[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xen 4.3 development update, and stock-taking

>>> On 17.01.13 at 17:04, George Dunlap <george.dunlap@xxxxxxxxxxxxx> wrote:
> I just looked back over a discussion I had with Colin Watson at Ubuntu 
> after UDS.  He said:
> --- Begin Quote ---
> Specifically, we sign kernels in order that we can enter the
> kernel without calling ExitBootServices, have the kernel perform some
> quirks handling at startup (such as fixing up the framebuffer stride),
> and then have the kernel call ExitBootServices itself before doing
> anything else interesting.  When Secure Boot is enabled, unsigned
> kernels must be entered after calling ExitBootServices, and so cannot
> make use of UEFI boot services.

Which would mean neither Xen nor Linux can be started if not
signed, and if secure boot is enabled. There's no way for the
boot loader or shim to fake up firmware tables in a compatible

But there might be some fundamental understanding issue here:
I take it that it is not a property of a system whether one wants
secure boot, but a request of the owner of the system. If (s)he
wants to boot securely, then of course anything that isn't signed
doesn't even get loaded. If (s)he wants to boot "normally", the
shim gets left out of the picture, and off we go. But maybe I'm
wrong with that?

> --- End Quote ---
> So unless we plan to handle the same quirks in Xen, we're going to need 
> to make it possible for dom0 to do it.

We will have to - see my other reply.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.