[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v3 0/5] Support Secure Boot for multiboot2 Xen

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Bobby Eshleman <bobbyeshleman@xxxxxxxxx>
Date: Thu, 21 Jan 2021 16:51:39 -0800
Cc: Bobby Eshleman <bobbyeshleman@xxxxxxxxx>, Daniel Kiper <daniel.kiper@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Olivier Lambert <olivier.lambert@xxxxxxxx>
Delivery-date: Fri, 22 Jan 2021 00:55:28 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

This is version 3 for a patch set sent out to the ML in 2018 [1] to
support UEFI Secure Boot for Xen on multiboot2 platforms.

A new binary, xen.mb.efi, is built.  It contains the mb2 header as well
as a hand-crafted PE/COFF header.  The dom0 kernel is verified using the
shim lock protocol.

I followed with v2 feedback and attempted to convert the PE/COFF header
into C instead of ASM.  Unfortunately, this was only possible for the
first part (Legacy) of the PE/COFF header.  The other parts required
addresses only available at link time (such as __2M_rwdata_end,
__pe_SizeOfImage, efi_mb_start address, etc...), which effectively ruled
out C.

The biggest difference between v2 and v3 is that in v3 we do not attempt
to merge xen.mb.efi and xen.efi into a single binary.  Instead, this
will be left to a future patch set, unless requested otherwise.

[1]: https://lists.xen.org/archives/html/xen-devel/2018-06/msg01292.html

Changes in v3:

- add requested comment clarification
- remove unnecessary fake data from PE/COFF head (like linker versions)
- macro-ize and refactor Makefile according to Jan's feedback
- break PE/COFF header into its own file
- shrink the PE/COFF to start 0x40 instead of 0x80 (my tests showed
  this function with no problem, on a live nested vm or using
  objdump/objcopy)
- support SOURCE_EPOCH for posix time
- removed `date` invocation that would break on FreeBSD
- style changes
- And obviously, ported to current HEAD

Daniel Kiper (5):
  xen: add XEN_BUILD_POSIX_TIME
  xen/x86: manually build xen.mb.efi binary
  xen/x86: add some addresses to the Multiboot header
  xen/x86: add some addresses to the Multiboot2 header
  xen/x86/efi: Verify dom0 kernel with SHIM_LOCK protocol in
    efi_multiboot2()

 xen/Makefile                 |  22 ++++---
 xen/arch/x86/Makefile        |   7 +-
 xen/arch/x86/arch.mk         |   2 +
 xen/arch/x86/boot/Makefile   |   1 +
 xen/arch/x86/boot/head.S     |  53 +++++++++++++--
 xen/arch/x86/boot/pecoff.S   | 123 +++++++++++++++++++++++++++++++++++
 xen/arch/x86/efi/efi-boot.h  |  30 ++++++++-
 xen/arch/x86/efi/stub.c      |  17 ++++-
 xen/arch/x86/xen.lds.S       |  34 ++++++++++
 xen/common/efi/boot.c        |  19 ++++--
 xen/include/xen/compile.h.in |   1 +
 xen/include/xen/efi.h        |   1 +
 12 files changed, 283 insertions(+), 27 deletions(-)
 create mode 100644 xen/arch/x86/boot/pecoff.S

-- 
2.30.0

Follow-Ups:
- Re: [PATCH v3 0/5] Support Secure Boot for multiboot2 Xen
  - From: Jan Beulich
- [PATCH v3 5/5] xen/x86/efi: Verify dom0 kernel with SHIM_LOCK protocol in efi_multiboot2()
  - From: Bobby Eshleman
- [PATCH v3 4/5] xen/x86: add some addresses to the Multiboot2 header
  - From: Bobby Eshleman
- [PATCH v3 2/5] xen/x86: manually build xen.mb.efi binary
  - From: Bobby Eshleman
- [PATCH v3 3/5] xen/x86: add some addresses to the Multiboot header
  - From: Bobby Eshleman
- [PATCH v3 1/5] xen: add XEN_BUILD_POSIX_TIME
  - From: Bobby Eshleman

Prev by Date: [xen-unstable-smoke test] 158565: tolerable all pass - PUSHED
Next by Date: [PATCH v3 1/5] xen: add XEN_BUILD_POSIX_TIME
Previous by thread: [xen-unstable-smoke test] 158565: tolerable all pass - PUSHED
Next by thread: [PATCH v3 1/5] xen: add XEN_BUILD_POSIX_TIME
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.