|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [Xen-users] UEFI Secure Boot Xen 4.9
On Tue, Sep 5, 2017 at 12:26 PM, Tamas K Lengyel <tamas.k.lengyel@xxxxxxxxx> wrote: > On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote: >> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote: >>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> >>> wrote: >>> > Hey Tamas, >>> > >>> > Sorry for late reply. I was on vacation. >>> > >>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote: >>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> >>> >> wrote: >>> > >>> > [...] >>> > >>> >> > UEFI will verify shim secure boot signature then shim will verify GRUB2 >>> >> > signature then GRUB2 will verify (with shim protocol) Xen signature and >>> >> > finally Xen will verify (with shim protocol) Linux kernel signature. >>> >> > Then >>> >> > your kernel can verify modules using whatever you want. >>> >> > >>> >> >> I would be happy to work to help achieve this. >>> >> > >>> >> > There is a chance that I will have something very raw at the beginning >>> >> > of June. If you wish to do tests drop me a line. >>> >> >>> >> Hi Daniel, >>> >> is there any news on this? I would be interested in giving this a shot >>> >> too. >>> > >>> > Please look at >>> > >>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html >>> > >>> > and at >>> > >>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html >>> > >>> > Attachments contain the same patches as above but rebased on latest >>> > GRUB2 and Xen git repositories. >>> > >>> > Due to some travel I am going to restart work on this in the second >>> > half of September. >>> > >>> > If you have any questions please drop me a line. >>> > >>> >>> Hi Daniel, >>> thanks for the update, I'll give it a shot today to set it up. In a >>> somewhat related note, are you aware of any work on getting secure >>> boot + UEFI working in a guest? There is a PoC patch on OpenXT >>> (https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if >>> there are any parallel efforts ongoing. >> >> I do not follow this issue in detail. However, I suppose that if OVMF >> supports UEFI secure boot (well, QEMU has to enable SMM support too; >> I do not know does it work with Xen or not) then guest should work >> without any issue. Just guessing... >> > > Sure, was just wondering if you are aware of anyone looking at that. > > In other news I was able to get your patches working and have been > able to boot with Secure boot enabled as far as shim -> signed grub -> > signed linux without initrd. If I boot a signed version of Xen from > grub it goes as far as setup_efi_pci but then the system reboots > without anything else being printed on the screen. I haven't been able > to debug it any further yet. > Daniel, just FYI the xen.mb.efi generated with your patches causes pesign to segfault: cms_pe_common.c:generate_digest:198 PE section ".text" has invalid address Segmentation fault Tamas _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |