Re: [Xen-devel] EFI and multiboot2 development work for Xen

>>> On 21.10.13 at 20:39, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote:
> On Mon, Oct 21, 2013 at 02:36:38PM +0100, Jan Beulich wrote:
>> >>> On 21.10.13 at 14:57, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote:
>> > Separate multiboot2efi module should be established. It should verify
>> > system
>> > kernel and all loaded modules using shim on EFI platforms with enabled
>> > secure boot
>>
>> Each involved component verifies only the next image. I.e. the
>> shim verifies the Xen image, and Xen verifies the Dom0 kernel
>> binary. The Dom0 kernel (assuming it to be Linux) will then be
>> responsible for dealing with its initrd. (One open question is how
>
> Currently Linux Kernel is only verified. Sorry, my fault.
> As I know Matthew Garrett would like to verify Linux Kernel
> modules too. However, I do not know details now. I think that
> we should take into account his work.

Sure, Linux modules are to be verified. But that's a Linux thing
we can be entirely unconcerned about. In the context of GrUB,
"module" can only have the meaning of GrUB modules.

>> Xen ought to deal with an eventual XSM module; I take it that
>
> Could you tell me more about that? What issues do you expect here?

We obviously need to have a way to verify the integrity of an
XSM module. Otherwise - as with any unverified component - its
presence would break the integrity of the supposedly secure
system.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
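
The XSM point from the message above, as an added example that is not part of the original message and is not Xen, shim or GRUB code. It assumes SHA-256 digest pinning as a stand-in for the signature checks a real secure boot chain performs; the image contents, the `LOADS` table and the `make_pins`/`boot` helpers are constructed for illustration.

```python
import hashlib


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-ins for the images named in the thread.
IMAGES = {
    "xen": b"xen hypervisor image",
    "dom0-kernel": b"linux dom0 kernel",
    "xsm-module": b"xsm policy: deny by default",
}

# Who loads what, in boot order: each stage checks only what it loads next.
LOADS = {"shim": ["xen"], "xen": ["dom0-kernel", "xsm-module"]}


def make_pins(images, verified):
    """Reference digests for the images the chain actually verifies."""
    return {name: digest(images[name]) for name in verified}


def boot(images, pins):
    """Walk the chain. Returns (booted, images_accepted_without_any_check)."""
    unchecked = []
    for loader in ("shim", "xen"):
        for name in LOADS[loader]:
            if name not in pins:
                unchecked.append(name)   # loaded, but nobody verified it
            elif digest(images[name]) != pins[name]:
                return False, unchecked  # verification failed: stop booting
    return True, unchecked


if __name__ == "__main__":
    # Constructed tampering: the XSM policy is replaced on disk.
    tampered = dict(IMAGES, **{"xsm-module": b"xsm policy: allow everything"})
    partial = make_pins(IMAGES, ["xen", "dom0-kernel"])
    full = make_pins(IMAGES, ["xen", "dom0-kernel", "xsm-module"])
    print("XSM unverified:", boot(tampered, partial))
    print("XSM verified:  ", boot(tampered, full))
```

With the XSM module left out of the verified set, the modified policy boots alongside a correctly verified Xen and Dom0 kernel; once it is pinned like the other images, the same modification stops the boot.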