Re: [Xen-devel] [Xen-users] UEFI Secure Boot Xen 4.9
On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote:
> > Hey Tamas,
> >
> > Sorry for late reply. I was on vacation.
> >
> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@xxxxxxxxxx>
> >> wrote:
> >
> > [...]
> >
> >> > UEFI will verify shim secure boot signature then shim will verify GRUB2
> >> > signature then GRUB2 will verify (with shim protocol) Xen signature and
> >> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
> >> > your kernel can verify modules using whatever you want.
> >> >
> >> >> I would be happy to work to help achieve this.
> >> >
> >> > There is a chance that I will have something very raw at the beginning
> >> > of June. If you wish to do tests drop me a line.
> >>
> >> Hi Daniel,
> >> is there any news on this? I would be interested in giving this a shot too.
> >
> > Please look at
> >
> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
> >
> > and at
> >
> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
> >
> > Attachments contain the same patches as above but rebased on latest
> > GRUB2 and Xen git repositories.
> >
> > Due to some travel I am going to restart work on this in the second
> > half of September.
> >
> > If you have any questions please drop me a line.
> >
>
> Hi Daniel,
> thanks for the update, I'll give it a shot today to set it up. In a
> somewhat related note, are you aware of any work on getting secure
> boot + UEFI working in a guest? There is a PoC patch on OpenXT
> (https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if
> there are any parallel efforts ongoing.

I do not follow this issue in detail. However, I suppose that if OVMF
supports UEFI secure boot (well, QEMU has to enable SMM support too;
I do not know whether it works with Xen or not) then the guest should
work without any issue. Just guessing...

Daniel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel