Re: [PATCH v3 2/5] livepatch: Embed public key in Xen
On 20.06.2025 11:39, Roger Pau Monné wrote: > On Mon, Jun 02, 2025 at 02:36:34PM +0100, Ross Lagerwall wrote: >> From: Kevin Lampis <kevin.lampis@xxxxxxxxx> >> >> Make it possible to embed a public key in Xen to be used when verifying >> live patch payloads. Inclusion of the public key is optional. >> >> To avoid needing to include a DER / X.509 parser in the hypervisor, the >> public key is unpacked at build time and included in a form that is >> convenient for the hypervisor to consume. This is different approach >> from that used by Linux which embeds the entire X.509 certificate and >> builds in a parser for it. >> >> A suitable key can be created using openssl: >> >> openssl req -x509 -newkey rsa:2048 -keyout priv.pem -out pub.pem \ >> -sha256 -days 3650 -nodes \ >> -subj >> "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname" >> openssl x509 -inform PEM -in pub.pem -outform PEM -pubkey -nocert -out >> verify_key.pem >> >> Signed-off-by: Kevin Lampis <kevin.lampis@xxxxxxxxx> >> Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> >> --- >> >> In v3: >> >> * Drop unnecessary condition in Makefile >> * Use dashes instead of underscores >> * Drop section placement annotation on declaration >> * Clarify endianness of embedded key >> >> xen/common/Kconfig | 18 +++++++++++++++++ >> xen/crypto/Makefile | 11 ++++++++++ >> xen/include/xen/livepatch.h | 5 +++++ >> xen/tools/extract-key.py | 40 +++++++++++++++++++++++++++++++++++++ >> 4 files changed, 74 insertions(+) >> create mode 100755 xen/tools/extract-key.py >> >> diff --git a/xen/common/Kconfig b/xen/common/Kconfig >> index 0951d4c2f286..74673078202a 100644 >> --- a/xen/common/Kconfig >> +++ b/xen/common/Kconfig 
>> @@ -472,6 +472,24 @@ config LIVEPATCH >> >> If unsure, say Y. >> >> +config PAYLOAD_VERIFY >> + bool "Verify signed LivePatch payloads" >> + depends on LIVEPATCH >> + select CRYPTO >> + help >> + Verify signed LivePatch payloads using an RSA public key built >> + into the Xen hypervisor. Selecting this option requires a >> + public key in PEM format to be available for embedding during >> + the build. >> + >> +config PAYLOAD_VERIFY_KEY >> + string "File name of public key used to verify payloads" >> + default "verify_key.pem" >> + depends on PAYLOAD_VERIFY >> + help >> + The file name of an RSA public key in PEM format to be used for >> + verifying signed LivePatch payloads. > > I think this is likely to break the randconfig testing that we do in > Gitlab CI, as randconfig could select PAYLOAD_VERIFY, but there will > be no key included, and hence the build will fail? > > Ideally Gitlab CI would need to be adjusted to provide such key so the > build doesn't fail. I think it could be provided unconditionally to > simplify the logic, if the option is not selected the file will simply > be ignored. Alternatively the two options could be folded, the default being the empty string meaning "no payload verification". I don't think randconfig can sensibly make up random strings ... Jan
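Review bot: The help text of PAYLOAD_VERIFY_KEY in the xen/common/Kconfig hunk gives only a bare file name (default "verify_key.pem") and does not say which directory that name is resolved against, so a builder cannot tell where the key has to be placed; suggest naming the base directory in the help. The PAYLOAD_VERIFY help likewise says signed payloads are verified but not whether an unsigned payload is still accepted once the option is enabled, which is the behaviour an administrator needs to know before relying on it; one sentence stating that would close the gap.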