[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v3 2/5] livepatch: Embed public key in Xen
On 02.06.2025 15:36, Ross Lagerwall wrote: > From: Kevin Lampis <kevin.lampis@xxxxxxxxx> > > Make it possible to embed a public key in Xen to be used when verifying > live patch payloads. Inclusion of the public key is optional. > > To avoid needing to include a DER / X.509 parser in the hypervisor, the > public key is unpacked at build time and included in a form that is > convenient for the hypervisor to consume. This is different approach > from that used by Linux which embeds the entire X.509 certificate and > builds in a parser for it. > > A suitable key can be created using openssl: > > openssl req -x509 -newkey rsa:2048 -keyout priv.pem -out pub.pem \ > -sha256 -days 3650 -nodes \ > -subj > "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname" > openssl x509 -inform PEM -in pub.pem -outform PEM -pubkey -nocert -out > verify_key.pem > > Signed-off-by: Kevin Lampis <kevin.lampis@xxxxxxxxx> > Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> > --- > > In v3: > > * Drop unnecessary condition in Makefile > * Use dashes instead of underscores > * Drop section placement annotation on declaration > * Clarify endianness of embedded key > > xen/common/Kconfig | 18 +++++++++++++++++ > xen/crypto/Makefile | 11 ++++++++++ > xen/include/xen/livepatch.h | 5 +++++ > xen/tools/extract-key.py | 40 +++++++++++++++++++++++++++++++++++++ > 4 files changed, 74 insertions(+) > create mode 100755 xen/tools/extract-key.py > > diff --git a/xen/common/Kconfig b/xen/common/Kconfig > index 0951d4c2f286..74673078202a 100644 > --- a/xen/common/Kconfig > +++ b/xen/common/Kconfig > @@ -472,6 +472,24 @@ config LIVEPATCH > > If unsure, say Y. > > +config PAYLOAD_VERIFY > + bool "Verify signed LivePatch payloads" > + depends on LIVEPATCH > + select CRYPTO > + help > + Verify signed LivePatch payloads using an RSA public key built > + into the Xen hypervisor. Selecting this option requires a > + public key in PEM format to be available for embedding during > + the build. > + > +config PAYLOAD_VERIFY_KEY This identifier to me mean "verify the key of payloads", when really ... > + string "File name of public key used to verify payloads" ... you mean the key used for verification. To express this in the name, how about PAYLOAD_VERIFICATION_KEY? > + default "verify_key.pem" The revlog says you replaced underscores by dashes. > + depends on PAYLOAD_VERIFY > + help > + The file name of an RSA public key in PEM format to be used for > + verifying signed LivePatch payloads. Perhaps the fact that it needs to be an RSA key may also want expressing in the Kconfig identifier? Should the help text perhaps further clarify where the file is going to be looked for in case it's a relative path (as in particular the default is)? Seeing that ... > --- a/xen/crypto/Makefile > +++ b/xen/crypto/Makefile > @@ -1,2 +1,13 @@ > obj-y += rijndael.o > obj-y += vmac.o > + > +obj-$(CONFIG_PAYLOAD_VERIFY) += builtin-payload-key.o > + > +key-path := $(objtree)/$(patsubst "%",%,$(CONFIG_PAYLOAD_VERIFY_KEY)) ... it's in the object tree now (which will break if an absolute path was specified), how do you intend the key to make it there? In the default case, for an out-of-tree build the build tree doesn't exist ahead of the build being invoked. > +$(obj)/builtin-payload-key.bin: $(key-path) $(srctree)/tools/extract-key.py > + $(srctree)/tools/extract-key.py < $< > $@.new > + $(call move-if-changed,$@.new,$@) > + > +$(obj)/builtin-payload-key.S: BINFILE_FLAGS := -i > +$(obj)/builtin-payload-key.S: $(srctree)/tools/binfile > $(obj)/builtin-payload-key.bin FORCE > + $(call if_changed,binfile,$(obj)/builtin-payload-key.bin > xen_livepatch_key_data) Does the builtin- prefix have any real significance here? Anything that's part of the hypervisor build is "built in", after all. > --- a/xen/include/xen/livepatch.h > +++ b/xen/include/xen/livepatch.h > @@ -143,6 +143,11 @@ struct payload; > int revert_payload(struct payload *data); > void revert_payload_tail(struct payload *data); > > +#ifdef CONFIG_PAYLOAD_VERIFY > +/* The public key data contained with Xen used to verify payload signatures. > */ > +extern const uint8_t xen_livepatch_key_data[]; > +#endif What's our position towards such declarations without (C) definition? The 8.6 deviation talks about cases "when the definition is compiled-out or optimized-out by the compiler". Shouldn't we follow the 8.4 model here and annotate them asmlinkage as well? Jan
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |