Re: [Xen-devel] Booting signed xen.efi through shim

Hi Daniel,

On Tue, Sep 12, 2017 at 11:10 PM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote:
> Hi Tamas,
>
> On Tue, Sep 12, 2017 at 05:40:35PM -0600, Tamas K Lengyel wrote:
>> Hi all,
>> for the last couple weeks I've been poking around the options
>> available to get Xen booted on a Secureboot enabled box. My goal is to
>> extend the chain of trust to the dom0 kernel. According to
>> https://wiki.xenproject.org/wiki/Xen_EFI this is something that's
>> supposed to be supported out-of-the-box right now via the shim
>> protocol. However, when I try to boot a signed xen.efi (4.10 unstable
>> head) through shim I get the error "Section 6 is inside image header"
>
> Strange... Could you send more info about your environment?
> C compiler type, its version, binutils version, etc. How
> did you sign xen.efi? Which tool did you use to do that?
> Have you seen any warnings or errors during signing?
>

Stock tools from Debian stretch: gcc version 6.3.0 20170516 (Debian 6.3.0-18), binutils 2.28-5.

I used sbsign 0.6 to sign xen.efi with

# sbsign --key /home/x/keys/DB.key --cert /home/x/keys/DB.crt --output xen-signed.efi xen/xen.efi

It does produce the following warnings:

warning: data remaining[2705088 vs 2978877]: gaps between PE/COFF sections?
warning: data remaining[2705088 vs 2978880]: gaps between PE/COFF sections?

(The same cert in DER format is used when compiling the shim.)

>> and shim refuses to load Xen. OTOH I had been able to boot a
>> custom-compiled grub2 from the shim no problem with Secureboot
>
> What do you mean by "custom-compiled grub2"?
>

The latest grub2 from git with the modules all built into the image with grub-mkimage, then doing the same signing as above with sbsign. When that image is signed no errors/warnings are printed by sbsign.

>> enabled. The signed xen.efi also boots fine with Secureboot enabled if
>> booted directly as an EFI application (but then no dom0 verification
>
> IIRC, shim is very picky with PE format. So, anything which is loaded
> by EFI loader may not be loaded by shim.
>
>> is done AFAIU). Does anyone have any pointers on what's going on with
>
> Right, only shim provides such functionality.
>
>> booting through the shim?
>
> I am happy to help but in cases like that I need more info, e.g.: serial
> console logs, output from "objdump -x xen/xen.efi" command, etc.

I don't really get serial output at all here as the boot gets stuck at the shim stage. I also have been having problems getting Xen to print to an AMT SoL when booted as an efi (it worked before as a gz using legacy boot) but that's a separate issue. I've attached the objdump output for xen.efi.

> Daniel
>
> PS I am traveling, so, I am reading my emails from time to time.

Same here ;)

Thanks!
Tamas

Attachment: objdump.xen.efi.txt

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
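An added example, not from this thread and not shim's or sbsign's own code: a small Python checker that parses a PE/COFF section table and reports the two layout problems the thread talks about. The first is a section whose raw data or virtual address starts inside the image headers (below SizeOfHeaders), which is my assumption about what shim's "Section N is inside image header" error is checking; the second is file bytes not covered by the headers or by any section's raw data, roughly what sbsign's "gaps between PE/COFF sections" warning is about. The two in-memory images, their section names and their sizes are constructed for the demonstration; on a real binary, run report() over the bytes of xen.efi.

```python
import struct

# 40-byte IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def build_pe(sections, size_of_headers=0x400, file_size=None):
    """Build a constructed minimal PE32+ image in memory (not a real xen.efi).
    `sections` is a list of (name, virtual_size, virtual_address, raw_size, raw_pointer)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # offset of the PE signature
    opt_size = 240                                         # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)       # SizeOfHeaders
    table = b"".join(SECTION_HDR.pack(name.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for name, vs, va, rs, rp in sections)
    img = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table)
    end = max([file_size or 0, size_of_headers] + [rp + rs for *_, rs, rp in sections])
    img.extend(b"\0" * max(0, end - len(img)))
    return bytes(img)


def parse_pe(data):
    """Return (SizeOfHeaders, [section dicts]) from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SizeOfHeaders sits at offset 60 of the optional header in both PE32 and PE32+
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, *_ = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        sections.append({"index": i, "name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize})
    return size_of_headers, sections


def sections_inside_headers(data):
    """Indices of sections whose raw data or virtual address begins inside the
    header area. Assumption: this models the check behind shim's
    "Section N is inside image header" error; it is not shim's code."""
    soh, sections = parse_pe(data)
    return [s["index"] for s in sections
            if s["raw_size"] and (s["raw_ptr"] < soh or s["vaddr"] < soh)]


def raw_layout_gaps(data):
    """File byte ranges [start, end) covered neither by the headers nor by any
    section's raw data. Assumption: loosely what sbsign's "gaps between
    PE/COFF sections" warning refers to; not sbsign's own computation."""
    soh, sections = parse_pe(data)
    covered = sorted((s["raw_ptr"], s["raw_ptr"] + s["raw_size"]) for s in sections if s["raw_size"])
    gaps, cursor = [], soh
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(data):
        gaps.append((cursor, len(data)))
    return gaps


def report(data):
    """Human-readable summary of both checks for one image."""
    lines = ["section %d is inside image header" % i for i in sections_inside_headers(data)]
    lines += ["uncovered bytes [%#x, %#x)" % (s, e) for s, e in raw_layout_gaps(data)]
    return lines or ["layout ok"]


# Constructed sample layouts: a clean image and one with both problems.
GOOD = build_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x400),
                 (b".data", 0x200, 0x2000, 0x200, 0x1400)])
BAD = build_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x400),
                (b".reloc", 0x100, 0x2000, 0x100, 0x200)],  # raw data starts inside the headers
               file_size=0x1600)                           # trailing bytes no section covers

if __name__ == "__main__":
    for label, img in (("good", GOOD), ("bad", BAD)):
        print(label, report(img))
```

To check a real binary, read it and call report() on the bytes; an objdump -x listing of the same file lets you confirm by hand which section the checker is pointing at.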