[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Booting signed xen.efi through shim

On Mon, Sep 18, 2017 at 2:58 AM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>>>> On 14.09.17 at 18:20, <tamas@xxxxxxxxxxxxx> wrote:
>> Of course, you can grab them from here:
>> https://drive.google.com/drive/folders/0B5duyI9SzNtWaXE0cjM1QzZJbVk?usp=shar
>> ing
> So the dumps of the two (using my own tool) are identical except for
> the expected difference due to the certificate. In particular neither
> image has any strange relocation types afaics, and both have the
> sort of unexpected, but also supposedly benign
> IMAGE_SCN_LNK_NRELOC_OVFL flag set for .bss. Hence I'm afraid ...
>> I've verified that xen-signed.efi boots with Secureboot enabled when
>> booted directly but doesn't boot through the shim.
> ... you'll need to do some debugging in order to figure out what's
> going on here. With the above the prime suspect is the shim though,
> fiddling with the image after loading it into memory. So perhaps
> dumping the .reloc section contents in order to compare it with
> what's in the image may be a suitable approach.
> Jan

Yeap, the shim pretty simply removed the .reloc section as it was
marked discardable and did the relocations for Xen. So with that
removed from the shim I no longer get the error and I see that the
dom0 kernel gets verified using the shim lock protocol. I still didn't
get dom0 to boot for some reason but that might be an unrelated issue
(and I have no serial console right now). Nevertheless, progress!


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.