
Re: [Xen-devel] [Xen-users] UEFI Secure Boot Xen 4.9



Hey,

CC-ing Xen-devel to spread some knowledge about the issue.

On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
> On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
> <billjac@xxxxxxxxx> wrote:
> > Hi all
> >
> > I gather that with 4.9, UEFI secure boot of Xen should be possible.
> >
> > Is this true?
> >
> > If so, what are the options for utilizing UEFI secure boot? Do I need a
> > MSFT-signed shim or grub? Any special changes required for Xen kernel
> > (signing?) or has that been done?
>
> Bill,
>
> I guess in part it depends on what you mean by "utilizing UEFI secure
> boot".  If you simply want to boot an unsigned Xen on a UEFI system
> with SecureBoot enabled, then grub would probably work.  If you want
> to actually do the full SecureBoot thing -- where you have grub check
> Xen's signature and that of the kernel and initrd, you probably need a
> bit more.
>
> Daniel,
>
> Is there any good documentation on this?  The Xen EFI guide
> (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
> doesn't go into detail about how to sign a binary &c.

Unfortunately, I do not know of anything like that. As you said, in general
shim is supported. Sadly, it works only if you load xen.efi directly from
EFI. __Upstream__ GRUB2 does not have support for shim yet. I am working
on it (shim support via GRUB2 also requires some changes in Xen). I hope
that I will have something which works before Xen conf in Budapest.

If you wish to use shim with xen.efi then you have to sign xen.efi and
vmlinux with your key using sbsign or pesign. The process works in the same
way as in the case of vmlinux alone. Of course, you have to install your
public key into MOK before enabling secure boot.

Daniel
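
The signing and MOK enrollment steps described in the message above, as an added shell example that is not part of the original post or of the Xen project's tooling. It uses sbsign (pesign is the alternative named above); the key basename MOK, the image names xen.efi and vmlinuz, and the DRY_RUN helper variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sign xen.efi and the dom0 kernel with a locally generated
# key, verify the result, and queue the certificate for MOK enrollment.
# All file names are placeholders (assumptions), not paths from the message.
set -eu

# Print each command; execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Create a self-signed certificate and private key once.
# $1 = basename for the .key/.crt/.der files; keep the .key file private.
make_mok_key() {
    [ -f "$1.key" ] && return 0
    run openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Local Xen signing key (example)/" \
        -keyout "$1.key" -out "$1.crt"
    # mokutil takes the certificate in DER form.
    run openssl x509 -in "$1.crt" -outform DER -out "$1.der"
}

# Sign one PE/COFF image and check the signature against our certificate.
# $1 = key basename, $2 = image; output goes to "<image>.signed".
sign_image() {
    run sbsign --key "$1.key" --cert "$1.crt" --output "$2.signed" "$2"
    run sbverify --cert "$1.crt" "$2.signed"
}

# $1 = key basename, remaining arguments = images to sign.
sign_for_shim() {
    key=$1; shift
    make_mok_key "$key"
    for img in "$@"; do sign_image "$key" "$img"; done
    # Queues the enrollment request; MokManager asks for confirmation
    # on the next boot. Do this before enabling secure boot.
    run mokutil --import "$key.der"
}

# Example invocation (placeholder names), printing the commands only:
#   DRY_RUN=1 sign_for_shim MOK xen.efi vmlinuz
```

After the reboot and MokManager confirmation, `mokutil --list-enrolled` shows the enrolled certificate and `mokutil --sb-state` reports whether secure boot is enabled.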
