
SecureBoot requirements regarding Dom0


  • To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: "Teddy Astie" <teddy.astie@xxxxxxxxxx>
  • Date: Mon, 23 Feb 2026 13:42:39 +0000
  • Delivery-date: Mon, 23 Feb 2026 13:42:58 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

I have some questions regarding SecureBoot and Xen.
The only document that appears to define some sort of policy between Xen 
and SecureBoot is this one 
https://andrewcoop-xen.readthedocs.io/en/docs-secureboot/admin-guide/uefi-secure-boot.html.
That is also similar to discussions made in SecureBoot-related talks.

> Within the Xen architecture, Xen, the control domain and hardware
> domain share responsibility for running and administering the platform.
> This makes their kernels privileged as far as Secure Boot is concerned.

Why does SecureBoot need to expand to the Dom0 kernel? If you e.g. restrict 
DMA through IOMMU and restrict some key hypercalls like kexec (among 
some others), Dom0 shouldn't be able to compromise Xen (in principle); 
hence can't escape SecureBoot boundaries.

SecureBoot doesn't appear to require preventing device access from 
"unprivileged code", otherwise VFIO wouldn't be allowed under SecureBoot. 
But such device access still needs to be contained (e.g. through IOMMU 
enforcement); that's something Xen already supports (e.g. 
dom0-iommu=strict / PVH Dom0).
In that case, devices are only allowed to access Dom0, but can't access 
outside of it.

From a technical standpoint, PVH Dom0 setups (and also PV Dom0 
depending on configuration) act very similarly to a SecureBoot-able 
Linux kernel which runs a KVM virtual machine with all host devices 
passed through to it (using vfio-pci).
In that case, such a VM doesn't need to be SecureBoot compliant, but it 
cannot be leveraged to escape SecureBoot.

Am I missing any specific detail which could explain the need for 
SecureBoot in the Dom0 kernel?

Teddy


--
Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech

