Re: [Xen-devel] [Xen-users] UEFI Secure Boot Xen 4.9
On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote:
> On Mon, May 15, 2017 at 07:09:54PM +0000, Bill Jacobs (billjac) wrote:
>> > -----Original Message-----
>> > From: Daniel Kiper [mailto:daniel.kiper@xxxxxxxxxx]
>> > Sent: Monday, May 15, 2017 6:13 AM
>> > To: Bill Jacobs (billjac) <billjac@xxxxxxxxx>; george.dunlap@xxxxxxxxxx
>> > Cc: xen-devel@xxxxxxxxxxxxx; xen-users@xxxxxxxxxxxxx
>> > Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
>> >
>> > Hey,
>> >
>> > CC-ing Xen-devel to spread some knowledge about the issue.
>> >
>> > On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
>> > > On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
>> > > <billjac@xxxxxxxxx> wrote:
>> > > > Hi all
>> > > >
>> > > > I gather that with 4.9, UEFI secure boot of Xen should be possible.
>> > > >
>> > > > Is this true?
>> > > >
>> > > > If so, what are the options for utilizing UEFI secure boot? Do I
>> > > > need a MSFT-signed shim or grub? Any special changes required for
>> > > > the Xen kernel (signing?) or has that been done?
>> > >
>> > > Bill,
>> > >
>> > > I guess in part it depends on what you mean by "utilizing UEFI secure
>> > > boot". If you simply want to boot an unsigned Xen on a UEFI system
>> > > with SecureBoot enabled, then grub would probably work. If you want
>> > > to actually do the full SecureBoot thing -- where you have grub check
>> > > Xen's signature and that of the kernel and initrd, you probably need a
>> > > bit more.
>> > >
>> > > Daniel,
>> > >
>> > > Is there any good documentation on this? The Xen EFI guide
>> > > (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
>> > > doesn't go into detail about how to sign a binary &c.
>> >
>> > Unfortunately I do not know anything like that. As you said, in general
>> > shim is supported. Sadly, it works only if you load xen.efi directly from
>> > EFI. __Upstream__ GRUB2 does not have support for shim yet. I am working
>> > on it (shim support via GRUB2 also requires some changes in Xen). I hope
>> > that I will have something which works before Xen conf in Budapest.
>> >
>> > If you wish to use shim with xen.efi then you have to sign xen.efi and
>> > vmlinux with your key using sbsign or pesign. The process works in the
>> > same way as for vmlinux alone. Of course you have to install your public
>> > key into MOK before enabling secure boot.
>> >
>> > Daniel
>>
>> Yes, there are options in how this is achievable, and the solutions may be
>> different.
>>
>> We are targeting a secure boot chain from UEFI fw to .ko, using the same
>> signing. In our case we would skip shim and reduce attack surface, but it
>> appears that the mechanisms 'out there' for passing the pub key (cert) from
>> the UEFI db to the Linux chainring require shim to do the work. Is that
>> accurate? Does it have to be the case? I don't see why.
>
> AIUI, if EFI secure boot is enabled then EFI verifies signatures of every
> loaded/executed PE file. Unfortunately, you are not able to use the secure
> boot protocol directly to verify PEs loaded from your app yourself. So, this
> is one of the reasons why shim was introduced. It exposes a protocol which
> can be used by you to do verification.
>
>> For us, the ideal case is:
>> UEFI fw -> (signed)GRUB2.efi -> Multiboot2 -> Xen(signed .ko)
>
> AFAICT, it is not possible. We should do the following:
>
> UEFI -> shim -> GRUB2 -> Multiboot2 -> Xen/Linux/etc.
>
> UEFI will verify shim's secure boot signature, then shim will verify GRUB2's
> signature, then GRUB2 will verify (with the shim protocol) Xen's signature and
> finally Xen will verify (with the shim protocol) the Linux kernel signature.
> Then your kernel can verify modules using whatever you want.
>
>> I would be happy to work to help achieve this.
>
> There is a chance that I will have something very raw at the beginning
> of June. If you wish to do tests drop me a line.

Hi Daniel, is there any news on this? I would be interested in giving this a
shot too.

Thanks,
Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
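Daniel's advice in the thread above is to sign xen.efi and vmlinux with sbsign or pesign before enabling Secure Boot; a practitioner will then want to confirm the images actually carry a signature before rebooting. The following is an added example of my own (not code from this thread, from Xen, or from sbsign/pesign): it parses the PE/COFF headers of an EFI image and reports whether an Authenticode certificate table is present, which is what those tools append and what UEFI and shim check. It only detects the table and does not validate the signature chain (use sbverify or pesign for that), and the PE32+ skeleton it builds is a constructed sample, not a real xen.efi.

```python
import struct
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData

def certificate_table(image: bytes):
    """One (revision, cert_type, blob_len) per WIN_CERTIFICATE in the security directory; [] means unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 24  # optional header follows the 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x20B:  # PE32+, the format of x86-64 EFI binaries such as xen.efi
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:  # PE32
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", image, ndirs_off)[0] < 5:
        return []
    # Directory 4 is the certificate table; its "VirtualAddress" is a file offset, not an RVA.
    table_off, table_size = struct.unpack_from("<II", image, dirs_off + 4 * 8)
    entries, pos, end = [], table_off, table_off + table_size
    while table_off and pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("truncated WIN_CERTIFICATE at 0x%x" % pos)
        entries.append((rev, ctype, length - 8))
        pos += (length + 7) & ~7  # entries are padded to 8-byte alignment
    return entries

def is_authenticode_signed(image: bytes) -> bool:
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in certificate_table(image))

def build_sample_pe32plus(signed: bool) -> bytes:
    """Constructed PE32+ skeleton for exercising the parser offline; it is NOT a real xen.efi."""
    pe_off = 0x40
    hdr = bytearray(pe_off + 24 + 240)  # DOS header + PE signature + COFF header + optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    opt = pe_off + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    if not signed:
        return bytes(hdr)
    blob = b"\x30\x82" + bytes(14)  # stands in for the PKCS#7 DER blob sbsign would append
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    struct.pack_into("<II", hdr, opt + 112 + 4 * 8, len(hdr), len(cert))
    return bytes(hdr) + cert
```

Run `is_authenticode_signed(open("xen.efi", "rb").read())` on a real image after sbsign to confirm the table was written; an empty list from `certificate_table` means the file would be rejected by UEFI or shim once Secure Boot is on.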