From mboxrd@z Thu Jan 1 00:00:00 1970
From: Konrad Rzeszutek Wilk
Subject: Re: Xen 4.3 development update, and stock-taking
Date: Fri, 18 Jan 2013 10:24:32 -0500
Message-ID: <20130118152432.GE9973@phenom.dumpdata.com>
References: <50F7CDBF02000078000B6A95@nat28.tlf.novell.com> <50F7DCA2.1070405@eu.citrix.com> <50F801F102000078000B6CEE@nat28.tlf.novell.com>
In-Reply-To: <50F801F102000078000B6CEE@nat28.tlf.novell.com>
To: Jan Beulich , Daniel Kiper
Cc: MatthewFioravante , Ian Campbell , Wei Liu , George Dunlap , "xen-devel@lists.xen.org" , Jim Fehlig , Anthony Perard , Daniel De Graaf , Roger Pau Monne
List-Id: xen-devel@lists.xenproject.org

On Thu, Jan 17, 2013 at 12:51:45PM +0000, Jan Beulich wrote:
> >>> On 17.01.13 at 12:12, George Dunlap wrote:
> > On 17/01/13 09:09, Jan Beulich wrote:
> >>>>> On 16.01.13 at 18:55, George Dunlap wrote:
> >>> * Xen EFI boot
> >>>   - Signature checking for dom0 kernel / initrd?
> >>>     status: No owner.
> >>>     prognosis: Probably not for 4.4
> >> This is already in the tree (c/s 26262:b62bd62b2683). Nothing else
> >> should be necessary on the hypervisor side if the shim is to be used.
> >>
> >> But of course pv-ops Linux continues to lack EFI support altogether.
> >
> > OK, so I think the description needs an update, then. For Xen to be
> > fully featured, I think it would need all of the following:
> > * An EFI-bootable dom0 (this should be done, right?)
>
> "Done" in the sense of todo for pvops (our kernels have been able
> to for quite a long while).
>
> > * dom0 able to make use of EFI run-time services
>
> Indirectly, through hypercalls.
>
> > * Xen able to use EFI boot-time services (?)
>
> Sure, that's how things work. Otherwise we wouldn't boot at
> all from EFI. The one extra thing that some people had asked
> for was to be able to also properly boot Xen via grub.efi.
>
> > * Xen able to detect the existence of a signed Linux binary, and leave
> > EFI boot-time services enabled for dom0 to use when appropriate
>
> No. We can't leave boot services enabled, and we also don't
> need to. The model is that only the Dom0 kernel binary needs
> validation at the boot loader level. Everything else will be
> done in the kernel (including initrd validation, or really the
> parts of it that need validation).
>
> > * dom0 able to use boot-time EFI services and disable them when done
>
> As above - that's not even an option.
>
> Jan

From the Linux pvops side it is all in 'Not-done' camp. Daniel is now taking a look at it.