From: "Bill Jacobs (billjac)" <billjac@cisco.com>
To: Daniel Kiper <daniel.kiper@oracle.com>,
"george.dunlap@citrix.com" <george.dunlap@citrix.com>,
"Bill Jacobs (billjac)" <billjac@cisco.com>
Cc: "xen-users@lists.xen.org" <xen-users@lists.xen.org>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
Date: Mon, 15 May 2017 19:09:54 +0000 [thread overview]
Message-ID: <3e4a14aa5a70417487412e4a5049f89d@XCH-RTP-007.cisco.com> (raw)
In-Reply-To: <20170515131252.GZ30364@olila.local.net-space.pl>
> -----Original Message-----
> From: Daniel Kiper [mailto:daniel.kiper@oracle.com]
> Sent: Monday, May 15, 2017 6:13 AM
> To: Bill Jacobs (billjac) <billjac@cisco.com>; george.dunlap@citrix.com
> Cc: xen-devel@lists.xen.org; xen-users@lists.xen.org
> Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
>
> Hey,
>
> CC-ing Xen-devel to spread some knowledge about the issue.
>
> On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
> > On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
> > <billjac@cisco.com> wrote:
> > > Hi all
> > >
> > > I gather that with 4.9, UEFI secure boot of Xen should be possible.
> > >
> > > Is this true?
> > >
> > > If so, what are the options for utilizing UEFI secure boot? Do I
> > > need a MSFT-signed shim or grub? Any special changes required for
> > > Xen kernel
> > > (signing?) or has that been done?
> >
> > Bill,
> >
> > I guess in part it depends on what you mean by "utilizing UEFI secure
> > boot". If you simply want to boot an unsigned Xen on a UEFI system
> > with SecureBoot enabled, then grub would probably work. If you want
> > to actually do the full SecureBoot thing -- where you have grub check
> > Xen's signature and that of the kernel and initrd, you probably need a
> > bit more.
> >
> > Daniel,
> >
> > Is there any good documentation on this? The Xen EFI guide
> > (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
> > doesn't go into detail about how to sign a binary &c.
>
> Unfortunately I do not know anything like that. As you said in general shim is
> supported. Sadly, it works only if you load xen.efi directly from EFI.
> __Upstream__ GRUB2 has not have support for shim yet. I am working on it
> (shim support via GRUB2 requires also some changes in Xen). I hope that I will
> have something which works before Xen conf in Budapest.
>
> If you wish to use shim with xen.efi then you have to sign xen.efi and vmlinux
> with your key using sbsign or pesign. The process works in the same way like in
> case vmlinux alone. Of course you have to install your public key into MOK
> before enabling secure boot.
>
> Daniel
Yes, there are options in how this is achievable, and the solutions may be different.
We are targeting a secure boot chain from UEFI fw to .ko, using same signing.
In our case would skip shim and reduce attack surface, but it appears that the mechanisms 'out there' for passing pub key (cert) from UEFI db to Linux chainring require shim to do the work. Is that accurate? Does it have to be the case? I don't see why.
For us, ideal case is :
UEFI fw -> (signed)GRUB2.efi->Multiboot2->Xen(signed .ko)
I would be happy to work to help achieve this.
-Bill
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-05-15 19:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <adcea6ce93c54bc6b80d68c5721cc187@XCH-RTP-007.cisco.com>
[not found] ` <CAFLBxZa8EDduCpRXqmLdUDRC-5xz2NiwZQxwUUDbjXD7Q8gCDw@mail.gmail.com>
2017-05-15 13:12 ` [Xen-users] UEFI Secure Boot Xen 4.9 Daniel Kiper
2017-05-15 19:09 ` Bill Jacobs (billjac) [this message]
2017-05-16 11:04 ` Daniel Kiper
2017-08-23 3:01 ` Tamas K Lengyel
2017-08-29 20:01 ` Daniel Kiper
2017-08-30 16:16 ` Tamas K Lengyel
2017-09-04 12:40 ` Daniel Kiper
2017-09-05 16:26 ` Tamas K Lengyel
2017-09-18 15:24 ` Tamas K Lengyel
2017-09-19 12:19 ` Daniel Kiper
2017-10-12 17:03 ` Bill Jacobs (billjac)
2017-10-13 8:09 ` Daniel Kiper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3e4a14aa5a70417487412e4a5049f89d@XCH-RTP-007.cisco.com \
--to=billjac@cisco.com \
--cc=daniel.kiper@oracle.com \
--cc=george.dunlap@citrix.com \
--cc=xen-devel@lists.xen.org \
--cc=xen-users@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).