Working Group for Secure Boot

Working Group for Secure Boot

[Bob Eshleman]

Hey all,

We would like to start a working group for secure boot support in Xen
to coordinate the various interested parties and set out a plan for
the feature and its implications for the whole Xen system.

The end goal is a full implementation that restricts the interfaces
dom0 has to affect Xen, akin to Linux's lockdown LSM.  This implicates
important parts of the ABI (e.g., /dev/xen/privcmd/) and so will
require input from the greater community.

I'm not familiar with how working groups function in the Xen project,
so this email also opens the floor for suggestions as to how this might
be managed.

We'd love to hear from anyone interested in such a group and how the
community as a whole feels about such an effort.

Best regards.

---

Bobby Eshleman
SE at Vates SAS

Re: Working Group for Secure Boot

[Jan Beulich]

On 11.03.2021 19:34, Bob Eshleman wrote:
> We would like to start a working group for secure boot support in Xen
> to coordinate the various interested parties and set out a plan for
> the feature and its implications for the whole Xen system.
> 
> The end goal is a full implementation that restricts the interfaces
> dom0 has to affect Xen, akin to Linux's lockdown LSM.  This implicates
> important parts of the ABI (e.g., /dev/xen/privcmd/) and so will
> require input from the greater community.
> 
> I'm not familiar with how working groups function in the Xen project,
> so this email also opens the floor for suggestions as to how this might
> be managed.
> 
> We'd love to hear from anyone interested in such a group and how the
> community as a whole feels about such an effort.

I'm definitely interested, but I'm uncertain if a WG is the way to
go here. There may be a lot of corners to touch, and hence a lot
of people to consult. While it may be possible to have a pretty
large WG for this reason, it may well be better to have the
discussions on xen-devel right away, and form WGs only when more
narrow sub-aspects need sorting out.

Jan

Re: Working Group for Secure Boot

[Andrew Cooper]

On 11/03/2021 18:34, Bob Eshleman wrote:
> Hey all,
>
> We would like to start a working group for secure boot support in Xen
> to coordinate the various interested parties and set out a plan for
> the feature and its implications for the whole Xen system.
>
> The end goal is a full implementation that restricts the interfaces
> dom0 has to affect Xen, akin to Linux's lockdown LSM.  This implicates
> important parts of the ABI (e.g., /dev/xen/privcmd/) and so will
> require input from the greater community.
>
> I'm not familiar with how working groups function in the Xen project,
> so this email also opens the floor for suggestions as to how this might
> be managed.
>
> We'd love to hear from anyone interested in such a group and how the
> community as a whole feels about such an effort.

Count me in.  This is years and years overdue.

~Andrew

Re: Working Group for Secure Boot

[Marek Marczykowski-Górecki]

[-- Attachment #1: Type: text/plain, Size: 994 bytes --]

On Thu, Mar 11, 2021 at 10:34:02AM -0800, Bob Eshleman wrote:
> Hey all,
> 
> We would like to start a working group for secure boot support in Xen
> to coordinate the various interested parties and set out a plan for
> the feature and its implications for the whole Xen system.
> 
> The end goal is a full implementation that restricts the interfaces
> dom0 has to affect Xen, akin to Linux's lockdown LSM.  This implicates
> important parts of the ABI (e.g., /dev/xen/privcmd/) and so will
> require input from the greater community.
> 
> I'm not familiar with how working groups function in the Xen project,
> so this email also opens the floor for suggestions as to how this might
> be managed.
> 
> We'd love to hear from anyone interested in such a group and how the
> community as a whole feels about such an effort.

Count me in too.

Also, I'm cc-ing Trammell, who might be interested too.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: Working Group for Secure Boot

[Trammell Hudson]

On Fri, Mar 12, 2021 at 04:24:53PM +0100, Marek Marczykowski-G??recki wrote:
> On Thu, Mar 11, 2021 at 10:34:02AM -0800, Bob Eshleman wrote:
> > We would like to start a working group for secure boot support in Xen
> > to coordinate the various interested parties and set out a plan for
> > the feature and its implications for the whole Xen system.
> [...]
> > We'd love to hear from anyone interested in such a group and how the
> > community as a whole feels about such an effort.
> 
> Count me in too.
> 
> Also, I'm cc-ing Trammell, who might be interested too.

Thanks for the invite, Marek.

I'm also interested in discussing how to lockdown a running Xen system.
Now that the unified EFI image patches have been merged, we can boot
with a little more integrity and hopefully transfer the chain of trust
to a trustworthy system.

-- 
Trammell

Re: Working Group for Secure Boot

[Daniel P. Smith]

On 3/11/21 1:34 PM, Bob Eshleman wrote:
> Hey all,
> 
> We would like to start a working group for secure boot support in Xen
> to coordinate the various interested parties and set out a plan for
> the feature and its implications for the whole Xen system.
> 
> The end goal is a full implementation that restricts the interfaces
> dom0 has to affect Xen, akin to Linux's lockdown LSM.  This implicates
> important parts of the ABI (e.g., /dev/xen/privcmd/) and so will
> require input from the greater community.
> 
> I'm not familiar with how working groups function in the Xen project,
> so this email also opens the floor for suggestions as to how this might
> be managed.
> 
> We'd love to hear from anyone interested in such a group and how the
> community as a whole feels about such an effort.
> 
> Best regards.
> 
> ---
> 
> Bobby Eshleman
> SE at Vates SAS
> 

Yes, please count me in since it will definitely overlap with the work I
am doing under DomB/Hyperlaunch as well as planned work under the
TrenchBoot project.

V/r,
Daniel P. Smith

Re: Working Group for Secure Boot

[Andrew Cooper]

On 11/03/2021 18:34, Bob Eshleman wrote:
> Hey all,
>
> We would like to start a working group for secure boot support in Xen
> to coordinate the various interested parties and set out a plan for
> the feature and its implications for the whole Xen system.
>
> The end goal is a full implementation that restricts the interfaces
> dom0 has to affect Xen, akin to Linux's lockdown LSM.  This implicates
> important parts of the ABI (e.g., /dev/xen/privcmd/) and so will
> require input from the greater community.
>
> I'm not familiar with how working groups function in the Xen project,
> so this email also opens the floor for suggestions as to how this might
> be managed.
>
> We'd love to hear from anyone interested in such a group and how the
> community as a whole feels about such an effort.
>
> Best regards.

CCing Roman as I expect he'll be interested too.

~Andrew

Re: Working Group for Secure Boot

[Bob Eshleman]

Awesome, it's great to see this interest.

I'll wait until early next week to give more
people a chance to pitch in, then start
bugging everybody about availability to
schedule a meeting.  I'll put together a
small agenda then to get the ball rolling.

Thanks all.

Re: Working Group for Secure Boot

[Roman Shaposhnik]

Would love to participate! What are the next steps?

Thanks,
Roman.

On Fri, Mar 12, 2021 at 11:06 AM Bob Eshleman <bobbyeshleman@gmail.com> wrote:
>
> Awesome, it's great to see this interest.
>
> I'll wait until early next week to give more
> people a chance to pitch in, then start
> bugging everybody about availability to
> schedule a meeting.  I'll put together a
> small agenda then to get the ball rolling.
>
> Thanks all.
>

Re: Working Group for Secure Boot

[Bob Eshleman]

Hey everyone,

I think most who are interested have acked the thread at
this point and I've CC'd everyone (please add anyone if
I've missed them).

I'd like to suggest we have a first group call to
set out an agenda, define scope, and start identifying
the direction the project would like to go for secure
boot.

I'll prepare the call similar to how
community calls are handled, with a public cryptpad
for agenda items and such.

Which of these dates work best for you? Which absolutely
do not work?

  Mon. March 29th, 16:00 UTC
  Wed. March 31st, 16:00 UTC
  Mon. April  5th, 16:00 UTC

Given the Xen community call is at 16:00 UTC, I figure
that probably best captures our geographic spread.  Feel
free to suggest alternative dates/times if none of the
above work.

We can host the meeting on Jitsi which works quite well
from any web browser.  I'll send out a invite link when
we've decided on a suitable date and time.

Thanks.

-- 
Bobby Eshleman
SE at Vates SAS

Re: Working Group for Secure Boot

[Roman Shaposhnik]

WFIW: all 3 time slots work for me.

Looking forward to this!

Thanks,
Roman.

On Tue, Mar 16, 2021 at 12:42 PM Bob Eshleman <bobbyeshleman@gmail.com> wrote:
>
> Hey everyone,
>
> I think most who are interested have acked the thread at
> this point and I've CC'd everyone (please add anyone if
> I've missed them).
>
> I'd like to suggest we have a first group call to
> set out an agenda, define scope, and start identifying
> the direction the project would like to go for secure
> boot.
>
> I'll prepare the call similar to how
> community calls are handled, with a public cryptpad
> for agenda items and such.
>
> Which of these dates work best for you? Which absolutely
> do not work?
>
>   Mon. March 29th, 16:00 UTC
>   Wed. March 31st, 16:00 UTC
>   Mon. April  5th, 16:00 UTC
>
> Given the Xen community call is at 16:00 UTC, I figure
> that probably best captures our geographic spread.  Feel
> free to suggest alternative dates/times if none of the
> above work.
>
> We can host the meeting on Jitsi which works quite well
> from any web browser.  I'll send out a invite link when
> we've decided on a suitable date and time.
>
> Thanks.
>
> --
> Bobby Eshleman
> SE at Vates SAS

Re: Working Group for Secure Boot

[Bob Eshleman]

On 3/16/21 1:07 PM, Roman Shaposhnik wrote:
> WFIW: all 3 time slots work for me.
> 
> Looking forward to this!
> 
> Thanks,
> Roman.
> 
Thanks Roman, same here!

-- 
Bobby Eshleman
SE at Vates SAS

Re: Working Group for Secure Boot

[Christopher Clark]

> On Mar 16, 2021, at 12:43 PM, Bob Eshleman <bobbyeshleman@gmail.com> wrote:
> 
> Hey everyone,
> 
> I think most who are interested have acked the thread at
> this point and I've CC'd everyone (please add anyone if
> I've missed them).

Hi Bobby,

Please add me to your list too - this will be interesting work!

> 
> I'd like to suggest we have a first group call to
> set out an agenda, define scope, and start identifying
> the direction the project would like to go for secure
> boot.
> 
> I'll prepare the call similar to how
> community calls are handled, with a public cryptpad
> for agenda items and such.
> 
> Which of these dates work best for you? Which absolutely
> do not work?
> 
>  Mon. March 29th, 16:00 UTC
>  Wed. March 31st, 16:00 UTC
>  Mon. April  5th, 16:00 UTC
> 
> Given the Xen community call is at 16:00 UTC, I figure
> that probably best captures our geographic spread.  Feel
> free to suggest alternative dates/times if none of the
> above work.

I appreciate the time of day choice and can be available for whichever of those is chosen.

Thanks!

Christopher 

> 
> We can host the meeting on Jitsi which works quite well
> from any web browser.  I'll send out a invite link when
> we've decided on a suitable date and time.
> 
> Thanks.
> 
> -- 
> Bobby Eshleman
> SE at Vates SAS
> 

Re: Working Group for Secure Boot

[Andrew Cooper]

On 16/03/2021 19:42, Bob Eshleman wrote:
> Which of these dates work best for you? Which absolutely
> do not work?
>
>   Mon. March 29th, 16:00 UTC
>   Wed. March 31st, 16:00 UTC
>   Mon. April  5th, 16:00 UTC

All fine by me.  Thanks,

~Andrew

Re: Working Group for Secure Boot

[Marek Marczykowski-Górecki]

[-- Attachment #1: Type: text/plain, Size: 382 bytes --]

On Tue, Mar 16, 2021 at 12:42:26PM -0700, Bob Eshleman wrote:
> Which of these dates work best for you? Which absolutely
> do not work?
> 
>   Mon. March 29th, 16:00 UTC
>   Wed. March 31st, 16:00 UTC
>   Mon. April  5th, 16:00 UTC

All three works for me, with a slight preference to either Monday.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: Working Group for Secure Boot

[Bob Eshleman]

Hey all,

It looks like the following date works best:

Mon. March 29th, 16:00 UTC

The meeting place URL:

https://meet.vates.fr/xen-lockdown

Feel free to let us know if the time presents a conflict.

-- 
Bobby Eshleman
SE at Vates SAS

Re: Working Group for Secure Boot

[Roger Pau Monné]

On Thu, Mar 11, 2021 at 10:34:02AM -0800, Bob Eshleman wrote:
> Hey all,
> 
> We would like to start a working group for secure boot support in Xen
> to coordinate the various interested parties and set out a plan for
> the feature and its implications for the whole Xen system.
> 
> The end goal is a full implementation that restricts the interfaces
> dom0 has to affect Xen, akin to Linux's lockdown LSM.  This implicates
> important parts of the ABI (e.g., /dev/xen/privcmd/) and so will
> require input from the greater community.
> 
> I'm not familiar with how working groups function in the Xen project,
> so this email also opens the floor for suggestions as to how this might
> be managed.
> 
> We'd love to hear from anyone interested in such a group and how the
> community as a whole feels about such an effort.

Please add me, if nothing else I need to at least to figure out if
this could also be used for secure boot on FreeBSD.

Thanks, Roger.