Re: [Xen-devel] Booting signed xen.efi through shim
>>> On 13.09.17 at 01:40, <tamas@xxxxxxxxxxxxx> wrote:
> for the last couple weeks I've been poking around the options
> available to get Xen booted on a Secureboot enabled box. My goal is to
> extend the chain of trust to the dom0 kernel. According to
> https://wiki.xenproject.org/wiki/Xen_EFI this is something that's
> supposed to be supported out-of-the-box right now via the shim
> protocol. However, when I try to boot a signed xen.efi (4.10 unstable
> head) through shim I get the error "Section 6 is inside image header"
> and shim refuses to load Xen. OTOH I had been able to boot a
> custom-compiled grub2 from the shim no problem with Secureboot
> enabled. The signed xen.efi also boots fine with Secureboot enabled if
> booted directly as an EFI application (but then no dom0 verification
> is done AFAIU). Does anyone have any pointers on what's going on with
> booting through the shim?

Well, without telling us what section layout your xen.efi has I
don't think it'll be possible to give advice. Looking at one of mine
that's the .data section, and that one is clearly not inside the
image header. And fwiw I agree with an image loader refusing to
load such a binary - overlapping sections may occasionally be
useful, but sections overlapping the image header are a pretty
good sign of something being wrong (and perhaps maliciously so).
Perhaps the signing tool corrupted your binary in some way?

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
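
Added example, not part of the original thread and not shim or Xen code: a Python sketch that produces the section layout information the reply asks for, listing every section whose `PointerToRawData` lies below `SizeOfHeaders`. That this comparison is what the loader's "inside image header" message refers to is an assumption; `sections_in_header` and `build_sample` are names made up here, and the sample image is constructed rather than a real xen.efi.

```python
import struct

SECTION = struct.Struct("<8sIIIIIIHHI")  # one 40-byte PE section table entry

def sections_in_header(image: bytes):
    """Return (SizeOfHeaders, [(index, name, raw_ptr, raw_size), ...]) for
    sections whose file offset lies inside the header area (zero-based index)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt_off = pe_off + 24                                      # optional header start
    # SizeOfHeaders sits at offset 60 of the optional header in PE32 and PE32+.
    (size_of_headers,) = struct.unpack_from("<I", image, opt_off + 60)
    table = opt_off + opt_size
    bad = []
    for i in range(nsect):
        name, _vsz, _va, raw_size, raw_ptr, *_ = SECTION.unpack_from(
            image, table + i * SECTION.size)
        # Assumed loader rule: a section's file data must not start before
        # SizeOfHeaders. raw_size is returned so empty sections can be told apart.
        if raw_ptr < size_of_headers:
            bad.append((i, name.rstrip(b"\0").decode("ascii", "replace"),
                        raw_ptr, raw_size))
    return size_of_headers, bad

def build_sample(raw_ptrs, size_of_headers=0x400):
    """Constructed minimal PE32+ headers for the demo (not a bootable image)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(raw_ptrs), 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    secs = b"".join(
        SECTION.pack(b".sec%d" % i, 0x200, 0x1000 * (i + 1), 0x200, p, 0, 0, 0, 0, 0)
        for i, p in enumerate(raw_ptrs))
    return dos + coff + bytes(opt) + secs

if __name__ == "__main__":
    # Seven sections; the last one points at file offset 0x200, inside the headers.
    sample = build_sample([0x400, 0x600, 0x800, 0xA00, 0xC00, 0xE00, 0x200])
    hdr, bad = sections_in_header(sample)
    for idx, name, ptr, size in bad:
        print(f"section {idx} ({name}): raw data at {ptr:#x}, size {size:#x}, "
              f"SizeOfHeaders {hdr:#x}")
```

Running the same function over the image before and after signing shows whether the signing step changed the section table.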