[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Unified Xen executable for UEFI Secure Boot support



I have preliminary patches to support bundling the Xen hypervisor, xen.cfg, the 
Linux kernel, initrd and XSM into a single "unified" EFI executable that can be 
signed by sbsigntool for verification by UEFI Secure Boot.  It is inspired by 
systemd-boot's unified kernel technique and borrows the function to locate PE 
sections from systemd's LGPL'ed code.

The configuration, kernel, etc are added after building using objcopy to add 
named sections for each input file.  This allows an administrator to update the 
components independently without requiring rebuilding xen. During EFI boot, Xen 
looks at its own loaded image to locate the PE sections and, if secure boot is 
enabled, only allows use of the unified components.

The resulting EFI executable can be invoked directly from the UEFI Boot 
Manager, removing the need to use a separate loader like grub. Unlike the shim 
based verification, the signature covers the entire Xen+config+kernel+initrd 
unified file. This also ensures that properly configured platforms will measure 
the entire runtime into the TPM for unsealing secrets or remote attestation.

I've tested it on qemu OVMF with Secure Boot enabled, as well as on real 
Thinkpad hardware.  The EFI console is very slow, although it works and is able 
to boot into dom0.

The current patch set is here, and I'd appreciate suggestions on the technique 
or cleanup for submission:
https://github.com/osresearch/xen/tree/secureboot

--
Trammell



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.