[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] EFI and multiboot2 devlopment work for Xen

To: Daniel Kiper <daniel.kiper@xxxxxxxxxx>
From: Vladimir 'Ï-coder/phcoder' Serbinenko <phcoder@xxxxxxxxx>
Date: Wed, 23 Oct 2013 10:44:56 +0200
Cc: The development of GNU GRUB <grub-devel@xxxxxxx>, keir@xxxxxxx, david.woodhouse@xxxxxxxxx, stefano.stabellini@xxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, ross.philipson@xxxxxxxxxx, pjones@xxxxxxxxxx, jbeulich@xxxxxxxx, boris.ostrovsky@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, richard.l.maliszewski@xxxxxxxxx, ian.campbell@xxxxxxxxxx
Delivery-date: Wed, 23 Oct 2013 08:48:31 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 23.10.2013 09:43, Daniel Kiper wrote:
> On Mon, Oct 21, 2013 at 11:16:24PM +0200, Vladimir 'Ï-coder/phcoder' 
> Serbinenko wrote:
>> Mail is big, I think I got your essential points but I didn't read it whole.
>> On 21.10.2013 14:57, Daniel Kiper wrote:
>>> Hi,
>>>
>>> During work on multiboot2 protocol support for Xen it was discovered
>>> that memory map passed via relevant tag could not represent wide range
>>> of memory types available on EFI platforms. Additionally, GRUB2
>>> implementation calls ExitBootServices() on them just before jumping
>>> into loaded image. In this situation loaded system could not clearly
>>> identify reserved memory regions, EFI runtime services regions and others.
>>>
>> Will a multiboot2 tag with whole EFI memory map solve your problem?
>>> Additionally, it should be mentioned that there is no possibility or it 
>>> could
>>> be very difficult to implement secure boot on EFI platforms using GRUB2 as 
>>> boot
>>> loader because, as it was mentioned earlier, it calls ExitBootServices().
>>>
>> GRUB has generic support for signing kernels/modules/whatsoever using
>> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
>> method doesn't have any controversy associated with EFI stuff but at
>> this particular case does exactly the same thing: verify signature.
>> multiboot2 is mainly memory structure specification so probably how the
>> files are checked is outside of its scope. But it's possible to add
>> specification on how to embed signatures in kernel.
> 
> I think that EFI signatures should be supported because they are quite
> common right now. However, I think that it is also worth to support
> GnuPG signatures. This way anybody will be able to choose good solution
> for a given case.
> 
Agreed.

> Daniel
>

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] EFI and multiboot2 devlopment work for Xen
  - From: Daniel Kiper
- Re: [Xen-devel] EFI and multiboot2 devlopment work for Xen
  - From: Vladimir 'Ï-coder/phcoder' Serbinenko
- Re: [Xen-devel] EFI and multiboot2 devlopment work for Xen
  - From: Daniel Kiper

Prev by Date: Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
Next by Date: [Xen-devel] [xen-unstable test] 21085: tolerable FAIL
Previous by thread: Re: [Xen-devel] EFI and multiboot2 devlopment work for Xen
Next by thread: [Xen-devel] libxl: ocaml: improve the bindings
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.