going to be in PE / EFI format then?  If so:
1. You won't need to do any fancy on-the-fly repackaging in Xen; you can just pass the already-signed distro-supplied binary
2. The toolstack is simply going to have to be able to read PE kernels for PV guests
3. If distros don't include non-PE kernels, we're going to have to backport that functionality to older versions of Xen.

 -George
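An added illustration of the point Jan makes above, not code from this thread or from Xen: a shim-style check locates a signature through the PE data directories (the Attribute Certificate Table), so a loader can only find one in a PE image, and an ELF or bzImage kernel has no such slot. `build_sample_pe` and its placeholder certificate are constructed for the demonstration and assume a minimal, non-loadable PE32+ layout.

```python
import struct

# Field offsets from the PE/COFF specification.
PE_HEADER_OFFSET_FIELD = 0x3C          # e_lfanew in the DOS header
IMAGE_DIRECTORY_ENTRY_SECURITY = 4     # data directory slot of the Attribute Certificate Table

def image_format(data: bytes) -> str:
    """Classify a kernel image by its magic: 'pe', 'elf', 'bzimage' or 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if len(data) > 0x206 and data[0x202:0x206] == b"HdrS":   # Linux boot protocol header
        return "bzimage"
    return "unknown"

def pe_security_directory(data: bytes):
    """Return (file offset, size) of the certificate table of a PE image, None when the
    image carries no embedded signature, and raise ValueError for a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, PE_HEADER_OFFSET_FIELD)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 4 + 20                       # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                          # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                        # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if size else None        # for this entry the "RVA" is a file offset

def build_sample_pe(cert: bytes) -> bytes:
    """Constructed minimal PE32+ image (hypothetical, not loadable): DOS header, PE
    signature, COFF header, optional header with 16 directories, no sections, then cert."""
    opt_size = 112 + 16 * 8
    pe_off = 0x40
    cert_off = pe_off + 4 + 20 + opt_size if cert else 0
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16) + bytes(dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0)
    dos = b"MZ".ljust(PE_HEADER_OFFSET_FIELD, b"\0") + struct.pack("<I", pe_off)
    return dos + b"PE\0\0" + coff + opt + cert
```

Locating the table is only the first step; a real verifier then parses the WIN_CERTIFICATE blob at that offset and checks the Authenticode signature against the platform's key database.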

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
