[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Booting signed xen.efi through shim

On Fri, Sep 22, 2017 at 02:25:46AM -0600, Jan Beulich wrote:
> >>> On 22.09.17 at 00:46, <tamas@xxxxxxxxxxxxx> wrote:
> > One piece that I see still missing is the Xen command line parameters
> > not being verified. It would be ideal to have the option to get that
> > set during compile time as well, similar to Linux's CONFIG_CMDLINE
> > option, to avoid for example getting iommu or XSM being turned off by
> > someone with physical access.
> We do have CMDLINE and CMDLINE_OVERRIDE. But for someone
> with physical access it would likely also be possible to avoid secure
> boot altogether?

Another solutions is here: 
It is TPM based and WIP. It requires verifiers framework which should
be posted on grub-devel soon. Or you can add your own method based
on verifiers. Patches are welcome...

Have a nice weekend,


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.