Re: [Xen-users] UEFI Secure Boot Xen 4.9

["Bill Jacobs (billjac)" <billjac@cisco.com>]

Hi
What is the status of creating a shim to abstract secure boot signing for Xen (to leverage MSFT 3rd party, e.g)?
Thanks
-Bill

> -----Original Message-----
> From: Daniel Kiper [mailto:daniel.kiper@oracle.com]
> Sent: Tuesday, May 16, 2017 4:05 AM
> To: Bill Jacobs (billjac) <billjac@cisco.com>
> Cc: george.dunlap@citrix.com; xen-devel@lists.xen.org; xen-
> users@lists.xen.org
> Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
> 
> On Mon, May 15, 2017 at 07:09:54PM +0000, Bill Jacobs (billjac) wrote:
> > > -----Original Message-----
> > > From: Daniel Kiper [mailto:daniel.kiper@oracle.com]
> > > Sent: Monday, May 15, 2017 6:13 AM
> > > To: Bill Jacobs (billjac) <billjac@cisco.com>;
> > > george.dunlap@citrix.com
> > > Cc: xen-devel@lists.xen.org; xen-users@lists.xen.org
> > > Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
> > >
> > > Hey,
> > >
> > > CC-ing Xen-devel to spread some knowledge about the issue.
> > >
> > > On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
> > > > On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
> > > > <billjac@cisco.com> wrote:
> > > > > Hi all
> > > > >
> > > > > I gather that with 4.9, UEFI secure boot of Xen should be possible.
> > > > >
> > > > > Is this true?
> > > > >
> > > > > If so, what are the options for utilizing UEFI secure boot? Do I
> > > > > need a MSFT-signed shim or grub? Any special changes required
> > > > > for Xen kernel
> > > > > (signing?) or has that been done?
> > > >
> > > > Bill,
> > > >
> > > > I guess in part it depends on what you mean by "utilizing UEFI
> > > > secure boot".  If you simply want to boot an unsigned Xen on a
> > > > UEFI system with SecureBoot enabled, then grub would probably
> > > > work.  If you want to actually do the full SecureBoot thing --
> > > > where you have grub check Xen's signature and that of the kernel
> > > > and initrd, you probably need a bit more.
> > > >
> > > > Daniel,
> > > >
> > > > Is there any good documentation on this?  The Xen EFI guide
> > > > (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
> > > > doesn't go into detail about how to sign a binary &c.
> > >
> > > Unfortunately I do not know anything like that. As you said in
> > > general shim is supported. Sadly, it works only if you load xen.efi directly
> from EFI.
> > > __Upstream__ GRUB2 has not have support for shim yet. I am working
> > > on it (shim support via GRUB2 requires also some changes in Xen). I
> > > hope that I will have something which works before Xen conf in Budapest.
> > >
> > > If you wish to use shim with xen.efi then you have to sign xen.efi
> > > and vmlinux with your key using sbsign or pesign. The process works
> > > in the same way like in case vmlinux alone. Of course you have to
> > > install your public key into MOK before enabling secure boot.
> > >
> > > Daniel
> >
> > Yes, there are options in how this is achievable, and the solutions may be
> different.
> >
> > We are targeting a secure boot chain from UEFI fw to .ko, using same signing.
> > In our case would skip shim and reduce attack surface, but it appears
> > that the mechanisms 'out there' for passing pub key (cert) from UEFI
> > db to Linux chainring require shim to do the work. Is that accurate? Does it
> have to be the case? I don't see why.
> 
> AIUI, if EFI secure boot is enabled then EFI verifies signatures of every
> loaded/executed PE file. Unfortunately, you are not able to use secure boot
> protocol directly to verify yourself PE's loaded from your app. So, this is one of
> reasons why shim was introduced. It exposes protocol which can be used by
> you to do verification.
> 
> > For us, ideal case is :
> > UEFI fw -> (signed)GRUB2.efi->Multiboot2->Xen(signed .ko)
> 
> AFAICT, it is not possible. We should do following thing:
> 
>   UEFI -> shim -> GRUB2 -> Multiboot2 -> Xen/Linux/etc.
> 
> UEFI will verify shim secure boot signature then shim will verify GRUB2
> signature then GRUB2 will verify (with shim protocol) Xen signature and finally
> Xen will verify (with shim protocol) Linux kernel signature. Then your kernel
> can verify modules using whatever you want.
> 
> > I would be happy to work to help achieve this.
> 
> There is a chance that I will have something very raw at the beginning of June.
> If you wish to do tests drop me a line.
> 
> Daniel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel